Hello guys!
I already implemented a solution with FortiGate and LDAP (via LDAPS) in which it's possible for users to change the password with the SSL VPN Client if it is expired so I hope there is an FortiAuthenticator solution.
config user ldap
edit <server_name>
set password-expiry-warning {disable | enable}
set password-renewal {disable | enable}
...
end
I'm searching for a solution in which the same is possible but the FortiGate isn't connected to an LDAP server but instead to an FortiAuthenticator via RADIUS (dynamic FortiToken Mobile assigning) which gets the User Information from the LDAP server (via LDAPS). I only found the Self Service Portal which provides this feature but this doesn't meet the customer expectations.
Do you have any experience with this? Thank you.
Kind Regards, Maximilian
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Dear xsilver_FTNT
I have the same situation as in this topic.
I have FAC (5.5.0) connected via LDAPS to AD.
FAC is Radius server to FGT (6.0.2) - MSCHAPv2.
SSL VPN users are connecting to FGT which takes credentials from FAC radius server (and FAC takes by LDAPS from AD).
Normal users with time valid password can establish vpn connect and everything works fine.
Users with expired password has to change their password, but instead of form to password change in FortiClient I have error about wrong credentials.
I know there should be displaye form to change password because when I used LDAP authentication on FGT (FGT connected to AD directly without FAC), it works.
As I said, I have wrong credentials error in FortiClient, but FAC is aware of need to change password because I see that in FAC logs:
1. Windows AD user authentication(mschap) with no token failed: user password change required
and from /debug logs:
1. Module-Failure-Message: mschap: External script says Must change password (0xc0000224)
2. Remote Windows AD user password reset required
3. Updated auth log 'tmp': Windows AD user authentication(mschap) with no token failed: user password change required
Do you know what may be a problem that I cannot change password in this setup? I would appreciate any help.
The problem is solved: I just had to set password-renewal in radius configuration on FGT...
Hey ISAC, sure:
that toggle for Windows AD Authentication needs to be enabled as well for MSCHAPv2 to work :)
thank you very much. Everything is working as I want now.
Great to hear, ISAC :)
Hi everybody. Same setup here:
FAC (6.1.2) connected via LDAPS to AD and domain joined
FAC as Radius server to FGT (7.0.6) - MSCHAPv2
Users are not able to change their passwords. FAC prompts to password change but after entering the new (accomplishing password policies) it prompts again for password change.
If we uncheck 'user need to change password' at AD, user can login to FAC (user portal) and when trying to change password from there (My account, User, Change password) he gets and 'incorrect old password' message. Logs at FAC shows the following message (ID 868489):
Wrong Password. User name and old password cannot be successfully verified.
We have check CA AD server certs and are ok
Looking for LDAP or Radius errors at https://facIP/debug and nothing relevant. Nor at AD server event viewer.
Need help to diagnose that.
Thanks in advance.
Regards.
EDIT: I forget to mention that, when user try to login at VPN portal with password expired, it prompts for password change with no token prompt (but it is sent) and when trying to change, he gets 'permission denied' error.
EDIT 2: this setup was working fine time ago, and the only thing that was different is de FGT version, updated to v7 in April.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.