Multiple radius_server_auto same radius_ip

leftHanded
Level 1

I’m trying to protect 2 different applications with RADIUS authentication from the same host. Is this possible?

(DUO APP 1 allows all users)
;User access to application
[radius_server_auto]
ikey = aaabbb
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18120
skey_protected = blah blah blah
radius_secret_protected_1 = blah blah blah

(DUO APP 2 only allows members of certain AD group)
;admin access to console UI
[radius_server_auto2]
ikey = xxxyyy
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18121
skey_protected = blah blah blah
radius_secret_protected_1 = blah blah blah

The reason I want to differentiate the applications is for logging within DUO.
Based off of the AUTH PROXY reference, I’m concerned about this quote:

If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

When I log in to the admin GUI, will it fail because it will try to connect on port 18120?

3 Replies

gnyce
Level 1

Pretty sure you should be fine, as long as the two applications on your host can differentiate between which port to use when. The “overlapping” IP ranges quote - assuming here, but with a high confidence-factor - is if you are using the same port. You aren’t.

rynothopter
Level 1

leftHanded,

While it is possible for two [radius_server_xxx] sections to listen on the same port, we don’t recommend or officially support this configuration for a couple of reasons. One of them you already pointed out: creating a unique server section for each application AND configuring it to listen on a unique port will give you application-specific logging in the Duo authentication logs.

The second reason has to do with overlapping radius_ips that may exist in other [radius_server_xxx] sections listening on the same port. Many customers place multiple auth proxies behind a load balancer where typically the load balancer VIP becomes the source IP for all requests. As gnyce pointed out from our documentation: If two server configurations have the same or overlapping IP ranges, the request will go to whichever comes first in the file.

Bottom line, we always recommend configuring each [radius_server_xxx] to listen on a unique port. As long as the application is configured to send the radius request to the specified port to match the auth proxy config, this will give you the desired behavior.

More details in this KB: https://help.duo.com/s/article/1124

Hope this helps answer your question!
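The rule above (unique port per [radius_server_xxx] section, and watch for overlapping radius_ip ranges on a shared port) can be checked mechanically before the proxy is restarted. The script below is an added example, not part of this thread or of Duo’s own tooling: it parses an authproxy.cfg-style file with Python’s configparser, maps every radius_server_* section to its listening port and accepted client IP ranges, and reports any two sections that share a port and overlap in radius_ip. The embedded config is constructed to mirror the two sections in the original post, with placeholder keys and secrets; the 1812 default for a missing port, and support for "first-last" ranges alongside single addresses and CIDR, are assumptions about the proxy’s behaviour rather than something this thread states.

```python
import configparser
import ipaddress
from itertools import combinations

# Constructed sample modelled on the two sections in the thread above.
# Keys and secrets are placeholders, not real values.
SAMPLE_CFG = """
[ad_client]
host = dc.example.internal
service_account_username = svc_duo
service_account_password = PLACEHOLDER
search_dn = DC=example,DC=internal

;User access to application
[radius_server_auto]
ikey = aaabbb
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18120
skey_protected = PLACEHOLDER
radius_secret_protected_1 = PLACEHOLDER

;admin access to console UI
[radius_server_auto2]
ikey = xxxyyy
api_host = nunyabiz.duosecurity.com
failmode = safe
client = ad_client
radius_ip_1 = 1.2.3.4
port = 18121
skey_protected = PLACEHOLDER
radius_secret_protected_1 = PLACEHOLDER
"""

# Assumption: the proxy listens on 1812 when a section omits 'port'.
DEFAULT_RADIUS_PORT = 1812


def parse_ip_spec(spec):
    """Turn one radius_ip_N value into a list of ip_network objects.

    Accepts a single address, a CIDR block, or a 'first-last' range
    (range support is an assumption about the proxy's accepted syntax).
    """
    spec = spec.strip()
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]


def listeners(cfg_text):
    """Map each radius_server_* section to (port, [accepted networks])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("radius_server_"):
            continue
        port = cp[section].getint("port", fallback=DEFAULT_RADIUS_PORT)
        nets = []
        for key, value in cp[section].items():
            if key.startswith("radius_ip_"):
                nets.extend(parse_ip_spec(value))
        result[section] = (port, nets)
    return result


def find_port_conflicts(cfg_text):
    """Return (section_a, section_b, port) for every pair of sections that
    listen on the same port AND accept overlapping client IP ranges.

    Such a pair is exactly the case the documentation warns about: requests
    from the overlapping source will always land in whichever section comes
    first in the file.
    """
    conflicts = []
    items = listeners(cfg_text)
    for (a, (port_a, nets_a)), (b, (port_b, nets_b)) in combinations(items.items(), 2):
        if port_a != port_b:
            continue
        if any(x.overlaps(y) for x in nets_a for y in nets_b):
            conflicts.append((a, b, port_a))
    return conflicts


if __name__ == "__main__":
    for section, (port, nets) in listeners(SAMPLE_CFG).items():
        print(f"{section}: udp/{port} accepts {[str(n) for n in nets]}")
    for a, b, port in find_port_conflicts(SAMPLE_CFG):
        print(f"CONFLICT: {a} and {b} share port {port} with overlapping radius_ip ranges")
```

Run as-is, the sample reports no conflicts because the two sections use 18120 and 18121. Change the second section’s port to 18120 and the script names the pair, which is the condition under which the second application’s logins would be handled (and logged) under the first application’s section.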

bobtrapps
Level 1

We are doing the same thing, 2 different applications with 1 .cfg file. If I am adding a second entry for radius_server_challenge, is the syntax radius_server_challenge_1 or radius_server_challenge2, or something completely different?
