Created on 01-16-2025 12:11 AM
Edited on 06-16-2025 12:00 AM
By Jean-Philippe_P
| Description | This article describes the issue where users cannot renew their password when connecting to the IPSec VPN using FortiClient. |
| Scope | FortiClient v7.4.1, v7.4.2, v7.2.6, v7.2.7. |
| Solution |
Administrators can enable password renewal for IPSec VPN users. With this setup, when the user's password expires while connecting to the IPSec VPN, FortiClient displays a prompt requiring the user to change the password.
This feature stopped working in FortiClient v7.4.1, v7.4.2, v7.2.6, and v7.2.7: the 'Password' field is cleared after the user provides the 'Answer' to change the password.
On the FortiGate, the debug log indicates that the user's password has expired and that the user needs to change the password before access is allowed:
[1286] fnbamd_rad_process-Result from radius svr 'FAC' is 2, req 41090098876427
However, because the user cannot proceed to change the password given the above error, the IKE process is terminated due to a timeout while waiting for the user to complete the challenge:
[2960] handle_challenge_timeout-Session expired waiting for challenge
The issue occurs only when the remote authentication server is configured as a RADIUS server. It does not occur when the remote authentication server is configured as an LDAP server. This behavior is reported as a GUI bug with bug ID 1099714. The bug has been resolved in FortiClient v7.2.9 and v7.4.3. |
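The following triage helper is an added example, not Fortinet code: it scans a saved FortiGate debug capture for the two log lines quoted above and checks the client version against the affected list. It assumes a single-session capture, and treating RADIUS result code 2 as the password-change challenge is an assumption based on the log line shown in this article; the function names are hypothetical.

```python
import re

# Patterns copied from the two FortiGate debug lines quoted in the article.
RADIUS_RESULT = re.compile(
    r"fnbamd_rad_process-Result from radius svr '([^']+)' is (\d+), req (\d+)")
CHALLENGE_TIMEOUT = "handle_challenge_timeout-Session expired waiting for challenge"

# Affected FortiClient versions from the article's Scope row.
AFFECTED = {(7, 2, 6), (7, 2, 7), (7, 4, 1), (7, 4, 2)}
# Assumption: result code 2 (the value in the article's log line) marks the
# password-change challenge; any other code is treated as unrelated.
CHALLENGE_CODE = 2


def parse_version(text):
    """Turn 'v7.4.2' or '7.4.2.1234' into (7, 4, 2)."""
    nums = re.findall(r"\d+", text)
    if len(nums) < 3:
        raise ValueError(f"not a FortiClient version: {text!r}")
    return tuple(int(n) for n in nums[:3])


def find_abandoned_challenges(log_text):
    """Return (server, request_id) for each challenge that ended in a timeout."""
    pending, hits = None, []
    for line in log_text.splitlines():
        m = RADIUS_RESULT.search(line)
        if m:
            server, code, req = m.group(1), int(m.group(2)), m.group(3)
            pending = (server, req) if code == CHALLENGE_CODE else None
        elif CHALLENGE_TIMEOUT in line and pending:
            hits.append(pending)
            pending = None
    return hits


def triage(log_text, client_version):
    """Classify a debug capture against the bug described in this article."""
    if not find_abandoned_challenges(log_text):
        return "no abandoned password-change challenge in log"
    if parse_version(client_version) in AFFECTED:
        return "matches bug 1099714: upgrade FortiClient to v7.2.9 or v7.4.3"
    return "challenge timed out, but client version is not in the affected list"


# Sample input built from the two log lines quoted in the article.
SAMPLE = """\
[1286] fnbamd_rad_process-Result from radius svr 'FAC' is 2, req 41090098876427
[2960] handle_challenge_timeout-Session expired waiting for challenge
"""
```

Calling `triage(SAMPLE, "v7.4.2")` reports a match, while the same capture with a v7.4.3 client is flagged as a timeout that needs a different explanation.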