- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
GVC and NetExtender Users are Unable to Change Expired LDAP/Active Directory Passwords
05/29/2020 
144 People found this article helpful
104,510 Views
Description
When an LDAP Global VPN Client (GVC) or Netextender (NX) User tries to connect with an expired password, GVC pops-up a window prompting the User to enter a new password. After entering a new password, the User is unable to authenticate with the new password or the User will be prompted to update their password again upon each login attempt.
Resolution
This issue is seen in LDAP or Active Directory configurations where the Server doesn't support MS-CHAPv2 or MS-CHAPv2 is not enabled on the SonicWall. Windows Server 2012 R2 and 2016 both support MS-CHAPv2, older versions of Microsoft Server should be updated to at least Server 2012 R2 if this functionality is required. For other Server Operating System solutions please refer to the manufacturer documentation for their support of MS-CHAPv2.
For deployments that cannot use MS-CHAPv2 over LDAP there is the option of running LDAP alongside RADIUS, with RADIUS being used for password updates only. That configuration is provided below as an optional resolution.
Enabling Users to reset their password over GVC/NX also requires that LDAP use TLS for secure communication. TLS functionality requires the use of a Trusted Certificate on the SonicWall, you can find more information about setting up TLS with LDAP in the following Knowledge Base Article: Configuring Active Directory/LDAP over TLS (Certificate).
Forcing the SonicWall to use MS-CHAPv2 for LDAP Queries
1. On the SonicWall GUI go to User | Settings | Configure RADIUS.
2. On the RADIUS Configuration pop-up window make sure you're on General Settings Tab and check the box for "Force MS-CHAPv2 mode".
Using RADIUS or LDAP + RADIUS for MS-CHAPv2
If RADIUS is configured, or LDAP is configured alongside RADIUS under User|Settings, the option "Use RADIUS in MS-CHAP / MS-CHAPv2 mode for XAUTH" can be selected under the VPN|Advanced page. In such a configuration, password updates for GVC/NX Users will be done via RADIUS in MS-CHAP or MS-CHAPv2 mode while using LDAP to authenticate the user.
For more information on configuring RADIUS with the SonicWall please reference How to Setup RADIUS Authentication on the SonicWall.
The option "Use RADIUS in MSCHAP/MSCHAPv2 mode" is located on VPN | Advanced and is only available when a RADIUS server has been configured on the Users | Settings page.
Related Articles
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO