- Products
- Learn
- Local User Groups
- Partners
- More
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi,
I have setup 1590 appliance to work with RADIUS server for 2ND factor for RAVPN users.
Radius server is Ubuntu 20.04 with FreeRadius service on it.
Radius server part works as a charm, it communicates with Google Authenticator and makes authentication decisions according to user/pass/OTP policy setup.
Problem is that on our CP 1590 appliance side. After successful Radius authentication (RADIUS packets are exchanged between CP 1590 device and Radius server), RAVPN client gets disconnected every time (RAVPN connection is never completed).
SMB appliances use RADIUS v1, and because of that password length together with OTP from goolge authenticator should not be over 16 characters long (it is limitation on SMB appliances they can not use Radius v2).
In security logs we get:
Action: Failed Log In
Reason: Authenticated by RADIUS
Second authentication method: DynamicID
Surely, this is where the problem is.
Our endpoint security VPN client shows: User XXX authenticated by Radius authentication
Check Point 1590 setup:
1. local users with ravpn permission created (according to Radius server - to match username and password with Radius server local users database)
2. Put users in user group with RAVPN permissions
3. Checked option - Require users to confirm their identity using two-factor authentication
Did not checked SMS option as we do not use SMS DynamicID (left it default):
4. Changed auth method on RAVPN client to Radius server
5. We created authentication server (Radius):
Kindly ask You for a hint how to make this work?
All suggestions are welcome.
Thanks!
Milos
1 Solution
Accepted Solutions
As addition to my first message, if I check on 1590 GW the option - Require users to confirm their identity using two-factor authentication,
on VPN client I got these two auth options:
With both auth. options from picture, RAVPN user gets successfully authenticated, but VPN tunnel establishment is not being started by 1590 appliance at all (no tunnel test traffic (port 18234) , it's like that VPND is not being triggered by these auth options), and at the end client gets disconnected with messages like this:
Local/AD user (Default):
Radius user:
On the contrary, if I do not check on 1590 GW the option - Require users to confirm their identity using two-factor authentication, on VPN client there are many auth options (username/pass, SecureID, certs,...). But no radius at all.
VPN client side logs during testing with test radius user:
| User | Count |
|---|---|
| 13 | |
| 8 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 |
Fri 12 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live Netherlands - Sessie 38: Harmony Email & CollaborationTue 16 Sep 2025 @ 02:00 PM (EDT)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - AmericasWed 17 Sep 2025 @ 04:00 PM (AEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - APACWed 17 Sep 2025 @ 03:00 PM (CEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - EMEAThu 18 Sep 2025 @ 03:00 PM (CEST)
Bridge the Unmanaged Device Gap with Enterprise Browser - EMEAFri 12 Sep 2025 @ 10:00 AM (CEST)
CheckMates Live Netherlands - Sessie 38: Harmony Email & CollaborationTue 16 Sep 2025 @ 02:00 PM (EDT)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - AmericasWed 17 Sep 2025 @ 04:00 PM (AEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - APACWed 17 Sep 2025 @ 03:00 PM (CEST)
Securing Applications with Check Point and AWS: A Unified WAF-as-a-Service Approach - EMEAThu 18 Sep 2025 @ 03:00 PM (CEST)
Bridge the Unmanaged Device Gap with Enterprise Browser - EMEA