https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245025#M2192 <P>That SK is the correct one.<BR />Prior to the releases listed, we didn't support sending or receiving the message authenticator attributes.<BR />I assume if you upgrade to the relevant release and enable the setting to require message authenticator attributes will also send them.<BR />If you find otherwise, I suggest a TAC case.</P> Thu, 27 Mar 2025 18:46:22 GMT PhoneBoy 2025-03-27T18:46:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245010#M2191 <P>Hello!</P><P>R81.20 take 89</P><P>Our Endpoint Security VPN uses an Okta RADIUS integration.&nbsp; We have been asked to upgrade the Okta (Windows) agents to the latest version 2.24.2 (from 2.17).&nbsp; When we do this, VPN authentication fails and we see an error in the Okta logs of:</P><P>"The Message-Authenticator attribute was expected but not found in the request"</P><P>Okta have suggested we need to "upgrade the downstream integration"....<BR /><EM><SPAN>"If the downstream integration is not presently configured to send a Message-Authenticator attribute to the Okta RADIUS Agents, it will need to be reconfigured to include the Message-Authenticator attribute or upgraded so that they can support message-authenticator"</SPAN></EM></P><P><SPAN>And in their words, this would be a <EM>"Gateway/VPN device (like Cisco ASA, F5 VPN, etc.)"</EM>.&nbsp; Or in our case, I'm assuming the Check Point firewall.</SPAN></P><P><SPAN>I can't seem to find anything about how to "configure it to send a Message-Authenticator attribute".&nbsp; I did find an SK...&nbsp;<A href="https://support.checkpoint.com/results/sk/sk182516" target="_blank">sk182516 - Check Point Response to CVE-2024-3596 - Blast-RADIUS attack</A>&nbsp;(5th section of the table) but this seems to be to do with what the Firewall should do if it encounters the Message-Authenticator attribute, not to do with actually including it in a request.</SPAN></P><P><SPAN>Love and packets,<BR />Mark</SPAN></P> Thu, 27 Mar 2025 16:48:48 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245010#M2191 Mraybone 2025-03-27T16:48:48Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245025#M2192 <P>That SK is the correct one.<BR />Prior to the releases listed, we didn't support sending or receiving the message authenticator attributes.<BR />I assume if you upgrade to the relevant release and enable the setting to require message authenticator attributes will also send them.<BR />If you find otherwise, I suggest a TAC case.</P> Thu, 27 Mar 2025 18:46:22 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245025#M2192 PhoneBoy 2025-03-27T18:46:22Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245026#M2193 <P>Ok thanks for the info - another Okta article I read suggested that along with the Firewall and Okta agent change, a 3rd change is also required on the Okta side.&nbsp; After following the SK with no luck before, I think that's probably why.</P> Thu, 27 Mar 2025 18:49:03 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Message-Authenticator-RADIUS-attribute-Okta-for-Endpoint-VPN/m-p/245026#M2193 Mraybone 2025-03-27T18:49:03Z