Domain
FortiAuthenticator, FortiGate.
Solution
This article assumes that SSL VPN authentication between FortiGate and FortiAuthenticator is already working. For password renewal, it is mandatory to use MSCHAPv2 on both FortiGate and FortiAuthenticator.
To renew the password, FortiAuthenticator must be able to join the domain and must use LDAPS.
To enable FortiAuthenticator to join AD, follow the KB article below and make sure “Use Windows AD Domain Authentication” is enabled in the RADIUS policy.
On the AD side, set a user account to expire and select ‘User must change password at next logon’.
From the SSL-VPN web portal, try to log in with the username and password.
You will be prompted that the password has expired; enter a new password.
After the change, the user authenticates successfully. This can be verified in the debug logs on FortiAuthenticator, https://
The debug logs show that a password change is required for the user. The change is carried out over MSCHAPv2 via the ntlm_auth helper and completes successfully.
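As an added example, not taken from this KB article, the FortiGate-side settings the flow above depends on, in FortiOS CLI syntax: the RADIUS server object pointing at FortiAuthenticator with `auth-type ms_chap_v2` and `password-renewal enable`, a user group that the SSL VPN authentication rule can reference, and a `diagnose test authserver` check that exercises the RADIUS exchange from the FortiGate before testing through the portal. The server name, group name, IP address and shared secret are placeholders; the FortiAuthenticator-side RADIUS policy (“Use Windows AD Domain Authentication”) is configured in its GUI and is not shown here.

```fortios
# Added example, not from the KB article. All names, the IP address and the
# secret are placeholders; replace them with the values of your deployment.
config user radius
    edit "FAC-RADIUS"                  # placeholder name for the FortiAuthenticator server
        set server "192.0.2.10"        # placeholder: FortiAuthenticator IP address
        set secret "<shared-secret>"   # placeholder: must match the RADIUS client on FortiAuthenticator
        set auth-type ms_chap_v2       # mandatory: MSCHAPv2 is the only method that carries the password change
        set password-renewal enable    # lets the SSL VPN portal prompt the user for a new password
    next
end

# Group referenced by the SSL VPN authentication rule and firewall policy
config user group
    edit "SSLVPN-FAC"                  # placeholder group name
        set member "FAC-RADIUS"
    next
end

# Check the MSCHAPv2 exchange from the FortiGate CLI. For an account flagged
# "User must change password at next logon", the result reflects the required
# change; compare it with the FortiAuthenticator debug log described above.
diagnose test authserver radius FAC-RADIUS mschap2 <username> <password>
```

If `auth-type` is left at a PAP or CHAP setting, `password-renewal` has nothing to work with, because those methods cannot carry a change-password exchange; the portal then simply rejects the expired credentials. Keep the FortiAuthenticator debug log open while running the `diagnose` command so that a failure can be attributed to the RADIUS side (secret, client definition) or to the domain side (join state, LDAPS) rather than to the portal.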