AEK
SuperUser
June 4, 2026
Solved

user password must be changed before logging on the first time

  • June 4, 2026
  • 3 replies
  • 141 views

Hello Wi-Fi admins

This tech tip explains how to allow a VPN user to change his LDAP password when it expires.

I tried to do the same for my Wi-Fi (managed FortiAP), with the same config as described on the FGT and FAC, but when a user with an expired password tries to connect it just fails to connect, and FAC shows the following message.

Windows AD user authentication from (null) (mschap) with no token failed: user password change requiredThe user password must be changed before logging on the first time. (0xc0000224)

Any idea what I might have missed?

Best answer by ebilcari

3 replies

ebilcari
Staff
June 5, 2026

Have you checked the requirements shown in this article:


Emirjon
AEK
SuperUser (Author)
June 5, 2026

Thanks for your feedback, Emirjon.

Yes, I already checked the prerequisites in the doc (NTP, MS-CHAPv2, FAC uses LDAPS, FAC joined to the AD domain, etc.).

Here is the current status.

  • It works with VPN: when a user has an expired password, he is prompted to change it before connecting.
  • It works if WiFi authentication uses Windows NPS directly.
  • It doesn’t work if WiFi authentication uses FAC.

Actually, in all the tech tips they never mention changing an expired password for WiFi users. They mention only VPN and portal.

It reminds me of the FNAC case: when we use FNAC’s local RADIUS, the WiFi user is not prompted to change his expired password even if FNAC joins the domain. I remember it was a limitation. So is it simply not feasible? I am starting to suspect that we cannot achieve this due to some limitation or some security constraint. Is that possible?

AEK
ebilcari
Staff (Answer)
June 7, 2026

For FNAC yes, it is not supported and there is an active NFR to add support for it. For FAC, I thought that it was supported, but it appears that password reset via the 802.1X supplicant is not mentioned as supported either. For NPS it may be easier since Microsoft covers both ends :).

Emirjon
AEK
SuperUser (Author)
June 7, 2026

Thanks for your feedback, Emirjon.

At least now I know that it is not supported. Just in case one day you hear that Fortinet added the feature in FNAC or in FAC, I’d appreciate it if you let me know, since this is very interesting for me.

AEK
AEK
SuperUser (Author)
June 5, 2026

Here are some relevant FAC debug logs when changing an expired password (VPN & WiFi).


VPN:

2026-06-04T15:44:49.746252+01:00 FortiAuthenticator radiusd[7873]: (0) mschap: ERROR: Program returned code (1) and output 'The user password must be changed before logging on the first time. (0xc0000224)'
2026-06-04T15:44:49.746398+01:00 FortiAuthenticator radiusd[7873]: (0) mschap: ERROR: Password has expired.  User should retry authentication
2026-06-04T15:44:49.746755+01:00 FortiAuthenticator radiusd[7873]: (0) facauth: MS-CHAP-Error: \213E=648 R=0 C=c54c4d233fc98b929182aebeeb9a54e8 V=3 M=Password expired
2026-06-04T15:44:49.746772+01:00 FortiAuthenticator radiusd[7873]: (0) facauth: Remote Windows AD user password reset required
...
2026-06-04T15:44:50.754180+01:00 FortiAuthenticator radiusd[7873]: (0) Sent Access-Reject Id 9 from x.x.x.35:1812 to x.x.x.2:4663 length 114
2026-06-04T15:44:50.754256+01:00 FortiAuthenticator radiusd[7873]: (0)   Message-Authenticator := 0x00
2026-06-04T15:44:50.754303+01:00 FortiAuthenticator radiusd[7873]: (0)   MS-CHAP-Error = "\213E=648 R=0 C=c54c4d233fc98b929182aebeeb9a54e8 V=3 M=Password expired"
...
2026-06-04T15:45:05.993040+01:00 FortiAuthenticator radiusd[7873]: (1) Received Access-Request Id 10 from x.x.x.2:20348 to x.x.x.35:1812 length 765
2026-06-04T15:45:05.993060+01:00 FortiAuthenticator radiusd[7873]: (1)   NAS-Identifier = "fgt"
2026-06-04T15:45:05.993073+01:00 FortiAuthenticator radiusd[7873]: (1)   User-Name = "DOM\\ad-user1"
2026-06-04T15:45:05.993087+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP-Challenge = 0xc54c4d233fc98b929182aebeeb9a54e8
2026-06-04T15:45:05.993110+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP-NT-Enc-PW = xxx
2026-06-04T15:45:05.993135+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP-NT-Enc-PW = xxx
2026-06-04T15:45:05.993148+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP-NT-Enc-PW = xxx
2026-06-04T15:45:05.993163+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP2-CPW = xxx
...
2026-06-04T15:45:05.998439+01:00 FortiAuthenticator radiusd[7873]: (1) mschap: MS-CHAPv2 password change request received
2026-06-04T15:45:05.998453+01:00 FortiAuthenticator radiusd[7873]: (1) mschap: Doing MS-CHAPv2 password change via ntlm_auth helper
2026-06-04T15:45:06.314181+01:00 FortiAuthenticator radiusd[7873]: (1) mschap: Password change successful
...
2026-06-04T15:45:06.554222+01:00 FortiAuthenticator radiusd[7873]: (1) facauth: Remote Windows AD user authenticated
2026-06-04T15:45:06.554295+01:00 FortiAuthenticator radiusd[7873]: (1) facauth: Authentication OK


WiFi:

2026-06-04T15:37:26.218281+01:00 FortiAuthenticator radiusd[6756]: (5) mschap: ERROR: Program returned code (1) and output 'The user password must be changed before logging on the first time. (0xc0000224)'
2026-06-04T15:37:26.218431+01:00 FortiAuthenticator radiusd[6756]: (5) mschap: ERROR: Password has expired.  User should retry authentication
2026-06-04T15:37:26.218537+01:00 FortiAuthenticator radiusd[6756]: (5) facauth: MS-CHAP-Error: \327E=648 R=0 C=820f891d74bbe32b065314e5592302e3 V=3 M=Password expired 
2026-06-04T15:37:26.218554+01:00 FortiAuthenticator radiusd[6756]: (5) facauth: Remote Windows AD user password reset required 
...
2026-06-04T15:37:26.219904+01:00 FortiAuthenticator radiusd[6756]: (5) Sent Access-Challenge Id 110 from x.x.x.35:1812 to x.x.x.2:17806 length 97
2026-06-04T15:37:26.219942+01:00 FortiAuthenticator radiusd[6756]: (5)   EAP-Message = xxx
2026-06-04T15:37:26.219958+01:00 FortiAuthenticator radiusd[6756]: (5)   Message-Authenticator = xxx
2026-06-04T15:37:26.219974+01:00 FortiAuthenticator radiusd[6756]: (5)   State = xxx
2026-06-04T15:37:26.226495+01:00 FortiAuthenticator radiusd[6756]: (6) Received Access-Request Id 111 from x.x.x.2:17806 to x.x.x.35:1812 length 319
2026-06-04T15:37:26.226538+01:00 FortiAuthenticator radiusd[6756]: (6)   User-Name = "DOM\\ad-user1"
2026-06-04T15:37:26.226559+01:00 FortiAuthenticator radiusd[6756]: (6)   NAS-IP-Address = x.x.x.2
2026-06-04T15:37:26.226574+01:00 FortiAuthenticator radiusd[6756]: (6)   NAS-Identifier = "x.x.x.20/5246-w2"
2026-06-04T15:37:26.226662+01:00 FortiAuthenticator radiusd[6756]: (6)   Fortinet-AP-Name = "FP221Exxx"
2026-06-04T15:37:26.226703+01:00 FortiAuthenticator radiusd[6756]: (6)   Acct-Session-Id = "6A2020640000033B"
2026-06-04T15:37:26.226717+01:00 FortiAuthenticator radiusd[6756]: (6)   Acct-Multi-Session-Id = "243D4E4678315064"
2026-06-04T15:37:26.226774+01:00 FortiAuthenticator radiusd[6756]: (6)   Framed-MTU = 1400
2026-06-04T15:37:26.226789+01:00 FortiAuthenticator radiusd[6756]: (6)   EAP-Message = xxx
...
2026-06-04T15:37:26.227156+01:00 FortiAuthenticator radiusd[6756]: (6) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
...
2026-06-04T15:37:27.230048+01:00 FortiAuthenticator radiusd[6756]: (6) Sent Access-Reject Id 111 from x.x.x.35:1812 to x.x.x.2:17806 length 44
2026-06-04T15:37:27.230088+01:00 FortiAuthenticator radiusd[6756]: (6)   Message-Authenticator := 0x00
2026-06-04T15:37:27.230101+01:00 FortiAuthenticator radiusd[6756]: (6)   EAP-Message = 0x04d80004

AEK
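As an added example for this thread (not FortiAuthenticator or Fortinet code), the following Python correlates radiusd debug lines like the ones posted above. It decodes the MS-CHAP-Error failure string (RFC 2759: E=648 is ERROR_PASSWD_EXPIRED, R=0 means no retry is allowed, C= is the authenticator challenge) and then checks, for every expired-password rejection, whether a later request in the same radiusd process carried an MS-CHAPv2 change-password request echoing that same challenge, and whether the change succeeded. The regexes, the attribute names and message texts, and the sample log are all assumptions modelled on the lines quoted in this thread rather than taken from product documentation; the sample log below is constructed.

```python
"""Correlate FortiAuthenticator radiusd debug output for the MS-CHAPv2
password-expired flow.  Added example, not FortiAuthenticator or Fortinet code;
the log layout and message texts are assumed from the lines quoted in the thread."""
import re

# MS-CHAPv2 Failure-packet codes (RFC 2759, section 6).
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "<timestamp> <host> radiusd[<pid>]: (<request>) <message>"  (assumed layout)
LINE_RE = re.compile(r"^\S+ \S+ radiusd\[(?P<pid>\d+)\]: \((?P<req>\d+)\)\s+(?P<msg>.*)$")
# Failure string carried in MS-CHAP-Error: E=<code> R=<0|1> C=<32 hex> V=<ver> M=<text>
MSCHAP_ERR_RE = re.compile(
    r'E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9a-fA-F]{32}) V=(?P<ver>\d+) M=(?P<text>[^"]*)')
CHALLENGE_ATTR_RE = re.compile(r"MS-CHAP-Challenge = 0x(?P<chal>[0-9a-fA-F]{32})")
SENT_RE = re.compile(r"Sent (?P<pkt>Access-(?:Accept|Reject|Challenge)) Id")


def parse_mschap_error(text):
    """Decode the E=/R=/C=/V=/M= failure string, or return None if absent."""
    m = MSCHAP_ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": m.group("chal").lower(),
        "message": m.group("text").strip(),
    }


def analyze_password_expiry(lines):
    """One record per request refused with ERROR_PASSWD_EXPIRED: the packet the
    server answered with, whether a change-password request echoing the same
    challenge followed in that radiusd process, and whether the change succeeded."""
    reqs = {}  # (pid, request number) -> per-request state
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "..." separators and anything not a radiusd line
        key = (m.group("pid"), int(m.group("req")))
        st = reqs.setdefault(key, {"error": None, "echoed_challenge": None,
                                   "change_requested": False, "change_ok": False,
                                   "sent": []})
        msg = m.group("msg")
        err = parse_mschap_error(msg)
        if err:
            st["error"] = err
        c = CHALLENGE_ATTR_RE.search(msg)
        if c:
            st["echoed_challenge"] = c.group("chal").lower()
        if "password change request received" in msg:
            st["change_requested"] = True
        if "Password change successful" in msg:
            st["change_ok"] = True
        s = SENT_RE.search(msg)
        if s:
            st["sent"].append(s.group("pkt"))

    results = []
    for (pid, req), st in sorted(reqs.items()):
        err = st["error"]
        if not err or err["code"] != 648:
            continue
        # The change request must come later, from the same process, and echo C=.
        follow = next((k for k, o in sorted(reqs.items())
                       if k[0] == pid and k[1] > req and o["change_requested"]
                       and o["echoed_challenge"] == err["challenge"]), None)
        results.append({
            "request": req,
            "reply": st["sent"][-1] if st["sent"] else None,
            "change_requested": follow is not None,
            "change_succeeded": bool(follow and reqs[follow]["change_ok"]),
        })
    return results


# Constructed sample, modelled on the thread's VPN (pid 7873) and WiFi (pid 6756) excerpts.
SAMPLE_LOG = r"""
2026-06-04T15:44:49.746755+01:00 FortiAuthenticator radiusd[7873]: (0) facauth: MS-CHAP-Error: \213E=648 R=0 C=0123456789abcdef0123456789abcdef V=3 M=Password expired
2026-06-04T15:44:50.754180+01:00 FortiAuthenticator radiusd[7873]: (0) Sent Access-Reject Id 9 from 192.0.2.35:1812 to 192.0.2.2:4663 length 114
2026-06-04T15:45:05.993087+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP-Challenge = 0x0123456789abcdef0123456789abcdef
2026-06-04T15:45:05.993163+01:00 FortiAuthenticator radiusd[7873]: (1)   MS-CHAP2-CPW = xxx
2026-06-04T15:45:05.998439+01:00 FortiAuthenticator radiusd[7873]: (1) mschap: MS-CHAPv2 password change request received
2026-06-04T15:45:06.314181+01:00 FortiAuthenticator radiusd[7873]: (1) mschap: Password change successful
2026-06-04T15:45:06.554295+01:00 FortiAuthenticator radiusd[7873]: (1) facauth: Authentication OK
2026-06-04T15:37:26.218537+01:00 FortiAuthenticator radiusd[6756]: (5) facauth: MS-CHAP-Error: \327E=648 R=0 C=fedcba9876543210fedcba9876543210 V=3 M=Password expired
2026-06-04T15:37:26.219904+01:00 FortiAuthenticator radiusd[6756]: (5) Sent Access-Challenge Id 110 from 192.0.2.35:1812 to 192.0.2.2:17806 length 97
2026-06-04T15:37:26.227156+01:00 FortiAuthenticator radiusd[6756]: (6) eap_peap:   ERROR: The users session was previously rejected: returning reject (again.)
2026-06-04T15:37:27.230048+01:00 FortiAuthenticator radiusd[6756]: (6) Sent Access-Reject Id 111 from 192.0.2.35:1812 to 192.0.2.2:17806 length 44
"""

if __name__ == "__main__":
    for rec in analyze_password_expiry(SAMPLE_LOG.splitlines()):
        print(rec)
```

Run against the constructed sample, the VPN flow (request 0) shows the expected pattern of Access-Reject with E=648 followed by a change-password request that echoes the challenge and succeeds, while the WiFi flow (request 5) ends in an Access-Challenge inside PEAP and an Access-Reject with no change-password request ever arriving, which is the difference between the two excerpts above. The same correlation can be pointed at a full debug capture to count how many expired-password rejections are never followed by a password change, i.e. users who are locked out rather than prompted.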