marcyn
Collaborator

Spark R81.10 and support for Radius 2.0 .... well not entirely true

Hi CheckMates,

There are a couple of topics in this community regarding 2FA via radius on Sparks.
A few of you noticed an issue with Spark and radius with fw older than R81.10.
It was because Spark below R81.10 supports only radius 1.0.
From R81.10 it supports radius 2.0 and issues with passwords longer than 16 characters should be gone.

Well ... as far as I see not entirely 🙂

Last Saturday I was configuring my new Spark 1570.
Because I'm a huge fan of 2FA it was pretty certain that I would configure radius.
So I did it ... and faced an issue.

I have R81.10.05 (996001002) and it's locally managed.
On the radius server I have a user with a password longer than 10 characters (+6 OTP = 16) ...
I had no issues with logging in to the mgmt portal, but I was not able to log in using the same user to VPN (wrong credentials).
After some digging I noticed in the radius logs something like this as the password: "1234567890abcdef\12\34\56\23" - so right after exactly 16 characters there is "a mess" - which is exactly the same as it looks with radius 1.0.

It looks like Spark supports radius 2.0 but not for VPN (here it is still radius 1.0 constraint) 🙂

 

Folks from R&D, maybe you can take a look at this?

--
Best
m.
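
Why corruption would begin exactly at character 16: RFC 2865 hides the User-Password attribute in 16-octet blocks, and each block after the first is keyed by the previous ciphertext block. The sketch below is an added example, not part of the original post and not Check Point code; the secret, authenticator and password are constructed, and the `chain=False` client is a hypothetical failure mode, since the thread does not say how the appliance encodes the attribute.

```python
import hashlib

BLOCK = 16  # RFC 2865 hides User-Password in 16-octet blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide(password: bytes, secret: bytes, authenticator: bytes, chain: bool = True) -> bytes:
    """Client side of RFC 2865 section 5.2.

    chain=False models a hypothetical client that keys every block with the
    Request Authenticator instead of the previous ciphertext block.
    """
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        if chain:
            prev = block  # b(n) = MD5(secret + c(n-1))
    return out

def reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: a standards-following decoder, always chained."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def first_bad_offset(expected: bytes, seen: bytes):
    """Offset of the first differing byte, or None when both match."""
    for i, (a, b) in enumerate(zip(expected, seen)):
        if a != b:
            return i
    return None if len(expected) == len(seen) else min(len(expected), len(seen))

# Constructed sample values (not taken from the thread's environment).
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"1234567890abcdef" + b"654321"  # 16 static characters + 6-digit OTP

if __name__ == "__main__":
    for chain in (True, False):
        seen = reveal(hide(PASSWORD, SECRET, AUTHENTICATOR, chain), SECRET, AUTHENTICATOR)
        print(f"chain={chain}: server sees {seen!r}, "
              f"first bad offset {first_bad_offset(PASSWORD, seen)}")
```

A password of 16 characters or fewer fits in the first block and decodes correctly either way, which is why only longer password-plus-OTP strings show the problem.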

Chris_Atkinson
Employee

Did you report this via TAC and have an SR number that can be shared for follow-up?

 

CCSM R77/R80/ELITE
marcyn
Collaborator

Hi Chris,

Not yet. First I wanted to know if anyone else from the community faced this issue as well.

If not, I will direct this to TAC.

--

Best

m.

Eduardo_Eiros
Contributor

Hi

Have you configured the Radius Server with version 2.0?

It must be done in cli "set radius server" -- set radius-server (checkpoint.com)

Hope it helps. 

marcyn
Collaborator

Hi Eduardo,

Jackpot! This fixed the issue.

It's very, very interesting that despite having version 1 (taken from the show radius-server command) it worked fine with web access to the mgmt portal with a password longer than 16 characters 🙂

Because of that I didn't even consider that there could be a need to change any setting regarding radius from the cli. If it worked with longer passwords for web, it was clear to me that it is version 2 🙂

To be honest I completely don't get why it worked for web login ... but that is not as important as the fact that it now works for vpn as well, after a manual change of version from the cli.

Thank you, case closed.

--

Best

m.

Chris_Atkinson
Employee

Further to this I've asked internally that we consider the following related enhancements for future versions.

- Radius 2.0 as default

- Version selection via the Web UI.

If this is important for you please follow-up with your local SE accordingly as an RFE - thanks.

CCSM R77/R80/ELITE
