jhussain_FTNT, Staff
August 8, 2019

Technical Tip: Password expiration policy for SSL VPN local user


Description

This article describes how to configure a password expiration period and an expiry warning for users in the local user database used by SSL VPN.

Scope

FortiGate.

Solution

To require SSL VPN users in the local user database to change their password before it expires:

The password policy sets the password renewal frequency (every 2 days, for instance) and the warning that is normally shown the day before the expiry date. A password policy can be applied to the password of any local user.

The password policy cannot be applied to a user group, or to a local user that authenticates against a remote server (LDAP/RADIUS/TACACS+).

In FortiOS 7.0, users are warned according to the configured warn-days and must renew their password before it expires, as determined by the expire-days value in the password policy. Once the password has expired, the user cannot renew it and needs to contact the FortiGate administrator for assistance.

In FortiOS 6.2, users are warned one day before the password's expiry date and have one day to renew it. Once the password has expired, the user cannot renew it and needs to contact the FortiGate administrator for assistance.

In FortiOS 6.0/5.6, users are warned one day before the password's expiry date. Users can still renew the password even after it has expired.


Configure and assign the password policy using the CLI:

The following commands configure a password policy that includes an expiry period and a warning time.

config user password-policy
    edit "pwpolicy1"          <----- Password policy name.
        set expire-days 5     <----- Password expiry period. (The default value is 180 days.)
        set warn-days 3       <----- Warning notification for a password that is about to expire. (The default value is 15 days.)
        set expired-password-renewal disable  <----- If this option is left enabled, the end user can still renew the password after it has expired, without depending on a FortiGate administrator.
    next
end

 

In FortiOS 7.4.0 and above, 'expire-status' is disabled by default under the password-policy configuration and has to be enabled manually:

config user password-policy
    edit "pwpolicy1"
        set expire-status enable    <----- Disabled by default. To use this feature, enable this option.
    next
end

Assign the password policy to the newly created user:

config user local
    edit "sslvpnuser1"     <----- Local username.
        set type password
        set passwd-policy "pwpolicy1"    <----- Apply the password policy.
        set passwd-time 2021-11-26 22:46:15    <----- Start time for the password: the time at which the user was created.
        set passwd xyz    <----- Password.
    next
end

 

Once the user enters the warn-days window, the prompt below is shown when connecting to SSL VPN with the old username and password, and the user is redirected to enter a new password.

[Figure: FortiClient password change prompt (KB-forticlient password change.PNG)]

Once the user changes the password, 'passwd-time' is updated again:

 

config user local
    edit "sslvpnuser1"
        set type password
        set passwd-policy "pwpolicy1"
        set passwd-time 2021-11-30 23:34:30  <----- passwd-time has been changed.
        set passwd ENC +sddai212=
    next
end
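As an added example (not part of this tip or FortiOS itself), the following Python script parses a `config user password-policy` / `config user local` listing in the layout shown above and reports, for a given point in time, whether each local user is still fine, inside the warning window, or already expired. The sample configuration is constructed from the values in this tip, and it assumes that expiry is passwd-time plus expire-days and that the warning opens warn-days before that instant.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # passwd-time layout as printed by the FortiGate CLI

# Constructed sample in the CLI layout shown in this tip (annotations removed).
SAMPLE_CONFIG = """\
config user password-policy
    edit "pwpolicy1"
        set expire-days 5
        set warn-days 3
    next
end
config user local
    edit "sslvpnuser1"
        set passwd-policy "pwpolicy1"
        set passwd-time 2021-11-26 22:46:15
    next
end
"""

def parse_config(text):
    """Parse config/edit/set/next/end blocks into {section: {name: {key: value}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next": entry = None
        elif line == "end": section = None
    return sections

def password_status(cfg, now):
    """Per-user 'no-policy'|'ok'|'warning'|'expired' at `now` (string in FMT). Assumption (not
    on the page): expiry = passwd-time + expire-days, warning opens warn-days before it."""
    now, policies, status = datetime.strptime(now, FMT), cfg.get("user password-policy", {}), {}
    for name, user in cfg.get("user local", {}).items():
        pol = policies.get(user.get("passwd-policy"))
        # 7.4.0+ ships expire-status disabled; an explicit 'disable' is honoured here.
        if pol is None or pol.get("expire-status") == "disable":
            status[name] = "no-policy"
            continue
        set_at = datetime.strptime(user["passwd-time"], FMT)
        expires = set_at + timedelta(days=int(pol.get("expire-days", 180)))  # default 180 per the tip
        warn_from = expires - timedelta(days=int(pol.get("warn-days", 15)))  # default 15 per the tip
        status[name] = "expired" if now >= expires else "warning" if now >= warn_from else "ok"
    return status
```

Feeding it the output of `show user password-policy` and `show user local` from a FortiGate gives a quick inventory of accounts that are about to lock out and will need administrator help if expired-password-renewal is disabled.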

 

Notes:

  • Currently, password renewal for local users is not supported when using dial-up IPsec VPN.
  • In FortiOS v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN', as explained in Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.
  • It is not possible to change passwd-time manually from the CLI or the GUI; it is set when the password is set for the local user.