jhussain_FTNT
Article Id 192723

Description

This article describes how to configure password expiration (in days) and the expiry warning for SSL VPN users in the local user database.

Solution

To configure SSL VPN users to change their password in the local user database before it expires

The password policy sets the password renewal frequency (every 2 days, for instance) and the warning period, which normally begins the day before the expiration date. A password policy can be applied to any local user password.

The password policy cannot be applied to a user group or to a local user that authenticates against a remote server (LDAP/RADIUS/TACACS+).

In FortiOS 7.0, users are warned according to the warn-days value and must renew their password before it expires, as determined by the expire-days value in the password policy. Once the password has expired, the user cannot renew it and needs to contact the FortiGate administrator for assistance.

In FortiOS 6.2, users are warned one day before the expiry date of the password and have one day to renew it. Once the password has expired, the user cannot renew it and needs to contact the FortiGate administrator for assistance.

In FortiOS 6.0/5.6, users are warned one day before the expiry date of the password. Users can still renew the password even after the password has expired.


Configure and assign the password policy using the CLI

The following commands configure a password policy with an expiration period and a warning period.

config user password-policy
    edit "pwpolicy1"          <- password policy name.
        set expire-days 5     <- password expiry, in days.
        set warn-days 3       <- the warning is shown this many days before the password expires.
        set expired-password-renewal disable  <- when enabled, the end user can still renew the password after it has expired, without depending on the FortiGate administrator.
    next
end

In FortiOS 7.4.0 and later, 'expire-status' is disabled by default in the password-policy configuration and must be enabled manually:

config user password-policy
    edit "pwpolicy1"
        set expire-status enable    <- disabled by default; enable it to use this feature.
    next
end

Assign the password policy to the newly created user.

config user local
    edit "sslvpnuser1"     <- local username.
        set type password
        set passwd-policy "pwpolicy1"    <- applies the password policy.
        set passwd-time 2021-11-26 22:46:15    <- the start time for the password; by default this is the time the user was created.
        set passwd xyz   <- password.
    next
end
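Added Python model of the policy semantics above (not Fortinet code): it reads the expire-days, warn-days, expired-password-renewal and expire-status values from a constructed CLI snippet and reports whether a user is fine, in the warning window, or expired. It assumes the warning window opens (expire-days minus warn-days) days after passwd-time.

```python
"""Model of the expire-days / warn-days / expired-password-renewal logic.
Assumption: the warning window opens (expire-days - warn-days) days after passwd-time.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:
    expire_days: int = 0
    warn_days: int = 0
    expired_password_renewal: bool = False  # 'disable' is the FortiOS default
    expire_status: bool = True              # FortiOS 7.4.0+ ships this as 'disable'

def parse_policy(cli_text: str) -> PasswordPolicy:
    """Read the 'set' lines of a 'config user password-policy' entry."""
    policy = PasswordPolicy()
    for line in cli_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        key, value = parts[1], parts[2]
        if key in ("expire-days", "warn-days"):
            setattr(policy, key.replace("-", "_"), int(value))
        elif key in ("expired-password-renewal", "expire-status"):
            setattr(policy, key.replace("-", "_"), value == "enable")
    return policy

def password_state(policy: PasswordPolicy, passwd_time: datetime, now: datetime) -> str:
    """Return 'ok', 'warn', 'expired-renewable' or 'expired-locked'."""
    if not policy.expire_status or policy.expire_days <= 0:
        return "ok"  # no expiry enforced (e.g. expire-status left disabled on 7.4.0+)
    expires_at = passwd_time + timedelta(days=policy.expire_days)
    warn_at = expires_at - timedelta(days=policy.warn_days)
    if now >= expires_at:
        # Only expired-password-renewal lets the user recover without an administrator
        return "expired-renewable" if policy.expired_password_renewal else "expired-locked"
    return "warn" if now >= warn_at else "ok"

# Constructed sample: the pwpolicy1 values and passwd-time shown in the article
SAMPLE_POLICY = parse_policy("set expire-days 5\nset warn-days 3\nset expired-password-renewal disable")
SAMPLE_PASSWD_TIME = datetime(2021, 11, 26, 22, 46, 15)

def state_on_day(day: int, **overrides) -> str:
    """State of sslvpnuser1 `day` days after passwd-time, with optional policy overrides."""
    policy = replace(SAMPLE_POLICY, **overrides)
    return password_state(policy, SAMPLE_PASSWD_TIME, SAMPLE_PASSWD_TIME + timedelta(days=day))
```

With the sample policy the user is warned from day 2 and locked out from day 5 unless expired-password-renewal is enabled.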

Once the user enters the warn-days window, the prompt below appears when connecting to SSL VPN with the old username and password, and the user is redirected to enter a new password.

(Screenshot: KB-forticlient password change.PNG, the FortiClient password change prompt)

Once the user changes the password, 'passwd-time' is updated to the time of the change.

config user local
    edit "sslvpnuser1"
        set type password
        set passwd-policy "pwpolicy1"
        set passwd-time 2021-11-30 23:34:30  <- passwd-time has been updated.
        set passwd ENC +sddai212=
    next
end

Note that password renewal for local users is currently not supported when they connect through dial-up IPsec VPN.