I have a Quantum Spark 1530 configured with RADIUS to a Windows Server.
The firewall is running R81.10.10.
The MFA NPS extension has been upgraded to the latest version on the NPS server.
A new certificate for NPS has been created and the old one has been deleted.
Internal firewall certificates have been reinitialized.
Time and date on the NPS server have been verified.
The RADIUS timeout has been set to 30 sec.
The NPS server has been rebooted.
When trying to connect with VPN to the firewall, the client prompts the user with incorrect username or password and the user receives 3 text messages from Microsoft with passcodes. All different codes.
It seems to me that the firewall sends multiple RADIUS requests.
Any suggestions?
I had the same problem.
The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.
Note that we only support PAP authentication per: https://support.checkpoint.com/results/sk/sk166359
I'd also use tcpdump to capture the traffic to/from the RADIUS server to see if you can find any clues.
Otherwise, I suggest a TAC case.
This setup has worked for several years.
If it is not supported, it may still work - but it could also cease to work at any time!
I had the same problem with the same configuration (CHKPT <- RADIUS -> NPS with MFA NPS extension).
The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.
I don't have that specific update you refer to.
In my case I don't use number matching code, but only Approval notification.
In the new version of the NPS extension it is necessary to use the registry hack
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extensio...
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
Create the following String/Value pair:
Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
Value = TRUE or FALSE (I don't remember, I solved it in another company, I have an older version of the extension)
Restart the NPS Service.
The user must have the default authentication method set to App notification.
If you want to test RADIUS communication without MFA, you can temporarily block the MFA extension by renaming AuthorizationDLLs and ExtensionDLLs in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters and restarting the NPS service.
We have the same issue with Gaia.
Re: Blast-RADIUS - CVE-2024-3596 - Check Point CheckMates
There might be a workaround on the Windows site.
This is RADIUS attribute 80. I had a customer that was having MFA failures.
In a pinch, you can configure the gateways to ignore attribute 80 with the edit in https://support.checkpoint.com/results/sk/sk42184 (SmartConsole - Global Properties - Advanced - Firewall - Authentication - radius_ignore and set it to "80"). Install policy.
Reset that to "0" when you're able to take care of it through other means.
Hello,
After a lot of tweaking, we also considered changing this attribute in the Check Point RADIUS settings.
We set radius_ignore to 80; after that, the Check Point mobile VPN client on end devices worked with RADIUS MFA.
Before, we had attribute 0 and MFA pop-ups didn't show up.
I have a question: What does this attribute do? Does it somehow affect security risks or not?
Is there a little more information on what this attribute changes?
Thanks!
Message-Authenticator, which is something being required in response to CVE-2024-3596 (Blast Radius).
More details in this thread: https://community.checkpoint.com/t5/General-Topics/Blast-RADIUS-CVE-2024-3596/m-p/220148
While it is not integrated into the JHF yet, there is a hotfix for this available via TAC.
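Added example (not part of any post in this thread, and not Check Point or Microsoft code): what validating attribute 80 involves. Per RFC 2869, Message-Authenticator is an HMAC-MD5 over the whole RADIUS packet, keyed with the shared secret, computed with the attribute's own 16 value bytes set to zero. The helper names and the sample packet builder are hypothetical, and any packet fed to it in testing is constructed.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869)

def iter_attributes(packet: bytes):
    """Yield (type, value_offset, value) for each attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def check_message_authenticator(packet: bytes, secret: bytes, request_auth: bytes = None) -> str:
    """Return 'missing', 'valid' or 'invalid' for attribute 80."""
    length = struct.unpack("!H", packet[2:4])[0]
    buf = bytearray(packet[:length])
    received = None
    for atype, offset, value in iter_attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "invalid"
            received = bytes(value)
            buf[offset:offset + 16] = bytes(16)  # zero the field before hashing
            break
    if received is None:
        return "missing"
    # For replies (Accept/Reject/Challenge) the Request Authenticator of the
    # matching Access-Request takes the place of the Authenticator field.
    if request_auth is not None:
        buf[4:20] = request_auth
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return "valid" if hmac.compare_digest(expected, received) else "invalid"

def build_access_request(secret: bytes, ident: int, authenticator: bytes,
                         user: bytes, sign: bool) -> bytes:
    """Constructed sample: Access-Request (Code 1) with User-Name, optionally signed."""
    attrs = bytes([1, 2 + len(user)]) + user
    if sign:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    packet = bytearray(struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs)
    if sign:
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)
```

Fed the RADIUS payload bytes from a tcpdump capture, `check_message_authenticator` shows whether attribute 80 is present in each direction and whether it verifies against the configured shared secret.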
Hi, have you found a solution to this problem yet?
I'm waiting for the official solution for now. I don't have a patch applied to NPS at the moment (Windows July 9, 2024-KB5040437)
the next update also broke RADIUS on NPS (August 13, 2024—KB5041160)
Any update? We have the same issue and neither of those patches are applied.
Recommend engaging TAC: https://help.checkpoint.com
After the installation of KB 5040437 July 9 and also after the installation of KB 5041160 August 13 (cumulative), the two-factor authentication via NPS to Azure did not work anymore. The error was that the authentication factor came via the Microsoft Authentication App, but after the confirmation it did not work anymore. I was able to solve the problem temporarily by going to the Global Properties on the firewall: Global Properties -> Advanced -> FireWall-1 -> Authentication -> Radius, then set radius_ignore to the value 80.
The problem is that on Quantum Spark 1600 with fw R81.10.10 (996002993) there is no option which is mentioned in https://support.checkpoint.com/results/sk/sk42184
"VPN Remote Access - RADIUS attribute to be ignored." does not exist in Advanced Settings.
R81.10.15 is out.
https://support.checkpoint.com/results/sk/sk182438
This version already contains "VPN Remote Access - RADIUS attribute to be ignored." and it is set to ignore attribute 80.
Tested and works with a fully updated NPS server.
Sure enough, it's there in the Advanced Settings:
In R81.10.15 it is there, but in R81.10.10 I didn't have it.
True, it did not.