Authentication failure lockout policy

Access Server locks out users when they enter a wrong password three times consecutively within 15 minutes. The lockout expires after 15 minutes.

As a security precaution, Access Server automatically locks out user accounts after repeated failed authentications. When this lockout is triggered on an account, the user receives a message like "LOCKOUT" or "temporarily locked out due to multiple authentication failures" when trying to sign in. This prevents brute-force guessing the password by endlessly trying different passwords.

Exceptions to the lockout policy include user-locked connection profile authentications and bootstrap accounts. Access Server requires authentication with valid credentials to obtain a user-locked connection profile; bootstrap accounts can only bypass the lockout policy on Access Server 2.9 and older.

If you don't want to wait 15 minutes, you can modify the default lockout settings or manually lift the lockout.

Configure the lockout policy

You can configure the lockout policy from the Admin Web UI (Access Server 2.10.2 and newer) or the command-line interface (CLI).

Important

If you’re using an external authentication system, that system might have its own lockout policy.

Configure the lockout policy in the Admin Web UI

OpenVPN Access Server 2.10.2 and newer provides configuration of the lockout policy in the Admin Web UI:

Sign in to the Admin Web UI.
Click Authentication > Settings.
Under the section, Password Lockout Policy, adjust or configure as needed.
Click Save Settings and Update Running Server.

Configure the lockout policy from the CLI

Use the commands below to configure the lockout policy from the console.

Set the number of authentication failures after which the user will be locked out (default is 5):
```
./sacli --key "vpn.server.lockout_policy.n_fails" --value <NUMBER> ConfigPut
./sacli start
```
Release the lockout on a user after the specified amount of seconds pass (default is 900 seconds or 15 minutes):
```
./sacli --key "vpn.server.lockout_policy.reset_time" --value <SECONDS> ConfigPut
./sacli start
```
Maximum size of lockout dictionary (default is 10000):
```
./sacli --key "vpn.server.lockout_policy.max_history" --value <BYTES> ConfigPut
./sacli start
```
Tip
Access Server tracks incorrect passwords in the lockout dictionary with the passwords stored as hashes. The default value should be adequate unless you have thousands of users repeatedly entering incorrect passwords. If the dictionary reaches its maximum size, it will eventually be purged. The consequence of this dictionary reaching its limits with thousands of users entering wrong passwords is that if the failed authentication attempts are spread far enough apart (hours), the number of authentication failures can be higher than configured. If the failed authentication attempts occur shortly after one another, then the number of authentication failures per user will be adhered to just fine. We recommend leaving the default value.

Manually unlock a locked-out user account

If you wish to unlock a locked-out user manually, follow the steps below.

Tip

You can't unlock a single, specific user. The steps below allow you to set the automatic lockout reset period to one second and then revert it back to the default value.

Manually unlock a user from the Admin Web UI

Access Server 2.10.2 and newer configures the lockout policy in the Admin Web UI. To manually unlock users, follow these steps:

Sign in to the Admin Web UI.
Click Authentication > Settings.
Under Password Lockout Policy, take note of your current value for the Lockout release timeout in seconds.
Set the value to 1.
Click Save Settings and Update Running Server.
Wait two seconds.
Set the value back to your initial value.
Tip
Access Server's default lockout is set to 900 seconds, or 15 minutes.
Click Save Settings and Update Running Server.
- The locked-out user can sign in again.

Manually unlock a user from the CLI

Connect to your Access Server console and get root privileges.
Change your directory to use the sacli tool.
```
cd /usr/local/openvpn_as/scripts/
```

Run these commands to set the lockout to one second, wait two seconds, and then set it back to the default value of 15 minutes. (If desired, modify the command for your preferred lockout time.)

./sacli --key "vpn.server.lockout_policy.reset_time" --value "1" ConfigPut
./sacli start
sleep 2
./sacli --key "vpn.server.lockout_policy.reset_time" --value "900" ConfigPut
./sacli start
service openvpnas restart

The locked-out user can sign in again.

In this section: