This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tom_Heesmans
Contributor
‎2019-04-02 05:38 AM
Jump to solution

RADIUS GAIA secondary unit not able to login

Hi,

I'm using R80.20 and have configured RADIUS for GAIA on my primary and secondary unit. However when trying to login to the secondary unit, RADIUS fails to log me in. When I do a failover to the secondary unit RADIUS is functioning as expected but the other CheckPoint fails to log me.

So the primary unit can only authenticate through RADIUS. Any idea's on how to fix this or can someone explain why this is happening? (by the way, in all cases RADIUS shows an accepted authentication)

0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Authority
Authority
‎2019-04-02 11:22 AM
Jump to solution

By default, all outgoing traffic in ClusterXL mode is hiding behind VIP.

NTP, syslog, LDAP, RADIUS should go via VIP, not via members IP.

Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member...

There are a couple of ways how to exclude the RADIUS port to be hidden behind VIP. The best way is to create a NAT rule.

What is NAS IP configured on both nodes?

Kind regards,
Jozko Mrkvicka

View solution in original post

4 Replies
JozkoMrkvicka
Authority
Authority
‎2019-04-02 11:22 AM
Jump to solution

By default, all outgoing traffic in ClusterXL mode is hiding behind VIP.

NTP, syslog, LDAP, RADIUS should go via VIP, not via members IP.

Outgoing connections from cluster members are sent with cluster Virtual IP address instead of member...

There are a couple of ways how to exclude the RADIUS port to be hidden behind VIP. The best way is to create a NAT rule.

What is NAS IP configured on both nodes?

Kind regards,
Jozko Mrkvicka
Tom_Heesmans
Contributor
‎2019-04-26 04:34 AM
In response to JozkoMrkvicka
Jump to solution

NAT rule solved the issue.
0 Kudos
Udupi_krishna
Contributor
‎2019-04-02 10:46 PM
Jump to solution

The solution and documentation provided by Jozko would be the ideal approach to this problem, but try running a zdebug + drop on the Active firewall while you attempt authentication to the Secondary.

Chances are the Radius access/accept packet might be dropped by the Active firewall since the return traffic would be sent to the Cluster VIP.

In some of the cases I worked with, setting the kernel parameter fwha_forw_packet_to_not_active to 1 fixed the issue. But this also depends on the drop logs seen on the Active firewall.

 

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2019-04-27 01:26 AM
In response to Udupi_krishna
Jump to solution

Yes, the whole point of kernel parameter fwha_forw_packet_to_not_active set to 1 is to forward traffic from Active node towards Standby. I have also tested this solution, worked, BUT it is not recommended way and should be implemented as last resort.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events