GaryJ
Participant

Radius Authentication on Check Point 1570 Appliance

Hello,


I have setup Radius authentication on a Check Point 1570 appliance with a backend FreeRadius server using local accounts.

Furthermore, the Radius server is also using Google Authenticator so that VPN users can use MFA when logging into the VPN.


The solution works fine as the user can enter their password + code and login.

A problem occurs when they set a password longer than 12 characters, which would make the password a total of 18 characters with the 6-digit MFA code.

Testing has shown that it's not an issue with the FreeRadius server, as it accepts the 12+6 password, and it's not a problem with the Linux server, as I can log in via SSH with a password of 18 characters or more.

A bit more testing shows that logging into the VPN with a password of 10 characters and a 6-digit MFA code (16 in total) works fine. Anything more than this, and the firewall rejects the login with an authentication failure.

This indicates that the 1570 firewall is running Radius v1 where passwords are limited to 16 characters and not Radius 2 (as expected), which does have this issue. There is nothing in the Check Point documentation that indicates the above. As it is 2021, I cannot imagine why anyone would sell a product with an authentication protocol that was obsolete over 20 years ago.

Can anyone confirm this, as it will cause a big issue: my company has a policy of a 12-character minimum, and the 6-digit MFA code will push this over the 16-character limit for Radius 1.

Thank You,

Gary
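To make concrete what the wire protocol itself does with a password+OTP string of the length discussed in this post, here is an added example that is not from the original thread, from Check Point or from FreeRADIUS: a stand-alone Python implementation of the User-Password hiding defined in RFC 2865 section 5.2. The shared secret, the Request Authenticator and the 12-character password with a 6-digit code appended are constructed values for the example. The attribute carries up to 128 octets of password, padded with NULs to a multiple of 16 and XORed block by block with an MD5 keystream, so an 18-octet password simply becomes a 32-octet hidden value; any shorter cap is a property of the client implementation, not of the attribute encoding.

```python
"""RFC 2865 section 5.2 User-Password hiding, as a stand-alone demonstration.

Constructed example values (not from the thread): a 12-character password with a
6-digit OTP appended, a shared secret, and a fixed Request Authenticator.
"""
import hashlib

USER_PASSWORD_TYPE = 2      # RADIUS attribute type for User-Password
MAX_PASSWORD_OCTETS = 128   # RFC 2865 s5.2: at most 128 octets before hiding


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a cleartext password as the RADIUS User-Password attribute value.

    RFC 2865 s5.2: pad the password with NULs to a multiple of 16 octets, then
    XOR each 16-octet block with MD5(secret + previous block), where the
    "previous block" for the first block is the 16-octet Request Authenticator
    and for later blocks is the previous *ciphertext* block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_OCTETS:
        raise ValueError(f"User-Password must be 1..{MAX_PASSWORD_OCTETS} octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    # Padding is NUL octets; a password containing NUL is not representable anyway.
    return bytes(clear).rstrip(b"\x00")


def user_password_avp(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode the full attribute: Type (1 octet) | Length (1 octet) | hidden value."""
    value = hide_user_password(password, secret, request_authenticator)
    return bytes([USER_PASSWORD_TYPE, 2 + len(value)]) + value


def demo(password: bytes = b"Passw0rd!Abc" + b"123456") -> dict:
    """Round-trip a constructed password+OTP string and report the sizes involved."""
    secret = b"testing123"                    # constructed shared secret
    request_authenticator = bytes(range(16))  # constructed; a real client uses os.urandom(16)
    avp = user_password_avp(password, secret, request_authenticator)
    recovered = reveal_user_password(avp[2:], secret, request_authenticator)
    return {
        "password_octets": len(password),
        "hidden_octets": len(avp) - 2,
        "avp_length_field": avp[1],
        "round_trip_ok": recovered == password,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` with the 18-octet default shows a 32-octet hidden value and an attribute Length field of 34, and the server-side reversal recovers the full password+code. Pointing this at a packet capture from the appliance would show whether the client truncates the string before hiding it (a 16-octet value where 32 is expected) or never sends the request at all; the thread's replies only establish that the limitation is documented for the SMB line.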

4 Replies
PhoneBoy
Admin

Unfortunately, it looks like on the SMB appliances, it's an RFE.
See the bottom of: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solu... 


the_rock
Leader

The SK PhoneBoy provided is actually a limitation. I have never seen this problem on regular CP firewalls (5400, 6200...) for Radius auth, even with passwords of 15-20 characters.

PhoneBoy
Admin

That's what the SK says: regular gateways support it, SMB ones do not.
No, don't know the reason for this. 

the_rock
Leader

That's what I meant, sorry, I worded it wrong :)
