toha
Explorer

Radius authentication broken

Users are unable to log in to VPN with Radius with Azure MFA extension installed. Users receive 3 text messages but are not able to type in the numbers. Users are prompted with "Access denied - wrong username and password"

We use Quantum Spark 1570 Appliance and Check Point VPN client.

If I disable the MFA extension, users are also prompted with "Access denied - wrong username and password"

0 Kudos
10 Replies
AkosBakos
Advisor

Hi @toha 

Has this auth method ever worked before?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Chris_Atkinson
Employee

Is the appliance locally or centrally managed and which firmware version/build is used?

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend

Agree with the questions the guys asked, we need a bit more detail.

Andy

0 Kudos
PhoneBoy
Admin

Most likely it is because of the mitigations related to BLAST RADIUS: https://support.checkpoint.com/results/sk/sk182516 
To the best of my knowledge, we have not implemented RADIUS Message-Authentication on the Check Point side, at least outside of the context of a specific fix from TAC.
Please open a TAC case: https://help.checkpoint.com 

0 Kudos
toha
Explorer

Hi guys

Sorry for the lack of details in my question, I was pushed from all directions to get this issue resolved.
I have found a Check Point SK that describes the issue and provides a fix.

RADIUS authentication fails (checkpoint.com)

but the solution is not available in R81.10: 'VPN Remote Access - RADIUS attribute to be ignored' is not visible.

0 Kudos
G_W_Albrecht
Legend

As @PhoneBoy  wrote: Open a TAC case !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
toha
Explorer

When support has expired it is not an option.
Currently getting prices to get support again.

0 Kudos
G_W_Albrecht
Legend

Usually, the 30 days grace period is enough time to renew it.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
toha
Explorer

I know but we are talking years here 😄

0 Kudos
G_W_Albrecht
Legend

This will cost a lot as you have to pay for the time without support. Also, without services the SMB is pretty useless from a security standpoint - VPN can be created with software, too, and you are not allowed to upgrade to a new firmware version.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
