
Tutorial: Configure the Authentication Failure Lockout Policy

Abstract

Learn how to configure the authentication failure lockout policy in Access Server. This guide covers the Admin Web UI and command-line methods to manage lockout settings effectively.

Overview

Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force password guessing. When an account is locked out, the user will receive a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures."

  • Access Server 2.10 and newer: The lockout triggers after five consecutive failed attempts within 15 minutes and expires after 15 minutes.

  • Access Server 2.9 and older: The lockout triggers after three consecutive failed attempts and expires after 15 minutes.

You can modify these default settings and manually lift the lockout if needed. Note that user-locked connection profiles and bootstrap accounts (only on Access Server 2.9 and older) are exceptions to this policy.

Access Server tracks incorrect passwords in the lockout dictionary, stored as hashes. The default settings are typically sufficient, but if thousands of users repeatedly enter incorrect passwords, the dictionary may need adjustment. If the dictionary reaches its maximum size, it will be purged. We recommend leaving the default value unless your use case requires changes.
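To make the thresholds concrete, here is an added Python model of the behaviour described above. It is not Access Server's code: the parameter names mirror the sacli keys, the `verify` callback stands in for the real credential check, and the exact expiry rule (the lockout lifts `reset_time` seconds after the failure that triggered it; a successful login clears the counter) and the whole-dictionary purge are assumptions drawn from the text.

```python
import hashlib
import hmac
import os
import time


class LockoutPolicy:
    """Illustrative model of the authentication failure lockout policy.

    Added example, not Access Server's implementation; the three
    parameters correspond to the vpn.server.lockout_policy.* keys.
    """

    def __init__(self, n_fails=5, reset_time=900, max_history=10000):
        self.n_fails = n_fails          # failures that trigger a lockout
        self.reset_time = reset_time    # window and lockout length, seconds
        self.max_history = max_history  # upper bound on stored hashes
        self.history = {}               # user -> [(timestamp, password_hash)]
        self.locked_until = {}          # user -> expiry timestamp (assumption)
        self._key = os.urandom(32)      # per-process key for the keyed hash

    def _hash(self, password):
        # Wrong passwords are kept as keyed hashes, never in clear text.
        return hmac.new(self._key, password.encode(), hashlib.sha256).hexdigest()

    def _size(self):
        return sum(len(entries) for entries in self.history.values())

    def _prune(self, user, now):
        # Forget failures older than the reset window.
        fresh = [(t, h) for t, h in self.history.get(user, [])
                 if now - t < self.reset_time]
        if fresh:
            self.history[user] = fresh
        else:
            self.history.pop(user, None)

    def attempt(self, user, password, verify, now=None):
        """Return 'OK', 'FAIL' or 'LOCKOUT' for one authentication attempt."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return "LOCKOUT"            # locked out even if the password is right
        self.locked_until.pop(user, None)
        self._prune(user, now)
        if verify(user, password):
            self.history.pop(user, None)  # success breaks the consecutive run
            return "OK"
        if self._size() + 1 > self.max_history:
            self.history.clear()          # dictionary full: purge it entirely
        self.history.setdefault(user, []).append((now, self._hash(password)))
        if len(self.history[user]) >= self.n_fails:
            self.locked_until[user] = now + self.reset_time
            return "LOCKOUT"
        return "FAIL"


def demo():
    """Five wrong guesses within the window lock the account for reset_time."""
    policy = LockoutPolicy(n_fails=5, reset_time=900)
    verify = lambda user, pw: pw == "correct horse"   # constructed credential check
    t0 = 1_700_000_000
    results = [policy.attempt("alice", f"guess{i}", verify, now=t0 + 10 * i)
               for i in range(5)]
    # The right password is rejected while the lockout is active ...
    results.append(policy.attempt("alice", "correct horse", verify, now=t0 + 60))
    # ... and accepted once reset_time has elapsed since the fifth failure.
    results.append(policy.attempt("alice", "correct horse", verify, now=t0 + 40 + 900))
    return results


def purge_demo():
    """A small max_history shows the dictionary being purged when full."""
    policy = LockoutPolicy(n_fails=3, reset_time=900, max_history=4)
    never = lambda user, pw: False
    for i, user in enumerate(["u1", "u2", "u3", "u4"]):
        policy.attempt(user, "x", never, now=1000 + i)
    before = policy._size()                       # four hashes stored
    policy.attempt("u5", "x", never, now=1010)    # fifth would exceed the limit
    return before, policy._size()


if __name__ == "__main__":
    print(demo())        # ['FAIL', 'FAIL', 'FAIL', 'FAIL', 'LOCKOUT', 'LOCKOUT', 'OK']
    print(purge_demo())  # (4, 1)
```

Raising `n_fails` or lowering `reset_time` in the constructor shows directly how much guessing room each setting gives an attacker before the lockout engages, which is the trade-off the Admin Web UI and sacli settings below control.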

Tip

If you’re using an external authentication system, that system may have its own lockout policy.

Prerequisites

  • Installed Access Server.

    • If you're configuring the policy using the Admin Web UI, you need Access Server 2.10.2 or newer.

  • Admin Web UI access or console access with root privileges.

For OpenVPN Access Server 2.10.2 and newer:

  1. Sign in to the Admin Web UI.

  2. Click Authentication > Settings.

  3. Adjust settings under the Password Lockout Policy section as needed.

Using the command line:

  1. Connect to the console and get root privileges.

  2. Switch to the scripts directory:

    cd /usr/local/openvpn_as/scripts/

  3. Use the following commands to configure the lockout policy:

    • Set the number of authentication failures (default is 5):

      ./sacli --key "vpn.server.lockout_policy.n_fails" --value <NUMBER> ConfigPut
      ./sacli start

    • Set the lockout duration (default is 900 seconds, or 15 minutes):

      ./sacli --key "vpn.server.lockout_policy.reset_time" --value <SECONDS> ConfigPut
      ./sacli start

    • Set the maximum size of the lockout dictionary (default is 10000):

      ./sacli --key "vpn.server.lockout_policy.max_history" --value <BYTES> ConfigPut
      ./sacli start

    ./sacli start applies the new value. If you change several keys, you can run the ConfigPut commands back to back and ./sacli start once at the end.