Check Point Blast-RADIUS Compatibility

Check Point VPN LoginTC integration stops working after upgrading LoginTC RADIUS Connector to 4.0.11 with Blast-RADIUS mitigations

Technical Support

Last Update 4 months ago

Symptoms

Users are unable to log in and Check Point shows "RADIUS servers not responding"


Further inspection shows error messages related to the RADIUS Message-Authenticator attribute in the following log files:

  • $FWDIR/log/vpnd.elg
  • $MDS_FWDIR/log/mds.elg
  • fwm.elg

The error messages are:

  • RADIUS attribute 80 not recognized, response dropped
  • attr_get_from_buf: unexpected attr len. probably an unknown RADIUS attr (type=80).: Cannot allocate memory

Cause

The LoginTC RADIUS Connector version 4.0.11 (and newer) contains mitigations against the Blast-RADIUS vulnerability. As of this version, the LoginTC RADIUS Connector returns the Message-Authenticator attribute. Check Point does not recognize the RADIUS attribute and fails to process the RADIUS responses from the LoginTC RADIUS Connector.
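
What a RADIUS client has to do with attribute 80, as an added example (not LoginTC or Check Point code): it walks the response attributes without failing on types it has no handler for, and verifies the Message-Authenticator HMAC-MD5 as defined in RFC 2869. The shared secret, Request Authenticator and sample Access-Accept are constructed values, and rejecting a response that lacks the attribute is an assumed strict client policy.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type named in the Check Point log lines
SECRET = b"constructed-secret"   # constructed sample value
REQUEST_AUTH = bytes(range(16))  # constructed Request Authenticator

def parse_attributes(packet: bytes):
    """Return [(type, value_offset, value)] for the TLVs after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length for attribute type {a_type}")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Validate Response Authenticator, then Message-Authenticator (HMAC-MD5)."""
    attrs = parse_attributes(packet)  # unknown types are carried along, never fatal
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False
    for a_type, off, value in attrs:
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            # HMAC input: header with the Request Authenticator, attribute 80 zeroed
            zeroed = packet[:4] + request_auth + packet[20:off] + bytes(16) + packet[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # assumed strict policy: a response without a valid attribute 80 is rejected

def build_accept(identifier: int, attrs: bytes, with_ma: bool = True) -> bytes:
    """Constructed Access-Accept (code 2), Message-Authenticator placed first."""
    body = (bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) if with_ma else b"") + attrs
    header = struct.pack("!BBH", 2, identifier, 20 + len(body))
    if with_ma:
        mac = hmac.new(SECRET, header + REQUEST_AUTH + body, hashlib.md5).digest()
        body = body[:2] + mac + body[18:]
    return header + hashlib.md5(header + REQUEST_AUTH + body + SECRET).digest() + body

SAMPLE = build_accept(7, bytes([18, 4]) + b"ok")  # Reply-Message "ok"
```
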

Solution

Check Point has indicated that they will be releasing a Jumbo Hotfix Accumulator package to address Blast-RADIUS:


Until this package is made available and applied to your Check Point, you can temporarily configure Check Point to ignore the Message-Authenticator attribute:


