Expired Active Directory Password Change for Remote Users
Remote end users can now change their RADIUS or AD password
through the GlobalProtect app when they are authenticated with a
RADIUS server using PEAP-MSCHAPv2.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: iOS 10 and later releases (notifications only), Android 4.4 and later releases, Chrome OS 45 and later releases, Windows 7 and later releases, and macOS 10.10 and later releases
Remote end users can now change their RADIUS or Active Directory (AD) passwords through the GlobalProtect app when their password expires or when a RADIUS or AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user is authenticated with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
Ensure that you enable Active Directory dial-in network access permissions for your users.
Use the following steps to configure RADIUS authentication with PEAP-MSCHAPv2:
1. Create a RADIUS server profile. The server profile identifies the external authentication service and instructs the firewall on how to connect to the authentication service and access user credentials. For this setup, select PEAP-MSCHAPv2 from the Authentication Protocol drop-down.
2. Create an authentication profile. The authentication profile identifies the server profile used for authentication on the GlobalProtect portal or gateway.
3. (Optional) Add a password change message. Password change messages allow you to specify password policies or requirements for your users (for example, passwords must contain at least one number and one uppercase letter).
   1. Select Network > GlobalProtect > Portals.
   2. Select a portal from the list to open the GlobalProtect Portal Configuration dialog.
   3. On the Agent tab, select an existing agent from the list or Add a new one.
   4. Select the App tab in the Configs dialog.
   5. Under App Configurations, enter a Change Password Message (255 characters or less).
   6. Click OK to save your GlobalProtect agent changes and return to the