Summary
The Check Point documentation states that passwords of no more than 16 characters can be used when the firewall talks RADIUS version 1.
If a Check Point firewall is configured to use RADIUS version 1 and a password longer than 16 characters is used, authentication against OneSpan Authentication Server fails.
In the audit file you will see the error: "Authentication processing error".
The full trace file contains the error: "Cannot set password field. Possible shared secret mismatch?"
Details
In our example a Check Point firewall is configured to use RADIUS version 1.
When the password is 16 characters or shorter, authentication succeeds.
When the password is longer than 16 characters, authentication fails. In this particular case a DIGIPASS for Mobile with an 8-digit one-time password (OTP) was used. When the 8-digit OTP is combined with a static password of 8 characters or less, the authentication is accepted.
When the static password is longer than 8 characters (so the combined password exceeds 16 characters), the authentication request is rejected.
Below is an excerpt from the trace file for a request in which a 17-character password was used:
[2009/08/26|15:48:00][02376][VINFO][CUDPSocket::recvfrom] > Packet received from <183.220.45.50 : 2601> size<74> bytes.
[2009/08/26|15:48:00][02364][DEBUG][RadiusValidationTask::processRequest] > Performing server license check
[2009/08/26|15:48:00][02364][DEBUG][ComponentStore::fetchElement] > Existing Component record [Authentication Server:183.220.96.144] returned from Component cache
[2009/08/26|15:48:00][02364][DEBUG][RadiusValidationTask::processRequest] > Looking for RADIUS Client with Shared Secret
[2009/08/26|15:48:00][02364][DEBUG][ComponentStore::fetchElement] > Existing Component record [RADIUS Client:183.220.45.50] returned from Component cache
[2009/08/26|15:48:00][02236][DEBUG][DPPIProtocolHandlerFactory::getHandler] > Created PAP handler
[2009/08/26|15:48:00][02236][INFO ][adt_record] > Audit: {Info} {RADIUS} {I-006001} {A RADIUS Access-Request has been received.} {0x9CE2E67EAA7168420872D1B24C8C655A}
[2009/08/26|15:48:00][02236][INFO ][adt_record] > Audit: {Source Location:183.220.96.144, Request ID:200, Client Location:183.220.45.50:2601, Password Protocol:PAP, Action:Process, Input Details:User-Name:n99999, NAS-IPAddress:200.40.112.67, User-Password:******, Authenticator:0x9D3691CB048E010A9F0DFAE46E3F52F1}
[2009/08/26|15:48:00][02236][MAJOR][DPPIPapHandler::authenticate] > Cannot set password field. Possible shared secret mismatch?
[2009/08/26|15:48:00][02236][VINFO][CUDPSocket::sendto] > Packet sent to <183.220.45.50 : 2601> size <20> bytes.
[2009/08/26|15:48:00][02236][INFO ][adt_record] > Audit: {Info} {RADIUS} {I-007003} {A RADIUS Access-Reject has been issued.} {0x9854CEA48A719BBB047CA88C2FBBC1FE}
[2009/08/26|15:48:00][02236][INFO ][adt_record] > Audit: {Source Location:183.220.96.144, Request ID:200, Client Location:183.220.45.50:2601, Password Protocol:PAP, Reason:Authentication processing error, Output Details:}
In the full trace file we see a MAJOR-level error: "Cannot set password field. Possible shared secret mismatch?"
The shared secret has not been changed, however, so we know it is correct. The message is misleading because the server decrypts the User-Password attribute with the shared secret and the Request Authenticator (RFC 2865, section 5.2); when the decrypted result is not a usable password, the server cannot tell a malformed attribute from a wrong shared secret, and it reports the latter.
Solution/explanation
The problem lies in the way the Check Point firewall puts the password into the RADIUS Access-Request packet when the password is longer than 16 characters.
According to the Check Point documentation, the "RADIUS Ver. 1.0 Compatible" (RFC 2138) setting limits the password to 16 characters. Note that this limit is a property of that compatibility mode, not of RFC 2138 itself: both RFC 2138 and RFC 2865 allow User-Password values of up to 128 octets, encrypted as a chain of 16-octet blocks.
Check the RADIUS server object on the Check Point firewall to see which RADIUS version it is using.
In the firewall configuration, set the RADIUS version to "RADIUS Ver. 2.0 Compatible".
The RADIUS server must then be RADIUS version 2.0 (RFC 2865) compatible. OneSpan Authentication Server handles both RADIUS v1 and v2 requests, so no change is needed on the server side.
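The following Python script is an added illustration and is not part of this article or of OneSpan's or Check Point's code. It implements the RFC 2865 User-Password encoding that a RADIUS v2 client and server use, shows that a 17-character password occupies two 16-octet blocks on the wire, and then feeds a PAP handler two constructed failure cases that produce the same "Cannot set password field. Possible shared secret mismatch?" outcome: a field whose length is not a multiple of 16 octets, and a correct field decrypted with the wrong shared secret. The shared secret and passwords are made up; the Request Authenticator is the one printed in the trace excerpt above. The trace does not show the bytes the v1-compatible firewall actually sent, so the malformed field here is an assumption used only to demonstrate why the server's message cannot distinguish the two causes. MD5 appears because that is the construction the RFC prescribes, not as a recommendation.

```python
import hashlib

BLOCK = 16  # RADIUS User-Password is encrypted in 16-octet MD5-masked blocks


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password value as an RFC 2865 (section 5.2) client does.

    The password is NUL-padded to a multiple of 16 octets, then each block is
    XORed with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead.  A 17-character password therefore needs two
    blocks (32 octets), not one.
    """
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % BLOCK) or b"\x00" * BLOCK
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(field: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the encoding above, as a RADIUS server's PAP handler does.

    Raises ValueError for a field the server cannot set because its length is
    not a whole number of 16-octet blocks.
    """
    if not field or len(field) % BLOCK or len(field) > 128:
        raise ValueError("Cannot set password field: %d octets is not a multiple of 16" % len(field))
    out = bytearray()
    prev = authenticator
    for i in range(0, len(field), BLOCK):
        cipher = field[i:i + BLOCK]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher, mask))
        prev = cipher
    return bytes(out).rstrip(b"\x00")


def pap_handler(field: bytes, secret: bytes, authenticator: bytes):
    """Return ('ok', password) or ('reject', reason), mimicking a PAP handler.

    A malformed field and a wrong shared secret both end in the same reject,
    which is why the trace above blames the shared secret although it is right.
    """
    try:
        password = decode_user_password(field, secret, authenticator)
    except ValueError as exc:
        return ("reject", str(exc))
    if not password or any(b < 0x20 or b > 0x7E for b in password):
        return ("reject", "Cannot set password field. Possible shared secret mismatch?")
    return ("ok", password.decode("ascii"))


# Constructed sample values (assumptions): the secret and passwords are made up;
# the authenticator is the Request Authenticator from the trace excerpt.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes.fromhex("9D3691CB048E010A9F0DFAE46E3F52F1")
STATIC_8 = b"Pa55word"      # 8-character static password
STATIC_9 = b"Pa55word!"     # 9-character static password
OTP_8 = b"31415926"         # 8-digit OTP, constructed


def demo():
    """Run the cases discussed in the article; returns {case: (field length, handler result)}."""
    results = {}
    # 16 characters: exactly one block, accepted.
    field16 = encode_user_password(STATIC_8 + OTP_8, SECRET, AUTHENTICATOR)
    results["16 chars"] = (len(field16), pap_handler(field16, SECRET, AUTHENTICATOR))
    # 17 characters encoded per RFC 2865: two chained blocks, accepted.
    field17 = encode_user_password(STATIC_9 + OTP_8, SECRET, AUTHENTICATOR)
    results["17 chars, v2 encoding"] = (len(field17), pap_handler(field17, SECRET, AUTHENTICATOR))
    # Assumed malformation: a client that emits the raw 17-octet length instead of
    # padding to 32 octets.  The server cannot set the password field at all.
    field_bad = field17[:17]
    results["17 chars, unpadded"] = (len(field_bad), pap_handler(field_bad, SECRET, AUTHENTICATOR))
    # Correct field, wrong secret: decrypts to garbage and gets the same reject.
    results["wrong shared secret"] = (len(field17), pap_handler(field17, b"wrong-secret", AUTHENTICATOR))
    return results


if __name__ == "__main__":
    for case, (length, outcome) in demo().items():
        print("%-24s field=%2d octets  %s" % (case, length, outcome))
```

When reading a trace like the one above, the practical check is therefore the length of the User-Password attribute in the Access-Request (it must be 2 + a multiple of 16 octets, and a 17-character password needs 34), before concluding that the shared secret on either side is wrong.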
_________________________________________________________________________________________________________________
Security Status: External
Document type: Known Issue
Applies to: Authentication Server
Old Reference: 140025