kyle-hsuan
Explorer
September 1, 2025
Question

FortiAuthenticator remote LDAP user authentication failed one time, then account status disabled


Hi

What I mean is that I configured the lockout setting to lock the account after five failed attempts, but when my user enters the wrong password just once, FAC disables the account user, and it has to be manually enabled.

kylehsuan_0-1756709753655.png

kylehsuan_2-1756709871429.png

FAC version 6.6.4

Thanks.

4 replies

AEK
SuperUser
September 1, 2025

Hi Kyle

Keep in mind user locked is not the same as user disabled.

I don't know where this behavior is configured, but I don't think it is in "User Lockout Policy".

AEK
Markus_M
Staff & Editor
September 1, 2025

Hi Kyle,

You can check in the monitor section what is with this user. Based on the second screenshot, bottom, I suppose the FortiGate could need a config adjustment on the RADIUS configuration:
https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Best-practices-on-hardening-FortiAuthenticator/ta-p/274443#:~:text=radius%20configuration%20on%20fortigate%3A describes that setting.

kyle-hsuan
Explorer
September 2, 2025

Hi Markus

I have already specified RADIUS authentication, but it still gets disabled.

Markus_M
Staff & Editor
September 2, 2025

What do the regular logs state? So when the user was just enabled, entered the wrong password, and gets disabled. Also interesting as to what the user exactly authenticates to.

sisrayilov
Staff
February 10, 2026

Hello Kyle-hsuan,
Is your issue fixed? If not, please share what you see in the raw log entries on your FortiAuthenticator.