topic Re: Local User Database :: Password Change :: VPN Global Protect Client in General Topics

Local User Database :: Password Change :: VPN Global Protect Client

rbonicenha — Tue, 31 Jan 2017 20:43:30 GMT

Hello,

Is the a way to force the Local User change your password at the first login in the Global Protect Client?

Today I create your respective username and password but some users have been complain that I know your local respective password and they want a way to change.

Someone already had to implement something to make it easier to change that user's password without having to interfere, so I only need to pass the password once and after the first login through the global protect client he could somehow change his password.

Re: Local User Database :: Password Change :: VPN Global Protect Client

BPry — Wed, 01 Feb 2017 15:00:15 GMT

I don't believe that this is an option as is. If this isn't already a feature request I would be kind of suprised, add your vote to the request through your SE or have him put a request in for it.

This could potentially be done through the XML-API. You could create a powershell script with the respective variables for the user account and a password field that the user is prompted for when they run the script. The upside to this is they can change the password by themselves and just let you know that they have change it so you can schedule a commit, the downside is even with admin roles since the API would need to run with a user given permission to alter the configuration you have to trust your users enough not to monkey with the script for any reason.

Re: Local User Database :: Password Change :: VPN Global Protect Client

glastra1 — Thu, 02 Feb 2017 19:58:43 GMT

not at the top of my head but you can rely on third party authentication like radius, LDAP or kerberos so the users can change their passwords on those systems or use the same password as in their domain computers (which you don't know)

https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the-globalprotect-infrastructure/set-up-external-authentication

regards,

Gerardo.

Re: Local User Database :: Password Change :: VPN Global Protect Client

CPPalo — Mon, 06 Feb 2017 06:52:38 GMT

Using external LDAP/RADIUS will not solve problem. Simplest example is when a user is outside of work for a longer period and have no possibility to update expired password onsite but have to use VPN.
It would be nice to have at last password change/expired password change possibility if using LDAP/Active Directory with Global Protect (without workarounds like cookies, additional cert logon etc.).

Re: Local User Database :: Password Change :: VPN Global Protect Client

fkijamie — Wed, 03 Oct 2018 16:22:59 GMT

This is a security issue and needs higher priority by Palo Alto. How am I to deliver credentials to a user safely if that user isn't forced to change her password upon first login? Every other firewall brand has this feature. Are you telling me I have to fly from LA to Chicago to hand deliver the password? How am I supposed to dispense credentials safely?

Re: Local User Database :: Password Change :: VPN Global Protect Client

OtakarKlier — Wed, 03 Oct 2018 16:46:19 GMT

Hello,

I'm sure there are ways to convey a password without having to hop onto a plane. I would think a phone call or text message may work?

Cheers!

Re: Local User Database :: Password Change :: VPN Global Protect Client

fkijamie — Wed, 03 Oct 2018 19:01:44 GMT

Fair enough, I was being a bit hyperbolic. But, text message is out of the question because it relies on the end user to delete it. Otherwise if the device is compromised, it has the vpn client and password on the same device. Dictating a complex password can also be tough, especially when you are rolling out VPN access to dozens of people. Also, best practice is to renew passwords on a periodic basis. GlobalProtect simply doesn't have the capabilites to maintain best practice. I guess we will have to rely on MFA for every type of user.

Re: Local User Database :: Password Change :: VPN Global Protect Client

OtakarKlier — Thu, 04 Oct 2018 16:01:51 GMT

Hello,

I completly understand and from what I can tell it would be a nice feature. Talk to your SE and see if there is already a feature request for it. However you could use a different RADIUS server for those users and have it perform the password change?

Cheers!

Re: Local User Database :: Password Change :: VPN Global Protect Client

fkijamie — Thu, 04 Oct 2018 17:22:08 GMT

I'm open to workarounds. How would this work in practice? Tell people to first login to a public facing web server and change their password before logging into globalprotect for the first time? In this scenario, what would happen if users skipped the first step and just logged into globalprotect with the initial passoword? Would globalprotect deny access?

Re: Local User Database :: Password Change :: VPN Global Protect Client

OtakarKlier — Fri, 05 Oct 2018 13:33:38 GMT

Hello,

From my experience, the password change option gets passed from the RADIUS server to the PAN then GP prompts the end user. Kind of like when windows on a domain asks you to change your password. I have seen this work with multi factor authentication where the user is asked to either create/change a pin for their token and/or change their password on first logon.

Hope that helps.

Re: Local User Database :: Password Change :: VPN Global Protect Client

fkijamie — Tue, 09 Oct 2018 00:41:19 GMT

Otakar,

Thanks, that is exactly the solution I was looking for. Our SE also confirmed this is now supported and provided the following link:

https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/expired-active-directory-password-change-for-remote-users

Thanks for all of your help!