This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mraybone
Explorer
Thursday

Message-Authenticator RADIUS attribute (Okta) for Endpoint VPN...

Hello!

R81.20 take 89

Our Endpoint Security VPN uses an Okta RADIUS integration.  We have been asked to upgrade the Okta (Windows) agents to the latest version 2.24.2 (from 2.17).  When we do this, VPN authentication fails and we see an error in the Okta logs of:

"The Message-Authenticator attribute was expected but not found in the request"

Okta have suggested we need to "upgrade the downstream integration"....
"If the downstream integration is not presently configured to send a Message-Authenticator attribute to the Okta RADIUS Agents, it will need to be reconfigured to include the Message-Authenticator attribute or upgraded so that they can support message-authenticator"

And in their words, this would be a "Gateway/VPN device (like Cisco ASA, F5 VPN, etc.)".  Or in our case, I'm assuming the Check Point firewall.

I can't seem to find anything about how to "configure it to send a Message-Authenticator attribute".  I did find an SK... sk182516 - Check Point Response to CVE-2024-3596 - Blast-RADIUS attack (5th section of the table) but this seems to be to do with what the Firewall should do if it encounters the Message-Authenticator attribute, not to do with actually including it in a request.

Love and packets,
Mark

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
Thursday

That SK is the correct one.
Prior to the releases listed, we didn't support sending or receiving the message authenticator attributes.
I assume if you upgrade to the relevant release and enable the setting to require message authenticator attributes will also send them.
If you find otherwise, I suggest a TAC case.

0 Kudos
Mraybone
Explorer
Thursday
In response to PhoneBoy

Ok thanks for the info - another Okta article I read suggested that along with the Firewall and Okta agent change, a 3rd change is also required on the Okta side.  After following the SK with no luck before, I think that's probably why.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events