This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DavidCr
Explorer
‎2020-01-22 03:35 AM

RADIUS Authentication problems with some Domains

Hello,

 

In our company, we've got a MultiDomain Server with many domains inside it and I'm facing a really strange problem ...

Today, I've configured the access via a Radius Server (FortiAuthenticator), which is NOW redirecting the authentication requests to a Domain Controller. Furthermore, before today, we could enter the MDS using local users placed on the FortiAuthenticator. Let's say I've just added a new step between the FortiAuthenticator and the Domain Controller, before that, the authentication was just made by the FortiAuthenticator (configured as a Radius Server in the MDS).

Additionally, in our company we've got a HA solution based on an Active-Passive nodes, and two environments, lets call them North and South. Here is the thing, when I access the MDS with my Domain Controller username I can log into the Northern Nodes, but not into the Southern Nodes. In stead I got prompted with "Failed to connect to the server ...". Am I missing something? Is this a network problem, routing, firewalls... ? I don't really know how the authentication flows, so It might be.

Thank you!!!

 

David.

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-01-22 09:30 PM

Your description is a little confusing.
So you have two MDS environments you're referring to as North and South.
They are set to authenticate via RADIUS to FortiAuthenticator which sounds like is now talking to Active Directory.
When you use your AD account on North, it's fine, but on South, it's not, and you get the "Failed to connect to server" message.

If it's SmartConsole you're seeing that in, make sure you have connectivity on TCP ports 443, 18191, and 19009 to the relevant IP addresses.
Without that, nothing will authenticate.
Then I would check for RADIUS packets from the South modes towards FortiAuthenticator.
Then of course check FortiAuthenticator to see if/how it authenticated the user,
0 Kudos
DavidCr
Explorer
‎2020-01-22 11:28 PM
In response to PhoneBoy

Sorry If my description of the problem is a little bit confusing, this environment is itself!

I'll clarify the matter: I've got one MDS, from where I can connect to every single domain, no matter if it's placed on north or south.

The RADIUS part you explain on your post is right but I want to add that FortiAuthenticator is talking to the AD, and also it allows you to authenticate via local users (user created locally into the FortiAuthenticator), at the same time.

Now that this part is "clear", I'm able to authenticate to every domain, both north and south, using my username created locally on the FortiAuthenticator, but when I access the MDS through my "remote" username, placed on the AD, I'm able to authenticate and log into the North Domains only.

I'll check all the communications again and see if I'm missing something,

Thank you very much for your reply!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events