This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bryce_Myers
Collaborator
‎2017-08-14 11:03 AM

Radius on Gaia Embedded

Does anyone here have Radius configured on their Gaia Embedded boxes?

I have it working fine from the CLI, but when someone tries to login to the WebUI it instantly returns "invalid username or password".  I am currently running R77.20.51 on these boxes.  I did a tcpdump and I see the radius traffic when a CLI attempt is made, but no radius traffic when an attempt is made from the WebUI.

I went through the Gaia Embedded documentation related to radius and I didn't see anything about this being a known limitation.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2017-08-14 11:51 AM

It appears that certain characters in the RADIUS shared secret are problematic for logging in via the WebUI.

This was an issue targeted to be resolved in the R77.20.60 release, which can be downloaded here: R77.20.60 for Small and Medium Business Appliances 

If this doesn't resolve the issue, I recommend opening a TAC case.

0 Kudos
Bryce_Myers
Collaborator
‎2017-08-14 12:16 PM
In response to PhoneBoy

Thanks Dameon -- I'm opening up a case with our engineers and I'll see if they have the same "fix".

0 Kudos
Bryce_Myers
Collaborator
‎2017-11-30 11:10 AM
In response to PhoneBoy

R77.20.60 fixed our Radius issues.

The issue wasn't with the shared secret, rather which characters the WebUI will accept vs the CLI.

Prior to R77.20.60 if you used certain special characters in the WebUI - it would instantly tell you bad username/password.

0 Kudos
Pedro_Espindola
Advisor
‎2017-08-14 12:59 PM

I have no problem with it. All I did was run this commands in clish:

set radius-server priority 1 ipv4-address X.X.X.X udp-port 1812 shared-secret <shared-secret> timeout 5
set administrators radius-auth enable use-radius-groups false permission read-write

Try to use a shared-secret with only letters and numbers for testing as Dameon suggested.

0 Kudos
Kurtis_Johnson
Employee
Employee
‎2017-09-11 10:05 AM

Also note, there are advanced settings for modifying the RADIUS timeouts.  When using 2FA, you would be best to allow users more time to answer phone call/text or enter a TOTP code.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top