What is the lockout policy on Access Server?

OpenVPN Access Server automatically locks out user accounts after repeated failed authentications as a security precaution. When this lockout is triggered on an account, the user receives a message like "LOCKOUT" or "user temporarily locked out due to multiple authentication failures" when trying to sign in. This prevents brute-force password guessing, where someone keeps trying different passwords until one works.

The lockout triggers when a wrong password is entered three times consecutively within 15 minutes. The lockout expires after 15 minutes. You can modify these default settings. You can also manually lift the lockout if you don’t want to wait 15 minutes.
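The default policy described above, written out as a small Python model. This is an added illustration, not Access Server's own code. The class, function, and event names are hypothetical, the sample attempts are constructed, and the sliding-window and "attempts during lockout are refused without extending it" behaviours are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LockoutPolicy:          # hypothetical names; values are the page's defaults
    max_fails: int = 3        # consecutive wrong passwords
    window: int = 15 * 60     # seconds in which those failures must fall
    lock_time: int = 15 * 60  # seconds until the lockout expires

def replay(events, policy=LockoutPolicy()):
    """Replay (seconds, user, password_ok) attempts; return (seconds, user, outcome)."""
    fails, locked_until, out = {}, {}, []
    for ts, user, ok in sorted(events, key=lambda e: e[0]):
        if ts < locked_until.get(user, 0):
            # Assumption: while locked, even a correct password is refused
            # and the attempt does not extend the lockout.
            outcome = "LOCKOUT"
        elif ok:
            fails.pop(user, None)  # a success breaks the consecutive run
            outcome = "ok"
        else:
            # Assumption: sliding window, only failures newer than `window` count.
            recent = [t for t in fails.get(user, []) if ts - t < policy.window] + [ts]
            if len(recent) >= policy.max_fails:
                locked_until[user] = ts + policy.lock_time
                fails.pop(user, None)
                outcome = "fail, account locked"
            else:
                fails[user] = recent
                outcome = "fail"
        out.append((ts, user, outcome))
    return out

# Constructed sample attempts (not real log data).
EVENTS = [
    (0, "alice", False), (60, "alice", False), (120, "alice", False),
    (600, "alice", True),    # correct password, but still inside the lockout
    (1020, "alice", True),   # 15 minutes after the third failure
    (0, "bob", False), (100, "bob", False), (200, "bob", True),
    (300, "bob", False), (400, "bob", False),  # run was reset by the success
    (0, "carol", False), (500, "carol", False), (1000, "carol", False),
]

if __name__ == "__main__":
    for ts, user, outcome in replay(EVENTS):
        print(f"{ts:>5}s {user:<6} {outcome}")
```

In this model, carol's three failures span more than 15 minutes and never trigger the lockout, so reviewing authentication logs remains useful alongside the lockout itself.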

There are two exceptions to the lockout policy: authentications done with a user-locked connection profile, and bootstrap accounts. Access Server requires authentication with valid credentials to obtain a user-locked connection profile; bootstrap accounts can bypass the lockout policy only on Access Server 2.9 and older.

To change the lockout policy from the default settings, refer to this command line documentation page regarding the lockout policy.