topic Re: RADIUS Server Authentication VPN on Quantum Spark 1600 in Spark Firewall (SMB)

RADIUS Server Authentication VPN on Quantum Spark 1600

LM-Rafael — Sun, 26 Jan 2025 12:51:23 GMT

Hi,

i want to setup RADIUS Authentication for VPN. My device is a Quantum Spark 1600 with latest Gaia OS. Actually i get no error von Windows Server NPS Server -> Event ID 6272 Access Granted but the connection hang at 47% and after some seconds it will stop to connect with Message: Username or Password are wrong. And i get no IP Adress from RADIUS Server. What can i do? Where is the correct log files and what have anybody an link to an how to?

Thanks

Rafael

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

Chris_Atkinson — Mon, 27 Jan 2025 01:55:28 GMT

Did you try increasing the radius timeout and is the request arriving at the NPS with the correct source / NAS IP address that is permitted to act as a radius client?

Where required their is a build of R81.10.15 available from TAC that mitigates BlastRADIUS also.

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

LM-Rafael — Sun, 26 Jan 2025 15:58:22 GMT

Hi Chris,

i found some information in the log files see under the attachments (username: adminmu) and information from eventviewer:

Der Netzwerkrichtlinienserver hat einem Benutzer den Zugriff gewährt.

Benutzer:

Sicherheits-ID: ADMUS\adminmu

Kontoname: adminmu

Kontodomäne: ADMUS

Vollqualifizierter Kontoname: ad.mustermann.gmbh/mustermann.gmbh/Benutzer/Service Benutzer/Administrator Mustermann

Clientcomputer:

Sicherheits-ID: NULL SID

Kontoname: -

Vollqualifizierter Kontoname: -

ID der Empfangsstation: -

ID der Anrufstation: -

NAS:

NAS-IPv4-Adresse: 89.206.221.134

NAS-IPv6-Adresse: -

NAS-ID: -

NAS-Porttyp: -

NAS-Port: -

RADIUS-Client:

Clientanzeigename: MUSNFWC-FRA-01-01

Client-IP-Adresse: 10.8.8.1

Authentifizierungsdetails:

Name der Verbindungsanforderungsrichtlinie: Verbindungen für virtuelles privates Netzwerk (VPN)

Netzwerkrichtlinienname: Verbindungen für virtuelles privates Netzwerk (VPN)

Authentifizierungsanbieter: Windows

Authentifizierungsserver: MUSSDC-FRA-01.ad.mustermann.gmbh

Authentifizierungstyp: PAP

EAP-Typ: -

Kontositzungs-ID: -

Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.

Thanks

Rafael

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

LM-Rafael — Mon, 27 Jan 2025 20:57:23 GMT

First i increase the timeout limit.

I see only in Eventlog that the User get access (access granted) for User Adminmu. Everything looks fine but not working.

Do you have an sk for setup A Windows RADIUS NPS server??

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

Chris_Atkinson — Mon, 27 Jan 2025 23:36:26 GMT

Not aware of a specific SK but there are discussions here from others who have it working.

Typically the issues align to one of those I eluded to above or ignoring specific radius attributes depending on the patch level of the NPS / AD environment.

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

PhoneBoy — Tue, 28 Jan 2025 14:23:30 GMT

If you are using a fully patched NPS server, then it is very likely this is failing because of the mitigations deployed as a result of the Blast RADIUS issue: https://support.checkpoint.com/results/sk/sk182516
You need to do one of the following:

Disable Message Authenticator codes on the RADIUS Server
Upgrade to a firmware version that has RADIUS Message Authenticator support (as @Chris_Atkinson noted, this needs to be procured from TAC for Quantum Spark appliances)
Configure the gateway to ignore RADIUS attribute 80: https://support.checkpoint.com/results/sk/sk42184

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

G_W_Albrecht — Tue, 28 Jan 2025 14:28:28 GMT

Open a SR# with CP TAC to get this resolved asap !

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

LM-Rafael — Tue, 28 Jan 2025 18:22:28 GMT

Hi,

both is not working. I cant find under advanced settings "VPN Remote Access - RADIUS attribute to be ignored." (sk42184 - RADIUS authentication fails in Remote Access VPN, Identity Awareness, Mobile Access or Smart Console admin login) and this is also not working: sk182516 - Check Point response to CVE-2024-3596 - Blast-RADIUS attack.

I have contact TAC and now i wait for response.

I have no ideas what can i do to solve this problem.

Thanks

Rafael

Re: RADIUS Server Authentication VPN on Quantum Spark 1600

PhoneBoy — Tue, 28 Jan 2025 20:57:48 GMT

The RADIUS Server can require the Message Authenticator codes and fail also, I believe.