make
New Member
September 14, 2017
Solved

FortiAuthenticator LDAP auth and password change over SSL VPN


Hello guys!

I already implemented a solution with FortiGate and LDAP (via LDAPS) in which it's possible for users to change their password with the SSL VPN Client if it has expired, so I hope there is a FortiAuthenticator solution.

config user ldap
    edit <server_name>
        set password-expiry-warning {disable | enable}
        set password-renewal {disable | enable}
        ...
    next
end

I'm searching for a solution in which the same is possible, but the FortiGate isn't connected to an LDAP server; instead it is connected to a FortiAuthenticator via RADIUS (dynamic FortiToken Mobile assigning), which gets the user information from the LDAP server (via LDAPS). I only found the Self Service Portal, which provides this feature, but this doesn't meet the customer's expectations.

Do you have any experience with this? Thank you.

Best answer by mwojcicki



xsilver_FTNT
Staff
September 18, 2017

Hi Maxmilian

That should work for SSL VPN terminated on FGT as well.

If LDAP has, for example, set that the user has to change their password at next logon, it should propagate to FAC and then via RADIUS challenge requests to the RADIUS client (FGT) and on to the actual client/user.

This should work since roughly FAC 4.2.1 and FGT 5.4.4.

RADIUS should be MSCHAPv2,

and FAC to LDAP with Kerberos (Windows Active Directory Domain Authentication) or LDAPS.

mwojcicki
New Member
March 12, 2019

Dear xsilver_FTNT

I have the same situation as in this topic.

I have FAC (5.5.0) connected via LDAPS to AD.

FAC is the RADIUS server for FGT (6.0.2) - MSCHAPv2.

SSL VPN users are connecting to FGT, which takes credentials from the FAC RADIUS server (and FAC takes them via LDAPS from AD).

Normal users with a still-valid password can establish a VPN connection and everything works fine.

Users with an expired password have to change their password, but instead of the password change form in FortiClient I get an error about wrong credentials.

I know the password change form should be displayed, because when I used LDAP authentication on FGT (FGT connected to AD directly without FAC), it works.

As I said, I get a wrong credentials error in FortiClient, but FAC is aware of the need to change the password, because I see that in the FAC logs:

1. Windows AD user authentication(mschap) with no token failed: user password change required

and from the /debug logs:

1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)

2. Remote Windows AD user password reset required

3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required

Do you know what may be the problem that I cannot change the password in this setup? I would appreciate any help.

The problem is solved: I just had to set password-renewal in the RADIUS configuration on FGT...
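The fix mwojcicki arrived at, written out as FortiGate CLI: the same password-renewal option the original post shows under config user ldap, applied to the config user radius object that points at FortiAuthenticator. This is an added example, not configuration posted in the thread; the object name "FAC", the server address and the shared secret are placeholders.

```fortios
# Added example, not configuration from the thread. "FAC", the address and the
# shared secret are placeholders for the real FortiAuthenticator values.
config user radius
    edit "FAC"
        # Placeholder FortiAuthenticator address and RADIUS shared secret
        # (must match the RADIUS client entry defined on the FAC).
        set server "192.0.2.10"
        set secret "<shared-secret>"
        # MSCHAPv2, as the thread states; this is the method that carries the
        # change-password exchange back to the SSL VPN client.
        set auth-type ms_chap_v2
        # Disabled by default. With it disabled, the FAC result
        # "user password change required" shows up in FortiClient as a plain
        # wrong-credentials error; enabling it gives the user the
        # change-password form instead.
        set password-renewal enable
    next
end
```

The "FAC" object still has to be a member of the user group bound to the SSL VPN portal and policy, exactly as an LDAP server object would be.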

ISAC_
Explorer
February 9, 2022

Hi,

I can't connect via FAC - LDAPS to AD. I can't connect FGT to the RADIUS server (FAC) with MSCHAPv2. The LDAP connection and the default RADIUS authentication method are OK. Could you help me please?

smontys
New Member
July 6, 2022

Hi everybody. Same setup here:

  • FAC (6.1.2) connected via LDAPS to AD and domain joined
  • FAC as RADIUS server to FGT (7.0.6) - MSCHAPv2
  • set password-expiry-warning and set password-renewal enabled at FGT LDAP
  • Use Windows AD domain authentication enabled at FAC RADIUS policy
  • SSL VPN users are connecting to FGT, which takes credentials from the FAC RADIUS server (and FAC takes them via LDAPS from AD).

Users are not able to change their passwords. FAC prompts for a password change, but after entering the new one (complying with the password policies) it prompts for a password change again.

If we uncheck 'user need to change password' at AD, the user can log in to FAC (user portal), and when trying to change the password from there (My account, User, Change password) he gets an 'incorrect old password' message. Logs at FAC show the following message (ID 868489):

Wrong Password. User name and old password cannot be successfully verified.

We have checked the CA/AD server certs and they are OK.

Looking for LDAP or RADIUS errors at https://facIP/debug, nothing relevant. Nor in the AD server event viewer.

Need help to diagnose that.

Thanks in advance.

Regards.

EDIT: I forgot to mention that when a user tries to log in at the VPN portal with an expired password, it prompts for a password change with no token prompt (but it is sent), and when trying to change it, he gets a 'permission denied' error.

EDIT 2: this setup was working fine some time ago, and the only thing that is different is the FGT version, updated to v7 in April.