Axel_Winterberg
Participant

After Upgrade with R81.20 JHF T65 (CVE-2024-24919) Gateway is blocking 1 Factor - RADIUS

Hi guys,

we have a VSX Cluster (2x 23800 appliances).

I have upgraded to R81.20 with the latest recommended Hotfix T65.

It seems that the Gateway is blocking the 1 Factor Authentication to the RADIUS Server.

I noticed that upgraded GWs are blocking 1 Factor for InternalUsers. That can be allowed by "blockSFAInternalUsers -a".

Unfortunately this does not work for RADIUS Server.

Error Message is:

Failed Login Factor:   1st factor - RADIUS

Reason:           RADIUS servers not responding

When failing over to the GW without the T65, authentication works fine.

Any ideas?

0 Kudos
6 Replies
Duane_Toler
Advisor

Are these user accounts locally-defined, but with Authentication set to "RADIUS"?  I bet that's what it is.  As for a fix, I wager that it's a TAC case.

(I'm conjecturing and making a lot of assumptions for the below suggestion)

However, if you do have users defined this way, you ought to consider using the multi-authentication profiles instead and have users deferred to RADIUS that way.  You can set multiple profiles for multiple types of authentications, then have the VPN client select that login method to select the right authentication.  You can combine the multi-auth profile with an LDAP AU to link them to an Access Role for policy enforcement.

 

0 Kudos
Axel_Winterberg
Participant

No, the Users are not locally defined on the Gateways.

The Gateway with T65 is blocking 1 Factor Authentication with the RADIUS.
Unfortunately, I am not the admin of the RADIUS. So I cannot change the authentication mode.

I have opened an SR for this issue. Waiting for a response from CP.

0 Kudos
Duane_Toler
Advisor

Are you still using the classic "generic*" user instead?

 

As for the authentication options, these are configured per gateway, not on the RADIUS servers:

  • Double-click a gateway for gateway properties
  • VPN Clients, on the left
  • Authentication

 

0 Kudos
Axel_Winterberg
Participant

It is a VSX-Cluster. So the configuration is on the Management-Server.

We have decided to uninstall the T65 Hotfix. After reboot, Single Factor Authentication with RADIUS works fine. So I have also upgraded the other member to R81.20.

Our maintenance window is closed now. Next evening I will install T65 again to do some troubleshooting with TAC.

0 Kudos
Lesley
Advisor

A packet capture would maybe help: if you load it in Wireshark, you can compare the RADIUS request between the working and non-working gateway. Maybe there is a hint (or a hint for TAC).

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
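The comparison suggested in the post above can also be scripted. This is an added example, not part of any post in this thread and not Check Point tooling: it parses two RADIUS Access-Request UDP payloads per RFC 2865 and lists the attributes that differ. The function names and the sample payloads (`WORKING`, `FAILING`) are constructed for illustration and are not taken from the captures discussed here.

```python
import struct

# Attribute names from RFC 2865/2869; other types are shown by number.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 32: "NAS-Identifier", 80: "Message-Authenticator"}
PER_REQUEST = {2, 80}  # differ on every request by design: compare presence/length only

def parse_radius(payload: bytes) -> dict:
    """Parse a RADIUS UDP payload (RFC 2865 section 3) into code, id and attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match payload")
    attrs, pos = {}, 20
    while pos < length:
        a_len = payload[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.setdefault(payload[pos], []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}

def diff_requests(working: bytes, failing: bytes) -> list:
    """List attribute differences between two Access-Request payloads."""
    a, b = parse_radius(working)["attrs"], parse_radius(failing)["attrs"]
    out = []
    for t in sorted(set(a) | set(b)):
        name = ATTR_NAMES.get(t, f"attr-{t}")
        if t not in a or t not in b:
            out.append(f"{name}: only in {'working' if t in a else 'failing'} request")
        elif t in PER_REQUEST:
            if [len(v) for v in a[t]] != [len(v) for v in b[t]]:
                out.append(f"{name}: length differs")
        elif a[t] != b[t]:
            out.append(f"{name}: {[v.hex() for v in a[t]]} != {[v.hex() for v in b[t]]}")
    return out

def build_request(attrs):
    """Build a sample Access-Request (code 1, id 7, zeroed authenticator)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample payloads; real ones come from the two gateways' captures.
WORKING = build_request([(1, b"alice"), (2, bytes(16)), (4, bytes([10, 0, 0, 1])), (32, b"gw-a")])
FAILING = build_request([(1, b"alice"), (2, bytes(16)), (4, bytes([10, 0, 0, 2]))])

if __name__ == "__main__":
    print("\n".join(diff_requests(WORKING, FAILING)))
```

To use it on real traffic, export the UDP payload bytes of one Access-Request from each capture and pass them in place of `WORKING` and `FAILING`.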
Axel_Winterberg
Participant

Yes, we have collected some tcpdumps.

We could see that there is communication between the GW and RADIUS.
I strongly believe that the T65 is preventing the use of single factor authentication.

TAC engineer will check this with R&D.

0 Kudos
