End-of-Life (EoL)

Expired Active Directory Password Change for Remote Users

Remote end users can now change their RADIUS or AD password through the GlobalProtect app when they are authenticated with a RADIUS server using PEAP-MSCHAPv2.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: iOS 10 and later releases (notifications only), Android 4.4 and later releases, Chrome OS 45 and later releases, Windows 7 and later releases, and macOS 10.10 and later releases
Remote end users can now change their RADIUS or Active Directory (AD) passwords through the GlobalProtect app when their password expires or when a RADIUS or AD administrator requires a password change at the next login. With this feature, users can change their RADIUS or AD password when they are unable to access the corporate network locally and their only option is to connect remotely using RADIUS authentication. This feature is enabled only when the user is authenticated with a RADIUS server using the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2).
Ensure that you enable Active Directory dial-in network access permissions for your users.
Use the following steps to configure RADIUS authentication with PEAP-MSCHAPv2:
    • Create a RADIUS server profile. The server profile identifies the external authentication service and instructs the firewall on how to connect to the authentication service and access user credentials. For this setup, select PEAP-MSCHAPv2 from the Authentication Protocol drop-down.
    • Create an authentication profile. The authentication profile identifies the server profile used for authentication on the GlobalProtect portal or gateway.
  1. (Optional) Add a password change message. Password change messages allow you to specify password policies or requirements for your users (for example, passwords must contain at least one number and one uppercase letter).
    1. Select Network > GlobalProtect > Portals.
    2. Select a portal from the list to open the GlobalProtect Portal Configuration dialog.
    3. On the Agent tab, select an existing agent from the list or Add a new one.
    4. Select the App tab in the Configs dialog.
    5. Under App Configurations, enter a Change Password Message (255 characters or less).
    6. Click OK to save your GlobalProtect agent changes and return to the GlobalProtect Portal Configuration dialog.
    7. Click OK to complete the configuration.
  2. Commit the configuration.
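
The dial-in prerequisite above can be checked before rollout. The following PowerShell is an added example, not part of the original documentation: it classifies accounts by their AD dial-in setting (the msNPAllowDialin attribute) and by whether a password change is pending. The function name and the sample accounts are hypothetical; whether an unset dial-in value is sufficient depends on your NPS network policy.

```powershell
# Added example: report accounts that need a password change but are denied dial-in.
# Property names match Get-ADUser output; the function name is hypothetical.
function Get-RemotePasswordChangeReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        # pwdLastSet = 0 means "User must change password at next logon".
        $needsChange = [bool]$User.PasswordExpired -or ($User.pwdLastSet -eq 0)

        # msNPAllowDialin: $true = Allow access, $false = Deny access,
        # not set = controlled through NPS network policy.
        $dialIn = if ($null -eq $User.msNPAllowDialin) {
            'PolicyControlled'
        } elseif ($User.msNPAllowDialin) {
            'Allow'
        } else {
            'Deny'
        }

        [pscustomobject]@{
            SamAccountName      = $User.SamAccountName
            NeedsPasswordChange = $needsChange
            DialIn              = $dialIn
            # A pending change with dial-in denied cannot be completed remotely.
            Blocked             = $needsChange -and ($dialIn -eq 'Deny')
        }
    }
}

# Constructed sample accounts (not real data), shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $true;  pwdLastSet = 0; PasswordExpired = $true }
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $false; pwdLastSet = 0; PasswordExpired = $true }
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $null;  pwdLastSet = 133500000000000000; PasswordExpired = $false }
)
$sample | Get-RemotePasswordChangeReadiness | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties msNPAllowDialin, pwdLastSet, PasswordExpired |
#     Get-RemotePasswordChangeReadiness | Where-Object Blocked
```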
