OpenVPN Support Forum

Been searching the web trying to figure out how to unlock an account. We are using PAM for authentication. I thought maybe it was locking the unix account but it isn't. How do I unlock an account to allow the user to login again.

Thanks,
Travis

I've searched for this a few times now and haven't found any information on it.

There is nothing in the web ui that I can see, I suspect that restart openvpnas would fix it but that seems pretty hardcore.

We are also using PAM authentication but had the same issue when using Radius.

If anyone knows an elegant way of unlocking a user account that has failed too many password attempts that would be great to hear.

Thanks

Alex

I haven't had chance to try this yet but I noticed this in the CLI readme file:

Ban a user from logging into the VPN or Web server
(doesn't affect a user who is already logged in -- for this,
use DisconnectUser below):

./sacli --user <USER> --key prop_deny --value true UserPropPut

Re-admit a user who was previously banned:

./sacli --user <USER> --key prop_deny --value false UserPropPut

I'm wondering if that would work to unlock an account immediately.
Will give that a go next time someone is locked out and let you know.

Not worked... Any solution ...

I found that running "/etc/init.d/openvpnas restart" will reset all lockouts. I haven't found a way to do it for a specific user though.

The easiest method I've found is to toggle the User Authentication method in the admin web portal.

1. Log into the webportal at "https://[your-url-or-ip]:943/admin"

2. Click on "General" under the "Authentication" section.

3. Change the authentication method.

Note: It doesn't matter what you change the authentication method to, just that you change the method. For example, I use an LDAP server. So I'll change the method to "Local".

4. Click "Save Settings", then click "Update Running Server".

5. Now immediately change the authentication method back to it's original setting.

6. Click "Save Settings", then click "Update Running Server".

At this point, all lockouts are now reset and previously locked out users can attempt to log in. In my experience, this trick does NOT affect currently logged in users. It will, however, affect anyone who tries to log in while you're performing this toggle. But seeing as how this toggle takes all of 10 seconds, I've never experienced someone trying to log in while I was performing this reset.

There is no way to reset the lockout for a specific user, sorry.

If you have a user that is locked out now and you need a fast way to unlock the user, run this command in an SSH or console session on the Access Server. Note, this is one line, just copy and paste it. It will reset the lock out of all currently locked out users:

/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 1;/usr/local/openvpn_as/scripts/sacli start;sleep 2;/usr/local/openvpn_as/scripts/confdba -mk vpn.server.lockout_policy.reset_time -v 900;/usr/local/openvpn_as/scripts/sacli start

What this will do is simply set the lockout period to 1 second, then wait 2 seconds, and put it back to the default of 900 seconds.

If you run into the problem a lot consider simply changing the threshold for when lockout triggers.

have to be sudo

cd /usr/local/openvpn_as/scripts/

./sacli -u username GoogleAuthRegen

mbelcherit; that's something different than a password lockout, but okay, thanks for the contribution.