Changing Expired passwords with SonicWall UTM for SSLVPN

28/05/19 14:49:00

How to enable users to change expired passwords on SonicWall UTM appliances using SSLVPN.

  •  This document is based on SonicOS 6.5 firmware, but the procedure is the same on previous versions of SonicOS.
  •  To enable password changes, both the SonicWall and the server must use MSCHAPv2.
  •  It is recommended to use LDAPS (TCP 636) for the communication between the SonicWall and the AD server(s).
  •  Check whether any other application is already using the default RADIUS ports on the server by running netstat -ab from the command prompt. If UDP 1812 and 1813 are already listed, you will need to change the ports in the NPS RADIUS Client Advanced settings and in the SonicWall RADIUS settings.
  •  This document presumes you have already set up the LDAP(S) connection between the SonicWall and the server. If not, refer to the document at the link below first:
  •  https://www.sonicwall.com/en-us/support/knowledge-base/170707170351983

Setting up the Server(s)

1. Install NPS if it is not already installed: in Server Manager, select Add Roles and Features, select Network Policy and Access Services, and continue through the wizard selecting only Network Policy and Access Services.

2. Run NPS from either Server Manager / Tools / Network Policy Server or Start Menu / Windows Administrative Tools / Network Policy Server.

3. To start, set up the RADIUS client, in our case the connecting IP address, which will be the SonicWall LAN IP. Right-click RADIUS Clients and select New, give it a name, enter the required IP address and a shared secret of your choice.

SSL VPN Password Change 1

4. Once loaded, we need to create the Connection Policy and the Network Policy. Right-click Connection Policies in the Policies section and select New.

SSL VPN Password Change 2

5. Give the Connection Policy a name.

SSL VPN Password Change 3

6. Specify the conditions to connect. In this case we chose NAS IPv4 Address and entered the SonicWall LAN IP address, which is on the same subnet as the server.

SSL VPN Password Change 4

7. Leave the Authentication settings and methods at their defaults.

SSL VPN Password Change 5

8. You don't need to add any attributes; just select Next and then Finish.

SSL VPN Password Change 6

9. Next, set up the Network Policy: as with the previous one, right-click and select New.

SSL VPN Password Change 7

10. This time, under Conditions, select User Groups.

SSL VPN Password Change 8

11. Choose the group that contains all of your SSL VPN users.

SSL VPN Password Change 9

12. Select Access Granted and select the authentication methods as shown below: MSCHAP and MSCHAPv2.

SSL VPN Password Change 10

13. On Configure Constraints and Configure Settings, leave the defaults.

SSL VPN Password Change 10

14. Next, check that the settings are correct and then Finish.

SSL VPN Password Change 11

15. We need to register NPS in Active Directory: select Action from the top menu and then Register server in Active Directory.

SSL VPN Password Change 12

16. Next, disable the default policies. The procedure is the same for the default Connection Policy and both default Network Policies: right-click the policy and select Disable.

SSL VPN Password Change 13

17. Once you have configured everything (and I would recommend this after any later changes too), restart the NPS service: right-click the main NPS icon and select Stop NPS Service, wait a few seconds for it to refresh, then select Start NPS Service.

SSL VPN Password Change 14

18. That's the server side set up; you can repeat it on a backup server if needed.
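The server-side steps that have a supported command-line equivalent (installing the role, adding the RADIUS client, registering NPS in Active Directory, restarting the service, and carrying the configuration over to a backup server) can be scripted. The following PowerShell is an added example and is not part of the original article or a NetThreat or SonicWall script; the SonicWall IP address, client name and export path are placeholders, and the connection and network policies themselves (steps 4 to 14 and 16) still have to be created in the NPS console as described above.

```powershell
# Added example (not from the original article): scripts the NPS-side steps that have
# a command-line equivalent. Run in an elevated PowerShell session on the NPS server.
# IP address, client name and export path are placeholders; replace with your values.

# Step 1: install the Network Policy and Access Services role and its console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 3: add the SonicWall LAN IP as a RADIUS client. The shared secret must match the
# one entered later on the SonicWall under Users / Settings / Authentication.
$SonicWallLanIp = '192.168.1.1'    # placeholder: your SonicWall LAN IP
$SecureSecret   = Read-Host -Prompt 'RADIUS shared secret' -AsSecureString
$PlainSecret    = [System.Net.NetworkCredential]::new('', $SecureSecret).Password

if (-not (Get-NpsRadiusClient | Where-Object Address -eq $SonicWallLanIp)) {
    New-NpsRadiusClient -Name 'SonicWall-SSLVPN' -Address $SonicWallLanIp -SharedSecret $PlainSecret
}

# Step 15: register NPS in Active Directory so it can read the users' dial-in
# properties. This needs Domain Admin rights (same as the console's Action menu item).
netsh ras add registeredserver

# Steps 4-14 and 16 (Connection Policy, Network Policy with MSCHAP/MSCHAPv2, disabling
# the default policies) have no dedicated cmdlet; create them in the NPS console. Once
# done, export the whole configuration so the backup server (step 18) can load it with
# Import-NpsConfiguration. The export contains the RADIUS shared secrets in clear text,
# so keep the file somewhere restricted and delete it after the import.
Export-NpsConfiguration -Path "$env:USERPROFILE\Desktop\nps-sslvpn.xml"

# Step 17: restart the NPS service (Windows service name IAS) so every change is live.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status

# Confirm the RADIUS client is registered.
Get-NpsRadiusClient | Select-Object Name, Address
```

On the backup server, run the same script through the role installation and registration, then `Import-NpsConfiguration -Path <file>` instead of recreating the policies by hand; the imported RADIUS client keeps the same shared secret, so the SonicWall only needs the backup server's IP added as a second RADIUS server.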

 

 

Setting up the SonicWall

1. To set up the SonicWall to enable password changes, first go (in Classic Navigation Mode) to Users / Settings / Authentication, select Configure RADIUS, then Add, and enter your server's IP address and the shared secret chosen to match the one entered on the NPS RADIUS client.

SSL VPN Password Change 15

2. Next select RADIUS Users and set it to Use LDAP to Retrieve User Names. To test, go to Test and check connectivity and authentication. If you get any errors, check the firewall on the server and that the user is in the relevant group under Local Users and Groups / Local Groups / SSL VPN Services / Members.

SSL VPN Password Change 16

3. The last thing to do is, under the SSL VPN Server Settings, change the RADIUS User Settings to use RADIUS with MSCHAPv2. Be aware that if you already have users connected to the SSL VPN, this may force them to reconnect.

SSL VPN Password Change 17

4. Now that all the settings are in and working, we can check that changing expired passwords works.

5. First check that you can connect and authenticate as expected using SonicWall NetExtender or Mobile Connect.

6. Now go into AD Users and Computers and set the user's password to expire at next logon, as below.

SSL VPN Password Change 18

7. When you log in again with NetExtender using your password, you will be prompted with the Change Password popup.

SSL VPN Password Change 19

8. You should now be connected. If you have any issues connecting, the best place to look is on the server in Event Viewer under Server Roles / Network and Access Policies. The problem could be to do with your domain password policies, especially if you are trying to reuse a previously used password.
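The two checks this article relies on, the netstat -ab port check and LDAPS reachability from the prerequisites list and the Event Viewer check in the step above, can be done from one PowerShell session on the NPS server. The following is an added example, not part of the original article or a NetThreat or SonicWall script; the SonicWall IP and the domain controller name are placeholders. The Event Viewer view the article refers to is built from Security log events 6272 (access granted) and 6273 (access denied), so the script reads those directly and prints the NPS reason text for denials, which is where an expired password or a rejected reused password shows up.

```powershell
# Added example (not from the original article): NPS-side troubleshooting checks.
# Run in an elevated PowerShell session on the NPS server. Placeholders below.

$SonicWallLanIp   = '192.168.1.1'        # placeholder: SonicWall LAN IP (the RADIUS client)
$DomainController = 'dc01.corp.example'  # placeholder: DC the SonicWall/NPS reaches over LDAPS

# Prerequisite: who owns the default RADIUS ports UDP 1812/1813? (equivalent to netstat -ab)
# If the owning process is not the NPS service (iassvcs under svchost), another application
# has the ports and they must be changed on both NPS and the SonicWall.
foreach ($port in 1812, 1813) {
    $endpoints = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $endpoints) { "UDP $port : nothing listening (is the NPS service running?)"; continue }
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        "UDP $port : owned by PID $($ep.OwningProcess) ($($proc.ProcessName))"
    }
}

# Prerequisite: LDAPS (TCP 636) reachable on the domain controller from this host.
Test-NetConnection -ComputerName $DomainController -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Step 8: NPS writes 6272 (granted) / 6273 (denied) to the Security log; that is what the
# "Network Policy and Access Services" view in Event Viewer shows. Auditing for these must
# be on, which you can confirm with:
#   auditpol /get /subcategory:"Network Policy Server"
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

foreach ($ev in $events) {
    $msg = $ev.Message
    # Keep only requests that came from the SonicWall (its IP appears in the Client section).
    if ($msg -notmatch [regex]::Escape($SonicWallLanIp)) { continue }
    $user   = if ($msg -match 'Account Name:\s+(\S+)')   { $Matches[1] } else { '?' }
    $code   = if ($msg -match 'Reason Code:\s+(\d+)')    { $Matches[1] } else { '' }
    $reason = if ($msg -match 'Reason:\s+([^\r\n]+)')    { $Matches[1].Trim() } else { '' }
    $result = if ($ev.Id -eq 6272) { 'GRANTED' } else { "DENIED (reason code $code : $reason)" }
    '{0:u}  {1,-20} {2}' -f $ev.TimeCreated, $user, $result
}
```

A denial whose reason text points at the password or the domain policy (rather than at the shared secret or a policy mismatch) means RADIUS and MSCHAPv2 are working and the account itself is what needs attention, which is the case the article describes for a reused password; a mismatch on the shared secret or a request that matches no policy shows up here before it shows up on the SonicWall's Test page.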

 

 

SSL VPN Password Change 20

Copyright NetThreat Ltd

By Preston Keel