Local User Database :: Password Change :: VPN Global Protect Client

L0 Member

Hello,

Is there a way to force the local user to change their password at the first login in the Global Protect Client?

Today I create their respective username and password, but some users have been complaining that I know their local password and they want a way to change it.

Has someone already had to implement something to make it easier to change a user's password without my having to intervene? I only need to pass the password once, and after the first login through the Global Protect Client the user could somehow change his password.

Cyber Elite

I don't believe that this is an option as is. If this isn't already a feature request I would be kind of surprised; add your vote to the request through your SE or have him put a request in for it.

This could potentially be done through the XML-API. You could create a PowerShell script with the respective variables for the user account and a password field that the user is prompted for when they run the script. The upside to this is they can change the password by themselves and just let you know that they have changed it so you can schedule a commit. The downside is that, even with admin roles, since the API would need to run with a user given permission to alter the configuration, you have to trust your users enough not to monkey with the script for any reason.
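One way the script described in this reply could look, as an added example that is not code from the thread or from Palo Alto Networks. The firewall hostname, the API key, the `request password-hash` op command, the shape of its result, and the local-user-database xpath are assumptions to be checked against the PAN-OS version in use; the embedded API key is exactly the trust problem the reply points out, so it should belong to a dedicated admin role with only the rights this script needs.

```powershell
# Added example (not from the thread): self-service local-user password change via the PAN-OS XML API.
# Assumptions: hostname, API key and xpath are placeholders; the password-hash op command and the
# <phash> element are assumed to exist as used here on the PAN-OS version in question.
$Firewall = 'firewall.example.com'          # placeholder
$ApiKey   = 'REPLACE_WITH_API_KEY'          # key of a dedicated, least-privilege admin role (see note above)

$Username = Read-Host 'GlobalProtect username'
$Secure   = Read-Host 'New password' -AsSecureString
$Confirm  = Read-Host 'Confirm new password' -AsSecureString

# Convert a SecureString to plain text only for the duration of the API calls.
function ConvertFrom-Secure([securestring]$s) {
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($s)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }
}
$Plain = ConvertFrom-Secure $Secure
if ($Plain -ne (ConvertFrom-Secure $Confirm)) { throw 'Passwords do not match.' }
if ($Plain.Length -lt 12) { throw 'Password must be at least 12 characters.' }

$ApiUrl = "https://$Firewall/api/"

# 1. Ask the firewall to hash the password (op command) so that only a hash is written to the config.
$escaped = [System.Security.SecurityElement]::Escape($Plain)
$cmd     = "<request><password-hash><password>$escaped</password></password-hash></request>"
$resp    = Invoke-RestMethod -Uri $ApiUrl -Method Post -Body @{ type = 'op'; cmd = $cmd; key = $ApiKey }
if ($resp.response.status -ne 'success') { throw "Hash request failed: $($resp.OuterXml)" }
$Hash = "$($resp.response.result)".Trim()   # assumption: the hash is returned as the text of <result>

# 2. Write the hash into the user's local-user-database entry. This changes the candidate config only;
#    the administrator schedules the commit, as described in the reply.
$xpath = "/config/shared/local-user-database/user/entry[@name='$Username']"
$set   = Invoke-RestMethod -Uri $ApiUrl -Method Post -Body @{
    type = 'config'; action = 'set'; xpath = $xpath; element = "<phash>$Hash</phash>"; key = $ApiKey }
if ($set.response.status -ne 'success') { throw "Config update failed: $($set.OuterXml)" }

$Plain = $null
Write-Host "Password staged for $Username. Ask your administrator to commit the change."
```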

L4 Transporter

Not at the top of my head, but you can rely on third-party authentication like RADIUS, LDAP or Kerberos so the users can change their passwords on those systems, or use the same password as on their domain computers (which you don't know).

https://www.paloaltonetworks.com/documentation/62/globalprotect/globalprotect-admin-guide/set-up-the...

regards,

Gerardo.

L1 Bithead

Using external LDAP/RADIUS will not solve the problem. The simplest example is when a user is outside of work for a longer period and has no possibility to update an expired password onsite but has to use the VPN.
It would be nice to have at least a password change/expired password change possibility when using LDAP/Active Directory with Global Protect (without workarounds like cookies, additional cert logon etc.).

L1 Bithead

This is a security issue and needs higher priority by Palo Alto. How am I to deliver credentials to a user safely if that user isn't forced to change her password upon first login? Every other firewall brand has this feature. Are you telling me I have to fly from LA to Chicago to hand deliver the password? How am I supposed to dispense credentials safely?

Cyber Elite

Hello,

I'm sure there are ways to convey a password without having to hop onto a plane. I would think a phone call or text message may work?

Cheers!

L1 Bithead

Fair enough, I was being a bit hyperbolic. But text message is out of the question because it relies on the end user to delete it. Otherwise, if the device is compromised, it has the VPN client and password on the same device. Dictating a complex password can also be tough, especially when you are rolling out VPN access to dozens of people. Also, best practice is to renew passwords on a periodic basis. GlobalProtect simply doesn't have the capabilities to maintain best practice. I guess we will have to rely on MFA for every type of user.

Cyber Elite

Hello,

I completely understand, and from what I can tell it would be a nice feature. Talk to your SE and see if there is already a feature request for it. However, you could use a different RADIUS server for those users and have it perform the password change?

Cheers!

L1 Bithead

I'm open to workarounds. How would this work in practice? Tell people to first log in to a public-facing web server and change their password before logging into GlobalProtect for the first time? In this scenario, what would happen if users skipped the first step and just logged into GlobalProtect with the initial password? Would GlobalProtect deny access?

Cyber Elite

Hello,

From my experience, the password change option gets passed from the RADIUS server to the PAN, then GP prompts the end user, kind of like when Windows on a domain asks you to change your password. I have seen this work with multi-factor authentication where the user is asked to either create/change a PIN for their token and/or change their password on first logon.

Hope that helps.
