GVC and NetExtender Users are Unable to Change Expired LDAP/Active Directory Passwords
05/29/2020
When an LDAP Global VPN Client (GVC) or NetExtender (NX) User tries to connect with an expired password, GVC pops up a window prompting the User to enter a new password. After entering a new password, the User is unable to authenticate with the new password, or the User is prompted to update their password again upon each login attempt.
This issue is seen in LDAP or Active Directory configurations where the Server doesn't support MS-CHAPv2 or MS-CHAPv2 is not enabled on the SonicWall. Windows Server 2012 R2 and 2016 both support MS-CHAPv2; older versions of Microsoft Server should be updated to at least Server 2012 R2 if this functionality is required. For other Server Operating System solutions, please refer to the manufacturer documentation for their support of MS-CHAPv2.
For deployments that cannot use MS-CHAPv2 over LDAP there is the option of running LDAP alongside RADIUS, with RADIUS being used for password updates only. That configuration is provided below as an optional resolution.
Enabling Users to reset their password over GVC/NX also requires that LDAP use TLS for secure communication. TLS functionality requires the use of a Trusted Certificate on the SonicWall. You can find more information about setting up TLS with LDAP in the following Knowledge Base Article: Configuring Active Directory/LDAP over TLS (Certificate).
Forcing the SonicWall to use MS-CHAPv2 for LDAP Queries
1. On the SonicWall GUI go to Users | Settings | Configure RADIUS.
2. On the RADIUS Configuration pop-up window, make sure you're on the General Settings tab and check the box for "Force MS-CHAPv2 mode".
Using RADIUS or LDAP + RADIUS for MS-CHAPv2
If RADIUS is configured, or LDAP is configured alongside RADIUS under Users | Settings, the option "Use RADIUS in MS-CHAP / MS-CHAPv2 mode for XAUTH" can be selected on the VPN | Advanced page. In such a configuration, password updates for GVC/NX Users are done via RADIUS in MS-CHAP or MS-CHAPv2 mode, while LDAP is still used to authenticate the user.
For more information on configuring RADIUS with the SonicWall, please reference How to Setup RADIUS Authentication on the SonicWall.
The option "Use RADIUS in MSCHAP/MSCHAPv2 mode" is located on VPN | Advanced and is only available when a RADIUS server has been configured on the Users | Settings page.