This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Howard_Gyton
Advisor
‎2025-09-01 03:27 AM

RADIUS authentication fails due to replacement servers

We have two RADIUS servers that are used for VPN authentication, and authentication to the firewall manager. running 81.20.

I have built two new RADIUS servers, importing the config from the current servers.  Old servers are Server 2016, new ones are Server 2025.

I have disabled the NICs on the 2016 servers, and given the new servers the same IP's that they had, in effect swapping servers -03 & -04 with servers -07 & -08.

What we found was all other aspects of authentication are working fine, but it breaks the VPN, and I cannot authenticate to SmartConsole either.  Local admin accounts work fine.

Making the old servers live again fixes things.

The only thing  I can think of is the label of the server in the database.  I left the names as -03 & -04, so are there some additional checks that Check Point does that other systems do not?

For example, one of the objects:

Screenshot 2025-09-01 112302.jpg

We have a similar process for other Eduroam servers, and we haven't yet renamed their objects, and they are still working.  Our Aruba wireless system, for example.  My assumption was that as long as the shared secret was correct, the label of the object didn't matter, but perhaps in this case it does?

 

 

0 Kudos
5 Replies
Amir_Senn
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-09-01 04:40 AM

I suggest going to old Radius object in the objects bar -> right click -> where used.

Perhaps this can help discover if it's being referenced in other object.

Kind regards, Amir Senn
0 Kudos
Howard_Gyton
Advisor
‎2025-09-01 04:54 AM
In response to Amir_Senn

The only places those two objects are used are in a group called "AD-Radius", which is in turn used for VPN authentication:

Screenshot 2025-09-01 125030.png

Also for administrator user account authentication:

Screenshot 2025-09-01 125220.jpg

I would have thought these would be fine inheriting the IP addresses.  When I get the opportunity to try again, I may rename the the 03/04 objects to 07/08, and re-test.  If that fails I'll log a ticket with our support partner.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-01 03:39 PM

Just a thought...is the same protocl ms-chap2 used?

Andy

Best,
Andy
0 Kudos
Howard_Gyton
Advisor
‎2025-09-02 01:40 AM
In response to the_rock

I'll double check now, but yes, they should be as I ran an export of the NPS config. and imported these exports into the two new NPS servers, so they should be identical.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-09-02 04:19 AM
In response to Howard_Gyton

K, fair enough, but I would still confirm, just to be sure. What do you see if you do tcpdump for port 1812?

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events