toha
Explorer

Radius MFA NPS extension

I have a Quantum Spark 1530 configured with RADIUS to a Windows Server.
The firewall is running R81.10.10.
The MFA NPS extension has been upgraded to the latest version on the NPS server.
A new certificate for NPS has been created and the old one has been deleted.
Internal firewall certificates have been reinitialized.
Time and date on the NPS server have been verified.
The RADIUS timeout has been set to 30 sec.
The NPS server has been rebooted.

When trying to connect with VPN to the firewall, the client prompts the user with "incorrect username or password" and the user receives 3 text messages from Microsoft with passcodes, all different codes.

It seems to me that the firewall sends multiple RADIUS requests.


Any suggestions?

0 Kudos
22 Replies
User88083582
Participant

I had the same problem.

The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.

PhoneBoy
Admin

Note that we only support PAP authentication per: https://support.checkpoint.com/results/sk/sk166359
I'd also use tcpdump to capture the traffic to/from the RADIUS server to see if you can find any clues.
Otherwise, I suggest a TAC case.

0 Kudos
toha
Explorer

This setup has worked for several years

0 Kudos
G_W_Albrecht
Legend

If it is not supported, it may still work, but it could also cease to work at any time!


CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
User88083582
Participant

I had the same problem with the same configuration (CHKPT <- RADIUS -> NPS with MFA NPS extension).

The temporary solution was to uninstall the Windows July 9, 2024-KB5040437 update from the NPS server.

toha
Explorer

I don't have that specific update you refer to.

0 Kudos
User88083582
Participant

In my case I don't use the number matching code, but only the Approval notification.

In the new version of the NPS extension it is necessary to use the registry hack
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-number-match#nps-extensio...

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
Create the following String/Value pair:
Name: OVERRIDE_NUMBER_MATCHING_WITH_OTP
Value = TRUE or FALSE (I don't remember, I solved it in another company, I have an older version of the extension)
Restart the NPS Service.

The user must have the Default authentication method set to App notification.


If you want to test RADIUS communication without MFA, you can temporarily block the MFA extension by renaming

AuthorizationDLLs and ExtensionDLLs in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters

and restarting the NPS service.

0 Kudos
JP_Rex
Collaborator

We have the same issue with Gaia.
Re: Blast-RADIUS - CVE-2024-3596 - Check Point CheckMates

There might be a workaround on the Windows site.

Configure requiremsgauth for remote servers
This configuration enables NPS Proxy to drop potentially vulnerable response messages without the Message-Authenticator attribute. 
0 Kudos
Duane_Toler
Advisor

This is RADIUS attribute 80. I had a customer that was having MFA failures.

In a pinch, you can configure the gateways to ignore attribute 80 with the edit in https://support.checkpoint.com/results/sk/sk42184 (SmartConsole - Global Properties - Advanced - Firewall - Authentication - radius_ignore) and set it to "80". Install policy.

Reset that to "0" when you're able to take care of it through other means.


0 Kudos
martinsl
Explorer

Hello

After a lot of tweaking, we also considered changing this attribute in the Check Point RADIUS settings.
With radius_ignore 80, the Check Point Mobile VPN client on end devices worked with RADIUS MFA.
Before, we had attribute 0 and the MFA pop-ups didn't show up.

I have a question: what does this attribute do? Does it somehow affect security risks or not?
Is there a little bit more information on what this attribute changes?

Thanks!

0 Kudos
PhoneBoy
Admin

Message-Authenticator, which is something being required in response to CVE-2024-3596 (Blast Radius).
More details in this thread: https://community.checkpoint.com/t5/General-Topics/Blast-RADIUS-CVE-2024-3596/m-p/220148
While it is not integrated into the JHF yet, there is a hotfix for this available via TAC.

0 Kudos
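An added example, not code from any post in this thread nor from Check Point or Microsoft, showing what attribute 80 (Message-Authenticator) is and what the tcpdump-style check suggested above would look for: it builds constructed RADIUS packets with a constructed shared secret, verifies the HMAC-MD5 Message-Authenticator on an Access-Request and on its Access-Accept (RFC 2869, section 5.14), reports when attribute 80 is absent, and lists repeated Access-Request identifiers, the retransmits the opening post suspects.

```python
import hashlib, hmac, struct
from collections import Counter
SECRET = b"constructed-shared-secret"  # assumption: the shared secret for the constructed packets below

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs, secret, with_msg_auth=True):
    """Assemble a packet; attribute 80 goes last and is filled with HMAC-MD5 per RFC 2869 5.14.
    For a response (code != 1) pass the request's authenticator; the Response Authenticator
    (RFC 2865 section 3) is computed afterwards and written over bytes 4..19."""
    body = encode_attrs(attrs) + (struct.pack("!BB", 80, 18) + b"\x00" * 16 if with_msg_auth else b"")
    pkt = bytearray(struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body)
    if with_msg_auth:
        pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    if code != 1:
        pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)

def parse_attrs(pkt):
    """Yield (type, offset, value) for each attribute following the 20-byte header."""
    pos = 20
    while pos < len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        yield atype, pos, pkt[pos + 2:pos + alen]
        pos += alen

def check_message_authenticator(pkt, secret, request_authenticator=None):
    """True/False when attribute 80 is present and verifies/fails; None when it is absent.
    A response is checked with the matching request's authenticator in bytes 4..19."""
    for atype, pos, value in parse_attrs(pkt):
        if atype == 80:
            work = bytearray(pkt)
            work[pos + 2:pos + 18] = b"\x00" * 16
            if request_authenticator is not None:
                work[4:20] = request_authenticator
            return hmac.compare_digest(hmac.new(secret, bytes(work), hashlib.md5).digest(), value)
    return None

def repeated_request_ids(packets):
    """Identifiers of Access-Requests that appear more than once: the retransmits suspected above."""
    counts = Counter(p[1] for p in packets if p[0] == 1)
    return sorted(i for i, n in counts.items() if n > 1)

# Constructed sample: one Access-Request captured twice (a retransmit) and its Access-Accept.
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator; a real one is random per request
REQUEST = build_packet(1, 7, REQ_AUTH, [(1, b"alice"), (4, b"\xc0\xa8\x01\x01")], SECRET)
ACCEPT = build_packet(2, 7, REQ_AUTH, [(18, b"Welcome")], SECRET)
CAPTURE = [REQUEST, REQUEST, ACCEPT]
```

A gateway that sets radius_ignore to 80 skips the check_message_authenticator step on responses, which is why that setting is only a stopgap until the hotfix is applied.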
FirewallerRS
Participant

Hi, have you found a solution to this problem yet?

0 Kudos
User88083582
Participant

Hi @FirewallerRS

I'm waiting for the official solution for now. I don't have a patch applied to NPS at the moment (Windows July 9, 2024-KB5040437)

0 Kudos
User88083582
Participant

The next update also broke RADIUS on NPS (August 13, 2024—KB5041160).

0 Kudos
CGG
Explorer

Any update? We have the same issue and neither of those patches is applied.

0 Kudos
PhoneBoy
Admin

Recommend engaging TAC: https://help.checkpoint.com 

0 Kudos
FirewallerRS
Participant

After the installation of KB 5040437 (July 9) and also after the installation of KB 5041160 (August 13, cumulative), the two-factor authentication via NPS to Azure did not work anymore. The error was: the authentication factor came via the Microsoft Authentication App, but after the confirmation it did not work anymore. I was able to solve the problem temporarily by going to the firewall's global properties -> Global Properties - Advanced - FireWall-1 - Authentication - Radius, then setting radius_ignore to the value 80.


User88083582
Participant

The problem is that on Quantum Spark 1600 with fw R81.10.10 (996002993) there is no option like the one mentioned in https://support.checkpoint.com/results/sk/sk42184

"VPN Remote Access - RADIUS attribute to be ignored." does not exist in Advanced Settings.

0 Kudos
User88083582
Participant

R81.10.15 is out.

https://support.checkpoint.com/results/sk/sk182438

This version already contains "VPN Remote Access - RADIUS attribute to be ignored." and it is set to ignore attribute 80.

Tested and works with a fully updated NPS server.

0 Kudos
PhoneBoy
Admin

Sure enough, it's there in the Advanced Settings:


0 Kudos
User88083582
Participant

In R81.10.15 it is there, but in R81.10.10 I didn't have it.

0 Kudos
PhoneBoy
Admin

True, it did not.

0 Kudos