
RADIUS with multiple "clients"

albinon1nja
Level 1

We currently have a RADIUS setup for our SonicWall SSL VPN as well as our Amazon Workspaces environments. Right now, they are pointing to a single RADIUS client, which is our main domain controller. For redundancy, I would like to add in a second RADIUS client for our backup domain controller and hopefully have it round robin between the two for failover purposes. Before I test this out, is it possible? If I just label both with the same [radius_client] name, will it just choose one or the other?

Thanks in advance!

Accepted Solutions

DuoKristina
Cisco Employee

You cannot configure round-robin within the authproxy.cfg file.

You can add additional primary authentication hosts in radius_client by specifying them as host_2, etc. If the Duo proxy can’t contact the first host, it will try the next one.

This is documented here.

Note that all hosts specified in radius_client must use the same secret.

You mention that your primary auth server is your domain controller. Are you actually using ad_client? Just like radius_client, you can add additional host_2, host_3, etc. entries for failover hosts. Unlike radius_client, the ad_client hosts don’t use a shared secret, but do need to accept the same service account username and password.

If you really want round-robin, you can create a DNS entry or virtual IP that points to multiple primary authentication servers, and then use that hostname or VIP in your authproxy.cfg ad_client or radius_client section as the host.

Thanks for trying Duo!

Duo, not DUO.
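
The failover layout described in the accepted answer, as an added example that is not part of the original post or of Duo's documentation. The addresses, hostname, secret and account values are constructed placeholders, and `search_dn` is included on the assumption of a typical ad_client section.

```ini
; Use the section that matches your primary authenticator.

; Option A: primary authentication against RADIUS servers.
; The proxy tries host first and moves on to host_2 only when host
; cannot be contacted. This is failover, not round-robin.
[radius_client]
host=192.0.2.10
host_2=192.0.2.11
; One secret covers every host in this section, so both RADIUS servers
; must be configured with this same shared secret for the proxy.
secret=REPLACE_WITH_SHARED_SECRET

; Option B: primary authentication directly against domain controllers.
[ad_client]
host=192.0.2.10
host_2=192.0.2.11
; No shared secret here. Both domain controllers must accept this same
; service account username and password.
service_account_username=REPLACE_WITH_SERVICE_ACCOUNT
service_account_password=REPLACE_WITH_PASSWORD
search_dn=DC=example,DC=com

; Round-robin alternative: replace the numbered hosts in either section
; with a single DNS name or virtual IP that fronts several servers.
; host=auth.example.com
```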
