toha
Explorer

Radius MFA NPS extension

I have a Quantum Spark 1530 configured with RADIUS to a Windows Server.
The firewall is running R81.10.10.
The MFA NPS extension has been upgraded to the latest version on the NPS server.
A new certificate for NPS has been created and the old one has been deleted.
Internal firewall certificates have been reinitialized.
Time and date on the NPS server have been verified.
The RADIUS timeout has been set to 30 sec.
The NPS server has been rebooted.

When trying to connect with VPN to the firewall, the client prompts the user with "incorrect username or password" and the user receives three text messages from Microsoft with passcodes, all with different codes.

It seems to me that the firewall sends multiple RADIUS requests.


Any suggestions?

0 Kudos
9 Replies
User88083582
Participant

I had the same problem.

The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.

PhoneBoy
Admin

Note that we only support PAP authentication per: https://support.checkpoint.com/results/sk/sk166359
I'd also use tcpdump to capture the traffic to/from the RADIUS server to see if you can find any clues.
Otherwise, I suggest a TAC case.

0 Kudos
toha
Explorer

This setup has worked for several years

0 Kudos
G_W_Albrecht
Legend

If it is not supported, it may still work, but it could also cease to work at any time!


CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
User88083582
Participant

I had the same problem with the same configuration (CHKPT <- RADIUS -> NPS with MFA NPS extension).

The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.

0 Kudos
toha
Explorer

I don't have that specific update you refer to.

0 Kudos
User88083582
Participant

In my case I don't use the number matching code, but only the Approval notification.

In the new version of the NPS extension it is necessary to use the registry hack:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extensio...

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
Create the following String/Value pair:
Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
Value = TRUE or FALSE (I don't remember, I solved it in another company, I have an older version of the extension)
Restart the NPS Service.

The user must have the Default authentication method set to App notification.


If you want to test RADIUS communication without MFA, you can temporarily block the MFA extension by renaming AuthorizationDLLs and ExtensionDLLs in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters and restarting the NPS service.

0 Kudos
JP_Rex
Collaborator

We have the same issue with Gaia.
Re: Blast-RADIUS - CVE-2024-3596 - Check Point CheckMates

There might be a workaround on the Windows side.

Configure requiremsgauth for remote servers
This configuration enables NPS Proxy to drop potentially vulnerable response messages without the Message-Authenticator attribute.
0 Kudos
Duane_Toler
Advisor

This is RADIUS attribute 80. I had a customer that was having MFA failures.

In a pinch, you can configure the gateways to ignore attribute 80 with the edit in https://support.checkpoint.com/results/sk/sk42184 (SmartConsole - Global Properties - Advanced - Firewall - Authentication - radius_ignore) and set it to "80". Install policy.

Reset that to "0" when you're able to take care of it through other means.


0 Kudos
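Added example, not from any reply in this thread and not Check Point or Microsoft code: a small Python implementation of the RADIUS Message-Authenticator (attribute 80) check that the requiremsgauth setting and the radius_ignore workaround discussed above are about. It builds a constructed Access-Request/Access-Accept pair with a made-up shared secret and Request Authenticator, then shows that a tampered response and a response lacking attribute 80 both fail verification, which is the behaviour requiremsgauth enforces on the NPS side.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869 section 5.14)
HEADER_LEN = 20             # Code(1) Identifier(1) Length(2) Authenticator(16)

def parse_attributes(packet):
    pos = HEADER_LEN  # yield (offset, type, value) for each TLV after the header
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len

def build_packet(code, identifier, request_authenticator, attributes, secret):
    """Assemble a packet with attribute 80 appended. The HMAC always runs over the
    Request Authenticator; a response then gets the Response Authenticator (RFC 2865)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    body += struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    body = body[:-16] + hmac.new(secret, header + request_authenticator + body, hashlib.md5).digest()
    auth = request_authenticator
    if code != 1:  # Access-Accept / Access-Reject / Access-Challenge
        auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

def verify_message_authenticator(packet, request_authenticator, secret):
    """True only if attribute 80 is present and valid; a packet without attribute 80 fails too."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    for offset, attr_type, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = (packet[:4] + request_authenticator + packet[HEADER_LEN:offset + 2]
                      + bytes(16) + packet[offset + 18:])
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

SECRET = b"constructed-shared-secret"  # constructed sample secret, not a real one
REQ_AUTH = bytes(range(16))            # constructed Request Authenticator

def demo():
    """Constructed Access-Request / Access-Accept pair plus two responses that must fail."""
    request = build_packet(1, 7, REQ_AUTH, [(1, b"alice")], SECRET)
    accept = build_packet(2, 7, REQ_AUTH, [(18, b"Welcome")], SECRET)
    tampered = accept[:22] + b"w" + accept[23:]                    # one byte of Reply-Message changed
    no_attr80 = struct.pack("!BBH", 2, 7, HEADER_LEN) + REQ_AUTH     # response lacking attribute 80
    return tuple(verify_message_authenticator(p, REQ_AUTH, SECRET)
                 for p in (request, accept, tampered, no_attr80))
```

Running demo() returns (True, True, False, False); the last two cases are exactly what a gateway configured to ignore attribute 80 would stop distinguishing, so the radius_ignore workaround should be reverted once the NPS side is fixed.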
