Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2770
Views
0
Helpful
1
Replies

RADIUS with multiple "clients"

Go to solution
albinon1nja
Level 1
Level 1

‎12-18-2017 12:07 PM

We currently have a RADIUS setup for our SonicWall SSL VPN as well as our Amazon Workspaces environments. Right now, they are pointing to a single RADIUS client, which is our main domain controller. For redundancy, I would like to add in a second RADIUS client for our backup domain controller and hopefully have it round robin between the two for failover purposes. Before I test this out, is it possible? If I just label both with the same [radius_client] name, will it just choose one or the other?

Thanks in advance!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎12-19-2017 06:37 AM

You cannot configure round-robin within the authproxy.cfg file.

You can add additional primary authentication hosts in radius_client by specifying them as host_2, etc. If the Duo proxy can’t contact the firt host, it will try the next one.

This is documented here.

Note that all hosts specified in radius_client must use the same secret.

You mention that your primary auth server is your domain controller. Are you actually using ad_client? Just like radius_client, you can add additional host_2, host_3, etc. entries for failover hosts. Unlike radius_client, the ad_client hosts don’t use a shared secret, but do need to accept the same service account username and password.

If you really want round-robin, you can create a DNS entry or virtual IP that points to multiple primary authentication servers, and then use that hostname or VIP in your authproxy.cfg ad_client or radius_client section as the host.

Thanks for trying Duo!

Duo, not DUO.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
DuoKristina
Cisco Employee
Cisco Employee

‎12-19-2017 06:37 AM

You cannot configure round-robin within the authproxy.cfg file.

You can add additional primary authentication hosts in radius_client by specifying them as host_2, etc. If the Duo proxy can’t contact the firt host, it will try the next one.

This is documented here.

Note that all hosts specified in radius_client must use the same secret.

You mention that your primary auth server is your domain controller. Are you actually using ad_client? Just like radius_client, you can add additional host_2, host_3, etc. entries for failover hosts. Unlike radius_client, the ad_client hosts don’t use a shared secret, but do need to accept the same service account username and password.

If you really want round-robin, you can create a DNS entry or virtual IP that points to multiple primary authentication servers, and then use that hostname or VIP in your authproxy.cfg ad_client or radius_client section as the host.

Thanks for trying Duo!

Duo, not DUO.
0 Helpful
Quick Links
     
                  Duo Release Notes   Duo Discussion Forums      
 
 
Customers Also Viewed These Support Documents