Check Point Blast-RADIUS Compatibility
Check Point VPN LoginTC integration stops working after upgrading LoginTC RADIUS Connector to 4.0.11 with Blast-RADIUS mitigations
Technical Support
Last Update há 10 meses
Symptoms
Users are unable to log in and Check Point shows "RADIUS servers not responding"
Further inspection of the following log files:
- $FWDIR/log/vpnd.elg
- $MDS_FWDIR/log/mds.elg
- fwm.elg
Shows error messages related to the RADIUS Message-Authenticator attribute:
- RADIUS attribute 80 not recognized, response dropped
- attr_get_from_buf: unexpected attr len. probably an unknown RADIUS attr (type=80).: Cannot allocate memory
Cause
The LoginTC RADIUS Connector version 4.0.11 (and newer) contains mitigations against the Blast-RADIUS vulnerability. As of this version, the LoginTC RADIUS Connector returns the Message-Authenticator attribute. Check Point does not recognize the RADIUS attribute and fails to process the RADIUS responses from the LoginTC RADIUS Connector.
Solution
- https://community.checkpoint.com/t5/General-Topics/Blast-RADIUS-CVE-2024-3596/td-p/220148/highlight/true
- https://support.checkpoint.com/results/sk/sk182516
Until this package is made available and applied to your Check Point, you can temporarily configure Check Point to ignore the Message-Authenticator attribute: