Check Point Blast-RADIUS Compatibility
Check Point VPN LoginTC integration stops working after upgrading LoginTC RADIUS Connector to 4.0.11 with Blast-RADIUS mitigations
Technical Support
Last Update 4 months ago
Symptoms
Users are unable to log in, and Check Point shows "RADIUS servers not responding".
Inspecting the following log files shows error messages related to the RADIUS Message-Authenticator attribute:
- $FWDIR/log/vpnd.elg
- $MDS_FWDIR/log/mds.elg
- fwm.elg
The error messages are:
- RADIUS attribute 80 not recognized, response dropped
- attr_get_from_buf: unexpected attr len. probably an unknown RADIUS attr (type=80).: Cannot allocate memory
Cause
The LoginTC RADIUS Connector version 4.0.11 (and newer) contains mitigations against the Blast-RADIUS vulnerability. As of this version, the LoginTC RADIUS Connector returns the Message-Authenticator attribute. Check Point does not recognize the RADIUS attribute and fails to process the RADIUS responses from the LoginTC RADIUS Connector.
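To confirm from a packet capture that a RADIUS response really carries the attribute described above, the following added example (not LoginTC or Check Point code) parses a response, reports whether Message-Authenticator (type 80) is present and first in the attribute list, which is where Blast-RADIUS guidance asks servers to place it, and verifies its HMAC-MD5 as defined in RFC 3579. The shared secret, Request Authenticator and sample Access-Accept are constructed values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # RADIUS attribute type (RFC 2869 / RFC 3579)

def parse_attributes(packet):
    """Return [(type, value_offset, value)] for the attributes after the 20-byte header."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def check_response(packet, request_authenticator, secret):
    """Report whether attribute 80 is present, first, and carries a valid HMAC-MD5."""
    attrs = parse_attributes(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    found = [(i, off, val) for i, (t, off, val) in enumerate(attrs)
             if t == MESSAGE_AUTHENTICATOR]
    if not found:
        return {"present": False, "first": False, "valid": False}
    index, offset, value = found[0]
    if len(value) != 16:
        return {"present": True, "first": index == 0, "valid": False}
    # HMAC input: Code, ID, Length, Request Authenticator, attributes with type 80 zeroed.
    data = bytearray(packet[:4] + request_authenticator + packet[20:length])
    data[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(data), hashlib.md5).digest()
    return {"present": True, "first": index == 0,
            "valid": hmac.compare_digest(expected, value)}

def build_sample_accept(request_authenticator, secret, with_ma=True):
    """Constructed Access-Accept (code 2, id 1) carrying a Reply-Message attribute."""
    attrs = bytes([18, 4]) + b"ok"  # Reply-Message = "ok"
    if with_ma:
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", 2, 1, 20 + len(attrs))
    if with_ma:
        mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
        attrs = attrs[:2] + mac + attrs[18:]
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs
```

A response for which `present` is true is the kind the log messages above show Check Point dropping.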
Solution
- https://community.checkpoint.com/t5/General-Topics/Blast-RADIUS-CVE-2024-3596/td-p/220148/highlight/true
- https://support.checkpoint.com/results/sk/sk182516
Until this package is made available and applied to your Check Point, you can temporarily configure Check Point to ignore the Message-Authenticator attribute: