VPN SSL - AD authentication users with expired password

We have a large client with up to 500 users and now, approximately 200 working remotely from house.

They use Mobile VPN SSL and logon with they AD user/password credentials because we enabled this authentication on Firebox.
We are having some issues with users with password expired. For security, users password expire after 90 days and the user needs to change it, this is mandatory.
If the password expire, VPN SSL fails to connect because obviously AD is not accepting the password and is requiring to change it, but VPN SSL client doesn't allow it because it's unable to interact with AD. Just authenticate.

I know that VPNSSL works with OpenVPN Servers and this is not allowed too.... because the Access Server module "only can read" AD information but not set/allow changes.... but others brands like SonicWall or Fortinet allow to change the password and I know that MSCHAPv2 allows it.

I just want to know if WatchGuard have this on the Roadmap and will launch a solution/improvement or it will never implemented due to OpenVPN server limitation.



  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @ILIMIT
    You're correct that the current AD implementation doesn't allow this. There is a feature request, FBX-3898, to allow this via RADIUS and the SSLVPN.

    While this is on our roadmap, I don't have a tentative release schedule for this feature. If you'd like to follow it and receive updates, I'd suggest opening a case with support and mention FBX-3898 -- they can set your case to track that for you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Hello James, Today I received an update through case opened as you said.
    The defect/enhancement you reported is: RFE91178

    The current status is:
    BUG/RFE is open and awaiting Engineering review

    What does it mean? That is developed and will reach Beta soon?

  • "BUG/RFE is open and awaiting Engineering review" means they know about it and have it on their road map. It could be months away, or over a year.

    Gregg Hill

  • If you want to get things implemented more quickly, sometimes it helps to be a beta tester.


    Gregg Hill

  • Or many years...

  • If anything, for now I'd invest in an MFA product like AuthPoint or DUO. Then you can MFA the VPN off and the passwords don't need to expire.

    This is technically more secure any way as currently all someone needs to do is know your vpn URL and someones user/password and they are in.

    When I last talked to them the risk of allowing this would be the secure risk of giving the firewall that much power to control your AD info...

  • Yep. I have been doing more things with AuthPoint. When it first came out I struggled with getting anything to work, but these days it seems to work very well and the WatchGuard integration guides are very useful. I already have one customer on board with AuthPoint and the others are starting to get interested in the solution.

    Adrian from Australia

Sign In to comment.