adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

How to change Password for openfortivpn in CLI #1059

Closed by wildborn 1 year ago

wildborn commented 1 year ago
root@lakshay:/home/lakshay# openfortivpn -v
DEBUG:  openfortivpn 1.12.0
DEBUG:  Loaded config file "/etc/openfortivpn/config".
DEBUG:  Loaded password from config file "/etc/openfortivpn/config"
DEBUG:  Config host = "xxx"
DEBUG:  Config realm = ""
DEBUG:  Config port = "xxx"
DEBUG:  Config username = "xxx"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  server_addr: xxxx
DEBUG:  server_port: xxx
DEBUG:  gateway_addr: xxx
DEBUG:  gateway_port: xxx
DEBUG:  Setting cipher list to: 
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
### DEBUG:  No cookie given -7
INFO:   Closed connection to gateway.
DEBUG:  server_addr: xxx
DEBUG:  server_port: xxx
DEBUG:  gateway_addr: xxxx
DEBUG:  gateway_port: xxx
DEBUG:  Setting cipher list to: 
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

DimitriPapadopoulos commented 1 year ago

I see a log with an authentication error. Is the password incorrect? Please give some context.

wildborn commented 1 year ago

I've checked, and the password requires to be updated, which is why this error -7 is coming, so please let me know how to generate a new password or open the prompt for a new password.

DimitriPapadopoulos commented 1 year ago

I see. You cannot do that with openfortivpn. Neither openfortivpn nor openconnect support that. How to achieve that might depend, or not, on the back-end behind the Fortigate that handles authentication.

DimitriPapadopoulos commented 1 year ago

I have read Secure LDAP and AD Password Change via Forticlient which addresses what happens on the server side. As you can see, the proprietary client can detect that the password needs to be changed:

Your password expired. Please provide a new one.

  1. As a first step, perhaps providing a (redacted) detailed log (openfortivpn -v -v -v) would provide enough information to at least understand how to detect that the password needs to be changed.
  2. As a second step, we could implement the actual password changing routine, with additional information:
    • either a test account on such a VPN,
    • or a dump of network traffic between the Fortigate and the proprietary client when the password is being changed.
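
A filter for the redaction step requested in the comment above, added here as an example; it is not part of the thread or of openfortivpn. The keyed fields follow the log format shown on this page; the `SVPNCOOKIE` and login-form rules are assumptions about what higher verbosity may print, and the sample lines are constructed.

```python
import re
import sys

# Fields from the log format shown on this page that identify the gateway or user.
CONFIG_KEYS = ("host", "realm", "port", "username")
ADDR_KEYS = ("server_addr", "server_port", "gateway_addr", "gateway_port")

RULES = [
    # DEBUG:  Config host = "vpn.example.com"
    (re.compile(r'(Config (?:%s) = )"[^"]*"' % "|".join(CONFIG_KEYS)), r'\1"<redacted>"'),
    # DEBUG:  server_addr: 203.0.113.10
    (re.compile(r'\b((?:%s): )\S+' % "|".join(ADDR_KEYS)), r'\1<redacted>'),
    # Assumption: the session cookie may be dumped with HTTP traffic at -v -v -v.
    (re.compile(r'(SVPNCOOKIE=)[^;\s"]+'), r'\1<redacted>'),
    # Assumption: login form fields may be dumped with the request body.
    (re.compile(r'\b((?:username|credential|passwd|password)=)[^&\s"]+', re.I), r'\1<redacted>'),
    # Any IPv4 literal the keyed rules did not already cover.
    (re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'), '<ip>'),
]

def redact_line(line, extra=()):
    """Mask identifying values in one log line; `extra` lists literal strings
    (host name, user name) to scrub wherever else they appear."""
    for pattern, repl in RULES:
        line = pattern.sub(repl, line)
    for secret in extra:
        if secret:
            line = line.replace(secret, "<redacted>")
    return line

def redact(text, extra=()):
    return "".join(redact_line(l, extra) for l in text.splitlines(keepends=True))

# Constructed sample input, not taken from a real gateway.
SAMPLE = '''DEBUG:  Config host = "vpn.example.com"
DEBUG:  Config username = "alice"
DEBUG:  server_addr: 203.0.113.10
DEBUG:  gateway_port: 10443
Cookie: SVPNCOOKIE=AbC123dEf456; path=/
username=alice&credential=hunter2&realm=&ajax=1
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
'''

if __name__ == "__main__":
    # Usage (file names are placeholders): python3 redact_log.py vpn.example.com < vpn.log
    sys.stdout.writelines(redact_line(l, sys.argv[1:]) for l in sys.stdin)
```

Read the filtered log once more before posting it: pattern rules only catch the formats they were written for.
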
DimitriPapadopoulos commented 1 year ago

In the short term, you might be able to change the password by connecting to the gateway with a browser, before using a VPN SSL client.

wildborn commented 1 year ago

I've tried this GUI setup too, but it's not prompting for this sort of password change. Please suggest something that can resolve this issue, as using the VPN SSL client prompts an error of -455.

DimitriPapadopoulos commented 1 year ago

I am not sure I follow. What sort of "GUI setup" have you tried? If you are using the proprietary client, and it cannot change the password, why would you expect openfortivpn to be able to change it?

Are you certain the Fortigate is configured to change the password when logging in remotely, either from the web portal or a VPN SSL client?

DimitriPapadopoulos commented 1 year ago

By the way, I was able to find information on setting password renewal on the Fortigate, but unfortunately no information on the protocol between the Fortigate and the client:

DimitriPapadopoulos commented 1 year ago

I still lack context. Are you an administrator of the Fortigate? A simple end-user? In the latter case, how did you check "password requires to be updated"?

wildborn commented 1 year ago

Thanks for helping! Well, here's the main thing: I'm an end user. Although GUI refers to SSL Client used in windows and in CLI it's showing the error where I tried to debug and found the error posted above.

DimitriPapadopoulos commented 1 year ago

I still don't understand. Have you tried the proprietary FortiClient? If so, are you able to change the password with the proprietary FortiClient?

FortiClient VPN

DimitriPapadopoulos commented 1 year ago

I cannot make any sense of "GUI refers to SSL Client used in windows". Which exact GUI? Please add links, names, context. Do spend much more time providing complete information and explanations, so that I do not have to spend time trying to understand and ask questions.

wildborn commented 1 year ago

Yes, I was referring to the SSL client which was used on Windows, as it changed the password and now it's working. Sorry :) Thanks!!

DimitriPapadopoulos commented 1 year ago

You don't make any sense. Which ssl client was used on windows?

avenjamin commented 1 year ago

lol


DimitriPapadopoulos commented 1 year ago

Yes, that's exactly what I feel 😄 You never answer my questions – perhaps answering your own questions, but that's not a dialogue.

wildborn commented 1 year ago

I'm really sorry for that 😅 and this was the SSL client. Also, it worked later on somehow, although it might be stuck as the new password prompt wasn't coming while using this in case of an expired password. GUI Once again, thanks for so much support you provided, and sorry for being unable to make you understand. :)