Visitor
wiley
Posts: 1
Registered: 08-25-2009

SA2000 Password Management - AD integration - Force User Account Lockout?

Hi,

If all the steps necessary for password management (advanced license, LDAPS etc.) are in place, is it possible to implement a lockout on a user's account signing in through the IVE? I know from the supported password management functions matrix that the IVE can check if an account is locked out or expired, but what I want to do is configure it so that if a user enters a password incorrectly via the IVE login page, say 3 times, their account is locked. I'd appreciate any views as to whether this is possible; I presume not, and that the password management feature only 'pulls' information from the AD as to the status of a user account, and that an incorrect login through the IVE would not count towards any account lockout threshold set on AD.

Any guidance appreciated.

Contributor
wotsit
Posts: 12
Registered: 04-28-2009

Re: SA2000 Password Management - AD integration - Force User Account Lockout?

I do believe that if the AD is set to lock out after 3 incorrect login attempts, then this will still be enforced via the Juniper access. Therefore if a user attempts to log in via Juniper incorrectly 3 times, then you should see the account be locked out in AD.
Production: Clustered SA6500-FIPS running 6.5r2
Development: Single SA2000 running 7.1r1
Distinguished Expert
muttbarker
Posts: 2,389
Registered: 01-29-2008

Re: SA2000 Password Management - AD integration - Force User Account Lockout?

Wotsit is 100% correct. The SA box does not do any lockout validation. It simply passes the credentials on to the AD box and accepts the returned result of good login, bad password, lockout.....
Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
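
One way to verify the behaviour described in this thread, added here as an example (not from any poster or from Juniper): after a deliberately failed sign-in through the IVE login page with a test account, this PowerShell reads the domain lockout policy and the account's bad-password counters from each domain controller. It assumes the RSAT ActiveDirectory module is available; `testuser` is a placeholder account name.

```powershell
# Added example: confirm that failed sign-ins relayed by the VPN gateway count
# toward the AD lockout threshold. Requires the RSAT ActiveDirectory module.
param(
    [string]$SamAccountName = 'testuser'   # placeholder: use a dedicated test account
)

Import-Module ActiveDirectory

# Domain-wide lockout settings. A fine-grained password policy, if one applies
# to the account, overrides these and is not checked here.
$policy = Get-ADDefaultDomainPasswordPolicy
[pscustomobject]@{
    LockoutThreshold         = $policy.LockoutThreshold
    LockoutObservationWindow = $policy.LockoutObservationWindow
    LockoutDuration          = $policy.LockoutDuration
} | Format-List

if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: the domain never locks accounts, whatever the gateway relays.'
}

# badPwdCount and badPasswordTime are not replicated between domain
# controllers, so ask each DC for its own view of the account.
$props = 'badPwdCount', 'badPasswordTime', 'LockedOut', 'lockoutTime'
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties $props -ErrorAction Stop
        [pscustomobject]@{
            DomainController = $dc.HostName
            BadPwdCount      = $u.badPwdCount
            LastBadPassword  = if ($u.badPasswordTime) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
            LockedOut        = $u.LockedOut
            LockoutTimeUtc   = if ($u.lockoutTime) { [DateTime]::FromFileTimeUtc($u.lockoutTime) } else { $null }
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

# Most recent bad-password event first: that DC handled the relayed attempt.
$rows | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize
```

Run it before and after each failed sign-in: if the gateway is passing credentials to AD as the replies say, `BadPwdCount` rises on the DC that handled the attempt and `LockedOut` becomes true once the threshold is reached.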
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.