Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
rbraha
Staff
Staff

Created on ‎07-26-2023 07:53 AM Edited on ‎03-24-2025 08:04 AM By Moderator

Article Id 265819

Technical Tip: Password change for SSL VPN local users on FortiAuthenticator.

Description This article describes how to reset local users' password that resides on FortiAuthenticator database.
Scope FortiGate, FortiAuthenticator.
Solution

Let's presume that SSL VPN authentication is configured between FortiGate and FortiAuthenticator.

The configuration part is described in the below documentation:

Technical Tip: Guide to setting up FortiGate SSL-VPN with RADIUS authentication, remote LDAP tie-in ...

 

In this case, local user groups on FortiAuthenticator are used instead of remote LDAP users.

When creating a local user there is an option on FortiAuthenticator to 'Force change password on next logon'.

 

local user FAC.png

 

To be able to reset on the FortiGate side as Authentication Method should be used MS-CHAP-v2, using PAP will not be triggered to change the password on the next logon.

 

RADIUS Fgt.png

 

This is tested from Webmode of the SSL VPN link on FortiGate.

 

passw.png

 

It is possible to run the debug logs on the FortiGate CLI side :

 

diagnose debug application fnbamd -1

diagnose debug application sslvpn -1

diagnose debug enable 


[191:root:f9]sslvpn_authenticate_user:191 authenticate user: [genci]
[191:root:f9]sslvpn_authenticate_user:205 create fam state
[191:root:f9][fam_auth_send_req_internal:426] Groups sent to FNBAM:
[191:root:f9]group_desc[0].grpname = genci

 

root:f9]fam_auth_send_req:1007 task finished with 4
[570] __fnbamd_cfg_get_radius_list_by_group-Loading RADIUS server 'FAC' for usergroup 'genci' (4)

 

sent radius req to server 'FAC': fd=12, IP=x.x.x.x:1812) code=1 id=31 len=185 user="genci" using MS-CHAPv2

 

fnbamd_radius_auth_validate_pkt-RADIUS resp code 3
[424] extract_chap_error-CHAP err: E=648 R=0 C=0cf6fd4d20b660f535dcb65716d4c8fa V=3 M=Password Expired

 

auth_proc_resp:1359 fnbam_auth_update_result return: 2 (challenged)   <-- Challenged means that password was expired.

 

nbamd_radius_auth_validate_pkt-RADIUS resp code 2  <-- An access-accept has been granted.
[323] extract_success_vsas-FORTINET attr, type 1, val sales 

 

fnbamd_auth_handle_radius_result-->Result for radius svr 'FAC' 10.191.21.11(1) is 0
[1607] fnbam_user_auth_group_match-req id: 1831613320, server: FAC, local auth: 0, dn match: 0
[1576] __group_match-Group 'genci' passed group matching ---- group matched 

 

fam_auth_proc_resp:1359 fnbam_auth_update_result return: 0 (success)

:root:fb]fam_do_cb:667 fnbamd return auth success<-- Authentication success.

 

Related Articles:

Technical Tip: How to allow LDAP user to change password at first logon or renew expired password vi...

Technical Tip: How to allow an LDAP user to change password at first logon or renew an expired passw... 
5893
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.