VPN Locked Out

Hi,

I'm supporting a remote user who repeatedly gets locked out of the Cisco VPN client when he incorrectly enters his credentials once. The user is not on a domain. I have a NPS for remote vpn access and he is in the appropriate user group. The GPO lockout threshold is set to 0 and I can't figure this one out. The user is able to access his O365 account just fine. The Event viewer shows NPS audit failure due to a user credentials mismatch. Either the user name provided does not map to an existing users account or the password was incorrect. The only way to circumvent this is to reset his password in AD. Any ideas?

Find more posts tagged with

Comments

scaredoftests

Not sure if this matters, but is he on a wireless network? Is this a work computer or a personal computer?

certm0de

He's on a work desktop, hardwired.

MeanDrunkR2D2

Does he have email on his smart phone? Change his password recently? That was ALWAYS my #1 cause of a weird account lockout.

certm0de

No he does not have his work email enabled on his phone. Even if he does, the lockout threshold is set to 0. Since he his trying to authenticate to the RADIUS client on the NPS and the NPS group is on the domain, the GPO should apply correct? Any ideas?

poolmanjim

Check the Domain Controller logs. It should show the failed logins listed in the event viewer. It will also provide a source most of the time that you can nail down to a specific IP or device name. This has saved me hours of looking in the past.

Is the client workstation a member of your domain? I believe the account lockout policies are Computer Policies. If the computer is not a member of your domain (or is but can't receive its initial GPO being offline) then it will not apply computer policies.

You could either try a Fine-Grained Password Policy specific to that user (group) or you could try using loopback processing on the VPN client OU.