Hello,
Hoping the community can help me with an issue I'm trying to solve. Our customer is trying to migrate away from one RADIUS based solution to another RADIUS based solution, doing so incrementally. They mentioned "Multiple Login Options" which seems to do what we want to do.
I set up Multiple Login Options as per the guide (this is for R80.10 with a client supported for the multiple login options) with two profiles, both RADIUS but pointing towards different RADIUS servers. This all looks correct, but it does not work - when using the MLO settings the authentication fails with "Failed to generate RADIUS auth request" but works fine when we use the legacy authentication settings. When attempting to use the MLO options the RADIUS server is not contacted at all.
My question here is thus:
1. Can anyone else think of a way to migrate away (in a staged manner) from one RADIUS based authentication solution to another other than what's suggested above?
2. I believe my configuration may not be set up correctly, but it is as far as I can tell as per the documentation. How does the firewall handle authentication when using third party auth? (I was of the understanding both user and password were sent to the RADIUS server, but I don't think this is happening) I understand the old-fashioned way of doing things but this appears to be different.
3. Is MLO designed to work with profiles where each one points to different authentication servers using the same protocol? (I can see it being aimed more towards customers that use a mix of AD and say RSA SecurID tokens)
Any help appreciated.
Thanks
Daniel
I think Multiple Login Options is meant to support two different types of authentication, not two types of the same authentication.
But just in case, does this older SK apply? "FireWall-1 drops FTP Server usernames with @ symbol"
I had thought as much, but couldn't find much out about "proper" deployment.
Yeah, support had mentioned that to me - but there's no @ in the username, plus with the age of the article I thought it might not be relevant.
It refers to the FTP Security Server, which no one should be using at this point.
Hi Daniel,
I have the same customer scenario as yours. Someone in support suggested using an intermediate or proxy Radius that would redirect towards the original or new Radius servers, based upon some user attribute (ideally user group). But it seems too complicated to me. Did you find any other smarter solution for your migration?
Many thanks in advance.