FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu
Staff
Article Id 262931

Description

 

This article describes how to solve an issue where a user ends up on the locked-out users list after a single failed login attempt.

 

Scope

 

FortiGate, FortiAuthenticator.

 

Solution

 

This article assumes the FortiGate is configured with FortiAuthenticator as a RADIUS server using the default values.


Out of the box, the Authentication method of the RADIUS server configured on the FortiGate is set to 'Default'.
With this setting, when an authentication request is submitted, the FortiGate tries each method one by one, sending a separate RADIUS request for each, until one of them succeeds, in the following order:

 

(Image: Default Authentication method specified)

 

  1. PAP.
  2. CHAP.
  3. MS-CHAP.
  4. MS-CHAPv2.

The Lockout policy on the FortiAuthenticator is configured as shown in the screenshot below:

 

(Image: Lockout method)

 

As a result, if the wrong credentials are entered on the first attempt, the FortiGate sends four authentication requests to the RADIUS server for that single login, one per method, and every one of them fails.

If the maximum number of failed attempts is set to 4 or less, whether on the FortiAuthenticator itself or on its remote user database such as Active Directory, a single mistyped password is therefore enough to place the user on the locked-out users list.
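The following is an added example, not code from the article or from Fortinet, that models the behaviour just described so the effect of the 'Default' method on the lockout counter can be seen directly. A FortiGate RADIUS server entry with the 'Default' method sends one Access-Request per protocol in the order PAP, CHAP, MS-CHAP, MS-CHAPv2 until one is accepted, so one wrong password is counted several times. The lockout logic here is a simplified stand-in for the FortiAuthenticator or Active Directory counter, not their actual implementation, and the user name 'alice' is made up.

```python
"""Added example (not from the article or Fortinet): a small model of a
FortiGate 'Default' RADIUS authentication method against a lockout counter.
The LockoutPolicy class is a simplified stand-in for FortiAuthenticator or
Active Directory, not their real implementation."""

from dataclasses import dataclass, field

# Order the article gives for the 'Default' method.
METHOD_ORDER = ("PAP", "CHAP", "MS-CHAP", "MS-CHAPv2")


@dataclass
class LockoutPolicy:
    """Counts consecutive failures per user and locks at the threshold."""
    max_failed_attempts: int
    failed: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def access_request(self, user: str, password_ok: bool) -> bool:
        """Handle one RADIUS Access-Request; True means Access-Accept."""
        if user in self.locked:
            return False           # rejected with Reply-Message "user locked"
        if password_ok:
            self.failed[user] = 0  # a successful login resets the counter
            return True
        self.failed[user] = self.failed.get(user, 0) + 1
        if self.failed[user] >= self.max_failed_attempts:
            self.locked.add(user)
        return False


def fortigate_login(policy: LockoutPolicy, user: str, password_ok: bool,
                    auth_type: str = "Default") -> list:
    """Simulate one user login on the FortiGate; returns the methods tried.

    auth_type 'Default' walks METHOD_ORDER and stops at the first accept;
    any other value names a single method and sends exactly one request.
    """
    methods = METHOD_ORDER if auth_type == "Default" else (auth_type,)
    tried = []
    for method in methods:
        tried.append(method)
        if policy.access_request(user, password_ok):
            break
    return tried


def one_bad_password(max_failed_attempts: int, auth_type: str = "Default"):
    """One login with a wrong password against a fresh lockout counter.

    Returns (number of RADIUS requests sent, whether the user is now locked).
    """
    policy = LockoutPolicy(max_failed_attempts)
    tried = fortigate_login(policy, "alice", False, auth_type)  # made-up user
    return len(tried), "alice" in policy.locked


if __name__ == "__main__":
    for threshold in (3, 4, 5):
        print("Default, max_failed_attempts=%d:" % threshold,
              one_bad_password(threshold))
    print("MS-CHAPv2, max_failed_attempts=4:", one_bad_password(4, "MS-CHAPv2"))
```

With the threshold at 4 or below, one wrong password under 'Default' locks the user; at 5 it does not, but a second wrong password would. Pinning a single method sends one request per login, which is why fix 1 below is the cleanest option.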


To prevent this issue, apply one of the following fixes:

 

  1. Specify a single authentication method (PAP, CHAP, MS-CHAP or MS-CHAPv2) instead of 'Default' in the RADIUS server settings on the FortiGate (in the CLI this is 'set auth-type' under 'config user radius'), so that only one request is sent per login attempt.
  2. Increase the maximum number of failed attempts in the Lockout policy on the FortiAuthenticator so that the four requests generated by a single wrong password do not reach it.
  3. Increase the maximum number of failed attempts (the account lockout threshold) on the remote authentication server used by FortiAuthenticator, such as Active Directory.

 

(Image: Specifying the method)

 

Once the user is locked, the RADIUS debug log on the FortiAuthenticator shows the lockout in the reply:

 

2024-12-04T12:59:56.069285+01:00 FAC1 radiusd[23899]: Message-Authenticator := 0x00
2024-12-04T12:59:56.069289+01:00 FAC1 radiusd[23899]: Reply-Message += "user locked"

 

The corresponding entries can also be found in the raw logs on the FortiAuthenticator under Logging -> Log Access -> Logs. Note the different method named in each message (chap, mschap), one per request the FortiGate sent for the same login:

cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(chap) with FortiToken failed: invalid user parameter" user="branitskyi-d"

cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(mschap) with FortiToken failed: AD auth error: Logon failure (0xc000006d)" user="branitskyi-d"
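The following is an added example, not code from the article or from Fortinet, that turns the log evidence above into a check: it parses FortiAuthenticator authentication event lines in the key="value" layout shown and flags any user who fails from the same NAS with several distinct methods within a few seconds, which is what a 'Default' FortiGate method produces for one wrong password. The sample lines are constructed from the two entries above (the pap, mschapv2 and jdoe lines are invented for the demonstration), and the leading ISO timestamp on each line is an assumption added so that a time window can be applied; adjust parse_line() to the timestamp field of your own log export.

```python
"""Added example (not from the article or Fortinet): detection logic over
FortiAuthenticator authentication event logs for the fingerprint of a
FortiGate 'Default' RADIUS method, one user failing from one NAS with
several distinct methods within seconds."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the key="value" layout of the article's log entries.
# The leading timestamp is an assumed field added for the time window.
# branitskyi-d: one wrong password, four methods in two seconds.
# jdoe: one ordinary failure followed by a success (should not be flagged).
SAMPLE_LOGS = """\
2024-12-04T12:59:55 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(pap) with FortiToken failed: AD auth error: Logon failure (0xc000006d)" user="branitskyi-d"
2024-12-04T12:59:55 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(chap) with FortiToken failed: invalid user parameter" user="branitskyi-d"
2024-12-04T12:59:56 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(mschap) with FortiToken failed: AD auth error: Logon failure (0xc000006d)" user="branitskyi-d"
2024-12-04T12:59:56 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(mschapv2) with FortiToken failed: AD auth error: Logon failure (0xc000006d)" user="branitskyi-d"
2024-12-04T13:10:02 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Failed" msg="Windows AD user authentication(mschapv2) with FortiToken failed: AD auth error: Logon failure (0xc000006d)" user="jdoe"
2024-12-04T13:10:30 cat="Event" subcat="Authentication" level="information" nas="172.16.55.254" action="Authentication" status="Success" msg="Windows AD user authentication(mschapv2) with FortiToken successful" user="jdoe"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
METHOD_RE = re.compile(r"authentication\((\w+)\)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> key="value" ...' into a dict with ts and method."""
    ts_text, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts_text)
    m = METHOD_RE.search(rec.get("msg", ""))
    rec["method"] = m.group(1) if m else None
    return rec


def _bursts(recs: list, window: timedelta) -> list:
    """Group time-sorted records into runs whose span stays within window."""
    runs, current = [], []
    for rec in sorted(recs, key=lambda r: r["ts"]):
        if current and rec["ts"] - current[0]["ts"] > window:
            runs.append(current)
            current = []
        current.append(rec)
    if current:
        runs.append(current)
    return runs


def find_method_fallback(log_text: str,
                         window: timedelta = timedelta(seconds=5),
                         min_methods: int = 2) -> dict:
    """Return {(nas, user): [[methods of each suspicious burst], ...]}.

    A burst is suspicious when, inside window, the failures of one user
    from one NAS name at least min_methods distinct authentication methods.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("status") == "Failed" and rec["method"]:
            failures[(rec["nas"], rec["user"])].append(rec)

    findings = {}
    for key, recs in failures.items():
        for burst in _bursts(recs, window):
            methods = [r["method"] for r in burst]
            if len(set(methods)) >= min_methods:
                findings.setdefault(key, []).append(methods)
    return findings


if __name__ == "__main__":
    for (nas, user), bursts in find_method_fallback(SAMPLE_LOGS).items():
        for methods in bursts:
            print("%s from NAS %s: %d requests for one login (%s); check the "
                  "RADIUS authentication method on that FortiGate"
                  % (user, nas, len(methods), ", ".join(methods)))
```

A user who appears in the output is burning several lockout attempts per login, so the fix belongs on the FortiGate named by the nas field rather than in the user's password habits. Tune the window to the RADIUS timeout configured on the FortiGate if the requests are spread out by retries.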


Note that the same applies to users authenticating via VPN as well as to administrative access to the FortiGate through the RADIUS server.

Navigate to System -> Administration -> System Access for the lockout settings that apply to administrative access.

Navigate to Authentication -> User Account Policies -> Lockouts for the lockout settings that apply to remote users.