01-31-2017 12:43 PM
Hello,
Is there a way to force a local user to change their password at the first login in the GlobalProtect client?
Today I create their respective username and password, but some users have complained that I know their local password and they want a way to change it.
Has someone already implemented something to make it easier to change a user's password without having to intervene? That way I would only need to give out the password once, and after the first login through the GlobalProtect client the user could somehow change his password.
02-01-2017 07:00 AM
I don't believe that this is an option as is. If this isn't already a feature request I would be kind of surprised; add your vote to the request through your SE or have him put a request in for it.
This could potentially be done through the XML-API. You could create a PowerShell script with the respective variables for the user account and a password field that the user is prompted for when they run the script. The upside to this is they can change the password by themselves and just let you know that they have changed it so you can schedule a commit. The downside is that, even with admin roles, the API would need to run with a user given permission to alter the configuration, so you have to trust your users enough not to monkey with the script for any reason.
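The script sketched in the reply above, written out as an added example; it is not code from this thread or from Palo Alto Networks. It assumes the firewall's XML API is reachable over HTTPS at `https://$Firewall/api/`, that `$ApiKey` belongs to an admin role limited to editing the local user database, that local users live under the shared `local-user-database` xpath shown and keep their password in a `<phash>` element, and that the op command `request password-hash` returns the hash to store. Verify each of those against your own PAN-OS version before relying on it.

```powershell
<#
Added example, not code from this thread or from Palo Alto Networks.
Self-service password change for a PAN-OS local user via the XML API.
Assumptions (verify against your PAN-OS version before use):
  - The firewall answers at https://$Firewall/api/ with a certificate your clients trust.
  - $ApiKey was generated for an admin role limited to editing the local user database.
  - Local users live at the shared local-user-database xpath used below and
    store their password in a <phash> element.
  - The op command 'request password-hash password <pw>' returns the hash to store.
The script only stages the change in the candidate config; an admin still commits it.
#>
param(
    [Parameter(Mandatory)][string]$Firewall,
    [Parameter(Mandatory)][string]$Username,
    [Parameter(Mandatory)][string]$ApiKey
)

$ErrorActionPreference = 'Stop'

# Only allow characters that cannot break out of the xpath quoting below.
if ($Username -notmatch '^[\w.@\-]+$') { throw 'Unexpected characters in username.' }

# Prompt without echo, and require a matching confirmation.
$first  = Read-Host -Prompt 'New password' -AsSecureString
$second = Read-Host -Prompt 'Confirm new password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $first).Password
if ($plain -ne [System.Net.NetworkCredential]::new('', $second).Password) {
    throw 'Passwords do not match.'
}
if ($plain.Length -lt 12) { throw 'Use at least 12 characters.' }

$api = "https://$Firewall/api/"

function Invoke-PanApi {
    param([hashtable]$Body)
    # POST keeps the key and password out of URLs, and therefore out of proxy and web-server logs.
    $resp = Invoke-RestMethod -Method Post -Uri $api -Body $Body
    if ($resp.response.status -ne 'success') {
        throw "PAN-OS API call failed: $($resp.response.OuterXml)"
    }
    return $resp
}

# 1. Let the firewall hash the password so the cleartext is never written into the config.
$escaped  = [System.Security.SecurityElement]::Escape($plain)
$hashResp = Invoke-PanApi @{
    type = 'op'
    cmd  = "<request><password-hash><password>$escaped</password></password-hash></request>"
    key  = $ApiKey
}
$hash = $hashResp.response.result

# 2. Store the hash on the user's entry in the candidate configuration (assumed xpath).
$xpath = "/config/shared/local-user-database/user/entry[@name='$Username']"
Invoke-PanApi @{
    type    = 'config'
    action  = 'set'
    xpath   = $xpath
    element = "<phash>$([System.Security.SecurityElement]::Escape($hash))</phash>"
    key     = $ApiKey
} | Out-Null

# Drop the cleartext copies as soon as they are no longer needed.
Remove-Variable plain, escaped

Write-Host "Password for '$Username' staged. Ask your administrator to commit the change."
```

Run it as `.\Set-GpLocalPassword.ps1 -Firewall fw.example.com -Username alice -ApiKey <key>` (placeholder values). The key is the weak point the reply mentions: whoever can read the script or its key can change any local user's password, so scope the key to a role that can touch nothing but the local user database, and watch the firewall's configuration log for `set` operations on that xpath from anything other than the expected script user.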
02-02-2017 11:58 AM
Not at the top of my head, but you can rely on third-party authentication like RADIUS, LDAP or Kerberos so the users can change their passwords on those systems, or use the same password as on their domain computers (which you don't know).
regards,
Gerardo.
02-05-2017 10:48 PM - edited 02-05-2017 10:52 PM
Using external LDAP/RADIUS will not solve the problem. The simplest example is when a user is outside of work for a longer period and has no possibility to update an expired password onsite, but has to use the VPN.
It would be nice to have at least a password change/expired password change possibility if using LDAP/Active Directory with GlobalProtect (without workarounds like cookies, additional cert logon, etc.).
10-03-2018 09:22 AM
This is a security issue and needs higher priority from Palo Alto. How am I to deliver credentials to a user safely if that user isn't forced to change her password upon first login? Every other firewall brand has this feature. Are you telling me I have to fly from LA to Chicago to hand-deliver the password? How am I supposed to dispense credentials safely?
10-03-2018 09:46 AM
Hello,
I'm sure there are ways to convey a password without having to hop onto a plane. I would think a phone call or text message may work?
Cheers!
10-03-2018 12:01 PM
Fair enough, I was being a bit hyperbolic. But text message is out of the question because it relies on the end user to delete it. Otherwise, if the device is compromised, it has the VPN client and password on the same device. Dictating a complex password can also be tough, especially when you are rolling out VPN access to dozens of people. Also, best practice is to renew passwords on a periodic basis. GlobalProtect simply doesn't have the capabilities to maintain best practice. I guess we will have to rely on MFA for every type of user.
10-04-2018 09:01 AM
Hello,
I completely understand, and from what I can tell it would be a nice feature. Talk to your SE and see if there is already a feature request for it. However, you could use a different RADIUS server for those users and have it perform the password change?
Cheers!
10-04-2018 10:22 AM
I'm open to workarounds. How would this work in practice? Tell people to first log in to a public-facing web server and change their password before logging into GlobalProtect for the first time? In this scenario, what would happen if users skipped the first step and just logged into GlobalProtect with the initial password? Would GlobalProtect deny access?
10-05-2018 06:33 AM
Hello,
From my experience, the password change option gets passed from the RADIUS server to the PAN, then GP prompts the end user, kind of like when Windows on a domain asks you to change your password. I have seen this work with multi-factor authentication where the user is asked to either create/change a PIN for their token and/or change their password on first logon.
Hope that helps.
10-08-2018 05:41 PM
Otakar,
Thanks, that is exactly the solution I was looking for. Our SE also confirmed this is now supported and provided the following link:
Thanks for all of your help!