How long of a delay before moving to next radius_client?

Hi,

We use DUO as our MFA for Cisco Anyconnect and it’s been working without issue. I am using RADIUS authentication for this. In the documentation and knowledge base I saw that you can list multiple radius_client sections and matching radius_server_auto sections. I am wanting to add a second and third radius_client. My question is, if the first [radius_client] goes down and someone tries to log in then how long does the auth proxy wait before moving on to the second [radius_client2] ? I saw an optional timeout command for [ad_client] but nothing like that for [radius_client]. Any help would be appreciated!

It will never move on. You can only specify one radius_client or ad_client section in a server section. The *_client sections are independent; there is no failover between them.

What you actually want is to add backup hosts to your single radius_client section, like…

[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=bothhostsmustusethesamesecret

With that config, if host_1 doesn’t respond then it will move on to host_2.

This configuration is described in the Authentication Proxy reference section for radius_client.
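
An added example, not part of the original thread and not Duo's own code: a small Python check that reads an Authentication Proxy style config, follows each radius_server_* section to the client section it names, and reports whether that client section lists a backup host. The sample config, the radius_client9 name and the second secret are constructed; the client= key in the server sections and the host / host_N key pattern are assumptions about the config format.

```python
import configparser
import re

# Matches host, host_1, host_2, ... (key pattern is an assumption, see lead-in).
HOST_KEY = re.compile(r"^host(_\d+)?$")

# Constructed sample config; only the first section comes from the thread.
SAMPLE_CFG = """
[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=bothhostsmustusethesamesecret

[radius_client2]
host=1.2.3.6
secret=constructed-placeholder

[radius_server_auto]
client=radius_client

[radius_server_auto2]
client=radius_client2

[radius_server_auto3]
client=radius_client9
"""

def audit_failover(cfg_text):
    """Map each radius_server_* section to its client section's hosts and a finding."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(cfg_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("radius_server_"):
            continue
        client = parser.get(section, "client", fallback=None)
        if client is None or not parser.has_section(client):
            report[section] = {"client": client, "hosts": [], "finding": "client section missing"}
            continue
        hosts = [v for k, v in parser.items(client) if HOST_KEY.match(k)]
        # A single host means nothing to fail over to for this server section.
        finding = "ok" if len(hosts) > 1 else "no backup host"
        report[section] = {"client": client, "hosts": hosts, "finding": finding}
    return report

if __name__ == "__main__":
    for name, entry in audit_failover(SAMPLE_CFG).items():
        print(name, "->", entry["client"], entry["hosts"], entry["finding"])
```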