Netgate Discussion Forum
    Active Directory password expiration notifications with OpenVPN

dpas7

I have pfSense set up to authenticate Active Directory users and it works quite well. The only issue I see at this point is that my road warriors who use OpenVPN to remotely connect don't see (or never get) the notices that their passwords are about to expire. Once their passwords expire, they are not able to log in to change their passwords because it is too late. Is there a way to configure things to allow them to get the messages that their accounts are about to expire through their VPN connection? This does not affect all my local users, only the remote users.

stephenw10, Netgate Administrator

        Not that I'm aware of, not via only the OpenVPN interface at least. I don't believe OpenVPN itself ever gets that information from AD. If users are logging into AD after connecting to the VPN I would expect that to be available though.

        Steve

michmoor (LAYER 8 Rebel Alliance) @dpas7

@dpas7 Shouldn't they get that notification from the Windows client? OpenVPN wouldn't know if a password is set to expire.

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

dpas7

So here is how I see this. The OpenVPN client that I export from pfSense is installed on each remote client machine. The remote user connects to pfSense and gets a prompt for their credentials, and it looks to Active Directory to check if they are good to go; if they are, they get an IP address that is set up through OpenVPN and they are able to connect to resources on the corporate network. So at this point, I don't see why they don't receive a notification that their password is about to expire when they are remote. I have notifications turned on in Group Policy on the server. Is there anything on pfSense that needs to get turned on? Is there a way I can test this with a test user account?
            Thanks!

michmoor (LAYER 8 Rebel Alliance) @dpas7

              @dpas7 said in Active Directory password expiration notifications with OpenVPN:

              The remote user connects to pfsense and gets a prompt for their credentials and it looks to active directory to check if they are good to go

Right, so how would OpenVPN or pfSense know that the password is set to expire? It has no knowledge of policies within Active Directory. OpenVPN is just the client. Active Directory is the server. OpenVPN sends the username/password to the server and the server sends back an accept or reject message. No one other than your AD system would care about your password policy.

michmoor (LAYER 8 Rebel Alliance) @michmoor

@michmoor Quick Google search, I found the following:

[image attachment]

stephenw10, Netgate Administrator

I don't believe the OpenVPN client has any way to pass a password expiry message to the user. But I also don't think OpenVPN gets that info from AD. It just gets the authorised-or-not reply.

However, I expect Windows to get that info from AD directly once it's connected to the VPN, if the client attempts to use any resources that require it.

dpas7 @stephenw10

                    @stephenw10 Ok then, I will use the email option to remind our users to change passwords when they are about to expire.

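Added example, not code from this thread or from pfSense/OpenVPN: the calculation an e-mail reminder job like the one dpas7 settles on needs, in Python. It derives each account's expiry from the AD attributes pwdLastSet, userAccountControl and the domain's maxPwdAge (the check the VPN authentication path never performs, since it only sees accept/reject); the account records, policy value and clock are constructed sample data, and a real job would read them over LDAP instead.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet and maxPwdAge as counts of 100-ns intervals
# relative to the Windows FILETIME epoch (1601-01-01 UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag
NO_MAX_AGE = (0, -0x8000000000000000)  # maxPwdAge values meaning "never"

def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Expiry datetime for one account, or None if the password never expires.
    maxPwdAge is stored negative in AD, so it is negated before being added."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in NO_MAX_AGE:
        return None
    if pwd_last_set == 0:
        # "User must change password at next logon": treat as already expired.
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)

def users_to_notify(users, max_pwd_age, now, warn_days=14):
    """Return (sAMAccountName, days_left) for accounts expiring within
    warn_days; a negative days_left means the password has already expired."""
    due = []
    for u in users:
        expiry = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if expiry is not None and (expiry - now).days <= warn_days:
            due.append((u["sAMAccountName"], (expiry - now).days))
    return due

# Constructed sample data (not real directory output): 42-day domain policy.
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2025, 5, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2025, 3, 1, tzinfo=timezone.utc))},
]

def demo():
    """Accounts the reminder mailer would pick up for the sample data."""
    return users_to_notify(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, SAMPLE_NOW)
```

With the sample data, alice is warned 11 days ahead and carol is reported as 50 days past expiry, while bob is skipped because of the DONT_EXPIRE_PASSWORD flag.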
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.