Netgate Discussion Forum

Active Directory password expiration notifications with OpenVPN

General pfSense Questions
8 Posts 3 Posters 1.2k Views
  • D
    dpas7
    last edited by Jan 19, 2023, 4:50 PM

    I have pfSense set up to authenticate Active Directory users and it works quite well. The only issue I see at this point is that my road warriors who use OpenVPN to remotely connect don't see (or never get) the notices that their passwords are about to expire. Once their passwords expire, they are not able to log in to change their passwords because it is too late. Is there a way to configure things to allow them to get the messages that their accounts are about to expire through their VPN connection? This does not affect all my local users, only the remote users.

    • S
      stephenw10 Netgate Administrator
      last edited by Jan 19, 2023, 10:49 PM

      Not that I'm aware of, not via only the OpenVPN interface at least. I don't believe OpenVPN itself ever gets that information from AD. If users are logging into AD after connecting to the VPN I would expect that to be available though.

      Steve

      • M
        michmoor LAYER 8 Rebel Alliance @dpas7
        last edited by Jan 20, 2023, 3:25 AM

        @dpas7 Shouldn't they get that notification from the Windows client? OpenVPN wouldn't know if a password is set to expire.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • D
          dpas7
          last edited by Jan 20, 2023, 4:04 PM

          So here is how I see this. The OpenVPN client that I export from pfSense is installed on each remote client machine. The remote user connects to pfSense and gets a prompt for their credentials, and it looks to Active Directory to check if they are good to go; if they are, they get an IP address that is set up through OpenVPN and they are able to connect to resources on the corporate network. So at this point, I don't see why they don't receive a notification that their password is about to expire when they are remote. I have notifications turned on in Group Policy on the server. Is there anything on pfSense that needs to get turned on? Is there a way I can test this with a test user account?
          Thanks!

          • M
            michmoor LAYER 8 Rebel Alliance @dpas7
            last edited by Jan 20, 2023, 5:42 PM

            @dpas7 said in Active Directory password expiration notifications with OpenVPN:

            > The remote user connects to pfsense and gets a prompt for their credentials and it looks to active directory to check if they are good to go

            Right, so how would OpenVPN or pfSense know that the password is set to expire? It has no knowledge of policies within Active Directory. OpenVPN is just the client. Active Directory is the server. OpenVPN sends username/password to the server and the server sends back an accept or reject message. No one other than your AD system would care about your password policy.

            • M
              michmoor LAYER 8 Rebel Alliance @michmoor
              last edited by Jan 20, 2023, 5:46 PM

              @michmoor
              A quick Google search and I found the following:

              [attached image]

              • S
                stephenw10 Netgate Administrator
                last edited by Jan 20, 2023, 5:51 PM

                I don't believe the OpenVPN client has any way to pass a password expiry message to the user. But I also don't think OpenVPN gets that info from AD. It just gets the authorised or not reply.

                However, I expect Windows to get that info from AD directly once it's connected to the VPN, if the client attempts to use any resources that require it.

                • D
                  dpas7 @stephenw10
                  last edited by Jan 23, 2023, 2:20 PM

                  @stephenw10 OK then, I will use the email option to remind our users to change passwords when they are about to expire.

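The thread's conclusion is that the OpenVPN/LDAP path only ever carries an accept or reject, so the expiry warning has to come from something that reads AD directly. As an added example (not from the thread or from pfSense), the following computes each account's expiry from the attributes an LDAP reader gets back: pwdLastSet (a FILETIME in 100 ns ticks since 1601), the domain's maxPwdAge (a negative tick count) and the DONT_EXPIRE_PASSWD bit in userAccountControl. The user records and the "now" timestamp are constructed stand-ins for a real LDAP search result; the reminder e-mail itself is left to the scheduled job that calls it.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch (1601-01-01 UTC); AD stores pwdLastSet as 100 ns ticks since then.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000                # userAccountControl bit: password never expires
NEVER_EXPIRES_SENTINEL = -0x8000000000000000   # maxPwdAge value meaning "no maximum age"
NOW = datetime(2023, 1, 20, tzinfo=timezone.utc)   # constructed "current time" for the sample run

def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD FILETIME integer (e.g. pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Expiry datetime for one account, or None when the password never expires.
    max_pwd_age is the domain's maxPwdAge, a NEGATIVE tick count; pwd_last_set == 0
    means "must change at next logon", which is treated as already expired."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES_SENTINEL):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)

def users_to_notify(users, max_pwd_age: int, now: datetime, warn_days: int = 14):
    """Return [(sAMAccountName, days_left)] for passwords expiring within warn_days.
    days_left is negative for passwords that have already expired, so the reminder
    job can word those e-mails differently."""
    hits = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is not None and (exp - now).days <= warn_days:
            hits.append((u["sAMAccountName"], (exp - now).days))
    return hits

# Constructed sample data standing in for an LDAP search result (not from a real domain).
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(datetime(2022, 12, 15, tzinfo=timezone.utc)), "userAccountControl": 0x200},
    {"sAMAccountName": "svc-backup", "pwdLastSet": datetime_to_filetime(datetime(2020, 1, 1, tzinfo=timezone.utc)), "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "carol", "pwdLastSet": datetime_to_filetime(datetime(2023, 1, 10, tzinfo=timezone.utc)), "userAccountControl": 0x200},
    {"sAMAccountName": "dave", "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for name, days in users_to_notify(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, NOW):
        print(f"{name}: password expires in {days} day(s)")
```

With a 42-day maximum age and the constructed clock, alice (set 2022-12-15) is 6 days from expiry, the service account is skipped, carol (set 2023-01-10) is outside the 14-day window, and dave's pwdLastSet of 0 reports as already expired.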
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.