pachavez
Staff
Article Id 294773
Description

FortiGate can process the renewal of expired passwords for local SSL VPN users.

This article describes how to resolve issues when password renewal with password complexity is not working in FortiClient SSL VPN.

Scope

FortiOS 7.4.1.

Solution

Password complexity is a new feature in FortiOS 7.4.1.

Refer to the following document: New features or enhancements

Refer to the following documentation on how to enable password renewal with password complexity for local users: Enhance complexity options for local user password policy 7.4.1 | FortiGate / FortiOS 7.4.0 | Fortin...

 

This feature is supported for local SSL VPN users both with and without 2FA enabled.

In the configuration below, the SSL VPN local user 'pearlangelica' has FortiToken configured as 2FA.

 

Enable password renewal with complexity in FortiGate:

1. Configure the password policy:

config user password-policy
    edit "pwpolicy1"
        set expire-days 5
        set warn-days 3
        set expired-password-renewal enable
        set min-lower-case-letter 1
        set min-upper-case-letter 1
        set min-non-alphanumeric 1
        set min-number 1
        set min-change-characters 2
        set expire-status enable
        set reuse-password disable
    next
end

 

2. Apply the password policy to the SSL VPN user.

The password policy can be applied at the user level.

 

Local user with 2FA enabled:

config user local
    edit "pearlangelica"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB35D39832AD"
        set email-to "<email address>"
        set passwd-policy "pwpolicy1"   <----- Apply password policy.
        set passwd-time 2024-01-08 11:24:40   <----- Last password change.
        set passwd ENC QWp+uKQ7Mk1GOh+864tiS/zOVo/Wsx/4DcVRRMrfe3Ujre1lv0It45yD8S9mgl2BBPKl39hkZHSoto+akR9kIgpnIE9tU73yMdehp7Gq3KWUKeQoYnv8iWFUXQjmLTEp5gJ3Mb221tFtAYd9jumB/YS+v52QrGvWJdg3OQfxb3bdkgtpgGWMagTZojLj5gLv4kyM7A==
    next
end

 

The password policy can also be applied globally in the user settings:

config user setting
    set default-user-password-policy 'pwpolicy1'
end
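The following Python helper is added here as an illustration and is not part of this article or of FortiOS. It evaluates a candidate password against the 'pwpolicy1' values above and derives the expiry and warning window from the passwd-time shown on the user object. It assumes that min-change-characters counts unique characters of the new password that do not occur in the old one, and that reuse-password disable only rejects re-entering the current password.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PasswordPolicy:
    # Values mirror the 'pwpolicy1' block above; names follow the FortiOS CLI keys.
    expire_days: int = 5
    warn_days: int = 3
    min_lower_case_letter: int = 1
    min_upper_case_letter: int = 1
    min_non_alphanumeric: int = 1
    min_number: int = 1
    min_change_characters: int = 2
    reuse_password: bool = False  # 'set reuse-password disable'

PWPOLICY1 = PasswordPolicy()

def policy_violations(new, old, policy=PWPOLICY1):
    """Return the policy keys the new password breaks; an empty list means it is acceptable."""
    broken = []
    if sum(c.islower() for c in new) < policy.min_lower_case_letter:
        broken.append("min-lower-case-letter")
    if sum(c.isupper() for c in new) < policy.min_upper_case_letter:
        broken.append("min-upper-case-letter")
    if sum(c.isdigit() for c in new) < policy.min_number:
        broken.append("min-number")
    if sum(not c.isalnum() for c in new) < policy.min_non_alphanumeric:
        broken.append("min-non-alphanumeric")
    # Assumption: min-change-characters counts unique characters of the
    # new password that do not appear anywhere in the old password.
    if len(set(new) - set(old)) < policy.min_change_characters:
        broken.append("min-change-characters")
    # Assumption: reuse-password disable rejects re-entering the current password.
    if not policy.reuse_password and new == old:
        broken.append("reuse-password")
    return broken

def expiry_state(passwd_time, now, policy=PWPOLICY1):
    """Classify the user from passwd-time (format as printed by 'config user local')."""
    fmt = "%Y-%m-%d %H:%M:%S"
    expires = datetime.strptime(passwd_time, fmt) + timedelta(days=policy.expire_days)
    current = datetime.strptime(now, fmt)
    if current >= expires:
        return "expired"  # renewal is offered at the next SSL VPN login
    if current >= expires - timedelta(days=policy.warn_days):
        return "warning"
    return "valid"

if __name__ == "__main__":
    print(policy_violations("Passw0rd!", "Passw0rd"))
    print(expiry_state("2024-01-08 11:24:40", "2024-01-14 09:00:00"))
```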

 

Testing:

To change the expired password, log in to the VPN using the existing password.

FortiClient:

The new password must meet the complexity requirements configured in the password policy.

If the new password does not meet the requirements, the error 'New password may not meet the policy' is displayed.

 

With FortiToken 2FA enabled:

For a local SSL VPN user with 2FA enabled, the user first needs to enter the password together with the token.

Screenshot: password renewal 2fa-1.PNG

Once the user is successfully authenticated with the password and FortiToken, the user is prompted to enter a new password.

Screenshot: password renewal 2fa-2.PNG

 

SSL VPN Web:

The same process applies when using SSL VPN web mode. For a local SSL VPN user with 2FA enabled, the user first needs to enter the password together with the token.

With FortiToken 2FA enabled:

Screenshot: ssl web 2fa-1.PNG

The user will be asked to enter a new password.

Screenshot: ssl web 2fa-2.PNG

If the password change is successful, the user is connected directly to the VPN after the password change. This is the expected behavior.

If instead the error 'Unable to establish the VPN connection. The VPN server may be unreachable (-8)' appears, this is known issue Bug 0958430 in FortiOS 7.4.1, where password renewal with password complexity does not work in the SSL VPN FortiClient.

Screenshot: unable to establish connection.PNG

 

Solution:

For a permanent fix, upgrade the firmware to FortiOS v7.4.2.

For a workaround, use SSL VPN web mode for password renewal.
