Multiple radius_server_auto same radius_ip

I’m trying to protect 2 different applications with RADIUS authentication from the same host. Is this possible?

(DUO APP 1 allows all users)
;User access to application
[radius_server_auto]
ikey = aaabbb
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18120
skey_protected = blah blah blah
radius_secret_protected_1 = blah blah blah

(DUO APP 2 only allows members of certain AD group)
;admin access to console UI
[radius_server_auto2]
ikey = xxxyyy
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18121
skey_protected = blah blah blah
radius_secret_protected_1 = blah blah blah

The reason I want to differentiate the applications is for logging within DUO.
Based off of the AUTH PROXY reference, I’m concerned about this quote:

If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

When I log in to the admin GUI, will it fail because it will try to connect on port 18120?

Pretty sure you should be fine, as long as the two applications on your host can differentiate between which port to use when. The “overlapping” IP ranges quote - assuming here, but with a high confidence-factor - is if you are using the same port. You aren’t.


leftHanded,

While it is possible for two [radius_server_xxx] sections to listen on the same port, we don’t recommend or officially support this configuration for a couple of reasons. One of them you already pointed out: creating a unique server section for each application AND configuring it to listen on a unique port will give you application-specific logging in the Duo authentication logs.

The second reason has to do with overlapping radius_ips that may exist in other [radius_server_xxx] sections listening on the same port. Many customers place multiple auth proxies behind a load balancer where typically the load balancer VIP becomes the source IP for all requests. As gnyce pointed out from our documentation: If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

Bottom line, we always recommend configuring each [radius_server_xxx] to listen on a unique port. As long as the application is configured to send the radius request to the specified port to match the auth proxy config, this will give you the desired behavior.

More details in this KB: https://help.duo.com/s/article/1124

Hope this helps answer your question!

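A way to check an authproxy.cfg for the case both replies describe, where sections share a port and have overlapping client IPs so the earlier section in the file receives the request. This is an added example, not code from the thread or from Duo; the function names and the third sample section are hypothetical, and it assumes a default port of 1812 when `port` is omitted and that `radius_ip_N` values are a single address, a dash-separated range, or a CIDR block.

```python
import configparser
import ipaddress
from collections import defaultdict

# Constructed sample: the two sections from the question plus a hypothetical
# third section that reuses port 18120 with an overlapping client range.
SAMPLE_CFG = """
[radius_server_auto]
radius_ip_1 = 1.2.3.4
port = 18120

[radius_server_auto2]
radius_ip_1 = 1.2.3.4
port = 18121

[radius_server_auto3]
radius_ip_1 = 1.2.3.0/24
port = 18120
"""

def client_networks(section):
    """Return the networks covered by a section's radius_ip_N keys."""
    nets = []
    for key, value in section.items():
        if not key.startswith("radius_ip_"):
            continue
        if "-" in value:  # assumed range form, e.g. 1.2.3.4-1.2.3.10
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:  # single address or CIDR
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets

def find_shadowed_sections(cfg_text, default_port=1812):
    """List (port, winner, shadowed) for overlapping client ranges on one port."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    by_port = defaultdict(list)  # port -> [(section, networks)] in file order
    for name in parser.sections():
        if name.startswith("radius_server_"):
            port = parser[name].getint("port", fallback=default_port)
            by_port[port].append((name, client_networks(parser[name])))
    findings = []
    for port, sections in by_port.items():
        for i, (first, first_nets) in enumerate(sections):
            for later, later_nets in sections[i + 1:]:
                if any(a.overlaps(b) for a in first_nets for b in later_nets):
                    findings.append((port, first, later))
    return findings
```

An empty result means every section is reachable on its own port or client range, which is the layout recommended in the thread.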