User Lockout in PhenixID Server

This article describes the User Lockout Settings in PhenixID Server.

The reader of this document should have some basic knowledge about PhenixID Server.

Overview

This document describes the User Lockout settings available in PhenixID Server.


The lockout counter is incremented whichever step of the login fails: a wrong password and a wrong one-time password both count towards the same lockout.

Instruction

As of version 2.x of PhenixID Server, user lockout is configured on the valves of a pipe.

The following valves support user lockout:

LDAPBindValve, OTPValidationValve and TokenValidationValve.

The example below shows the configuration on the username/password validation pipe and its LDAPBindValve. Use the same procedure on the OTP validation pipe with OTPValidationValve and TokenValidationValve.

The following parameters are available on these valves:

"userid_param_name" : "{{request.User-Name}}", (the parameter that carries the unique user id)
"lockout_enabled" : "true/false", (enables or disables lockout on this valve)

"lockout_login_attempts" : "3", (number of failed attempts before the account is locked)

"lockout_time" : "60", (time, in minutes, during which the locked user cannot authenticate)

"lockout_login_window" : "30", (time window within which the failed attempts must occur to trigger the lockout)

To check whether a user is already locked out, the following valve must be configured as the first valve in each of these pipes:

{
      "name" : "LockoutCheckValve",
      "config" : {
        "userid_param_name" : "{{request.User-Name}}"
      }
}
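
The Python model below is an added illustration, not PhenixID Server code. It ties together the valve parameters listed above and the LockoutCheckValve ordering: the check valve, placed first in a pipe, only reads the lockout state, while the validating valves (LDAPBindValve, OTPValidationValve, TokenValidationValve) update it when lockout_enabled is true, and a wrong password and a wrong one-time password feed the same per-user counter. Two things are assumptions because the page does not state them: lockout_login_window is counted in minutes like lockout_time, and a successful login clears the failure counter.

```python
"""Model of PhenixID-style user lockout (added illustration, not PhenixID code).

Assumptions not stated on the page: lockout_login_window is in minutes like
lockout_time, and a successful login clears the failure counter.
"""
from collections import defaultdict, deque


class LockoutState:
    def __init__(self, lockout_login_attempts=3, lockout_time=60, lockout_login_window=30):
        self.attempts = lockout_login_attempts   # failures before locking
        self.lockout_time = lockout_time          # minutes (as on the page)
        self.window = lockout_login_window        # assumed minutes
        self._failures = defaultdict(deque)       # userid -> failure times
        self._locked_until = {}                   # userid -> lock expiry

    def check(self, userid, now):
        """LockoutCheckValve: return True if the request may continue."""
        until = self._locked_until.get(userid)
        if until is None:
            return True
        if now < until:
            return False
        # lock has expired: clear it so the user starts with a fresh window
        del self._locked_until[userid]
        self._failures[userid].clear()
        return True

    def record_failure(self, userid, now):
        """A validating valve with lockout_enabled=true failed for userid.
        Return True if this failure locks the account."""
        failures = self._failures[userid]
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()                    # fell outside the login window
        if len(failures) >= self.attempts:
            self._locked_until[userid] = now + self.lockout_time
            failures.clear()
            return True
        return False

    def record_success(self, userid):
        """Assumed behaviour: a successful login resets the failure counter."""
        self._failures[userid].clear()


def radius_scenario():
    """Constructed timeline (minutes from t=0) for one RADIUS user whose
    password pipe and OTP pipe both start with LockoutCheckValve."""
    state = LockoutState(lockout_login_attempts=3, lockout_time=60, lockout_login_window=30)
    user = "alice"
    outcomes = []

    def attempt(now, step, valid):
        if not state.check(user, now):           # LockoutCheckValve runs first
            outcomes.append(f"{step}: rejected: locked out")
        elif valid:                              # LDAPBindValve / OTPValidationValve
            state.record_success(user)
            outcomes.append(f"{step}: ok")
        elif state.record_failure(user, now):
            outcomes.append(f"{step}: failed -> locked")
        else:
            outcomes.append(f"{step}: failed")

    attempt(0, "password", False)    # 1st failure
    attempt(10, "otp", False)        # 2nd failure, the OTP step shares the counter
    attempt(20, "password", False)   # 3rd failure inside 30 min -> locked
    attempt(25, "password", True)    # correct password, but lock still active
    attempt(81, "password", True)    # lockout_time (60 min) has passed
    return outcomes


def spread_out_failures():
    """Three failures at 0, 20 and 40 minutes with a 30 minute window: the
    first has aged out by the third, so no lockout is triggered."""
    state = LockoutState(lockout_login_attempts=3, lockout_time=60, lockout_login_window=30)
    locked = False
    for t in (0, 20, 40):
        if state.check("bob", t):
            locked = state.record_failure("bob", t)
    return locked


if __name__ == "__main__":
    for line in radius_scenario():
        print(line)
    print("spread-out failures lock the account:", spread_out_failures())
```

Running the module prints the five outcomes of the RADIUS timeline, including the correct password at minute 25 being rejected by the check valve while the lock is active, and shows that three failures spread over 40 minutes do not lock the account when the window is 30 minutes.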

Example: User lockout on RADIUS username & password scenario

This example assumes that there is already configuration in place for RADIUS username & password.

Start by choosing the 'Execution flow' tab on the scenario. This is where we will add additional configuration to support user lockout. 

Click the 'Add valve' button and add the LockoutCheckValve to the configuration.

Click the 'Enabled' checkbox to make the valve runnable.

This valve must be the first valve in every pipe it is added to (both the username/password pipe and the OTP validation pipe). Drag and drop the valve into place.

Expand the valve and add the parameter 'userid_param_name' with the value '{{request.User-Name}}'.

Next, expand the LDAPBindValve and add the following parameters and values:

      "userid_param_name" : "{{request.User-Name}}",
      "lockout_enabled" : "true",
      "lockout_login_attempts" : "3",
      "lockout_time" : "60",
      "lockout_login_window" : "30"

Click the 'Save' button. After a couple of seconds the new configuration is in use and can be tested.