Authenticating a Remote Access connection fails when using RADIUS authentication.

SmartView Tracker log shows "reason: Client Encryption: RADIUS servers not responding".

When capturing the RADIUS traffic (tcpdump and fw monitor), the RADIUS request is sent out by the firewall, and the response from the RADIUS server is sent back to the firewall. In the log file from the RADIUS server and in the packet captures, the response of the RADIUS server is positive, i.e., "accept".

Debug of the VPND and CVPND daemons shows:
"act_on_response(rp=xxxxx): packet integrity failed"
"request_handle_tick(rp=xxxxx): transmit timeout reached"
"request_handle_tick(rp=xxxxx): server is down. Try another if available."

RADIUS is configured via clish/WebUI for SSH/WebUI access. Users are able to log in to the CLI/WebUI using a user defined on the RADIUS server without issue.

In addition, from 6-0001730821: vpnd debugs collected as per sk89940 show a wrong MD5 hash calculation when a shared secret is configured for a RADIUS object. When the Security Gateway authenticates the user with a RADIUS server, the reply hash appears different from the stored hash:

[vpnd 31418 [12 Aug 9:19:49][AU] request_send(rp=e2886b0): auth packet sent to ip=
[vpnd 31418 [12 Aug 9:19:49][AU] check_respond_auth: Calculated md5:
000: d5 c6 4c e2 03 66 de ca 2b af 7c 21 6f 71 2d 2c ..L..f..+..!oq-,
[vpnd 31418 [12 Aug 9:19:49][AU] check_respond_auth: Received md5:
000: 7b bc a1 7f 8f b2 c6 67 81 77 01 aa 39 f8 0c cf .......g.w..9...
[vpnd 31418 [12 Aug 9:19:49][AU] check_respond_auth: Comparison result: -1
[vpnd 31418 [12 Aug 9:19:49][AU] act_on_response(rp=e2886b0): packet integrity failed
The firewall stores a special hash created when it sends the RADIUS request, and it authenticates the RADIUS reply against the stored hash. If they do not match, the debug print should show:

act_on_response(rp=xxxxxxxx): packet integrity failed

If you have RADIUS configured for SSH/WebUI logins, then the password configured in clish should match the Shared Secret defined for the RADIUS server object in SmartDashboard/SmartConsole.

The pre-shared secret the Security Gateway will send to the RADIUS server for authentication in conjunction with software blades (Identity Awareness / Remote Access / Mobile Access) will be the one configured in the RADIUS Server Object in SmartConsole. For this scenario, the Security Gateway will send the shared secret defined in clish/WebUI only for logons to SSH/WebUI.

Using a complicated shared key with special characters in the shared secret (*, (, ), #, $, % ...) will break the connection with the RADIUS server even when request-Accept is seen.
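The following is an added example, not Check Point code. It reproduces the reply check described above, assuming it is the standard RFC 2865 Response Authenticator, MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), so a captured reply can be tested offline against a candidate shared secret. The packet, the authenticator and both secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Build a reply the way a RADIUS server holding `secret` would."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(packet, request_auth, secret):
    """Return (ok, calculated, received) for a captured reply packet."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    received = packet[4:20]
    attrs = packet[20:length]
    calculated = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(calculated, received), calculated, received

# Constructed sample data (not taken from the capture quoted on this page).
REQUEST_AUTH = bytes(range(16))        # authenticator sent in the Access-Request
ATTRS = bytes([18, 10]) + b"Welcome!"  # Reply-Message attribute (type 18, length 10)
SERVER_SECRET = b"S3cret#$%"           # hypothetical secret held by the RADIUS server
GATEWAY_SECRET = b"S3cret"             # hypothetical, different secret used by the client

REPLY = build_reply(ACCESS_ACCEPT, 7, ATTRS, REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    for label, secret in (("server secret", SERVER_SECRET),
                          ("gateway secret", GATEWAY_SECRET)):
        ok, calc, recv = check_reply(REPLY, REQUEST_AUTH, secret)
        print(label, "-> match" if ok else "-> packet integrity failed")
        print("  Calculated md5:", calc.hex(" "))
        print("  Received md5:  ", recv.hex(" "))
```

When the secret used for the check differs from the one the server used, the reply is still an Access-Accept on the wire but the calculated and received MD5 values differ, which matches the symptom in the vpnd debug.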