Tutorial: Configure the Authentication Failure Lockout Policy

Abstract

Learn how to configure the authentication failure lockout policy in Access Server. This guide covers the Admin Web UI and command-line methods to manage lockout settings effectively.

Overview

Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force attacks. When locked out, users see messages like "LOCKOUT" or "User temporarily locked out due to multiple authentication failures."

The lockout triggers after five failed attempts within 15 minutes and expires after 15 minutes. Admins can modify lockout settings or manually lift a lockout if needed.

Prerequisites

  • Installed Access Server.

  • Admin Web UI access or console access with root privileges.

Configure the lockout policy in the Admin Web UI

  1. Sign in to the Admin Web UI.

  2. Click Authentication.

  3. Adjust the values under the Password lockout policy section as needed.

    • The default Failed attempts until lockout occurs is 10 attempts.

    • The default Lockout release timeout in seconds is 900 seconds.

  4. Click Save and Reset.

Configure the lockout policy from the command line

  1. Connect to the console and get root privileges.

  2. Use the following commands to configure the lockout policy:

    • Set the number of authentication failures (default is 5):

      sacli --key "vpn.server.lockout_policy.n_fails" --value <NUMBER> ConfigPut
      sacli start

    • Set the lockout duration (default is 900 seconds or 15 minutes):

      sacli --key "vpn.server.lockout_policy.reset_time" --value <SECONDS> ConfigPut
      sacli start

    • Set the maximum size of the lockout dictionary (default is 10000):

      sacli --key "vpn.server.lockout_policy.max_history" --value <BYTES> ConfigPut
      sacli start