topic Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS in SASE and Remote Access

After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Axel_Winterberg — Tue, 11 Jun 2024 20:36:43 GMT

Hi guys,

we have a VSX Cluster (2x 23800 appliances).

I have upgraded to R81.20 with latest recommended Hotfix T65 .

It seems, that the Gateway is blocking the 1 Factor Authentication to the RADIUS Server.

I noticed, that upgraded GWs are blocking 1 Factor for InternalUsers. That can be allowed by

"blockSFAInternalUsers -a".

Unfortunately this does not work for RADIUS Server.

Error Message is:

Failed Login Factor: 1st factor - RADIUS

Reason: RADIUS servers not responding

When failover to the GW without the T65, authentication works fine.

Any Ideas?

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Duane_Toler — Tue, 11 Jun 2024 20:49:45 GMT

Are these user accounts locally-defined, but with Authentication set to "RADIUS"? I bet that's what it is. As for a fix, I wager that it's a TAC case.

(I'm conjecturing and making a lot of assumptions for the below suggestion)

However, if you do have users defined this way, you ought to consider using the multi-authentication profiles instead and have users deferred to RADIUS that way. You can set multiple profiles for multiple types of authentications, then have the VPN client select that login method to select the right authentication. You can combine the multi-auth profile with an LDAP AU to link them to an Access Role for policy enforcement.

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Axel_Winterberg — Tue, 11 Jun 2024 20:59:21 GMT

No, the Users are not locally defined on the Gateways.

The Gateway with T65 is blocking 1 Factor Authentication with the RADIUS.
Unfortunately, I am not the admin of the RADIUS. So I can not change the authentication mode.

I have opened a SR for this issue. Waiting for a respons from CP.

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Duane_Toler — Tue, 11 Jun 2024 21:07:52 GMT

Are you still using the classic "generic*" user instead?

As for the authentication options, these are configured per gateway, not on the RADIUS servers:

Double-click a gateway for gateway properties
VPN Clients, on the left
Authentication

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Lesley — Tue, 11 Jun 2024 21:15:40 GMT

Packet capture would maybe help if you load it in Wireshark, then you can compare the radius request between the working and non working gateway. Maybe there is a hint(or hint for TAC)

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Axel_Winterberg — Tue, 11 Jun 2024 22:39:55 GMT

It is a VSX-Cluster. So the configuration is on the Management-Server.

We have decided to uninstall the T65 Hotfix. After Reboot SIngle Factor Authentication

with RADIUS works fine. So I also have upgraded the other member to R81.20.

Our maintenance window is closed, now. Next evening I will install T65 again,

to do some troubleshooting with TAC.

Re: After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Axel_Winterberg — Tue, 11 Jun 2024 22:42:16 GMT

Yes, we have collected some tcpdumps.

We could see, that there is communication between GW and Radius.
I strongly believe, that the T65 is preventing to use single factor Authentication.

TAC engineer will check this with R&D.