Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Local User Database :: Password Change :: VPN Global Protect Client

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Local User Database :: Password Change :: VPN Global Protect Client

L0 Member

Hello,

 

Is the a way to force the Local User change your password at the first login in the Global Protect Client?

 

Today I create your respective username and password but some users have been complain that I know your local respective password and they want a way to change.

 

Someone already had to implement something to make it easier to change that user's password without having to interfere, so I only need to pass the password once and after the first login through the global protect client he could somehow change his password.

10 REPLIES 10

Cyber Elite
Cyber Elite

I don't believe that this is an option as is. If this isn't already a feature request I would be kind of suprised, add your vote to the request through your SE or have him put a request in for it. 

 

This could potentially be done through the XML-API. You could create a powershell script with the respective variables for the user account and a password field that the user is prompted for when they run the script. The upside to this is they can change the password by themselves and just let you know that they have change it so you can schedule a commit, the downside is even with admin roles since the API would need to run with a user given permission to alter the configuration you have to trust your users enough not to monkey with the script for any reason. 

L4 Transporter

not at the top of my head but you can rely on third party authentication like radius, LDAP or kerberos so the users can change their passwords on those systems or use the same password as in their domain computers (which you don't know)

 

https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the...

 

regards,

Gerardo.

Using external LDAP/RADIUS will not solve problem. Simplest example is when a user is outside of work for a longer period and have no possibility to update expired password onsite but have to use VPN.
It would be nice to have at last password change/expired password change possibility if using LDAP/Active Directory with Global Protect (without workarounds like cookies, additional cert logon etc.).

This is a security issue and needs higher priority by Palo Alto.  How am I to deliver credentials to a user safely if that user isn't forced to change her password upon first login?  Every other firewall brand has this feature.  Are you telling me I have to fly from LA to Chicago to hand deliver the password?  How am I supposed to dispense credentials safely?

Hello,

I'm sure there are ways to convey a password without having to hop onto a plane. I would think a phone call or text message may work?

 

Cheers!

Fair enough, I was being a bit hyperbolic.  But, text message is out of the question because it relies on the end user to delete it.  Otherwise if the device is compromised, it has the vpn client and password on the same device.  Dictating a complex password can also be tough, especially when you are rolling out VPN access to dozens of people.  Also, best practice is to renew passwords on a periodic basis.  GlobalProtect simply doesn't have the capabilites to maintain best practice.  I guess we will have to rely on MFA for every type of user. 

Hello,

I completly understand and from what I can tell it would be a nice feature. Talk to your SE and see if there is already a feature request for it. However you could use a different RADIUS server for those users and have it perform the password change?

 

Cheers!

I'm open to workarounds.  How would this work in practice?  Tell people to first login to a public facing web server and change their password before logging into globalprotect for the first time?  In this scenario, what would happen if users skipped the first step and just logged into globalprotect with the initial passoword?  Would globalprotect deny access?

Hello,

From my experience, the password change option gets passed from the RADIUS server to the PAN then GP prompts the end user. Kind of like when windows on a domain asks you to change your password. I have seen this work with multi factor authentication where the user is asked to either create/change a pin for their token and/or change their password on first logon.

 

Hope that helps.

Otakar, 

 

Thanks, that is exactly the solution I was looking for.  Our SE also confirmed this is now supported and provided the following link:

 

https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-f...

 

Thanks for all of your help!

  • 12092 Views
  • 10 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!