Hello,
I have set up Radius authentication on a Check Point 1570 appliance with a backend FreeRadius server using local accounts.
Furthermore, the Radius server is also using Google Authenticator so that VPN users can use MFA when logging into the VPN.
The solution works fine, as the user can enter their password + code and log in.
A problem occurs when they set a password longer than 12 characters, which would make the password a total of 18 characters with the 6-digit MFA code.
Testing has shown that it's not an issue with the FreeRadius server, as it accepts the 12+6 password, and it's not a problem with the Linux server, as I can log in via SSH with a password of 18 characters or more.
A bit more testing shows that logging into the VPN with a password of 10 characters and a 6-digit MFA code (16 in total) works fine. Anything more than this, and the firewall rejects the login with an authentication failure.
This indicates that the 1570 firewall is running Radius v1, where passwords are limited to 16 characters, and not Radius 2 (as expected), which does have this issue. There is nothing in the Check Point documentation that indicates the above. As it is 2021, I cannot imagine why anyone would sell a product with an authentication protocol that was obsolete over 20 years ago.
Can anyone confirm this? It will cause a big issue, as my company has a policy of a 12-character minimum and the 6-digit MFA code will push this over the 16-character limit for Radius 1.
Thank You,
Gary
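As an added illustration of the 16-character boundary described in the post (this is example code written for this page, not from the poster, FreeRADIUS or Check Point), the following Python implements the RFC 2865 section 5.2 User-Password hiding scheme. The password is padded to a multiple of 16 octets and each 16-octet block is XORed with MD5(secret + previous block), the first block using the Request Authenticator; a password+OTP of 10+6 characters fits in one block, while 12+6 needs two. The shared secret, authenticator and credential values below are constructed for the demonstration.

```python
import hashlib
import os

BLOCK = 16               # RFC 2865 hides the password in 16-octet blocks
MAX_PASSWORD_OCTETS = 128  # RFC 2865 upper bound on the User-Password attribute


def password_blocks(password_plus_otp: str) -> int:
    """Number of 16-octet blocks a combined password+OTP occupies on the wire."""
    n = len(password_plus_otp.encode("utf-8"))
    return (n + BLOCK - 1) // BLOCK


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Encode a cleartext password as the RFC 2865 User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= MAX_PASSWORD_OCTETS:
        raise ValueError("password must be 1..128 octets")
    # Pad with NULs up to the next multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out = bytearray()
    prev = authenticator  # b1 = MD5(S + RA); b_i = MD5(S + c_(i-1)) afterwards
    for i in range(0, len(padded), BLOCK):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + BLOCK], b))
        out += c
        prev = c
    return bytes(out)


def reveal_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        c = hidden[i:i + BLOCK]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    # Trailing NUL padding is stripped (a real password is assumed not to end in NUL).
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real secret
    authenticator = os.urandom(16)          # Request Authenticator, random per request
    for pw in ("Abcdefghij", "Abcdefghijkl"):  # 10- and 12-character constructed passwords
        cred = pw + "123456"                 # constructed 6-digit OTP appended
        hidden = hide_user_password(secret, authenticator, cred.encode())
        print(f"{len(cred):2d} chars -> {password_blocks(cred)} block(s), "
              f"{len(hidden)} octets on the wire; round trip ok: "
              f"{reveal_user_password(secret, authenticator, hidden) == cred.encode()}")
```

Note that the first block is decoded independently of the rest, so a client or appliance that only ever processes one block would silently behave as if the credential were truncated to 16 octets; comparing the block count against the observed failure point is a quick way to check whether the rejection lines up with that boundary.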