This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tiagobigode
Explorer
‎2020-03-13 06:58 AM
Jump to solution

Radius - load balance

We set up VPN in our environment. And we are using Radius authentication. We will activate MFA, we use Idaptive.
We have four Radius servers. Is it possible to balance Radius connections? Round-robin?
R:

Is it possible to check if the server is available before sending the connection?
R:

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-03-15 07:10 PM
Jump to solution

Yes, you can create RADIUS Server Group--a specific type of object that contains all your RADIUS Server objects.
However, it's more of an "HA" setup where it tries the most high-priority one first, then if no response, it tries the next one, etc.

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2020-03-15 07:10 PM
Jump to solution

Yes, you can create RADIUS Server Group--a specific type of object that contains all your RADIUS Server objects.
However, it's more of an "HA" setup where it tries the most high-priority one first, then if no response, it tries the next one, etc.
tiagobigode
Explorer
‎2020-03-16 07:01 AM
In response to PhoneBoy
Jump to solution

I understand, there is no balancing using Round-robin. In our scenario we have 7k users and we are having a crash problem because one server is not able to handle all connections.
We need a load balancer.

0 Kudos
rlamerico
Contributor
‎2021-08-26 08:36 PM
In response to PhoneBoy
Jump to solution

Hello PhoneBoy,

I have made this configuration on my environment, created a RADIUS group, and added both radius servers inside them with priority 1 to first and priority 2 to the second, but when the first server is down firewall doesn´t recognize that this server is down and doesn´t forward the connection to the second server, Does have any specific configuration to do on this case?

PS. If I configure my authentication to use directly the radius servers it works.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-26 08:59 PM
In response to rlamerico
Jump to solution

You might need a TAC case to understand why this isn’t working.

Timothy_Hall
Legend Legend
Legend
‎2021-08-27 05:02 AM
In response to rlamerico
Jump to solution

You probably need to adjust the values of radius_retrant_timeout and radius_retrant_num to shorten up how long the firewall waits before going on to the next server, see sk42449: How to change a failover timeout of RADIUS Server

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
rlamerico
Contributor
‎2021-08-30 07:50 AM
In response to Timothy_Hall
Jump to solution

Hi Timothy_Hall,

This information is not clear to me ( print with my configuration below ), today I have an MFA configured on these RADIUS servers and my user have until 60 seconds to inform the radius challenger and as I could understand field "radius_user_timeout" is responsible by it, but I have 750 seconds configured on this field.

Do you know how values I need to configure on properties below to have a failover in 60 seconds for example?

radius_retrant_num


radius_retrant_timeout

Screenshot_225.png

 

0 Kudos
the_rock
Legend
Legend
‎2021-08-30 08:08 AM
In response to rlamerico
Jump to solution

You want radius auth request to fail over to your other server in 60 seconds if first one time sout or does not respond, correct? Thats the setting you are looking for?

the_rock
Legend
Legend
‎2021-08-30 08:16 AM
In response to the_rock
Jump to solution

Im pretty sure its retrant timeout setting, but you may wish to confirm 100% with TAC.

0 Kudos
rlamerico
Contributor
‎2021-08-30 08:16 AM
In response to the_rock
Jump to solution

Hi the_rock,

Exactly, if one server stay down the firewall send the authentication to another server inside de RADIUS group.

0 Kudos
the_rock
Legend
Legend
‎2021-08-30 08:18 AM
In response to rlamerico
Jump to solution

So phoneboy mentioned last year to create radius group for this, which works 100%, as I seen it with customers before, but again, for timeout setting, Im 95% sure its what I advised, but to be 100% positive, maybe better get confirmation from TAC.

rlamerico
Contributor
‎2021-08-30 07:21 PM
In response to the_rock
Jump to solution

Thanks everyone,

I will raise a case with TAC to check this issue.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events