Skip to main content

Tutorial: Configure the Authentication Failure Lockout Policy

Abstract

Learn how to configure the authentication failure lockout policy in Access Server. This guide covers the Admin Web UI and command-line methods to manage lockout settings effectively.

Overview

Prerequisites

  • Installed Access Server.

    • If you're configuring the policy using the Admin Web UI, you need Access Server 2.10.2 or newer.

  • Admin Web UI access or console access with root privileges.

Option 1: Configure the lockout policy in the Admin Web UI

For OpenVPN Access Server 2.10.2 and newer:

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Adjust settings under the Password Lockout Policy section as needed.

Option 2: Configure the lockout policy via the command-line interface (CLI)

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Use the following commands to configure the lockout policy:

    • Set the number of authentication failures (default is 5):

      ./sacli --key "vpn.server.lockout_policy.n_fails" --value <NUMBER> ConfigPut
./sacli start

    • Set the lockout duration (default is 900 seconds or 15 minutes):

      ./sacli --key "vpn.server.lockout_policy.reset_time" --value <SECONDS> ConfigPut
./sacli start

    • Set the maximum size of the lockout dictionary (default is 10000):

      ./sacli --key "vpn.server.lockout_policy.max_history" --value <BYTES> ConfigPut
./sacli start
In this section: