Expired Active Directory Password Change for Remote Users
Remote end users can now change their RADIUS or AD password
through the GlobalProtect app when they are authenticated with a
RADIUS server using PEAP-MSCHAPv2.
Starting with GlobalProtect™
App 4.1 and with PAN-OS® 8.1 and later releases
iOS 10 and later releases (notifications only), Android 4.4 and
later releases, Chrome OS 45 and later releases, Windows 7 and later
releases, and macOS 10.10 and later releases
Remote end users
can now change their RADIUS or Active Directory (AD) passwords through
the GlobalProtect app when their password expires or when a RADIUS
or AD administrator requires a password change at the next login.
With this feature, users can change their RADIUS or AD password
when they are unable to access the corporate network locally and
their only option is to connect remotely using RADIUS authentication.
This feature is enabled only when the user is authenticated with
a RADIUS server using the Protected Extensible Authentication Protocol
with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
Ensure that you enable Active Directory dial-in
network access permissions for your users.
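
One way to check the dial-in prerequisite above for the accounts this feature targets (users whose password has expired or who must change it at the next login). This is an added example, not part of the original documentation; it assumes the RSAT ActiveDirectory PowerShell module, and the search base `OU=RemoteUsers,DC=example,DC=com` is a placeholder.

```powershell
# Added example: list enabled AD users who will be asked to change their password
# and show the state of their dial-in (Network Access Permission) setting.
Import-Module ActiveDirectory

# Assumption: placeholder OU; replace with the container that holds your remote users.
$SearchBase = 'OU=RemoteUsers,DC=example,DC=com'
$props      = 'msNPAllowDialin', 'pwdLastSet', 'PasswordExpired'

$report = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props |
    ForEach-Object {
        # msNPAllowDialin: TRUE = allow access, FALSE = deny access,
        # not set = "Control access through NPS Network Policy".
        $dialIn = if ($null -eq $_.msNPAllowDialin) {
            'NotSet'
        } elseif ($_.msNPAllowDialin) {
            'Allow'
        } else {
            'Deny'
        }

        [pscustomobject]@{
            SamAccountName        = $_.SamAccountName
            PasswordExpired       = [bool]$_.PasswordExpired
            # pwdLastSet = 0 is how AD records "User must change password at next logon".
            MustChangeAtNextLogon = ($_.pwdLastSet -eq 0)
            DialIn                = $dialIn
        }
    }

# Accounts that need a password change, grouped by dial-in state.
# 'Deny' blocks RADIUS access outright; 'NotSet' depends on the NPS network policy.
$report |
    Where-Object { $_.PasswordExpired -or $_.MustChangeAtNextLogon } |
    Sort-Object DialIn, SamAccountName |
    Format-Table -AutoSize
```
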
Use the following steps to configure RADIUS authentication with PEAP-MSCHAPv2:

Create a RADIUS server profile. The server profile
identifies the external authentication service and instructs the
firewall on how to connect to the authentication service and access
user credentials. For this setup, select

Create an authentication profile. The authentication
profile identifies the server profile used for authentication on
the GlobalProtect portal or gateway.

Add a password change message. Password
change messages allow you to specify password policies or requirements
for your users (for example, passwords must contain at least one
number and one uppercase letter).
Select a portal from the list to open the
tab, select an
existing agent from the list or
tab in the Configs
Change Password Message
to save your GlobalProtect
agent changes and return to the