How to Unlock Users on the Lock List for Failed Maximum Authentication Attempts


143900
Created On 09/26/18 21:06 PM - Last Modified 06/09/23 06:35 AM

Issue

When authentication attempts exceed the number of permitted failed attempts, the user will be in a locked state, and the error message below will appear in the authd logs:

"pan_authd_generate_alarm(pan_authd.c:808): Generating alarm for auth failure log: Admin jai failed to authenticate 2 times - the unsuccessful authentication attempts threshold reached. Admin jai's account is being disabled due to excessive failed authentication attempts".

Cause

Take a user authenticating for the first time against a sequence of two profiles, with Failed Attempts configured to 2 and Lockout Time configured to 10 minutes. The first profile, "Profile", is checked first. If that attempt fails, "Profile 2" is checked next, and if that also fails the user is pushed into the locked state for the period specified in the Lockout Time.

If Failed Attempts is configured to 3, the profile "Profile" is checked for the first attempt, "Profile 2" for the second attempt, and "Profile" again for the third attempt. If a user has two Authentication Profiles and Failed Attempts is configured to 1, the second profile, "Profile 2", is never evaluated and the user is immediately moved to the locked state.

Go to Device > Authentication Sequence, as shown below:

[Screenshot: Capture.PNG]

Note: If the Lockout Time is configured as 0 minutes, the user is never unlocked automatically and must be unlocked manually by an administrator: under the Device > Administrators tab for administrators, or under Device > Authentication Profile for other users.
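The following Python model is added here and is not part of the article or of PAN-OS; it reproduces the counter behaviour described in the Cause section so the interaction between Failed Attempts, the Authentication Sequence and Lockout Time can be stepped through. The profile names, minute-based timestamps and method names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutModel:
    """Assumed model of the Failed Attempts counter walking an Authentication Sequence."""
    profiles: List[str]              # profiles in the sequence, in order
    failed_attempts: int             # "Failed Attempts" setting
    lockout_minutes: int             # "Lockout Time" setting; 0 = manual unlock only
    failures: int = 0                # consecutive failed profile evaluations
    locked_at: Optional[int] = None  # minute the lock engaged, None when not locked
    evaluated: List[str] = field(default_factory=list)  # audit trail of profiles checked

    def is_locked(self, now: int) -> bool:
        if self.locked_at is None:
            return False
        if self.lockout_minutes == 0:  # lock never expires; an administrator must clear it
            return True
        if now >= self.locked_at + self.lockout_minutes:  # lockout period has elapsed
            self.locked_at, self.failures = None, 0
            return False
        return True

    def attempt(self, credentials_ok: bool, now: int = 0) -> str:
        """One evaluation against the next profile; returns 'locked', 'success' or 'failed'."""
        if self.is_locked(now):
            return "locked"  # nothing is evaluated while the account is locked
        profile = self.profiles[self.failures % len(self.profiles)]  # cycle through the sequence
        self.evaluated.append(profile)
        if credentials_ok:
            self.failures = 0
            return "success"
        self.failures += 1
        if self.failures >= self.failed_attempts:  # threshold reached: account is disabled
            self.locked_at = now
            return "locked"
        return "failed"

    def admin_unlock(self) -> None:
        """What the Unlock icon under Device > Authentication Profile does to the state."""
        self.locked_at, self.failures = None, 0


def walk(profiles: List[str], failed_attempts: int, lockout_minutes: int, bad_attempts: int):
    """Drive repeated bad-password attempts; return the profiles evaluated and the final result."""
    model = LockoutModel(profiles, failed_attempts, lockout_minutes)
    result = None
    for _ in range(bad_attempts):
        result = model.attempt(False)
    return model.evaluated, result
```

Running `walk(["Profile", "Profile 2"], 1, 10, 1)` shows that "Profile 2" is never evaluated when Failed Attempts is 1, matching the case described above.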

When a user is locked, the logs below appear when running the following CLI command:

> tail follow yes mp-log authd.log

After two attempts, the user is disabled and put into a locked state:

[Screenshot: Capture1.PNG]

The syslog shows the following entries, which indicate that the account is locked and has been placed in the locked users list:

[Screenshot: Capture2.PNG]

Resolution

  1. Go to Device > Authentication Profile.
  2. In the last column, "Locked Users," click the Unlock icon:

[Screenshot: Unlock.PNG]


The user will be unlocked as shown below:

[Screenshot: Capture3.PNG]

The user can also be unlocked under Device > Administrators:

[Screenshot: Capture4.JPG]

owner: dantony

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm61CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail