Failover using two authproxies

lkeyes1 · ‎12-09-2020

Looking to configure a simple failover ability for two authentication proxies such that if the first one fails the second one will service an authentication request. We don’t need load balancing, we’re just looking for redundancy. We have authproxies on two separate VMs. If both are running will the second one simply take the request if the first one fails? Thanks.

jamieis · ‎12-10-2020

Hi @lkeyes,

Please see our KB article Best practices for setting up the Duo Authentication Proxy for high availability and disaster recovery for our guidance on setting up multiple authentication proxies for the same services.

lkeyes1 · ‎12-10-2020

HI, Jamie…thanks for your note. My question actually grew out of reading that document, as it wasn’t clear to me what the scenario would be without a load balancer.

My example is the authproxy that we’re currently using for VPN logins using the Sophos-SSL client. Currently we have a authproxy.cfg set so the proxy can access either of our domain controllers host or host_2 to authenticate, and that failover works fine (if host isn’t available…authentication happens on host_2).

We actually have a chain with ldap/DC1/DC2 for authentication… (i.e. if the DUO fails for some reason…it can fallback to not using DUO if necessary. Typically we remove the DC1/DC2 in the chain, thus forcing people to use DUO, and not having access if their DUO authentication fails. It is this piece that we want to make more robust, and I’m assuming that if we put our 2nd proxy in the chain it will authenticate if the 1st proxy fails.

I wanted to hear if someone else had done this, and any experience that they had. Maybe this is patently obvious… sorry for the newbie questions! — L