Unable to change expired password via GlobalProtect, when using RADIUS In Authentication Sequence
16545
Created On 09/14/21 08:58 AM - Last Modified 02/05/22 05:19 AM
Symptom
- Users connecting through GlobalProtect with an expired password get the error "Authentication failed, enter login credential"
- The Authentication Profile is configured with an Authentication Sequence as follows:
  - RADIUS with MSCHAPv2 (configured with "Allow users to change passwords after expiry")
  - LDAP Profile
- When the Authentication Profile is changed to a single Auth Profile (no Auth Sequence), users are prompted to change their password
Environment
- GlobalProtect configured with Authentication Sequence
- RADIUS Authentication with MSCHAPv2
- RADIUS Profile enabled with "Allow users to change passwords after expiry"
Cause
Once the RADIUS Profile fails with Error: 648 Password expired, the sequence treats that result like any other failure and attempts the next profile (here LDAP), which also rejects the expired password, so the client only sees a generic authentication failure and never receives the password-change prompt. This behavior with an Authentication Sequence is as designed: password change is not supported in the context of an authentication sequence.
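The following small model is added here to make the cause concrete; it is not PAN-OS, GlobalProtect or RADIUS code. The user directory, the `radius_mschapv2` and `ldap` profile functions, and the outcome strings are all constructed for illustration. It contrasts a single authentication profile, where the RADIUS error 648 result reaches the client as a "change password" outcome, with an authentication sequence, where that same result only triggers fallthrough to the next profile.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of the behaviour described in the article; not PAN-OS,
# GlobalProtect or RADIUS code. Users, passwords and profile logic are invented.

RADIUS_ERROR_PASSWORD_EXPIRED = 648  # error code quoted in the article


@dataclass
class AuthResult:
    profile: str
    status: str            # "success", "password_expired" or "failure"
    code: Optional[int] = None


# Constructed directory: password plus an "expired" flag per account.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "alice": {"password": "Winter2021!", "expired": True},
    "bob":   {"password": "Spring2022!", "expired": False},
}


def _credentials_match(user: str, password: str) -> bool:
    entry = DIRECTORY.get(user)
    return entry is not None and entry["password"] == password


def radius_mschapv2(user: str, password: str,
                    allow_change_after_expiry: bool = True) -> AuthResult:
    """Models a RADIUS/MS-CHAPv2 profile. With "allow change after expiry" on,
    a correct but expired password is reported as 648 instead of a plain failure."""
    if not _credentials_match(user, password):
        return AuthResult("RADIUS", "failure")
    if DIRECTORY[user]["expired"]:
        if allow_change_after_expiry:
            return AuthResult("RADIUS", "password_expired", RADIUS_ERROR_PASSWORD_EXPIRED)
        return AuthResult("RADIUS", "failure", RADIUS_ERROR_PASSWORD_EXPIRED)
    return AuthResult("RADIUS", "success")


def ldap(user: str, password: str) -> AuthResult:
    """Models an LDAP profile: a bind with an expired password is a plain failure
    (constructed assumption; it carries no expiry hint back to the client)."""
    if _credentials_match(user, password) and not DIRECTORY[user]["expired"]:
        return AuthResult("LDAP", "success")
    return AuthResult("LDAP", "failure")


Profile = Callable[[str, str], AuthResult]


def single_profile_outcome(profile: Profile, user: str, password: str) -> str:
    """One authentication profile: the expired status reaches the client,
    which can then show the change-password prompt."""
    result = profile(user, password)
    return {"success": "connected",
            "password_expired": "prompt_password_change"}.get(result.status, "auth_failed")


def sequence_outcome(profiles: List[Profile], user: str, password: str) -> str:
    """Authentication sequence: any non-success result, including 648, simply
    moves evaluation to the next profile, so the expired status is never surfaced."""
    for profile in profiles:
        if profile(user, password).status == "success":
            return "connected"
    return "auth_failed"


if __name__ == "__main__":
    seq = [radius_mschapv2, ldap]
    print("single profile, expired user:", single_profile_outcome(radius_mschapv2, "alice", "Winter2021!"))
    print("sequence, expired user:      ", sequence_outcome(seq, "alice", "Winter2021!"))
    print("sequence, current user:      ", sequence_outcome(seq, "bob", "Spring2022!"))
```

In the model, `alice` (correct but expired password) gets `prompt_password_change` from the single RADIUS profile but `auth_failed` from the sequence, because the 648 result is consumed by the fallthrough and LDAP then fails too; `bob`, whose password is current, connects either way. That is the same difference the Symptom section describes between the sequence and the single-profile configuration.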
Resolution
The workaround is to use a single authentication profile (the RADIUS profile with "Allow users to change passwords after expiry" enabled) rather than an authentication sequence.