Changing Expired passwords with SonicWall UTM for SSLVPN
How to enable users to change expired Passwords on SonicWall UTM Appliances using SSLVPN.
- This document is created based on 6.5 firmware but the procedures are the same with previous versions of SonicOS.
- To enable password changes the SonicWall and the Server need to use MSCHAPv2.
- It is recommended to use LDAPS 636 for the communication between the SonicWall and the AD Server(s).
- Check also if any other Application is using the default RADIUS ports on the server by doing a netstat -ab from the command prompt, if UDP 1812 and 1813 are already listed you will need to change on the NPS Radius Client Advanced settings and the SonicWall RADIUS Settings.
- This document presumes you have already set up the LDAP(S) connection between the SonicWall and the Server. If not refer to this document on the link below first
- https://www.sonicwall.com/en-us/support/knowledge-base/170707170351983
Setting up the Server(s)
1. We will need to Install NPS if not already installed, to do this go to Server Manager, select Add Roles and Features and Select Network Policy and Access Services, continue with the Wizard only selecting Network Policy And Access Services.
2. Run the NPS by going to either Server Manager / Tools / Network Policy Server or by selecting from the Start Menu / Windows Administrative Tools / Network Policy Server.
3. To start we set up the Radius Client, in our case the connecting IP address which will be the SonicWall LAN IP, right click on RADIUS Clients and select new, give it a name, enter your required IP and a Shared Secret of your choice.
4. Once loaded we need to create the Connection Policy and the Network Policy, right click on the Connection Policies in the Policies section and select New.
5. Give the Connection Policy a name.
6. Specify the conditions to connect, in this case we chose the NAS IPv4 Address and enter the IP address of the SonicWall LAN IP which is on the same subnet as the server.
7. Leave the Authentication settings and Methods as Default.
8. You don’t need to add any Attributes just select next and finish.
9. Next, we need to set up the Network Policy like the previous one right click and select New.
10. This time under the condition we select User Groups.
11. We choose the group which has all our SSL VPN users in.
12. Select Access Granted and select the Authentication Methods as below MSCHAP and MSCHAPv2.
13. On configure Constraints and Configure Settings leave as default.
14. Next Check the Settings are correct and the Finish.
15. We need to register NPS in Active Directory, Select Action from the top menu and then Register server in Active Directory.
16. Next, we need to disable the Default Policy Profiles, it is the same procedure for the Connection and the both the default Network Policies, right click on the policies and select Disable.
17. Once you have configured everything, I would recommend restarting the NPS Service after any changes, you can do this by right clicking on the main NPS icon and selecting Stop NPS Service, wait a few seconds for it to refresh then select Start NPS Service.
18. That’s the Server side set up, you can repeat on a backup server if needed.
Setting up the SonicWall
1. To Set up the SonicWall to enable Password changes we first need to go (in Classic Navigation Mode) Users / Settings / Authentication and Select Configure RADIUS, then ADD, enter your Servers IP address and the Shared Secret chosen to match the one entered on the NPS RADIUS Client.
2. Next select RADIUS Users and set to Use LDAP to Retrieve User Names, to test go to Test and check the connectivity and authentication, if you have any errors check the Firewall on the Server and the User is in the relevant Group under the Local User and Groups / Local Groups / SSL VPN Services / Members.
3. The last thing you need to do is under the SSL VPN Server settings is to change the RADIUS User Settings to use RADIUS with MSCHAPv2 this is in case you already have users connected to the SSL VPN it may force them to reconnect.
4. Now that all the settings are in and working, we can now check the Changing of expired Passwords will work.
5. First check that you can connect and authenticate as expected using SonicWall Netextender or mobile connect.
6. Now go in to AD Users and Computers and set the Users password to expire on next logon like below
7. When you login again with Netextender with your password you will be prompted with the Change Password popup
8. You should now be connected, if you have any issues connecting, the best place to look is on the Server on the Event Viewer under Server Roles / Network and Access Policies, it could be to do with your Domain Password polices especially if you are trying to use a previously used password.
Copyright NetThreat Ltd
By Preston Keel