11-13-2019 12:35 PM
Hi,
We use DUO as our MFA for Cisco Anyconnect and it’s been working without issue. I am using RADIUS authentication for this. In the documentation and knowledge base I saw that you can list multiple radius_client sections and matching radius_server_auto sections. I want to add a second and third radius_client. My question is, if the first [radius_client] goes down and someone tries to log in, then how long does the auth proxy wait before moving on to the second [radius_client2]? I saw an optional timeout command for [ad_client] but nothing like that for [radius_client]. Any help would be appreciated!
11-18-2019 12:12 PM
It will never move on. You can only specify one radius_client or ad_client section in a server section. The *_client sections are independent; there is no failover between them.
What you actually want is to add backup hosts to your single radius_client section, like…
[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=bothhostsmustusethesamesecret
With that config, if host_1 doesn’t respond then it will move on to host_2.
This configuration is described in the Authentication Proxy reference section for radius_client.
09-09-2021 12:37 PM
Hi Kristina,
I would like to know how the Authentication Proxy behaves regarding backup servers. Are the hosts declared dead for a period of time, and if so, for how long? Or will connections be attempted every time?
Thanks for your comments.
Regards,
09-09-2021 12:48 PM
What kind of backup servers?
If you mean a list of RADIUS or AD hosts in the radius_client or ad_client config sections, the proxy will try the hosts in the order listed at every auth. It does not mark a host as failed and then not use it anymore.
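The host_1/host_2 failover from the accepted answer and the "tried in order at every auth, never marked dead" behaviour described just above, as an added illustration that is not Duo's code: it reads a constructed [radius_client] section, orders the host_N entries, and walks them per authentication with a hypothetical transport stub (`send`) standing in for the real RADIUS exchange.

```python
import configparser
import socket

# Constructed sample of an authproxy.cfg [radius_client] section with a backup host
# (placeholder values, not a real deployment).
SAMPLE_CFG = """
[radius_client]
host_1=1.2.3.4
host_2=1.2.3.5
secret=bothhostsmustusethesamesecret
"""

def ordered_hosts(cfg_text):
    """Return the host_N values of [radius_client] sorted by N, the order the proxy tries them."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    keyed = [(int(k[5:]), v) for k, v in cp["radius_client"].items()
             if k.startswith("host_") and k[5:].isdigit()]
    return [host for _, host in sorted(keyed)]

def authenticate(hosts, send, attempts_log):
    """One authentication: try hosts in listed order, falling through on timeout.

    `send(host)` is a hypothetical transport stub (returns True on Access-Accept,
    raises socket.timeout when the host is silent). Nothing is marked dead, so the
    next call starts from host_1 again, matching the behaviour described in the thread.
    """
    for host in hosts:
        attempts_log.append(host)
        try:
            return send(host)
        except socket.timeout:
            continue  # move on to the next backup host
    return False  # every host timed out: the auth fails

def make_stub(dead_hosts):
    """Transport stub: hosts in dead_hosts never answer, all others accept."""
    def send(host):
        if host in dead_hosts:
            raise socket.timeout(f"{host} did not respond")
        return True
    return send

def demo():
    """Two consecutive auths with host_1 down: both succeed via host_2, both retry host_1."""
    hosts = ordered_hosts(SAMPLE_CFG)
    log = []
    send = make_stub({"1.2.3.4"})
    return hosts, authenticate(hosts, send, log), authenticate(hosts, send, log), log
```

The attempt log shows why a dead host_1 adds its full timeout to every login until it is fixed or removed from the list.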