https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311091#M80531 <P>Hello,</P><P>I have the same problem. Requirements you were talking about seem to be met.</P><P>When a user has a valid, non expired password everything works fine.&nbsp;</P><P>When using a user with an expired password, nothing is logged in event viewer in NPS server, authentication fails, and user is not prompted to change his password.</P><P>&nbsp;</P><P>Could you please share the guide you were talking before?</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P><P>Regards,</P><P>Cristiano.</P> Thu, 13 Feb 2020 15:26:11 GMT Digital 2020-02-13T15:26:11Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/261856#M74214 <P>Has anyone been able to configure their firewall so that users will be able to change thier password via the global protect app while using LDAP for authentication and NOT using Pre-Logon</P> Tue, 21 May 2019 20:25:03 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/261856#M74214 Victor.Newsom 2019-05-21T20:25:03Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/278490#M75641 <P>Hello Victor,</P><P>&nbsp;</P><P>This is supported in the newer versions of PANOS and GP, however there are some requirements that have to be met on the RADIUS server.</P><P>1. The firewall only supports changing expired passwords when utilizing RADIUS with PEAP-MSCHAP-V2 authentication.</P><P>2.&nbsp; The RADIUS server has to be registered in AD and have permissions in the RAS and IAS Servers group.</P><P>3.&nbsp; The RADIUS server must have a certificate configured from a CA that can be validated/trusted by the firewall with a client certificate profile.</P><P>4.&nbsp; &nbsp;The firewall has to be a RADIUS client configured on the RADIUS server and have the desired authentication policies in place.</P><P>&nbsp;</P><P>I have a lengthy guide for setting this up from scratch and utilizing Microsoft NPS.&nbsp; I will also warn you that in the event that the user tries to change their password to something that isn't in compliance with the AD Password policy, the message to the user is just a generic error, so its something to make people aware of that will be using the feature.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Brandon</P> Tue, 23 Jul 2019 20:02:19 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/278490#M75641 BrandonWright 2019-07-23T20:02:19Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311091#M80531 <P>Hello,</P><P>I have the same problem. Requirements you were talking about seem to be met.</P><P>When a user has a valid, non expired password everything works fine.&nbsp;</P><P>When using a user with an expired password, nothing is logged in event viewer in NPS server, authentication fails, and user is not prompted to change his password.</P><P>&nbsp;</P><P>Could you please share the guide you were talking before?</P><P>&nbsp;</P><P>Thanks in advance.</P><P>&nbsp;</P><P>Regards,</P><P>Cristiano.</P> Thu, 13 Feb 2020 15:26:11 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311091#M80531 Digital 2020-02-13T15:26:11Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311301#M80573 <P>Hello Cristiano,</P><P>&nbsp;</P><P><SPAN>See the document I've posted here -&gt;&nbsp;</SPAN><A href="https://drive.google.com/file/d/1_wjjrIILr2akt63ueUIK-xAq9zPwGqWw/view?usp=sharing" target="_blank" rel="noopener">https://drive.google.com/file/d/1_wjjrIILr2akt63ueUIK-xAq9zPwGqWw/view?usp=sharing</A></P><P>&nbsp;</P><P>Keep in mind that you should use a Windows PKI issued Certificate on the RADIUS server, but I wrote this up since I've run into customers in the past that may not have that infrastructure available.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Brandon</P> Fri, 14 Feb 2020 21:21:01 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311301#M80573 BrandonWright 2020-02-14T21:21:01Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311545#M80625 <P>Hi Brandon,</P><P>great doc.&nbsp;</P><P>I'll give it a try asap.</P><P>&nbsp;</P><P>Thanks again.</P><P>&nbsp;</P><P>Cristiano.</P> Mon, 17 Feb 2020 17:16:14 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311545#M80625 Digital 2020-02-17T17:16:14Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311897#M80691 <P>Hi Brandon,</P><P>I've tried your document, but I have two problems:</P><P>1) at connection request level, it always hit the default (99999) policy, but I think this should not be a problem: reading your document It seemed to me that your making a specific policy only to override authentication polcy for a more clear readbility, am I right?</P><P>2) This insted is more problematic: I see that network policy hit is correct, but then I see this error in security event id on nps server:</P><P>"unable to authenticate client. Eap type could not be processed by the server". Googling around I always hit into certificate problems, but I don't think this is my case. In fact first of all, this only happens when I have a user password expired or in change password at next logon. Second, if I take a look at certificate in properties of peap it shows the right certificate ( signed by PA-CA ), so I think certificate chain should be ok.</P><P>&nbsp;</P><P>Do you have any advices?</P><P>&nbsp;</P><P>Thanks in advance,</P><P>Regards,</P><P>Cristiano.</P><P>&nbsp;</P> Wed, 19 Feb 2020 11:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/311897#M80691 Digital 2020-02-19T11:33:03Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313176#M80891 <P>HI Brandon,&nbsp; this setup should work regardless what type of GP agents one uses, correct?&nbsp; we have users using ios GP agents.&nbsp; Thank you very much in advance for your response.</P> Wed, 26 Feb 2020 18:15:17 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313176#M80891 SabrinaChen 2020-02-26T18:15:17Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313192#M80895 <P>Hello Cristiano,</P><P>&nbsp;</P><P>Make sure that you have EAP type added for PEAP, on the connection policy:<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PEAP-CONNECTIONPROPERTIES.png" style="width: 725px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24120i7ADE7953954FC07A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="PEAP-CONNECTIONPROPERTIES.png" alt="PEAP-CONNECTIONPROPERTIES.png" /></span></P><P>&nbsp;</P><P>Also ensure you have a condition set for the connection request policy:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ConditionForConnectionRequestPolicy.png" style="width: 777px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24121i32C425242FAC8B76/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ConditionForConnectionRequestPolicy.png" alt="ConditionForConnectionRequestPolicy.png" /></span></P><P>&nbsp;</P><P>Also ensure that after you put the cert and key pair on the RADIUS server that you make sure that's being used by the RADIUS server, and that the profile is set to trust from that CA.&nbsp; It needs to be in the Machine store I believe:</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 26 Feb 2020 20:07:41 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313192#M80895 BrandonWright 2020-02-26T20:07:41Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313193#M80896 <P>Hello Cristiano,</P><P>&nbsp;</P><P>I believe it should work with any variant of the GP client since the RADIUS challenge response stuff is built into all of the clients.</P><P>&nbsp;</P><P>Thanks,</P><P>&nbsp;</P><P>Brandon</P> Wed, 26 Feb 2020 20:09:10 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/313193#M80896 BrandonWright 2020-02-26T20:09:10Z https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/336884#M84907 <P>Not supported on SAML?</P> Tue, 07 Jul 2020 16:55:46 GMT https://live.paloaltonetworks.com/t5/general-topics/password-reset-using-global-protect-app-without-prelogon/m-p/336884#M84907 Sec101 2020-07-07T16:55:46Z