How do you disable maxfail

Me again! I can’t seem to find away to disable the lockout policy. How do I disable lockouts on failed attempts? It appears that the vpn client being used will try to reconnect from sleep using the old otp. I know I can cache the authentication, but Id prefer to deny access. In my case the fail counter goes up and then eventually locks out the user. I did notice I can clear the counter after x minutes. Is that the only option?

nevermind. it looks like Automatically clearing Failcounter timeout will work.