Password Reset using Global Protect App without PreLogon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Password Reset using Global Protect App without PreLogon

L2 Linker

Has anyone been able to configure their firewall so that users will be able to change thier password via the global protect app while using LDAP for authentication and NOT using Pre-Logon

9 REPLIES 9

L2 Linker

Hello Victor,

 

This is supported in the newer versions of PANOS and GP, however there are some requirements that have to be met on the RADIUS server.

1. The firewall only supports changing expired passwords when utilizing RADIUS with PEAP-MSCHAP-V2 authentication.

2.  The RADIUS server has to be registered in AD and have permissions in the RAS and IAS Servers group.

3.  The RADIUS server must have a certificate configured from a CA that can be validated/trusted by the firewall with a client certificate profile.

4.   The firewall has to be a RADIUS client configured on the RADIUS server and have the desired authentication policies in place.

 

I have a lengthy guide for setting this up from scratch and utilizing Microsoft NPS.  I will also warn you that in the event that the user tries to change their password to something that isn't in compliance with the AD Password policy, the message to the user is just a generic error, so its something to make people aware of that will be using the feature.

 

Thanks,

 

Brandon

Hello,

I have the same problem. Requirements you were talking about seem to be met.

When a user has a valid, non expired password everything works fine. 

When using a user with an expired password, nothing is logged in event viewer in NPS server, authentication fails, and user is not prompted to change his password.

 

Could you please share the guide you were talking before?

 

Thanks in advance.

 

Regards,

Cristiano.

Hello Cristiano,

 

See the document I've posted here -> https://drive.google.com/file/d/1_wjjrIILr2akt63ueUIK-xAq9zPwGqWw/view?usp=sharing

 

Keep in mind that you should use a Windows PKI issued Certificate on the RADIUS server, but I wrote this up since I've run into customers in the past that may not have that infrastructure available.

 

Thanks,

 

Brandon

Hi Brandon,

great doc. 

I'll give it a try asap.

 

Thanks again.

 

Cristiano.

Hi Brandon,

I've tried your document, but I have two problems:

1) at connection request level, it always hit the default (99999) policy, but I think this should not be a problem: reading your document It seemed to me that your making a specific policy only to override authentication polcy for a more clear readbility, am I right?

2) This insted is more problematic: I see that network policy hit is correct, but then I see this error in security event id on nps server:

"unable to authenticate client. Eap type could not be processed by the server". Googling around I always hit into certificate problems, but I don't think this is my case. In fact first of all, this only happens when I have a user password expired or in change password at next logon. Second, if I take a look at certificate in properties of peap it shows the right certificate ( signed by PA-CA ), so I think certificate chain should be ok.

 

Do you have any advices?

 

Thanks in advance,

Regards,

Cristiano.

 

HI Brandon,  this setup should work regardless what type of GP agents one uses, correct?  we have users using ios GP agents.  Thank you very much in advance for your response.

Hello Cristiano,

 

Make sure that you have EAP type added for PEAP, on the connection policy:PEAP-CONNECTIONPROPERTIES.png

 

Also ensure you have a condition set for the connection request policy:

 

ConditionForConnectionRequestPolicy.png

 

Also ensure that after you put the cert and key pair on the RADIUS server that you make sure that's being used by the RADIUS server, and that the profile is set to trust from that CA.  It needs to be in the Machine store I believe:

 

 

 

 

Hello Cristiano,

 

I believe it should work with any variant of the GP client since the RADIUS challenge response stuff is built into all of the clients.

 

Thanks,

 

Brandon

Not supported on SAML?

  • 13842 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!