
How long of a delay before moving to next radius_client?

kmanning1
Level 1

Hi,

We use DUO as our MFA for Cisco Anyconnect and it’s been working without issue. I am using RADIUS authentication for this. In the documentation and knowledge base I saw that you can list multiple radius_client sections and matching radius_server_auto sections. I am wanting to add a second and third radius_client. My question is, if the first [radius_client] goes down and someone tries to log in then how long does the auth proxy wait before moving on to the second [radius_client2] ? I saw an optional timeout command for [ad_client] but nothing like that for [radius_client]. Any help would be appreciated!

Accepted Solutions

DuoKristina
Cisco Employee

It will never move on. You can only specify one radius_client or ad_client section in a server section. The *_client sections are independent; there is no failover between.

What you actually want is to add backup hosts to your single radius_client section, like…

[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=bothhostsmustusethesamesecret

With that config, if host_1 doesn’t respond then it will move on to host_2.

This configuration is described in the Authentication Proxy reference section for radius_client.

Duo, not DUO.

Hi Kristina,

I would like to know how the Authentication Proxy behaves regarding backup servers. Are the hosts declared dead for a period of time, and how long are they declared dead? Will connections be attempted every time?

Thanks for your comments.
Regards,

What kind of backup servers?

If you mean a list of RADIUS or AD hosts in the radius_client or ad_client config sections, the proxy will try the hosts in the order listed at every auth. It does not mark a host as failed and then not use it anymore.

Duo, not DUO.
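
A config check for the point made in the answers above, as an added example that is not part of the thread or Duo's own tooling: for each client section that a server section references it lists the hosts in the order they would be tried, and it flags client sections that nothing references and so can never act as a fallback. It assumes the proxy's config file parses as INI and that server sections name their client section with a `client` key; the sample config and the `audit` function are constructed for illustration.

```python
import configparser
import re

# Constructed sample (not from the thread): a second client section was added
# in the hope of failover, but the server section references only the first.
SAMPLE_CFG = """
[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=placeholder-secret

[radius_client2]
host_1=1.2.3.6
secret=placeholder-secret

[radius_server_auto]
client=radius_client
"""

HOST_KEY = re.compile(r"^host(?:_(\d+))?$")          # host, host_1, host_2, ...
CLIENT_SECTION = re.compile(r"^(radius|ad)_client\d*$")


def audit(cfg_text):
    """Return (try_order, unused): hosts per referenced client section in the
    order listed by their numeric suffix, and client sections no server uses."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    clients = [s for s in cfg.sections() if CLIENT_SECTION.match(s)]
    # Assumption: a server section selects its upstream with the "client" key.
    referenced = {cfg[s]["client"] for s in cfg.sections()
                  if s not in clients and "client" in cfg[s]}
    try_order = {}
    for name in clients:
        if name not in referenced:
            continue
        hosts = []
        for key, value in cfg[name].items():
            m = HOST_KEY.match(key)
            if m:  # a bare "host" key sorts first
                hosts.append((int(m.group(1) or 1), value))
        try_order[name] = [h for _, h in sorted(hosts)]
    unused = [c for c in clients if c not in referenced]
    return try_order, unused


if __name__ == "__main__":
    order, unused = audit(SAMPLE_CFG)
    for section, hosts in order.items():
        print(f"[{section}] tried in order at every auth: {', '.join(hosts)}")
    for section in unused:
        print(f"[{section}] is not referenced by any server section")
```
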