FortiGate
pachavez
Staff
Article Id 242796
Description

This article describes how to enable password renewal for SSL VPN RADIUS users.

FortiGate can process the renewal of expired passwords for RADIUS users during the user's login.

Scope

In this example, the RADIUS server is a Windows NPS Server.

A user, radiususer, is configured on the Windows NPS server with a forced password change at the next logon.

Solution

Password renewal only works with RADIUS when the MS-CHAP-v2 authentication method is used.

To enable password renewal on the FortiGate:

# config user radius
    edit "Radius"
        set server "10.230.0.2"
        set secret <passwd>
        set auth-type ms_chap_v2
        set password-renewal enable
    next
end
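As an added check (example code, not part of the article or of FortiOS), the script below parses a config user radius block and flags entries that enable password-renewal without auth-type ms_chap_v2, the only combination the article says renewal works with; the CLI text it inspects is constructed.

```python
"""Check FortiOS 'config user radius' entries for a password-renewal mismatch:
password-renewal only takes effect with auth-type ms_chap_v2. Added example,
not from the article; the CLI text below is constructed."""
import re

# Constructed sample: "Radius" mirrors the article; "Legacy" enables renewal
# but leaves auth-type at pap, so the renewal prompt would never appear.
SAMPLE_CONFIG = """\
config user radius
    edit "Radius"
        set server "10.230.0.2"
        set secret ENC_REDACTED
        set auth-type ms_chap_v2
        set password-renewal enable
    next
    edit "Legacy"
        set server "10.230.0.3"
        set auth-type pap
        set password-renewal enable
    next
end
"""

def parse_user_radius(text):
    """Return {entry_name: {setting: value}} for each edit block."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            entries[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip().strip('"')
    return entries

def renewal_misconfigs(text):
    """Entries with password-renewal enabled but auth-type not ms_chap_v2.
    auth-type defaults to 'auto' when it is not set explicitly."""
    bad = []
    for name, settings in parse_user_radius(text).items():
        auth = settings.get("auth-type", "auto")
        if settings.get("password-renewal") == "enable" and auth != "ms_chap_v2":
            bad.append((name, auth))
    return bad
```

Running renewal_misconfigs(SAMPLE_CONFIG) returns [("Legacy", "pap")], the entry whose users would never be offered the renewal prompt.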

On the Windows NPS RADIUS server, see the screenshots below for the reference configuration:

Connection Request Policies: enable 'MS-CHAP-v2' and 'User can change the password after it has expired'.

[Screenshot: Connection Request Policies]

Network Policies: enable 'MS-CHAP-v2' and 'User can change the password after it has expired'.

[Screenshot: Network Policies]

To change the expired password, log in to the VPN using the existing password. Upon login, the message 'Your password expired. Please provide a new one.' will appear. Enter the new password.

[Screenshot: password expired prompt]

Note also that previously used passwords cannot be reused on renewal. The new password must meet the complexity requirements of the organization.

If the new password does not meet the requirements, the error 'New password maybe not meet the policy' will be displayed.

[Screenshot: password policy error]

If the password change is successful, the VPN connection proceeds after the password change.

[Screenshot: successful VPN connection]

The same process applies when using SSL VPN web mode. Upon login, the message 'Your password expired. Please provide a new one.' will appear.

[Screenshot: password expired prompt in web mode]

If the password change is successful, the user can connect to the VPN.