- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiAuthenticator LDAP auth and password change o...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiAuthenticator LDAP auth and password change over SSL VPN
Hello guys!
I already implemented a solution with FortiGate and LDAP (via LDAPS) in which it's possible for users to change the password with the SSL VPN Client if it is expired so I hope there is an FortiAuthenticator solution.
config user ldap
edit <server_name>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
...
end
I'm searching for a solution in which the same is possible but the FortiGate isn't connected to an LDAP server but instead to an FortiAuthenticator via RADIUS (dynamic FortiToken Mobile assigning) which gets the User Information from the LDAP server (via LDAPS). I only found the Self Service Portal which provides this feature but this doesn't meet the customer expectations.
Do you have any experience with this? Thank you.
Kind Regards, Maximilian
Solved! Go to Solution.
Kind Regards, Maximilian
Labels:
- Labels:
-
5.0
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear xsilver_FTNT
I have the same situation as in this topic.
I have FAC (5.5.0) connected via LDAPS to AD.
FAC is Radius server to FGT (6.0.2) - MSCHAPv2.
SSL VPN users are connecting to FGT which takes credentials from FAC radius server (and FAC takes by LDAPS from AD).
Normal users with time valid password can establish vpn connect and everything works fine.
Users with expired password has to change their password, but instead of form to password change in FortiClient I have error about wrong credentials.
I know there should be displaye form to change password because when I used LDAP authentication on FGT (FGT connected to AD directly without FAC), it works.
As I said, I have wrong credentials error in FortiClient, but FAC is aware of need to change password because I see that in FAC logs:
1. Windows AD user authentication(mschap) with no token failed: user password change required
and from /debug logs:
1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)
2. Remote Windows AD user password reset required
3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required
Do you know what may be a problem that I cannot change password in this setup? I would appreciate any help.
The problem is solved: I just had to set password-renewal in radius configuration on FGT...
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey ISAC, sure:
that toggle for Windows AD Authentication needs to be enabled as well for MSCHAPv2 to work :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you very much. Everything is working as I want now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great to hear, ISAC :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everybody. Same setup here:
FAC (6.1.2) connected via LDAPS to AD and domain joined
FAC as Radius server to FGT (7.0.6) - MSCHAPv2
- set password-expiry-warning and set password-renewal enabled at FTG LDAP
- Use Windows AD domain authentication enabled at FAC Radius policy
- SSL VPN users are connecting to FGT which takes credentials from FAC radius server (and FAC takes by LDAPS from AD).
Users are not able to change their passwords. FAC prompts to password change but after entering the new (accomplishing password policies) it prompts again for password change.
If we uncheck 'user need to change password' at AD, user can login to FAC (user portal) and when trying to change password from there (My account, User, Change password) he gets and 'incorrect old password' message. Logs at FAC shows the following message (ID 868489):
Wrong Password. User name and old password cannot be successfully verified.
We have check CA AD server certs and are ok
Looking for LDAP or Radius errors at https://facIP/debug and nothing relevant. Nor at AD server event viewer.
Need help to diagnose that.
Thanks in advance.
Regards.
EDIT: I forget to mention that, when user try to login at VPN portal with password expired, it prompts for password change with no token prompt (but it is sent) and when trying to change, he gets 'permission denied' error.
EDIT 2: this setup was working fine time ago, and the only thing that was different is de FGT version, updated to v7 in April.
- « Previous
-
- 1
- 2
- Next »
Related Posts
- FortiToken for FortiClient users CONCERN 105 Views
- Change forticloud mail account 107 Views
- FortiPortal Login 112 Views
- UniFi Controller SSID with FortiGate Captive... 463 Views
- Forticlient 7.2.3 prompts for admin credentials... 314 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.