Thomas_Eichelbu
Collaborator

Microsoft Updates KB4487026/KB4485447 stops IA and remote access via RADIUS from working??

Hello Check Mates, 

I have just received some info from one of my customers.
After installing the patches KB4487026/KB4485447 on their domain controllers, Identity Awareness stopped working, with a yellow exclamation mark in SmartView Monitor.

RAS via RADIUS stopped working also; users were no longer able to connect ... username or password wrong in the Microsoft NPS logs and on the Check Point Endpoint Connect VPN clients.

setup is: 
R80.10 + Take 154
Windows 2016 domain controllers 
especially the patch KB4487026 is causing this issue ... 

Since I have so little information so far, it's not easy to give any clear answers.

But did somebody install these Microsoft patches already together with IA running with AD Query?
And remote access via RADIUS authentication?

best regards
Thomas Eichelburg

0 Kudos
7 Replies
Mark_Mitchell
Advisor

Hi Thomas, 

I would strongly recommend raising a TAC case so that support can investigate the issue further.

Regards

Mark

Daniel_Taney
Advisor

It is interesting you bring this up because I have observed that I am unable to manually run IPS updates from SmartConsole from two Win10 machines that have this same Servicing Stack Update applied to them. The IPS updates worked when I ran them from an old Server 2008 R2 machine I had. I wonder if the same issue could be affecting multiple Check Point functions?

R80 CCSA / CCSE
0 Kudos
Daniel_Taney
Advisor

I created another thread https://community.checkpoint.com/thread/11714-windows-kb4485449-kb4485447-causing-multiple-check-poi... that documented the other issues I've uncovered that seem to be related to these patches. I have an open TAC case and will update TAC with this information.

R80 CCSA / CCSE
0 Kudos
Ashley_Griffin
Explorer

Good Morning,

We've had the same issue with IA/RADIUS and KB4487026. I would suggest it relates to this line in the patch release notes:

Addresses an issue that fails to set the LmCompatibilityLevel value correctly. LmCompatibilityLevel specifies the authentication mode and session security. 

I've raised it with our Check Point support, but until then, the only fix I've found is to uninstall the patch from our domain controllers which is not ideal.

Martin_van_Eden
Participant

Hi all,

Last weekend these patches were installed on our NPS servers (W2012 R2) and the SmartConsole login failed afterwards. Also the wrong username/password entries in the NPS logs.

We have configured authentication via RADIUS v2 + MS-CHAP2.


I changed to PAP and it worked again.
Seems like the patch broke MS-CHAP2?

But if you guys are looking for a quick workaround, changing to PAP should do the trick.
Less secure though..

0 Kudos
Dan_Roddy
Collaborator

Yes, I have the same issue using ADquery. One DC did not get patched and is still working, and I am getting a lot of pushback from TAC saying the patch did not cause the issue. If that is so, why is my unpatched DC working with ADquery?
0 Kudos
Thomas_Eichelbu
Collaborator

Hello, 

I have also raised a TAC ticket, but it still gets pushed back ...
It's not a Check Point issue, Check Point is dealing according to the RFCs.
Anyway, we have a patch "KB4487026". After applying this patch, it affects RADIUS authentication. NTLMv2 doesn't work anymore. Only with PAP ...

So i will put on some more pressure ... to get a solution or at least a detailed technical explanation.

best regards

0 Kudos