How do I renew expired SSL VPN password on AD using FortiAuthenticator?

This article describes how to renew the password of a user whose Active Directory (AD) password has expired, using FortiGate and FortiAuthenticator.

Domain

FortiAuthenticator, FortiGate.

Solution

It is assumed that SSL VPN authentication already works between FortiGate and FortiAuthenticator. For password renewal it is mandatory to use MSCHAPv2 on both FortiGate and FortiAuthenticator.

To renew the password, FortiAuthenticator must be able to join the domain and use LDAPS.

To enable FortiAuthenticator to join AD, follow the KB article below, and make sure 'Use Windows AD Domain Authentication' is enabled in the RADIUS policy.
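The FortiGate side of the prerequisites above (RADIUS server pointing at FortiAuthenticator, MSCHAPv2 as the authentication method, password renewal enabled) looks like the following in the FortiOS CLI. This is an added example and not configuration taken from the article: the object names "FAC-RADIUS" and "SSLVPN-AD-Users", the server address 192.0.2.10 and the shared secret are placeholders to replace with your own values.

```fortios
# Added example: RADIUS server object for FortiAuthenticator.
# Names, address and secret below are placeholders, not values from the article.
config user radius
    edit "FAC-RADIUS"
        set server "192.0.2.10"
        set secret <shared-secret>
        # MSCHAPv2 is required for the expired-password change to be possible
        set auth-type ms_chap_v2
        # lets the user set a new password when RADIUS reports it as expired
        set password-renewal enable
    next
end

# User group referenced by the SSL VPN portal mapping and firewall policy
config user group
    edit "SSLVPN-AD-Users"
        set member "FAC-RADIUS"
    next
end
```

With `auth-type` left at `auto`, FortiGate may fall back to PAP or CHAP, which cannot carry the password change, so set it explicitly. To confirm the RADIUS path before testing from the portal, the server object can be exercised from the CLI with `diagnose test authserver radius FAC-RADIUS mschap2 <user> <password>`; the "must change password" condition then shows up in the FortiAuthenticator RADIUS debug log described later in the article.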

On the AD side, set the user account's password to expired, or select 'User must change password at next logon'.

From the SSL VPN web portal, try to log in with the username and password.

You will be prompted that the password has expired; then enter a new password.

After the change, the user authenticates successfully. This can be verified from the debug logs on FortiAuthenticator: open https:///debug and download the RADIUS authentication log.

From the debug logs, it is possible to see that a user password change is required. The change is carried out via MSCHAPv2 through the ntlm_auth helper, and the password change succeeds.
