Description
FortiGate can process the renewal of expired passwords for local SSL VPN users. This article describes how to resolve issues when password renewal with password complexity is not working in FortiClient SSL VPN.
Scope
FortiOS 7.4.1.
Solution
Password complexity for local user passwords is a new feature in FortiOS 7.4.1.
Refer to the FortiOS documentation on how to enable password renewal with password complexity for local users.
This feature is supported for local SSL VPN users both with and without 2FA enabled.
In the configuration below, the local SSL VPN user 'pearlangelica' has FortiToken configured as 2FA.
Enable password renewal with complexity on the FortiGate:

config user password-policy
    edit "pwpolicy1"
        set expire-status enable
        set expire-days 5
        set warn-days 3
        set expired-password-renewal enable
        set min-lower-case-letter 1
        set min-upper-case-letter 1
        set min-non-alphanumeric 1
        set min-number 1
        set min-change-characters 2
        set reuse-password disable
    next
end
The password policy can be applied at the user level, in the entry of the local user (here the user with 2FA enabled) under:

config user local
end

The password policy can also be applied in the global user settings.
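Binding the policy to the user and, alternatively, to all local users, as an added example (this is not configuration taken from the page). Assumptions: the FortiToken serial and the password are placeholders, the per-user binding uses `set passwd-policy` in the user entry as introduced with this feature, and the global default `default-user-password-policy` under `config user setting` is written from memory of the 7.4 CLI and should be checked against the CLI reference for the build in use.

```text
# Per-user binding: the 2FA-enabled local user gets pwpolicy1 directly.
config user local
    edit "pearlangelica"
        set type password
        set passwd <password>            # placeholder
        set two-factor fortitoken
        set fortitoken <FTK-serial>      # placeholder, token already assigned on the FortiGate
        set passwd-policy "pwpolicy1"
    next
end

# Global alternative (assumption, verify on your build): apply pwpolicy1 to
# every local user that has no policy of its own.
config user setting
    set default-user-password-policy "pwpolicy1"
end
```

A user-level `passwd-policy` takes precedence over the global default, so a stricter policy can be given to the VPN users only, while leaving other local accounts on the default.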
Testing: to change the expired password, log in to the VPN using the existing password.
FortiClient: the new password must meet the complexity requirements configured in the password policy. If the new password does not meet the requirements, the error 'New password may not meet the policy' is displayed.
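To make the 'New password may not meet the policy' error concrete, the following added example (my own illustration, not FortiGate code) checks a proposed new password against the same rules set in the pwpolicy1 entry above. Assumptions: `min-change-characters` is interpreted as the number of distinct characters in the new password that do not occur in the old one, as the CLI help describes it, and the old/new passwords used for the demonstration are constructed for this example.

```python
"""Illustrative check of a FortiOS-style local user password policy.

Added example, not FortiGate's implementation. It mirrors the values of the
"pwpolicy1" entry so that each reason for the FortiClient error
'New password may not meet the policy' can be seen by name.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Same settings as pwpolicy1 in the article.
    min_lower_case_letter: int = 1
    min_upper_case_letter: int = 1
    min_non_alphanumeric: int = 1
    min_number: int = 1
    min_change_characters: int = 2
    reuse_password: bool = False  # "set reuse-password disable"


PWPOLICY1 = PasswordPolicy()


def check_new_password(old: str, new: str, policy: PasswordPolicy = PWPOLICY1) -> list[str]:
    """Return the policy rules the new password violates (empty list = accepted)."""
    violations: list[str] = []

    # Character-class minimums, named after the CLI settings they mirror.
    counts = {
        "min-lower-case-letter": (sum(c.islower() for c in new), policy.min_lower_case_letter),
        "min-upper-case-letter": (sum(c.isupper() for c in new), policy.min_upper_case_letter),
        "min-number": (sum(c.isdigit() for c in new), policy.min_number),
        "min-non-alphanumeric": (sum(not c.isalnum() for c in new), policy.min_non_alphanumeric),
    }
    for rule, (have, need) in counts.items():
        if have < need:
            violations.append(f"{rule}: need {need}, got {have}")

    # reuse-password disable: the renewed password may not equal the old one.
    if not policy.reuse_password and new == old:
        violations.append("reuse-password: new password equals the old one")

    # min-change-characters (assumption on semantics): distinct characters in the
    # new password that do not appear anywhere in the old password.
    changed = len(set(new) - set(old))
    if changed < policy.min_change_characters:
        violations.append(f"min-change-characters: need {policy.min_change_characters}, got {changed}")

    return violations


if __name__ == "__main__":
    # Constructed sample renewals, not real credentials.
    for old, new in [("Summer2023!", "Summer2023!"),
                     ("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "winter2024"),
                     ("Summer2023!", "Winter2024?")]:
        print(f"{old} -> {new}: {check_new_password(old, new) or 'OK'}")
```

The second sample is the one that catches people in practice: "Summer2024!" has every character class the policy asks for, yet only one character differs from the old password, so `min-change-characters 2` rejects it and FortiClient shows the same generic error as for a missing digit or symbol.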
With FortiToken 2FA enabled: for a local SSL VPN user with 2FA enabled, the user first enters the current password together with the token.
Once the user is authenticated with the password and FortiToken, the user is prompted to enter a new password.
SSL VPN web mode: the process is the same in SSL VPN web mode. For a local SSL VPN user with 2FA enabled, the user first enters the current password together with the token.
With FortiToken 2FA enabled:
The user is asked to enter a new password.
If the password change is successful, FortiClient connects directly to the VPN after the change; this is the expected behavior. If instead the error 'Unable to establish the VPN connection. The VPN server may be unreachable (-8)' appears, this is known issue Bug 0958430 in FortiOS 7.4.1, where password renewal with password complexity does not work in FortiClient SSL VPN.
Solution: for a permanent fix, upgrade the firmware to FortiOS v7.4.2. As a workaround, renew the password using SSL VPN web mode; once the password has been renewed there, the user can connect with FortiClient using the new password.
Copyright 2024 Fortinet, Inc. All Rights Reserved.