This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Heesmans
Contributor
‎2019-04-02 05:38 AM

RADIUS GAIA secondary unit not able to login

Jump to solution

Hi,

I'm using R80.20 and have configured RADIUS for GAIA on my primary and secondary unit. However when trying to login to the secondary unit, RADIUS fails to log me in. When I do a failover to the secondary unit RADIUS is functioning as expected but the other CheckPoint fails to log me.

So the primary unit can only authenticate through RADIUS. Any idea's on how to fix this or can someone explain why this is happening? (by the way, in all cases RADIUS shows an accepted authentication)

0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Leader
Leader
‎2019-04-02 11:22 AM

Jump to solution

By default, all outgoing traffic in ClusterXL mode is hiding behind VIP.

NTP, syslog, LDAP, RADIUS should go via VIP, not via members IP.

Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member...

There are a couple of ways how to exclude the RADIUS port to be hidden behind VIP. The best way is to create a NAT rule.

What is NAS IP configured on both nodes?

Kind regards,
Jozko Mrkvicka

View solution in original post

4 Replies
JozkoMrkvicka
Leader
Leader
‎2019-04-02 11:22 AM

Jump to solution

By default, all outgoing traffic in ClusterXL mode is hiding behind VIP.

NTP, syslog, LDAP, RADIUS should go via VIP, not via members IP.

Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member...

There are a couple of ways how to exclude the RADIUS port to be hidden behind VIP. The best way is to create a NAT rule.

What is NAS IP configured on both nodes?

Kind regards,
Jozko Mrkvicka
Tom_Heesmans
Contributor
‎2019-04-26 04:34 AM
In response to JozkoMrkvicka

Jump to solution
NAT rule solved the issue.
0 Kudos
Udupi_krishna
Contributor
‎2019-04-02 10:46 PM

Jump to solution

The solution and documentation provided by Jozko would be the ideal approach to this problem, but try running a zdebug + drop on the Active firewall while you attempt authentication to the Secondary.

Chances are the Radius access/accept packet might be dropped by the Active firewall since the return traffic would be sent to the Cluster VIP.

In some of the cases I worked with, setting the kernel parameter fwha_forw_packet_to_not_active to 1 fixed the issue. But this also depends on the drop logs seen on the Active firewall.

 

0 Kudos
JozkoMrkvicka
Leader
Leader
‎2019-04-27 01:26 AM
In response to Udupi_krishna

Jump to solution

Yes, the whole point of kernel parameter fwha_forw_packet_to_not_active set to 1 is to forward traffic from Active node towards Standby. I have also tested this solution, worked, BUT it is not recommended way and should be implemented as last resort.

Kind regards,
Jozko Mrkvicka
0 Kudos