Unable to change expired password via GlobalProtect, when using RADIUS In Authentication Sequence

Created On 09/14/21 08:58 AM - Last Modified 02/05/22 05:19 AM


Symptom


  • Users connecting through GlobalProtect with an expired password get the error "Authentication failed, enter login credential".
  • The Authentication Profile is configured with an Authentication Sequence as follows:
    1. RADIUS with MSCHAPv2 (configured with "Allow users to change passwords after expiry")
    2. LDAP Profile
  • When the Authentication Profile is changed to a single Auth Profile (no Auth Sequence), users are prompted to change their password.


Environment


  • GlobalProtect configured with Authentication Sequence
  • RADIUS Authentication with MSCHAPv2
  • RADIUS Profile enabled with "Allow users to change passwords after expiry"




 


Cause


Once the RADIUS profile fails with Error: 648 Password expired, the next profile in the sequence is attempted. This behavior is by design: a password change cannot be supported in the context of an Authentication Sequence.

Resolution


The workaround is to use an authentication profile only (don't use an authentication sequence).
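
A simplified model of the behavior described under Cause and Resolution, as an added example that is not Palo Alto Networks code. The `E=648` failure string follows the MS-CHAPv2 failure format in RFC 2759; the `authenticate` function, the backends, the sample values and the result strings are hypothetical, and the LDAP rejection of the expired account is an assumption.

```python
import re

PASSWORD_EXPIRED = 648  # ERROR_PASSWD_EXPIRED in the RFC 2759 failure packet

def parse_mschap_error(text):
    """Parse an RFC 2759 failure string: 'E=648 R=0 C=<hex> V=3 M=<message>'."""
    head, _, message = text.partition(" M=")  # M= may contain spaces, split it off first
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", head))
    if "E" not in fields:
        raise ValueError("no E= field in MS-CHAP-Error string")
    parsed = {"E": int(fields["E"]), "message": message}
    if "R" in fields:
        parsed["R"] = int(fields["R"])
    return parsed

def is_password_expired(detail):
    """True when a reject carries the password-expired error code."""
    return bool(detail) and parse_mschap_error(detail)["E"] == PASSWORD_EXPIRED

def authenticate(profiles, user, password):
    """Hypothetical model: try each (name, backend) profile in order."""
    in_sequence = len(profiles) > 1
    for name, backend in profiles:
        ok, detail = backend(user, password)
        if ok:
            return "success"
        # Only a single profile can turn E=648 into a password-change prompt.
        if not in_sequence and is_password_expired(detail):
            return "prompt-password-change"
        # In a sequence every failure, E=648 included, moves on to the next profile.
    return "authentication-failed"

# Constructed backends for an account whose password has expired.
def radius_mschapv2(user, password):
    return False, "E=648 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"

def ldap_bind(user, password):
    return False, None  # assumption: the LDAP profile also rejects the expired account

SEQUENCE = [("RADIUS", radius_mschapv2), ("LDAP", ldap_bind)]
SINGLE = [("RADIUS", radius_mschapv2)]

if __name__ == "__main__":
    print("sequence:", authenticate(SEQUENCE, "alice", "old-password"))
    print("single:  ", authenticate(SINGLE, "alice", "old-password"))
```
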
