Password Expiry Warning on the GlobalProtect Client

Created On 09/25/18 17:18 PM - Last Modified 04/28/20 23:37 PM


Symptom


When using LDAP as the authentication method, users can be prompted with the password expiry warning message when their password is due to expire.

This can be achieved by using LDAP as an authentication method, as shown in the screenshot below:



Environment


  • PAN-OS
  • GlobalProtect
  • LDAP Authentication


Resolution


 

  • Server Profile: Specify the configured LDAP profile
  • Login Attribute: Enter the LDAP directory attribute that uniquely identifies the user or group
  • Password Expiry Warning: Enter the number of days before password expiration at which notification messages start being displayed, alerting users that their passwords expire in X days. The value can range from 1 day to 255 days.

 

By default, notification messages will be displayed seven days before password expiry. Users will not be able to access the VPN if their passwords expire.

Set the maximum password age under the default domain policy in the AD server as shown in the screenshot below:

 

Shown below is the warning message on the GlobalProtect client.

password expiry.png
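
To see which accounts fall inside the warning window before changing the Password Expiry Warning value, the same arithmetic can be run against the directory attributes. The sketch below is an added example, not Palo Alto Networks code and not the firewall's own logic. It assumes the standard AD attributes `pwdLastSet`, `maxPwdAge` and `userAccountControl`, assumes only the default domain policy applies, and uses constructed sample users with a constructed 42-day maximum password age.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000           # userAccountControl flag
NO_MAX_AGE = (0, -0x8000000000000000)    # maxPwdAge values meaning "never expires"

def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def time_left(pwd_last_set, max_pwd_age, uac, now):
    """Time until expiry, or None when the password never expires."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NO_MAX_AGE:
        return None
    if pwd_last_set == 0:                # "must change password at next logon"
        return timedelta(0)
    # maxPwdAge is stored as a negative count of 100 ns ticks
    changed = FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)
    return changed + timedelta(microseconds=-max_pwd_age // 10) - now

def status(left, warning_days=7):
    """Classify against the Password Expiry Warning value (1-255, default 7)."""
    if not 1 <= warning_days <= 255:
        raise ValueError("Password Expiry Warning must be 1-255 days")
    if left is None:
        return "no-expiry"
    if left <= timedelta(0):
        return "expired"                 # per the article, VPN access fails here
    return "warn" if left <= timedelta(days=warning_days) else "ok"

def audit(users, max_pwd_age, now, warning_days=7):
    """Map each sAMAccountName to its status for the given warning window."""
    return {u["sAMAccountName"]: status(
        time_left(u["pwdLastSet"], max_pwd_age, u["userAccountControl"], now),
        warning_days) for u in users}

# Constructed sample data (hypothetical users, fixed "now", 42-day max age).
NOW = datetime(2020, 4, 28, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10_000_000

def _user(name, age_days, uac=0x200):    # 0x200 = NORMAL_ACCOUNT
    last_set = to_filetime(NOW - timedelta(days=age_days)) if age_days else 0
    return {"sAMAccountName": name, "pwdLastSet": last_set, "userAccountControl": uac}

USERS = [_user("alice", 38), _user("bob", 10), _user("carol", 50),
         _user("svc-backup", 400, 0x200 | DONT_EXPIRE_PASSWORD), _user("dave", 0)]

if __name__ == "__main__":
    for name, state in audit(USERS, MAX_PWD_AGE, NOW).items():
        print(f"{name:12} {state}")
```

Accounts reported as `expired` are the ones that depend on the pre-logon connect method to change their password.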

 



Additional Information


Note: As a best practice, consider configuring the agents to use a pre-logon connect method. This will allow users to connect to the domain to change their passwords even after the password has expired.

 

owner: hnatarajan


