topic Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true in Spark Firewall (SMB)

Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Wed, 01 Feb 2023 12:13:57 GMT

Hi CheckMates,

There are couple of topics on this community regarding 2FA via radius on Sparks.
A few of you noticed an issue with Spark and radius with fw older then R81.10.
It was due to Spark below R81.10 supports only radius 1.0.
From R81.10 it supports radius 2.0 and issues with passwords longer then 16 characters should be gone.

Well ... as far as I see not entirely 🙂

On last Saturday I was configuring my new Spark 1570.
Because I'm a huge fan of 2FA it was pretty sure that I will configure radius.
So I did it ... and faced an issue.

I have R81.10.05 (996001002) and it's locally mgmt.
On radius server I have user with password longer then 10 characters (+6 OTP = 16) ...
I had no issues with logging in to mgmt portal, but I was not able to log in using the same user to VPN (wrong credentials).
After some diggings I noticed in radius logs something like that as password "1234567890abcdef\12\34\56\23" - so soon after exactly 16 characters there is "a mess" - which is exactly the same as it looks like with radius 1.0.

It looks like Spark supports radius 2.0 but not for VPN (here it is still radius 1.0 constraint) 🙂

Falks from R&D maybe you can take a look at this ?

--
Best
m.

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

Chris_Atkinson — Wed, 01 Feb 2023 15:29:51 GMT

Did you report this via TAC and have an SR number that can be shared for follow-up?

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Wed, 01 Feb 2023 15:44:12 GMT

Hi Chris,

Not yet. First I wanted to know if anyone else from community faced this issue as well.

If not I will direct this to TAC.

Best

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

Eduardo_Eiros — Wed, 01 Feb 2023 19:36:22 GMT

¿Have you configured the Radius Server with version 2.0?

It must be done in cli "set radius server" -- set radius-server (checkpoint.com)

Hope it helps.

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Wed, 01 Feb 2023 19:55:36 GMT

Hi Eduardo,

Jackpot ! This fixed the issue.

It's very very interesting that regarding having version 1 (taken from show radius-server command) it worked fine with web access to mgmt portal with password longer then 16 characters 🙂

Because of that I didn't even consider that there could be need to change any setting regarding to radiu from cli. If it worked with longer passwords for web it was clear to me that it us version 2 🙂

To be honest I completely don't get it why it worked for web login ... but it is not as important, as that it now works for vpn as well, after manual change of version from cli.

Thank you, case closed.

Best

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

Chris_Atkinson — Thu, 02 Feb 2023 05:45:16 GMT

Further to this I've asked internally that we consider the following related enhancements for future versions.

- Radius 2.0 as default

- Version selection via the Web UI.

If this is important for you please follow-up with your local SE accordingly as an RFE - thanks.

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

skandshus — Fri, 07 Jun 2024 16:59:47 GMT

Would you by any chance be using DUO mfa for the spark? im seeing same issues with Radius authentication
I can do ad authentication without aproblem but not radius @ Duo

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Fri, 07 Jun 2024 17:15:43 GMT

Hi skandshus,

No, this was FreeRadius.

Now I even don't use it anymore as 2FA is inside Gaia Embedded fw.

If you see the same issue that I had ... it should be because of Radius version 1. If you've already changed this version to 2 on Spark side then probably it's something else on Duo side.

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

skandshus — Fri, 07 Jun 2024 18:40:26 GMT

How so i 2FA inside embedded? are you talking about the sms feature they got?

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Fri, 07 Jun 2024 18:57:13 GMT

2FA via e-mail and sms has been around for several years, but in fw R81.10.07 Check Point added another 2FA based on OTP like GoogleAuthenticator, Microsoft Authenticator, etc.

Before R81.10.07 we had to use some external mechanisms like linux with freeradius and google authenticator to have OTP ... but since R81.10.07 google authenticator "server" is included in Spark's fw.

Take a look at this: https://support.checkpoint.com/results/sk/sk179615

Of course now there is no sense to use R81.10.07 ... R81.10.08 is better ... and even best in my opinion R81.10.10 where we also have 2FA for web gui and "nicer" gui 😀

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

skandshus — Fri, 07 Jun 2024 19:36:59 GMT

LOL i havent ever gotten back to that. i remeber when it was only sms, and then after that, ive never visited that again

now i see we can do Email too & google authenticator.

Are you sure Microsoft Authenticator is working too? i guess its not microsoft-365 integration but a regular OTP if you use Microsoft? right?

Just to be clear. is this ONLY for administration login? the MFA cant be used for remote access?

Re: Spark R81.10 and support for Radius 2.0 .... well not entirely true

marcyn — Fri, 07 Jun 2024 19:51:33 GMT

Regarding Microsoft Authenticator I'm not 100% sure because I didn't use it but I believe that it can be used as regular OTP like Google Authenticator.

From Check Point's documentation:

"You can use either the Microsoft Authenticator or the Google Authenticator"

So... it should work 🙂

I use neither ... because I like FreeOTP 🙂

This 2FA provided in R81.10.07 was only for ... Remote Access. 2FA for mgmt access was introduced in R81.10.10.

So in case you want it for RA, which I believe is the case, you can use it since R81.10.07.