This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LM-Rafael
Collaborator
‎2025-01-26 04:51 AM

RADIUS Server Authentication VPN on Quantum Spark 1600

Hi,

i want to setup RADIUS Authentication for VPN. My device is a Quantum Spark 1600 with latest Gaia OS. Actually i get no error von Windows Server NPS Server -> Event ID 6272 Access Granted but the connection hang at 47% and after some seconds it will stop to connect with Message: Username or Password are wrong. And i get no IP Adress from RADIUS Server. What can i do? Where is the correct log files and what have anybody an link to an how to?

Thanks

Rafael

0 Kudos
8 Replies
Chris_Atkinson
Employee Employee
Employee
‎2025-01-26 07:45 AM

Did you try increasing the radius timeout and is the request arriving at the NPS with the correct source / NAS IP address that is permitted to act as a radius client?

Where required their is a build of R81.10.15 available from TAC that mitigates BlastRADIUS also. 

CCSM R77/R80/ELITE
0 Kudos
LM-Rafael
Collaborator
‎2025-01-26 07:58 AM
In response to Chris_Atkinson

Hi Chris,

i found some information in the log files see under the attachments (username: adminmu) and information from eventviewer:

Der Netzwerkrichtlinienserver hat einem Benutzer den Zugriff gewährt.
 
Benutzer:
Sicherheits-ID: ADMUS\adminmu
Kontoname: adminmu
Kontodomäne: ADMUS
Vollqualifizierter Kontoname: ad.mustermann.gmbh/mustermann.gmbh/Benutzer/Service Benutzer/Administrator Mustermann
 
Clientcomputer:
Sicherheits-ID: NULL SID
Kontoname: -
Vollqualifizierter Kontoname: -
ID der Empfangsstation: -
ID der Anrufstation: -
 
NAS:
NAS-IPv4-Adresse: 89.206.221.134
NAS-IPv6-Adresse: -
NAS-ID: -
NAS-Porttyp: -
NAS-Port: -
 
RADIUS-Client:
Clientanzeigename: MUSNFWC-FRA-01-01
Client-IP-Adresse: 10.8.8.1
 
Authentifizierungsdetails:
Name der Verbindungsanforderungsrichtlinie: Verbindungen für virtuelles privates Netzwerk (VPN)
Netzwerkrichtlinienname: Verbindungen für virtuelles privates Netzwerk (VPN)
Authentifizierungsanbieter: Windows
Authentifizierungsserver: MUSSDC-FRA-01.ad.mustermann.gmbh
Authentifizierungstyp: PAP
EAP-Typ: -
Kontositzungs-ID: -
Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
 

Thanks

Rafael

vpn_log.pdf
Preview file
321 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-01-28 06:28 AM
In response to LM-Rafael

Open a SR# with CP TAC to get this resolved asap !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LM-Rafael
Collaborator
‎2025-01-27 12:57 PM
In response to Chris_Atkinson

First i increase the timeout limit.

I see only in Eventlog that the User get access (access granted) for User Adminmu. Everything looks fine but not working.

Do you have an sk for setup A Windows RADIUS NPS server??

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2025-01-27 03:36 PM
In response to LM-Rafael

Not aware of a specific SK but there are discussions here from others who have it working.

Typically the issues align to one of those I eluded to above or ignoring specific radius attributes depending on the patch level of the NPS / AD environment.

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-28 06:23 AM

If you are using a fully patched NPS server, then it is very likely this is failing because of the mitigations deployed as a result of the Blast RADIUS issue: https://support.checkpoint.com/results/sk/sk182516 
You need to do one of the following:

  • Disable Message Authenticator codes on the RADIUS Server
  • Upgrade to a firmware version that has RADIUS Message Authenticator support (as @Chris_Atkinson noted, this needs to be procured from TAC for Quantum Spark appliances)
  • Configure the gateway to ignore RADIUS attribute 80: https://support.checkpoint.com/results/sk/sk42184 
0 Kudos
LM-Rafael
Collaborator
‎2025-01-28 10:22 AM
In response to PhoneBoy

Hi,

both is not working. I cant find under advanced settings "VPN Remote Access - RADIUS attribute to be ignored." (sk42184 - RADIUS authentication fails in Remote Access VPN, Identity Awareness, Mobile Access or Sma...) and this is also not working: sk182516 - Check Point response to CVE-2024-3596 - Blast-RADIUS attack.

I have contact TAC and now i wait for response.

I have no ideas what can i do to solve this problem.

Thanks

Rafael

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-28 12:57 PM
In response to LM-Rafael

The RADIUS Server can require the Message Authenticator codes and fail also, I believe.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top