Hi CheckMates,
There are a couple of topics on this community regarding 2FA via radius on Sparks.
A few of you noticed an issue with Spark and radius with fw older than R81.10.
It was because Spark below R81.10 supports only radius 1.0.
From R81.10 it supports radius 2.0 and issues with passwords longer than 16 characters should be gone.
Well ... as far as I see not entirely 🙂
Last Saturday I was configuring my new Spark 1570.
Because I'm a huge fan of 2FA it was pretty certain that I would configure radius.
So I did it ... and faced an issue.
I have R81.10.05 (996001002) and it's locally managed.
On the radius server I have a user with a password longer than 10 characters (+6 OTP = 16) ...
I had no issues with logging in to mgmt portal, but I was not able to log in using the same user to VPN (wrong credentials).
After some digging I noticed in the radius logs something like this as the password: "1234567890abcdef\12\34\56\23" - so right after exactly 16 characters there is "a mess" - which is exactly the same as it looks with radius 1.0.
It looks like Spark supports radius 2.0 but not for VPN (here it is still radius 1.0 constraint) 🙂
Folks from R&D, maybe you can take a look at this?
--
Best
m.
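Added example, not part of the original posts and not Check Point or FreeRADIUS code: RFC 2865 (section 5.2) hides the User-Password attribute in 16-byte blocks, each keyed by the previous ciphertext block, so a client and server that disagree on that chaining yield 16 correct characters followed by garbage, the pattern described in the post above. The `chain=False` client is a hypothetical stand-in for such a mismatch, and the secret, authenticator and password are constructed values.

```python
import hashlib

BLOCK = 16  # User-Password is hidden in 16-byte blocks (RFC 2865, section 5.2)

# Constructed sample values, not taken from the thread or from any real device.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))            # Request Authenticator of the Access-Request
PASSWORD = b"1234567890abcdef654321"   # 16-char static part + 6-digit OTP

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, req_auth: bytes, chain: bool = True) -> bytes:
    """Client side. chain=True follows RFC 2865; chain=False is a hypothetical
    client that keys every block with the Request Authenticator only."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", req_auth
    for i in range(0, len(padded), BLOCK):
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        hidden += block
        if chain:
            prev = block               # next block is keyed by this ciphertext block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side, always chaining as RFC 2865 specifies."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", req_auth
    for i in range(0, len(hidden), BLOCK):
        clear += _xor(hidden[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + BLOCK]
    return clear.rstrip(b"\x00")

def first_bad_block(expected: bytes, decoded: bytes):
    """Index of the first 16-byte block that differs, or None if identical."""
    for i in range(0, max(len(expected), len(decoded)), BLOCK):
        if expected[i:i + BLOCK] != decoded[i:i + BLOCK]:
            return i // BLOCK
    return None

if __name__ == "__main__":
    for chain in (True, False):
        seen = reveal_password(hide_password(PASSWORD, SECRET, REQ_AUTH, chain), SECRET, REQ_AUTH)
        print(f"chain={chain}: server sees {seen!r}, first bad block: {first_bad_block(PASSWORD, seen)}")
```

A first bad block of 1 means the first 16 bytes decoded cleanly and the mismatch starts at the block boundary, which points at how the attribute was encoded rather than at a wrong password or OTP.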
Hi
Have you configured the Radius Server with version 2.0?
It must be done in cli "set radius server" -- set radius-server (checkpoint.com)
Hope it helps.
Did you report this via TAC and have an SR number that can be shared for follow-up?
Hi Chris,
Not yet. First I wanted to know if anyone else from the community faced this issue as well.
If not I will direct this to TAC.
--
Best
m.
Hi Eduardo,
Jackpot ! This fixed the issue.
It's very very interesting that regarding having version 1 (taken from show radius-server command) it worked fine with web access to mgmt portal with password longer than 16 characters 🙂
Because of that I didn't even consider that there could be a need to change any setting regarding radius from cli. If it worked with longer passwords for web it was clear to me that it is version 2 🙂
To be honest I completely don't get why it worked for web login ... but that is not as important as the fact that it now works for vpn as well, after manual change of version from cli.
Thank you, case closed.
--
Best
m.
Further to this I've asked internally that we consider the following related enhancements for future versions.
- Radius 2.0 as default
- Version selection via the Web UI.
If this is important for you please follow-up with your local SE accordingly as an RFE - thanks.
Would you by any chance be using DUO MFA for the Spark? I'm seeing the same issues with Radius authentication.
I can do AD authentication without a problem but not radius @ Duo.
Hi skandshus,
No, this was FreeRadius.
Now I don't even use it anymore as 2FA is inside Gaia Embedded fw.
If you see the same issue that I had ... it should be because of Radius version 1. If you've already changed this version to 2 on Spark side then probably it's something else on Duo side.
m.
How so is 2FA inside embedded? Are you talking about the SMS feature they got?
2FA via e-mail and sms has been around for several years, but in fw R81.10.07 Check Point added another 2FA based on OTP like GoogleAuthenticator, Microsoft Authenticator, etc.
Before R81.10.07 we had to use some external mechanisms like linux with freeradius and google authenticator to have OTP ... but since R81.10.07 google authenticator "server" is included in Spark's fw.
Take a look at this: https://support.checkpoint.com/results/sk/sk179615
Of course now there is no sense to use R81.10.07 ... R81.10.08 is better ... and even best in my opinion R81.10.10 where we also have 2FA for web gui and "nicer" gui 😀
m.
LOL I haven't ever gotten back to that. I remember when it was only SMS, and then after that, I've never visited that again.
Now I see we can do Email too & Google Authenticator.
Are you sure Microsoft Authenticator is working too? I guess it's not Microsoft-365 integration but a regular OTP if you use Microsoft? Right?
Just to be clear: is this ONLY for administration login? The MFA can't be used for remote access?
Regarding Microsoft Authenticator I'm not 100% sure because I didn't use it but I believe that it can be used as regular OTP like Google Authenticator.
From Check Point's documentation:
"You can use either the Microsoft Authenticator or the Google Authenticator"
So... it should work 🙂
I use neither ... because I like FreeOTP 🙂
This 2FA provided in R81.10.07 was only for ... Remote Access. 2FA for mgmt access was introduced in R81.10.10.
So in case you want it for RA, which I believe is the case, you can use it since R81.10.07.
m.