When using LDAP as the authentication method, you can now configure an optional custom password expiry notification message in the GlobalProtect portal agent configuration. The message can include additional instructions, such as help desk contact information or a link to a password portal where users can change their passwords. GlobalProtect appends the custom message to the standard notification, which the agent displays when a user’s password is due to expire.
Consider configuring GlobalProtect agents to use the pre-logon connect method. This allows users to connect and change their own expired passwords without administrative intervention. Otherwise, users cannot access the VPN if their passwords expire. See Remote Access VPN with Pre-Logon.
If users allow their passwords to expire, you may assign a temporary LDAP password to enable them to log in to the VPN. In this case, the user can use the temporary password to authenticate to the portal but the gateway login may fail because the same temporary password cannot be reused. To prevent this failure, enable
in the portal configuration (
Portal) to enable the agent to use a cookie to authenticate to the portal and then use the temporary password to authenticate the gateway.
Configure a Custom Notification Message
In an authentication profile, configure the number of days before a password expires that the GlobalProtect agent should start displaying pending expiration notification messages.
Notification messages display seven days before password expiry by default (range is 1-255). Because users must change their passwords before the end of the expiration period, make sure you provide a notification period that is adequate for your user base to ensure continued access to the VPN.
In a GlobalProtect portal agent configuration, configure the Custom Password Expiration Message (LDAP Authentication Only) that users should see before their password expires. The message must be 200 or fewer characters.
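As an added illustration (not PAN-OS or GlobalProtect code), the following Python models the rules stated above: the notification period must be 1-255 days (default 7), the custom message must be 200 or fewer characters, and the custom text is appended to the standard notification only while the password is inside the notification window. The standard notification wording and the sample help desk text are constructed placeholders, not the agent's actual strings.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Limits documented for the GlobalProtect portal agent configuration.
MIN_NOTIFY_DAYS, MAX_NOTIFY_DAYS, DEFAULT_NOTIFY_DAYS = 1, 255, 7
MAX_CUSTOM_MESSAGE_CHARS = 200


def validate_config(notify_days: int, custom_message: str) -> List[str]:
    """Return the list of configuration problems; an empty list means valid.

    Useful as a pre-check before pasting a message into the portal config,
    so an over-long message is caught before the commit rejects it.
    """
    problems = []
    if not MIN_NOTIFY_DAYS <= notify_days <= MAX_NOTIFY_DAYS:
        problems.append(
            f"notification period {notify_days} is outside {MIN_NOTIFY_DAYS}-{MAX_NOTIFY_DAYS}")
    if len(custom_message) > MAX_CUSTOM_MESSAGE_CHARS:
        problems.append(
            f"custom message is {len(custom_message)} characters, limit is {MAX_CUSTOM_MESSAGE_CHARS}")
    return problems


def expiry_notification(expires_at: datetime, now: datetime,
                        notify_days: int = DEFAULT_NOTIFY_DAYS,
                        custom_message: str = "") -> Optional[str]:
    """Model of the agent-side decision: notify only inside the window.

    Returns None when no notification is due (outside the window, or the
    password has already expired, which this model does not handle).
    """
    problems = validate_config(notify_days, custom_message)
    if problems:
        raise ValueError("; ".join(problems))
    days_left = (expires_at - now).days  # whole days, rounded down
    if days_left < 0 or days_left > notify_days:
        return None
    # Placeholder for the standard notification; the real agent text differs.
    standard = f"Your password will expire in {days_left} day(s)."
    # The custom message is appended to the standard text, never replaces it.
    return f"{standard} {custom_message}" if custom_message else standard


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    print(expiry_notification(now + timedelta(days=3), now,
                              custom_message="Contact the help desk at ext. 1234."))
```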