marcyn
Collaborator

Spark R81.10 and support for Radius 2.0 .... well not entirely true

Hi CheckMates,

There are a couple of topics on this community regarding 2FA via RADIUS on Sparks.
A few of you noticed an issue with Spark and RADIUS with fw older than R81.10.
It was because Spark below R81.10 supports only RADIUS 1.0.
From R81.10 it supports RADIUS 2.0, and issues with passwords longer than 16 characters should be gone.

Well ... as far as I see not entirely 🙂

Last Saturday I was configuring my new Spark 1570.
Because I'm a huge fan of 2FA, it was pretty certain that I would configure RADIUS.
So I did it ... and faced an issue.

I have R81.10.05 (996001002) and it's locally managed.
On the RADIUS server I have a user with a password longer than 10 characters (+6 OTP = 16) ...
I had no issues logging in to the mgmt portal, but I was not able to log in using the same user to VPN (wrong credentials).
After some digging I noticed in the RADIUS logs something like this as the password: "1234567890abcdef\12\34\56\23" - so right after exactly 16 characters there is "a mess" - which is exactly how it looks with RADIUS 1.0.

It looks like Spark supports RADIUS 2.0 but not for VPN (here it is still the RADIUS 1.0 constraint) 🙂

Folks from R&D, maybe you can take a look at this?

--
Best
m.
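As an added illustration that is not part of this thread: the 16-character boundary described above is exactly the block size of the RFC 2865 User-Password hiding scheme, in which each 16-byte chunk of the password is XORed with an MD5 keystream block chained from the previous ciphertext block. The Python below (my own code, not Check Point's or FreeRADIUS's) implements the standard encoder and decoder and, purely as a hypothetical model of the symptom, a decoder that wrongly reuses the first keystream block for every chunk: the first 16 characters come out right and everything after them turns to garbage, much like the quoted log line. The shared secret, Request Authenticator and passwords are constructed sample values, the log rendering is an approximation of FreeRADIUS's octal escapes, and whether this is the real mechanism behind the "version 1" behaviour is an assumption, not something the thread establishes.

```python
import hashlib

BLOCK = 16  # RFC 2865 section 5.2 hides User-Password in 16-byte chunks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes, as the RFC requires."""
    return data + b"\x00" * ((-len(data)) % BLOCK)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = pad16(password)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), BLOCK):
        chunk = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk  # the keystream for the next block depends on this ciphertext block
    return bytes(out)


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of encode_user_password, chaining on the received ciphertext blocks."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(cipher), BLOCK):
        chunk = cipher[i:i + BLOCK]
        out += _xor(chunk, hashlib.md5(secret + prev).digest())
        prev = chunk
    return bytes(out).rstrip(b"\x00")  # strip the RFC padding (assumes no NULs in the password)


def decode_first_block_only(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hypothetical broken decoder (a model of the symptom, not Check Point's code):
    reuses the first keystream block for every chunk, so bytes 0-15 decode correctly
    and every later chunk is XORed with the wrong key and becomes garbage."""
    key1 = hashlib.md5(secret + authenticator).digest()
    out = bytearray()
    for i in range(0, len(cipher), BLOCK):
        out += _xor(cipher[i:i + BLOCK], key1)
    return bytes(out).rstrip(b"\x00")


def render_like_freeradius(data: bytes) -> str:
    """Approximate FreeRADIUS's log rendering: printable ASCII as-is, other bytes as \\ooo octal."""
    return "".join(chr(b) if 32 <= b < 127 else "\\%03o" % b for b in data)


def demo():
    """Round-trip a 16-char password + 6-digit OTP through both decoders."""
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    password = b"1234567890abcdef" + b"123456"  # 22 bytes -> two hidden blocks
    cipher = encode_user_password(password, secret, authenticator)
    good = decode_user_password(cipher, secret, authenticator)
    bad = decode_first_block_only(cipher, secret, authenticator)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("correct decoder :", render_like_freeradius(good))
    print("first-block only:", render_like_freeradius(bad))
```

Run stand-alone, the second line prints the first 16 characters intact followed by escaped garbage bytes; a password of 16 characters or fewer decodes identically with both decoders, which is why such a bug only shows up once the password plus OTP crosses the 16-byte boundary.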

11 Replies
Chris_Atkinson
Employee

Did you report this via TAC and have an SR number that can be shared for follow-up?

CCSM R77/R80/ELITE
marcyn
Collaborator

Hi Chris,

Not yet. First I wanted to know if anyone else from the community has faced this issue as well.

If not, I will direct this to TAC.

--

Best

m.

Eduardo_Eiros
Contributor

Hi

Have you configured the RADIUS server with version 2.0?

It must be done in the CLI with "set radius-server" -- set radius-server (checkpoint.com)

Hope it helps. 

marcyn
Collaborator

Hi Eduardo,

Jackpot! This fixed the issue.

It's very, very interesting that despite having version 1 (taken from the show radius-server command), it worked fine with web access to the mgmt portal with a password longer than 16 characters 🙂

Because of that I didn't even consider that there could be a need to change any RADIUS setting from the CLI. If it worked with longer passwords for web, it was clear to me that it was version 2 🙂

To be honest, I completely don't get why it worked for web login ... but that is not as important as the fact that it now works for VPN as well, after manually changing the version from the CLI.

Thank you, case closed.

--

Best

m.

Chris_Atkinson
Employee

Further to this, I've asked internally that we consider the following related enhancements for future versions.

- RADIUS 2.0 as default

- Version selection via the Web UI.

If this is important for you, please follow up with your local SE accordingly as an RFE - thanks.

CCSM R77/R80/ELITE
skandshus
Advisor

Would you by any chance be using Duo MFA for the Spark? I'm seeing the same issues with RADIUS authentication.
I can do AD authentication without a problem, but not RADIUS @ Duo.

marcyn
Collaborator

Hi skandshus,

No, this was FreeRADIUS.

Now I don't even use it anymore, as 2FA is inside the Gaia Embedded fw.

If you see the same issue that I had ... it should be because of RADIUS version 1. If you've already changed this version to 2 on the Spark side, then it's probably something else on the Duo side.

m.

skandshus
Advisor

How so, 2FA inside embedded? Are you talking about the SMS feature they got?
marcyn
Collaborator

2FA via e-mail and SMS has been around for several years, but in fw R81.10.07 Check Point added another 2FA based on OTP, like Google Authenticator, Microsoft Authenticator, etc.

Before R81.10.07 we had to use some external mechanisms like Linux with FreeRADIUS and Google Authenticator to have OTP ... but since R81.10.07 a Google Authenticator "server" is included in Spark's fw.

Take a look at this: https://support.checkpoint.com/results/sk/sk179615

Of course, now there is no sense in using R81.10.07 ... R81.10.08 is better ... and best of all, in my opinion, R81.10.10, where we also have 2FA for the web GUI and a "nicer" GUI 😀

m.

skandshus
Advisor

LOL, I haven't ever gotten back to that. I remember when it was only SMS, and after that I've never visited it again.

Now I see we can do e-mail too & Google Authenticator.

Are you sure Microsoft Authenticator is working too? I guess it's not Microsoft 365 integration but a regular OTP if you use Microsoft? Right?

Just to be clear: is this ONLY for administration login? The MFA can't be used for remote access?
marcyn
Collaborator

Regarding Microsoft Authenticator, I'm not 100% sure because I didn't use it, but I believe that it can be used as a regular OTP like Google Authenticator.

From Check Point's documentation:

"You can use either the Microsoft Authenticator or the Google Authenticator"

So... it should work 🙂

I use neither ... because I like FreeOTP 🙂

This 2FA provided in R81.10.07 was only for ... Remote Access. 2FA for mgmt access was introduced in R81.10.10.

So in case you want it for RA, which I believe is the case, you can use it since R81.10.07.

m.
