What's the User Lockout Policy?
Question: What is Access Server's user account lockout policy?
Answer:
Access Server automatically locks out user accounts after repeated failed authentication attempts to prevent brute-force attacks. When locked out, users see messages like "LOCKOUT" or "User temporarily locked out due to multiple authentication failures."
Access Server 2.10 and newer: the lockout triggers after five failed attempts within a 15-minute window and expires 15 minutes after it is triggered.
Access Server 2.9 and older: the lockout triggers after three failed attempts and expires after 15 minutes.
Access Server records the incorrect passwords it sees in a lockout dictionary, storing them as hashes rather than in plaintext. When the dictionary reaches its size limit it is purged. The default settings are usually sufficient, but high-volume environments may require adjustments.
External authentication systems (LDAP, RADIUS, SAML) may have their own lockout policies.
Exceptions for Access Server 2.9 and older ONLY: User-locked connection profiles and bootstrap accounts don't trigger lockouts.
Admins can modify lockout settings or manually lift a lockout if needed.
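The following is an added illustration of the rules described above, written for this page and not taken from Access Server's code: a small model that counts failures per user, applies the 15-minute sliding window of the 2.10+ rule (or the fixed three-failure count of 2.9 and older when configured that way), expires the lock after 15 minutes, and lets an admin lift it. Timestamps are plain seconds; it does not model the hashed-password dictionary or its purge.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional


@dataclass
class LockoutPolicy:
    """Constructed model of the lockout rules above (not Access Server code).
    Defaults follow 2.10+; max_attempts=3, window_seconds=None gives the 2.9 rule."""
    max_attempts: int = 5
    window_seconds: Optional[int] = 900   # None: count failures with no window
    lockout_seconds: int = 900
    failures: Dict[str, Deque[float]] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear it and forget the failures that caused it.
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed authentication; returns True if the user is locked."""
        if self.is_locked(user, now):
            return True
        attempts = self.failures.setdefault(user, deque())
        if self.window_seconds is not None:
            # Sliding window: failures older than the window no longer count.
            while attempts and now - attempts[0] > self.window_seconds:
                attempts.popleft()
        attempts.append(now)
        if len(attempts) >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """Correct password: rejected while locked, otherwise clears the history."""
        if self.is_locked(user, now):
            return False
        self.failures.pop(user, None)
        return True

    def unlock(self, user: str) -> None:
        # Administrative reset, like an admin manually lifting a lockout.
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```

Note that a correct password presented during the lockout is still rejected, which is why users see the lockout message even after fixing a typo.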
Refer to our lockout policy documentation for more.