Hi Chris,

Not yet. First I wanted to know if anyone else from community faced this issue as well.

If not I will direct this to TAC.

--

Best

m.

Hi Eduardo,

Jackpot ! This fixed the issue.

It's very very interesting that regarding having version 1 (taken from show radius-server command) it worked fine with web access to mgmt portal with password longer then 16 characters 🙂

Because of that I didn't even consider that there could be need to change any setting regarding to radiu from cli. If it worked with longer passwords for web it was clear to me that it us version 2 🙂

To be honest I completely don't get it why it worked for web login ... but it is not as important, as that it now works for vpn as well, after manual change of version from cli.

Thank you, case closed.

--

Best

m.

Further to this I've asked internally that we consider the following related enhancements for future versions.

- Radius 2.0 as default

- Version selection via the Web UI.

If this is important for you please follow-up with your local SE accordingly as an RFE - thanks.

Would you by any chance be using DUO mfa for the spark? im seeing same issues with Radius authentication
I can do ad authentication without aproblem but not radius @ Duo

Hi skandshus,

No, this was FreeRadius.

Now I even don't use it anymore as 2FA is inside Gaia Embedded fw.

If you see the same issue that I had ... it should be because of Radius version 1. If you've already changed this version to 2 on Spark side then probably it's something else on Duo side.

m.

How so i 2FA inside embedded? are you talking about the sms feature they got?

2FA via e-mail and sms has been around for several years, but in fw R81.10.07 Check Point added another 2FA based on OTP like GoogleAuthenticator, Microsoft Authenticator, etc.

Before R81.10.07 we had to use some external mechanisms like linux with freeradius and google authenticator to have OTP ... but since R81.10.07 google authenticator "server" is included in Spark's fw.

Take a look at this: https://support.checkpoint.com/results/sk/sk179615

Of course now there is no sense to use R81.10.07 ... R81.10.08 is better ... and even best in my opinion R81.10.10 where we also have 2FA for web gui and "nicer" gui 😀

m.

LOL i havent ever gotten back to that. i remeber when it was only sms, and then after that, ive never visited that again

now i see we can do Email too & google authenticator.

Are you sure Microsoft Authenticator is working too? i guess its not microsoft-365 integration but a regular OTP if you use Microsoft? right?

Just to be clear. is this ONLY for administration login? the MFA cant be used for remote access?

Regarding Microsoft Authenticator I'm not 100% sure because I didn't use it but I believe that it can be used as regular OTP like Google Authenticator.

From Check Point's documentation:

"You can use either the Microsoft Authenticator or the Google Authenticator"

So... it should work 🙂

I use neither ... because I like FreeOTP 🙂

This 2FA provided in R81.10.07 was only for ... Remote Access. 2FA for mgmt access was introduced in R81.10.10.

So in case you want it for RA, which I believe is the case, you can use it since R81.10.07.

m.