FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Sheikh
Staff
Article Id 320656
Description

This article explains how to address two specific scenarios involving SSL VPN in FortiGate:

  1. A new domain account has been created with the option 'User must change password at first logon' enabled.
  2. The password of an existing domain user account has expired.

In both situations, end users may not have network access to the domain to change their passwords. They might be working from another site or from home, where SSL VPN is the only path to the domain and therefore the sole method for changing their LDAP passwords.

This article assumes the following configurations are already in place:

  • SSL VPN settings are configured in FortiGate.
  • A Certificate Authority is already configured. Any PKI solution can be used, for example Microsoft PKI or FortiAuthenticator.
Scope
  • Windows Active Directory Domain Controllers.
  • FortiGate - Any version
  • FortiClient or VPN access via a web browser
  • FortiAuthenticator - Any version
Solution

The Root CA certificate must also be imported into FortiGate. For details and a step-by-step procedure, see this article, which also covers changing an expired password, or a password at first logon, for an LDAP account using FortiClient or web-based SSL VPN.

To enable changing an expired LDAP password, or a password on first logon, the following conditions must be met:

  • Password renewal must be enabled in the FortiGate RADIUS server settings, and MS-CHAP-v2 must be selected as the authentication method. The new password is carried in the MS-CHAPv2 Change-Password exchange (RFC 2759), which is why the authentication method must be MS-CHAP-v2 rather than PAP or CHAP.
  • FortiAuthenticator must be joined to the domain.
  • The RADIUS policy in FortiAuthenticator must have PEAP enabled, and 'Use Windows AD Domain Authentication' must be enabled.
  • LDAPS must be configured between FortiAuthenticator and the domain controller.

(Diagram: SSLVPN-FAC-FGT-Password Change_2.drawio.png)

In this document, FortiAuthenticator is added as a RADIUS server in FortiGate, and FortiGate authenticates SSL VPN users against it over RADIUS.

Perform the following steps:

  1. Configure LDAPS and join FortiAuthenticator to the Windows domain.
  2. Import LDAP users/groups into FortiAuthenticator.
  3. Configure realms, the RADIUS client (FortiGate), and RADIUS policies and attributes.
  4. Add FortiAuthenticator as a RADIUS server in FortiGate.
  5. Configure FortiGate firewall groups and policies.
  6. Test and troubleshoot the LDAP account password change.
  7. General considerations.


Step 1 - Configure LDAPS and join FortiAuthenticator to the Windows domain.

To configure LDAPS in FortiAuthenticator, first import the Root CA and any Intermediate CA certificates into the 'Trusted CAs' list in FortiAuthenticator. Every CA in the chain must be present so that FortiAuthenticator can validate the domain controller's certificate up to the Root.

Log on to FortiAuthenticator -> expand Certificate Management -> Certificate Authorities -> Trusted CAs.

Next, select 'Import' to add the Root and any Intermediate CA certificates. In this document there is a single Root CA named 'Root_CA1'; other environments may have additional Intermediate CAs, and all of them must be added to the Trusted CAs list.

(Screenshot: FAC - CA list.png)

The next step is to select this CA in the LDAP server settings in FortiAuthenticator.

Log on to FortiAuthenticator -> expand Authentication -> Remote Auth. Servers -> LDAP -> select the LDAP server -> select Edit.

If there are no LDAP servers configured, select Create New to first create an LDAP server entry.

(Screenshot: Edit LDAP settings.png)

Fill in the required information. For reference, see the details below.

(Screenshot: LDAP and Domain Join.png)

Once the LDAP configuration is saved, return to the same server configuration and select Browse to check communication.

If the OU structure is visible, LDAPS communication with the domain controller on TCP/636 is working and the domain controller's certificate was accepted against the selected CA. If browsing fails, check the CA chain and the domain controller certificate described in the note below before looking at anything else.

(Screenshot: LDAP Browsing.png)

Note:

  • Ensure that the Root CA certificate is already in the domain controller's 'Trusted Root Certification Authorities' store.
  • The domain controller must also hold its own server certificate in its 'Personal' certificate store. This certificate must be issued by the same Certificate Authority that was imported into both the FortiAuthenticator 'Trusted CAs' list and the domain controller's 'Trusted Root Certification Authorities' store, it must carry the domain controller's FQDN (in the Subject CN or the Subject Alternative Name), and it must include the Server Authentication extended key usage; otherwise the domain controller does not offer LDAPS on TCP/636.

Root CA on the domain controller in 'Trusted Root Certification Authorities':

(Screenshot: ROOTCA- DC.png)

The domain controller certificate in the 'Personal' certificate store:

(Screenshot: DC Certificate - Personal Store.png)

Next, check the domain join status.

(Screenshot: FAC Domain Joined.png)

 

Step 2 - Import LDAP users/groups into FortiAuthenticator.

Expand Authentication -> User Management -> Remote Users -> select Import.

(Screenshot: Import LDAP users.png)

(Screenshot: Select LDAP groups.png)

Select the group(s) and select OK to import the users into FortiAuthenticator. Then open the imported group, set its 'RADIUS Attributes' (Fortinet-Group-Name = 'sslvpn' in this example; this is the value FortiGate matches on later) and select Save.

(Screenshot: LDAP group Name in FAC with Radius attributes.png)

 

Step 3 - Configure realms, the RADIUS client (FortiGate), and RADIUS policies and attributes.

Now, add FortiGate as a RADIUS client in FortiAuthenticator.

Expand Authentication -> RADIUS Service -> Clients.

Note:

The RADIUS shared secret must match on both sides (FortiGate and FortiAuthenticator). Use a long, random secret and do not reuse it across clients: it is the only thing that authenticates FortiGate to FortiAuthenticator, and it keys the protection of the attributes RADIUS does encrypt (such as the MS-MPPE keys in the Access-Accept). The MS-CHAPv2 challenge and response themselves travel in the clear inside RADIUS and can be cracked offline, so keep this traffic on a trusted network segment.

(Screenshot: FGT as Radius Client.png)

Next, create a Local Realm in FortiAuthenticator pointing to the LDAP server. FortiGate sends the bare username without a realm suffix, so make this realm the default; the debug output in Step 6 shows the effect ('Realm not specified, default goes to Windows AD').

(Screenshot: Realm.png)

After creating the realm, create a RADIUS policy that covers the FortiGate RADIUS client and the realm, and that includes the recently imported FortiAuthenticator group. In the authentication settings of the policy, enable PEAP and 'Use Windows AD Domain Authentication': this is what hands the MS-CHAPv2 exchange, including the password change, to the domain through the domain join.

Expand Authentication -> RADIUS Service -> Policies -> select Create New.

The policy should look something like this:

(Screenshot: Radius Policies.png)

(Screenshot: Identity Source.png)

(Screenshot: Radius Policies-2.png)

 

Step 4 - Add FortiAuthenticator as a RADIUS server in FortiGate.

Log in to FortiGate, expand User & Authentication -> RADIUS Servers, select Create New and fill in the required information. Set the authentication method to MS-CHAP-v2 and enable password renewal; the equivalent CLI and the resulting settings are shown below.

(Screenshot: FGT - Radius Server.png)

config user radius
    edit "FAC"
        set server "10.X.X.X"
        set secret ENC ocwDlXuMx70Jyieo0M0fgW1ulPeEmkeLEmLdeaWrlt23gUYpq9+7PMO6qjuvbyvwxQUDQ6fJBPHNY2vg32v/JVX8nqdURFS1OXwe6ObYI8wN395vKLPNxDyjLELPyFBHCU0K07QIhwm5eqJT9GzKaWBizbfAfozAwaHwqGmvd3tIUbIinG5LBkDJyKT65HYzq56wQg==
        set nas-ip 10.X.X.X
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end

get
name : FAC
server : 10.X.X.X
secret : *
timeout : 5
status-ttl : 300
all-usergroup : disable
use-management-vdom : disable
nas-ip : 10.X.X.X
nas-id-type : legacy
call-station-id-type: legacy
acct-interim-interval: 0
radius-coa : disable
radius-port : 0
h3c-compatibility : disable
auth-type : ms_chap_v2
source-ip :
username-case-sensitive: disable
group-override-attr-type:
class :
password-renewal : enable
password-encoding : auto
mac-username-delimiter: hyphen
mac-password-delimiter: hyphen
mac-case : lowercase
acct-all-servers : disable
switch-controller-acct-fast-framedip-detect: 2
interface-select-method: auto
switch-controller-service-type:
transport-protocol : udp
account-key-processing: same
account-key-cert-field: othername
rsso : disable
secondary-server :
secondary-secret : *
tertiary-server :
tertiary-secret : *
accounting-server:

 

Step 5 - Configure FortiGate firewall groups and policies.

Now create a firewall user group on FortiGate and add the 'FAC' RADIUS server to it as a remote member. In the member's group match, specify the Fortinet-Group-Name value FortiAuthenticator returns for the imported group ('sslvpn' here); giving the FortiGate group the same name keeps the two sides easy to correlate. Specify the group explicitly rather than matching 'Any', otherwise every AD user who authenticates successfully against FortiAuthenticator lands in this group and in the SSL VPN policy.

(Screenshot: FGT group from FAC.png)

The next step is to add this group 'sslvpn' to the firewall policies created for SSL VPN.

(Screenshot: Firewall Policy - FAC group.png)

 

Step 6 - Test and troubleshoot the LDAP account password change.

Now that the required configuration is done on the FortiGate and FortiAuthenticator, test SSL VPN with FortiClient and with the web-based portal.

For SSL VPN testing purposes, a test account named 'test1' has been set up on the domain controller with 'User must change password at next logon' enabled.

(Screenshot: Test1 LDAP account.png)

Enable debugging on FortiAuthenticator to see the RADIUS authentication debug logs for the SSL VPN connection:

https://Fortiauthenticator_IP/debug

(Screenshot: FAC Radius Debug.png)

(Screenshot: Debuggin mode Active.png)

Now, test the SSL VPN connection from FortiClient using the LDAP account 'test1'.

(Screenshot: FCt Pasword change.png)

Now, check the FortiAuthenticator RADIUS authentication debug logs. Two requests are visible. Request (2) is the initial logon: the domain refuses it with 0xc0000224 (STATUS_PASSWORD_MUST_CHANGE), FortiAuthenticator maps this to MS-CHAP-Error E=648 (ERROR_PASSWD_EXPIRED, RFC 2759) and sends an Access-Reject, which is the signal FortiGate uses to prompt the user for a new password. Request (3) is the MS-CHAPv2 change-password request carrying the new password; it is applied through the ntlm_auth helper and ends in an Access-Accept with the Fortinet-Group-Name attribute 'sslvpn'. The 'No NT-Domain was found in the User-Name' line in request (3) is not fatal here: the username was sent without a domain prefix and the default realm resolves it to Windows AD.


2024-06-14T17:09:36.017495+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Client type: external (subtype: radius)
2024-06-14T17:09:36.017507+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Input raw_username: test1 Realm: (null) username: test1
2024-06-14T17:09:36.017517+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Searching default realm as well
2024-06-14T17:09:36.017529+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Realm not specified, default goes to Windows AD, id: 6
2024-06-14T17:09:36.018423+02:00 FortiAuthenticator radiusd[982]: (2) facauth: LDAP user found: test1
2024-06-14T17:09:36.018441+02:00 FortiAuthenticator radiusd[982]: (2) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
2024-06-14T17:09:36.018454+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2024-06-14T17:09:36.018466+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
2024-06-14T17:09:36.018486+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Added Stripped-User-Name with value test1
2024-06-14T17:09:36.019364+02:00 FortiAuthenticator radiusd[982]: (2) facauth: # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-06-14T17:09:36.092260+02:00 FortiAuthenticator radiusd[982]: (2) mschap: ERROR: Program returned code (1) and output 'The user password must be changed before logging on the first time. (0xc0000224)'
2024-06-14T17:09:36.092417+02:00 FortiAuthenticator radiusd[982]: (2) mschap: ERROR: Password has expired. User should retry authentication
2024-06-14T17:09:36.092518+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Module-Failure-Message: mschap: Program returned code (1) and output 'The user password must be changed before logging on the first time. (0xc0000224)'
2024-06-14T17:09:36.092581+02:00 FortiAuthenticator radiusd[982]: (2) facauth: MS-CHAP-Error: \240E=648 R=0 C=57697ecc65eaaf0e7f82ca68a156279c V=3 M=Password expired
2024-06-14T17:09:36.092631+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Remote Windows AD user password reset required
2024-06-14T17:09:36.094662+02:00 FortiAuthenticator radiusd[982]: (2) facauth: update_fac_authlog:164 nas_str = 10.191.36.128~192.168.153.51.
2024-06-14T17:09:36.094872+02:00 FortiAuthenticator radiusd[982]: (2) facauth: Updated auth log 'test1' for attempt from 10.191.36.128~192.168.153.51: Windows AD user authentication from 192.168.153.51 (mschap) with no token failed: user password change requiredThe user password must be changed before logging on the first time. (0xc0000224)
2024-06-14T17:09:36.094977+02:00 FortiAuthenticator radiusd[982]: (2) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-06-14T17:09:36.349831+02:00 FortiAuthenticator radiusd[982]: Waking up in 0.7 seconds.
2024-06-14T17:09:37.097801+02:00 FortiAuthenticator radiusd[982]: (2) Sent Access-Reject Id 120 from 10.191.36.116:1812 to 10.191.36.128:17134 length 96
2024-06-14T17:09:37.097837+02:00 FortiAuthenticator radiusd[982]: (2) MS-CHAP-Error = "\240E=648 R=0 C=57697ecc65eaaf0e7f82ca68a156279c V=3 M=Password expired"
2024-06-14T17:09:37.097943+02:00 FortiAuthenticator radiusd[982]: Waking up in 4.2 seconds.

.

.

2024-06-14T17:09:59.850645+02:00 FortiAuthenticator radiusd[982]: (3) facauth: # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-06-14T17:09:59.850684+02:00 FortiAuthenticator radiusd[982]: (3) mschap: MS-CHAPv2 password change request received
2024-06-14T17:09:59.850696+02:00 FortiAuthenticator radiusd[982]: (3) mschap: Doing MS-CHAPv2 password change via ntlm_auth helper
2024-06-14T17:09:59.853997+02:00 FortiAuthenticator radiusd[982]: (3) mschap: ERROR: No NT-Domain was found in the User-Name
2024-06-14T17:10:00.012422+02:00 FortiAuthenticator radiusd[982]: (3) mschap: Password change successful
2024-06-14T17:10:00.084627+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Remote Windows AD user authenticated
2024-06-14T17:10:00.087133+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Authentication OK
2024-06-14T17:10:00.087213+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Setting 'Post-Auth-Type := FACAUTH'
2024-06-14T17:10:00.088676+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Add Static Radius attribute: attr_id:809762817 (attr 1, vendor 12356) attr_val:'sslvpn'
2024-06-14T17:10:00.090149+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Add Static Radius attribute: attr_id:809762817 (attr 1, vendor 12356) attr_val:'sslvpn'
2024-06-14T17:10:00.090228+02:00 FortiAuthenticator radiusd[982]: (3) facauth: update_fac_authlog:164 nas_str = 10.191.36.128~192.168.153.51.
2024-06-14T17:10:00.090282+02:00 FortiAuthenticator radiusd[982]: (3) facauth: Updated auth log 'test1' for attempt from 10.191.36.128~192.168.153.51: Windows AD user authentication from 192.168.153.51 (mschap) with no token successful
2024-06-14T17:10:00.090335+02:00 FortiAuthenticator radiusd[982]: (3) # Executing group from file /usr/etc/raddb/sites-enabled/default
2024-06-14T17:10:00.090449+02:00 FortiAuthenticator radiusd[982]: (3) Sent Access-Accept Id 121 from 10.191.36.116:1812 to 10.191.36.128:17134 length 207
2024-06-14T17:10:00.090459+02:00 FortiAuthenticator radiusd[982]: (3) MS-CHAP2-Success = 0xa0533d46443338423744323344424334434246353339333636464631444337464644353041373641464641
2024-06-14T17:10:00.090464+02:00 FortiAuthenticator radiusd[982]: (3) MS-MPPE-Recv-Key = <<< secret >>>
2024-06-14T17:10:00.090469+02:00 FortiAuthenticator radiusd[982]: (3) MS-MPPE-Send-Key = <<< secret >>>
2024-06-14T17:10:00.090476+02:00 FortiAuthenticator radiusd[982]: (3) MS-MPPE-Encryption-Policy = Encryption-Allowed
2024-06-14T17:10:00.090481+02:00 FortiAuthenticator radiusd[982]: (3) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
2024-06-14T17:10:00.090487+02:00 FortiAuthenticator radiusd[982]: (3) Fortinet-Group-Name += "sslvpn"
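The debug output above is easier to read when its lines are grouped by radiusd request id. The following script is an added example (it is not Fortinet code and does not ship with FortiAuthenticator): it groups lines by request id, decodes the MS-CHAP-Error attribute with the RFC 2759 error codes, and classifies each request, so that the two-leg flow (an Access-Reject carrying E=648, then an Access-Accept following the change-password request) can be told apart from an ordinary failure such as E=691. The sample input is taken from the debug lines above, trimmed to the ones the triage needs; the function and field names are the example's own.

```python
"""Triage of FortiAuthenticator radiusd debug output for the MS-CHAPv2 password-change flow.

Added example, not Fortinet code. It groups debug lines by radiusd request id (the "(2)",
"(3)" prefix), decodes the MS-CHAP-Error attribute using the RFC 2759 error codes, and
reports whether each request ended as a plain accept, a reject that tells the client to
change its password, or a reject for another reason.
"""
import re

# RFC 2759 section 6: error codes carried in the "E=" field of MS-CHAP-Error.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

REQ_ID = re.compile(r"radiusd\[\d+\]: \((\d+)\) ")
# Attribute value as radiusd prints it: an optional octal-escaped Ident byte ("\240" = 0xA0),
# then "E=<code> R=<retry> C=<challenge hex> V=<version> M=<message>".
MSCHAP_ERR = re.compile(
    r'(?:\\\d{3})?E=(?P<code>\d+) R=(?P<retry>\d) C=(?P<challenge>[0-9a-fA-F]+) '
    r'V=(?P<version>\d+) M=(?P<message>[^"]*)'
)
GROUP_ATTR = re.compile(r'Fortinet-Group-Name \+= "([^"]+)"')


def decode_mschap_error(text):
    """Return the decoded MS-CHAP-Error fields found in text, or None if there are none."""
    m = MSCHAP_ERR.search(text)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",  # R=1: client may retry the same password
        "message": m.group("message").strip(),
    }


def parse_requests(log_text):
    """Group debug lines by request id and collect the facts needed for a verdict."""
    requests = {}
    for line in log_text.splitlines():
        m = REQ_ID.search(line)
        if not m:
            continue  # e.g. "Waking up in 0.7 seconds." carries no request id
        req = requests.setdefault(int(m.group(1)), {
            "result": None, "mschap_error": None, "password_change": False, "groups": [],
        })
        if "Sent Access-Accept" in line:
            req["result"] = "Access-Accept"
        elif "Sent Access-Reject" in line:
            req["result"] = "Access-Reject"
        if "MS-CHAPv2 password change request received" in line:
            req["password_change"] = True
        if "MS-CHAP-Error" in line and req["mschap_error"] is None:
            req["mschap_error"] = decode_mschap_error(line)
        g = GROUP_ATTR.search(line)
        if g:
            req["groups"].append(g.group(1))
    return requests


def classify(req):
    """Map one parsed request to a practitioner-facing verdict."""
    err = req["mschap_error"]
    if req["result"] == "Access-Reject" and err and err["code"] == 648:
        # Expected first leg: the DC refused the logon; FortiGate must now prompt for a new
        # password and send the MS-CHAPv2 Change-Password request (needs password renewal).
        return "password-change-required"
    if req["result"] == "Access-Reject":
        return "rejected:" + (err["name"] if err else "no MS-CHAP-Error")
    if req["result"] == "Access-Accept" and req["password_change"]:
        return "password-changed-and-accepted"
    if req["result"] == "Access-Accept":
        return "accepted"
    return "incomplete"  # no Access-Accept/Reject line seen for this request id


def summarize(log_text):
    """Return {request_id: verdict} for every request in the debug output."""
    return {rid: classify(req) for rid, req in sorted(parse_requests(log_text).items())}


# Lines taken from the debug output above, trimmed to the ones the triage needs.
SAMPLE_LOG = r"""
2024-06-14T17:09:36.018423+02:00 FortiAuthenticator radiusd[982]: (2) facauth: LDAP user found: test1
2024-06-14T17:09:36.092581+02:00 FortiAuthenticator radiusd[982]: (2) facauth: MS-CHAP-Error: \240E=648 R=0 C=57697ecc65eaaf0e7f82ca68a156279c V=3 M=Password expired
2024-06-14T17:09:36.349831+02:00 FortiAuthenticator radiusd[982]: Waking up in 0.7 seconds.
2024-06-14T17:09:37.097801+02:00 FortiAuthenticator radiusd[982]: (2) Sent Access-Reject Id 120 from 10.191.36.116:1812 to 10.191.36.128:17134 length 96
2024-06-14T17:09:37.097837+02:00 FortiAuthenticator radiusd[982]: (2) MS-CHAP-Error = "\240E=648 R=0 C=57697ecc65eaaf0e7f82ca68a156279c V=3 M=Password expired"
2024-06-14T17:09:59.850684+02:00 FortiAuthenticator radiusd[982]: (3) mschap: MS-CHAPv2 password change request received
2024-06-14T17:10:00.012422+02:00 FortiAuthenticator radiusd[982]: (3) mschap: Password change successful
2024-06-14T17:10:00.090449+02:00 FortiAuthenticator radiusd[982]: (3) Sent Access-Accept Id 121 from 10.191.36.116:1812 to 10.191.36.128:17134 length 207
2024-06-14T17:10:00.090487+02:00 FortiAuthenticator radiusd[982]: (3) Fortinet-Group-Name += "sslvpn"
"""

if __name__ == "__main__":
    for rid, verdict in summarize(SAMPLE_LOG).items():
        print(f"request ({rid}): {verdict}")
```

Point summarize() at a saved copy of the debug page to triage real output. The 'R' flag of MS-CHAP-Error and the list of Fortinet-Group-Name values are kept on purpose: an Access-Accept with an empty groups list means the user authenticated but will not land in the 'sslvpn' firewall group, which is the usual cause of a successful password change followed by a policy denial.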

 

To check whether the password was changed in Active Directory, go to the domain controller, open the Run menu and type 'adsiedit.msc'.

Once it is opened, right-click 'ADSI Edit' and select 'Connect to', then select OK to connect. Expand Default naming context -> Domain name -> the OU containing the user, select user 'test1', right-click it and open 'Properties'. The 'pwdLastSet' attribute is 0 while 'User must change password at next logon' is set, and holds the time of the change afterwards.

(Screenshot: Password change in AD.png)

The password was changed on the domain controller through FortiClient. The same change can be made when connecting to SSL VPN from a web browser; the portal prompts for the new password and then confirms the change:

(Screenshot: Password change prompt from Web Browser.png)

(Screenshot: Succesful SSPVN pasword change Web Browser.png)

 

Step 7 - General considerations.

  • Since the users belong to a domain, Group Policy Objects (GPOs) with password policies usually apply. If the domain enforces a password history (for example the last 10 passwords), a change that reuses one of those passwords fails, so check the domain policy before assuming a FortiGate or FortiAuthenticator problem.
  • The password policy may also include minimum password length and complexity requirements, and a minimum password age. Ensure the new password meets them.
  • The LDAP bind account configured in the FortiAuthenticator LDAP settings must have sufficient permissions in Active Directory, especially read access to the Organizational Units (OUs) where the users are located. The password change itself is performed through the domain join (the ntlm_auth helper seen in the debug output), not through the bind account.
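A quick way to avoid a failed change because of the second point is to check the candidate password locally before the user submits it through SSL VPN. The following is an added example, not Fortinet or Microsoft code: it implements the documented rules of the Active Directory 'Password must meet complexity requirements' setting (at least six characters, three of the four common character categories, no samAccountName of three or more characters and no display-name fragment longer than two characters) together with the domain's minimum length, which is passed in. The samples around the 'test1' account are constructed. Password history and minimum password age can only be evaluated by the domain controller, so an empty result means the change will not be refused for length or complexity, not that it will succeed.

```python
"""Pre-check of a candidate password against the default Active Directory complexity filter.

Added example, not Fortinet or Microsoft code. Implements the documented rules of the
'Password must meet complexity requirements' policy: at least six characters, characters
from three of the four common categories (upper, lower, digit, non-alphanumeric), and no
samAccountName or display-name fragment longer than two characters. Windows also counts
case-less alphabetic Unicode letters as a category; this check leaves that out.
Password history and minimum password age are only enforced by the domain controller.
"""
import re

# Delimiters Windows uses to split the display name into tokens for the name check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(sam_account_name, display_name=""):
    """Return the case-folded name fragments a password may not contain."""
    tokens = set()
    if len(sam_account_name) >= 3:  # whole account name is checked, skipped if under 3 chars
        tokens.add(sam_account_name.lower())
    for token in NAME_DELIMITERS.split(display_name):
        if len(token) > 2:  # only fragments longer than two characters are checked
            tokens.add(token.lower())
    return tokens


def check_password(password, sam_account_name, display_name="", min_length=7):
    """Return the list of violations; an empty list means the filter would accept it.

    min_length defaults to 7, the Default Domain Policy value; pass the domain's own setting.
    """
    problems = []
    required = max(6, min_length)  # complexity itself demands 6, the policy may demand more
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if categories < 3:
        problems.append(f"only {categories} of 4 character categories")
    lowered = password.lower()
    for token in sorted(name_tokens(sam_account_name, display_name)):
        if token in lowered:
            problems.append(f"contains name fragment '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed candidates for the 'test1' account used in this article.
    for candidate in ["Winter2024!", "test1Rocks!9", "abcdefg1", "Tr0ub4dor&3"]:
        verdict = check_password(candidate, "test1", "Test User One") or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Run this on the help-desk side, or wire it into whatever front end collects the new password, so that the user is told about a length, category or name-fragment problem before the MS-CHAPv2 change-password request is sent and rejected by the domain.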

As per this article from Microsoft:

  • After a domain user successfully changes a password by using NTLM, the old password can still be used for network access for a user-definable time period (60 minutes by default). This behavior allows accounts, such as service accounts, that are logged on to multiple computers to access the network while the password change propagates. It also means that a password being rotated because it may have been exposed keeps working for NTLM network logons during that window.
  • To change the lifetime period of an old password, a registry value needs to be created on the domain controller: the REG_DWORD 'OldPasswordAllowedPeriod' under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, holding the lifetime in minutes.
  • Be careful when modifying the registry, as incorrect changes can cause serious problems.
