
I can not password change with OTP on SSL VPN

_______
New Contributor

When I log in to the SA2500 with OTP (a custom OTP solution), and "User must change password at next logon" is checked in Active Directory, I cannot see the password change page.

The OTP solution is custom; it uses FreeRADIUS.

Do you have any idea for this case? Thanks all.

flip_pipe_
Frequent Contributor

Re: I can not password change with OTP on SSL VPN

Hi @li,

That information lives only in LDAP; if you use RADIUS, the SA does not have that information.

Regards

_______
New Contributor

Re: I can not password change with OTP on SSL VPN

Hi Flip,

First of all, thank you for the answer.

But other OTP solutions (you know, they function as RADIUS) do this. You can see it in the following PDF file.

Do you have any idea how they do it?

 

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24538/en_US/...

[Attached image: mcafee.JPG]

flip_pipe_
Frequent Contributor

Re: I can not password change with OTP on SSL VPN

The information "change password at next logon" is not just a flag or an attribute... it is a mix of both:

"
Pwd-Last-Set attribute

(...) If this value is set to 0 and the User-Account-Control attribute does not contain the UF_DONT_EXPIRE_PASSWD flag, then the user must set the password at the next logon.
"

in this Microsoft article.

In RADIUS (here my knowledge is very limited) you have another code/message to inform the client (in this case, the SA) that the user must change the password:

4. New Messages

(...)
32 Password Expired

So in order for all this to work, it should be something like:

Radius Client sends the user credentials to the Radius Server.
Radius Server checks the credentials of the user via LDAP, and whether the Pwd-Last-Set attribute is 0 and User-Account-Control has the UF_DONT_EXPIRE_PASSWD flag.
If true, Radius Server sends the Radius Client the attribute/message 32 for the password to be changed.

In commercial products they implement this... check in FreeRADIUS whether they do this out of the box or whether you need to code it.
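As an added example (not code from this thread, from FreeRADIUS, or from the SA), here is the "must change password at next logon" check that the last reply describes, run over constructed Active Directory attribute values, together with the decision a RADIUS server could derive from it. The check follows the Microsoft text quoted in that reply (pwdLastSet equal to 0 and the DONT_EXPIRE_PASSWORD bit absent from userAccountControl; the bit value 0x10000 is from Microsoft's userAccountControl documentation). The sample entries, the function names and the mapping of the result to a "Password-Expired" (code 32) response are assumptions made for this example; whether a particular NAS such as the SA acts on that packet code is not something this thread establishes.

```python
# Added example, not part of the original thread.
# Decide from the two AD attributes cited above whether the user must change
# their password at next logon, then model what a RADIUS server could return.

# DONT_EXPIRE_PASSWORD bit of userAccountControl (value from Microsoft docs).
UF_DONT_EXPIRE_PASSWD = 0x10000

# Constructed sample entries, in the shape an LDAP search of AD returns them
# (attribute values arrive as strings). 66048 = 512 (NORMAL_ACCOUNT) | 0x10000.
SAMPLE_ENTRIES = {
    "alice": {"pwdLastSet": "0", "userAccountControl": "512"},
    "bob":   {"pwdLastSet": "0", "userAccountControl": "66048"},
    "carol": {"pwdLastSet": "133100000000000000", "userAccountControl": "512"},
    "dave":  {"userAccountControl": "512"},  # attribute missing: treat as not set
}


def must_change_password(entry):
    """True when pwdLastSet is 0 and the DONT_EXPIRE_PASSWORD bit is clear.

    A missing pwdLastSet is not treated as 0: only an explicit 0 means the
    administrator ticked "must change password at next logon".
    """
    if "pwdLastSet" not in entry:
        return False
    pwd_last_set = int(entry["pwdLastSet"])
    uac = int(entry.get("userAccountControl", "0"))
    return pwd_last_set == 0 and not (uac & UF_DONT_EXPIRE_PASSWD)


def radius_decision(username, otp_ok, directory=SAMPLE_ENTRIES):
    """Model of a RADIUS server's reply after the OTP has been verified.

    Returns (packet_type, attributes). "Password-Expired" is packet code 32
    as quoted in the thread; the Reply-Message text is an assumption here.
    The OTP is checked first so that an expired password never reveals
    whether a username exists to a caller that failed OTP.
    """
    if not otp_ok:
        return ("Access-Reject", {})
    entry = directory.get(username)
    if entry is None:
        return ("Access-Reject", {})
    if must_change_password(entry):
        return ("Password-Expired",
                {"Reply-Message": "Password must be changed at next logon"})
    return ("Access-Accept", {})


if __name__ == "__main__":
    for user in SAMPLE_ENTRIES:
        print(user, radius_decision(user, otp_ok=True))
```

The example deliberately keeps the directory lookup separate from the RADIUS mapping: the first function is the only part the Microsoft article defines, while the second is the policy a RADIUS server would have to add, and it is the part that depends on what the NAS (here the SA) does with a code 32 reply.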