The 30 incorrect attempts can be configured in vas.conf. In older versions of QAS this value defaulted to 5. Also, although by default cached credentials never expire an expiration period can be set as well. These are the relevant vas.conf options.
password-cache-age = <integer (days)>
Default value: 0
QAS allows disconnected mode authentication with locally cached password hashes. These hashes are cached anytime a user logs in, but they are only good for a limited amount of time. Every 24
hours vasd will check all hashes in the authentication cache. If any of these hashes have a time stamp older than the password-cache-age, they are removed from the authentication cache and
disconnected authentication will fail for that user. The password-cache age is specified in days. For example, to change the password-cache age to 5 days, change the option as follows:
[vas_auth]
password-cache-age = 5
bad-password-max = <integer>
Default value: 5
When QAS handles disconnected authentication, it enforces its own internal password policy on invalid login attempts in order to prevent brute-force attacks on passwords in disconnected mode. If
a user has the configured number of consecutive failed login attempts, then the QAS authentication modules will delete their cached authentication credentials. This will completely disable
disconnected authentication for the given user. This option applies to both normal disconnected authentication and persistent disconnected authentication. To set the maximum number of invalid
authentication attempts to 10, do the following:
[vas_auth]
bad-password-max =10