VPN Locked Out

certm0decertm0de Posts: 11Member ■□□□□□□□□□

I'm supporting a remote user who repeatedly gets locked out of the Cisco VPN client when he incorrectly enters his credentials once. The user is not on a domain. I have a NPS for remote vpn access and he is in the appropriate user group. The GPO lockout threshold is set to 0 and I can't figure this one out. The user is able to access his O365 account just fine. The Event viewer shows NPS audit failure due to a user credentials mismatch. Either the user name provided does not map to an existing users account or the password was incorrect. The only way to circumvent this is to reset his password in AD. Any ideas?


  • scaredoftestsscaredoftests Security +, ITIL Foundation, MPT, EPO, ACAS, HTL behind youPosts: 2,715Mod Mod
    Not sure if this matters, but is he on a wireless network? Is this a work computer or a personal computer?
    Never let your fear decide your fate....
  • certm0decertm0de Posts: 11Member ■□□□□□□□□□
    He's on a work desktop, hardwired.
  • MeanDrunkR2D2MeanDrunkR2D2 MCSA: Server 2012, MCITP: EDA KCPosts: 889Member ■■■■■□□□□□
    Does he have email on his smart phone? Change his password recently? That was ALWAYS my #1 cause of a weird account lockout.
  • certm0decertm0de Posts: 11Member ■□□□□□□□□□
    No he does not have his work email enabled on his phone. Even if he does, the lockout threshold is set to 0. Since he his trying to authenticate to the RADIUS client on the NPS and the NPS group is on the domain, the GPO should apply correct? Any ideas?
  • poolmanjimpoolmanjim MCSE, MCSA: 2016, MCSA: 2012 KC, KS, USAPosts: 285Member ■■■□□□□□□□
    Check the Domain Controller logs. It should show the failed logins listed in the event viewer. It will also provide a source most of the time that you can nail down to a specific IP or device name. This has saved me hours of looking in the past.

    Is the client workstation a member of your domain? I believe the account lockout policies are Computer Policies. If the computer is not a member of your domain (or is but can't receive its initial GPO being offline) then it will not apply computer policies.

    You could either try a Fine-Grained Password Policy specific to that user (group) or you could try using loopback processing on the VPN client OU.
    2019 Goals: Security+
    2020 Goals: 70-744, Azure
    Completed: MCSA 2012 (01/2016), MCSE: Cloud Platform and Infrastructure (07/2017), MCSA 2017 (09/2017)
    Future Goals: CISSP, CCENT
Sign In or Register to comment.