Hi,
I have setup 1590 appliance to work with RADIUS server for 2ND factor for RAVPN users.
Radius server is Ubuntu 20.04 with FreeRadius service on it.
Radius server part works as a charm, it communicates with Google Authenticator and makes authentication decisions according to user/pass/OTP policy setup.
Problem is that on our CP 1590 appliance side. After successful Radius authentication (RADIUS packets are exchanged between CP 1590 device and Radius server), RAVPN client gets disconnected every time (RAVPN connection is never completed).
SMB appliances use RADIUS v1, and because of that password length together with OTP from goolge authenticator should not be over 16 characters long (it is limitation on SMB appliances they can not use Radius v2).
In security logs we get:
Action: Failed Log In
Reason: Authenticated by RADIUS
Second authentication method: DynamicID
Surely, this is where the problem is.
Our endpoint security VPN client shows: User XXX authenticated by Radius authentication
Check Point 1590 setup:
1. local users with ravpn permission created (according to Radius server - to match username and password with Radius server local users database)
2. Put users in user group with RAVPN permissions
3. Checked option - Require users to confirm their identity using two-factor authentication
Did not checked SMS option as we do not use SMS DynamicID (left it default):
4. Changed auth method on RAVPN client to Radius server
5. We created authentication server (Radius):
Kindly ask You for a hint how to make this work?
All suggestions are welcome.
Thanks!
Milos
As addition to my first message, if I check on 1590 GW the option - Require users to confirm their identity using two-factor authentication,
on VPN client I got these two auth options:
With both auth. options from picture, RAVPN user gets successfully authenticated, but VPN tunnel establishment is not being started by 1590 appliance at all (no tunnel test traffic (port 18234) , it's like that VPND is not being triggered by these auth options), and at the end client gets disconnected with messages like this:
Local/AD user (Default):
Radius user:
On the contrary, if I do not check on 1590 GW the option - Require users to confirm their identity using two-factor authentication, on VPN client there are many auth options (username/pass, SecureID, certs,...). But no radius at all.
VPN client side logs during testing with test radius user:
| User | Count |
|---|---|
| 4 | |
| 3 | |
| 2 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 | |
| 1 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
