1. Home
    2. GlobalProtect
    3. GlobalProtect App New Features Guide
    4. New Features Released in GlobalProtect App 4.1
    5. Expired Active Directory Password Change for Remote Users
    End-of-Life (EoL)

    Expired Active Directory Password Change for Remote Users

    Remote end users can now change their RADIUS or AD password through the GlobalProtect app when they are authenticated with a RADIUS server using PEAP-MSCHAPv2.
    Software Support
    : Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
    OS Support
    : iOS 10 and later releases (notifications only), Android 4.4 and later releases, Chrome OS 45 and later releases, Windows 7 and later releases, and macOS 10.10 and later releases
    Remote end users can now change their RADIUS or Active Directory (AD) passwords through the GlobalProtect app when their password expires or when a RADIUS or AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user is authenticated with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
    Ensure that you enable Active Directory dial-in network access permissions for your users.
    Use the following steps to configure RADIUS authentication with PEAP-MSCHAPv2:
      • Create a RADIUS server profile. The server profile identifies the external authentication service and instructs the firewall on how to connect to the authentication service and access user credentials. For this setup, select
        PEAP-MSCHAPv2
         from the
        Authentication Protocol
         drop-down.
      • Create an authentication profile. The authentication profile identifies the server profile used for authentication on the GlobalProtect portal or gateway.
    2. (
      Optional
      ) Add a password change message. Password change messages allow you to specify password policies or requirements for your users (for example, passwords must contain at least one number and one uppercase letter).
      1. Select
        Network
        GlobalProtect
        Portals
        .
      2. Select a portal from the list to open the
        GlobalProtect Portal Configuration
         dialog.
      3. On the
        Agent
         tab, select an existing agent from the list or
        Add
         a new one.
      4. Select the
        App
         tab in the Configs dialog.
      5. Under
        App Configurations
        , enter a
        Change Password Message
        (255 characters or less).
      6. Click
        OK
         to save your GlobalProtect agent changes and return to the
        GlobalProtect Portal Configuration
         dialog.
      7. Click
        OK
         to complete the configuration.
    3. Commit
       the configuration.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo