RADIUS Server Authentication VPN on Quantum Spark 1600
Hi,
I want to set up RADIUS authentication for VPN. My device is a Quantum Spark 1600 with the latest Gaia OS. Actually I get no error from the Windows Server NPS server -> Event ID 6272 Access Granted, but the connection hangs at 47% and after some seconds it stops connecting with the message: Username or Password are wrong. And I get no IP address from the RADIUS server. What can I do? Where are the correct log files, and does anybody have a link to a how-to?
Thanks
Rafael
Did you try increasing the RADIUS timeout, and is the request arriving at the NPS with the correct source / NAS IP address that is permitted to act as a RADIUS client?
Where required, there is a build of R81.10.15 available from TAC that mitigates BlastRADIUS also.
Hi Chris,
I found some information in the log files, see the attachments (username: adminmu), and information from Event Viewer:
Thanks
Rafael
Open an SR# with CP TAC to get this resolved ASAP!
First I increased the timeout limit.
I see only in the event log that the user gets access (access granted) for user Adminmu. Everything looks fine but it is not working.
Do you have an sk for setting up a Windows RADIUS NPS server?
Not aware of a specific SK but there are discussions here from others who have it working.
Typically the issues align to one of those I alluded to above or ignoring specific RADIUS attributes depending on the patch level of the NPS / AD environment.
If you are using a fully patched NPS server, then it is very likely this is failing because of the mitigations deployed as a result of the Blast RADIUS issue: https://support.checkpoint.com/results/sk/sk182516
You need to do one of the following:
- Disable Message Authenticator codes on the RADIUS Server
- Upgrade to a firmware version that has RADIUS Message Authenticator support (as @Chris_Atkinson noted, this needs to be procured from TAC for Quantum Spark appliances)
- Configure the gateway to ignore RADIUS attribute 80: https://support.checkpoint.com/results/sk/sk42184
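
As an added example (not part of the replies in this thread, and not Check Point or Microsoft code): one way to see which case applies is to check a captured Access-Accept for attribute 80 and validate it against the shared secret, using the HMAC-MD5 computation from RFC 2869 / RFC 3579. The function names and the sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14

def parse_attributes(packet):
    """Return (type, value_offset, value) for each attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        alen = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def check_message_authenticator(response, request_authenticator, secret):
    """Classify attribute 80 in a response as 'absent', 'valid' or 'invalid'."""
    for atype, offset, value in parse_attributes(response):
        if atype != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return "invalid"
        # HMAC-MD5 is taken over the packet with the Request Authenticator in
        # bytes 4..19 and the attribute 80 value replaced by 16 zero bytes.
        buf = bytearray(response[:struct.unpack("!H", response[2:4])[0]])
        buf[4:20] = request_authenticator
        buf[offset:offset + 16] = bytes(16)
        expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
        return "valid" if hmac.compare_digest(expected, value) else "invalid"
    return "absent"

def build_sample_accept(request_authenticator, secret, with_attr80):
    """Constructed Access-Accept (code 2) for the demo, not a captured packet."""
    attrs = bytes([6, 6]) + struct.pack("!I", 2)  # Service-Type = Framed
    if with_attr80:
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    pkt = bytearray(struct.pack("!BBH", 2, 1, 20 + len(attrs)) + request_authenticator + attrs)
    if with_attr80:
        pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    # Response Authenticator = MD5(code + id + length + RequestAuth + attrs + secret)
    pkt[4:20] = hashlib.md5(bytes(pkt) + secret).digest()
    return bytes(pkt)
```

The `request_authenticator` argument is the 16-byte Authenticator field of the matching Access-Request, so both directions of the exchange need to be in the capture.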
Hi,
Both are not working. I can't find under advanced settings "VPN Remote Access - RADIUS attribute to be ignored." (sk42184 - RADIUS authentication fails in Remote Access VPN, Identity Awareness, Mobile Access or Sma...) and this is also not working: sk182516 - Check Point response to CVE-2024-3596 - Blast-RADIUS attack.
I have contacted TAC and now I am waiting for a response.
I have no idea what I can do to solve this problem.
Thanks
Rafael
The RADIUS Server can require the Message Authenticator codes and fail also, I believe.
