topic Re: Radius Authentication on Check Point 1570 Appliance in Firewall and Security Management

Radius Authentication on Check Point 1570 Appliance

GaryJ — Wed, 12 May 2021 11:47:19 GMT

Hello,

I have setup Radius authentication on a Check Point 1570 appliance with a backend FreeRadius server using local accounts.

Furthermore, the Radius server is also using Google Authenticator so that VPN users can use MFA when logging into the VPN.

The solution works fine as the user can enter their password + code and login.

A problem occurs when they set a password longer than 12 characters which would make the password a total of 18 characters with the 6 digit MFA code.

Testing has shown that it's not an issue with the FreeRadius server as it accepts the 12+6 password and it's not a problem with the Linux server as I can login via SSH with a password of 18 characters or more.

Bit more testing shows that when logging into the VPN with a password of 10 characters and 6 digit MFA code (16 in total), works fine. Anything more that this, then the firewall rejects the login with an authentication failure.

This indicates that the 1570 firewall is running Radius v1 where passwords are limited to 16 characters and not Radius 2 (as expected), which does have this issue. There is nothing in the Check Point documentation that indicates the above. As it is 2021, I cannot imagine why anyone would sell a product with an authentication protocol that was obsolete over 20 years ago.

Can anyone confirm this as it will cause a big issue as my company has a policy of 12 character minimum and the 6 digit MFA code will push this over the 16 character limit for Radius 1.

Thank You,

Gary

Re: Radius Authentication on Check Point 1570 Appliance

PhoneBoy — Fri, 14 May 2021 22:22:22 GMT

Unfortunately, it looks like on the SMB appliances, it's an RFE.
See the bottom of: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk13740

Re: Radius Authentication on Check Point 1570 Appliance

the_rock — Fri, 14 May 2021 22:32:04 GMT

Sk phoneboy provided is actually a limitation. I never seen this problem on regular CP firewalls (5400, 6200...) for Radius auth, even with password 15-20 characters.

Re: Radius Authentication on Check Point 1570 Appliance

PhoneBoy — Fri, 14 May 2021 22:36:20 GMT

That's what the SK says: regular gateways support it, SMB ones do not.
No, don't know the reason for this.

Re: Radius Authentication on Check Point 1570 Appliance

the_rock — Fri, 14 May 2021 22:37:42 GMT

Thats what I meant, sorry, worded it wrong : )