tiagobigode
Explorer

Radius - load balance


We set up VPN in our environment. And we are using Radius authentication. We will activate MFA, we use Idaptive.
We have four Radius servers. Is it possible to balance Radius connections? Round-robin?
R:

Is it possible to check if the server is available before sending the connection?
R:

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Yes, you can create a RADIUS Server Group--a specific type of object that contains all your RADIUS Server objects.
However, it's more of an "HA" setup where it tries the most high-priority one first, then if no response, it tries the next one, etc.


tiagobigode
Explorer

I understand, there is no balancing using Round-robin. In our scenario we have 7k users and we are having a crash problem because one server is not able to handle all connections.
We need a load balancer.

0 Kudos
rlamerico
Contributor

Hello PhoneBoy,

I have made this configuration in my environment: I created a RADIUS group and added both RADIUS servers to it, with priority 1 for the first and priority 2 for the second. But when the first server is down, the firewall doesn't recognize that this server is down and doesn't forward the connection to the second server. Is there any specific configuration to do in this case?

PS. If I configure my authentication to use the RADIUS servers directly, it works.

0 Kudos
PhoneBoy
Admin

You might need a TAC case to understand why this isn’t working.

Timothy_Hall
Champion

You probably need to adjust the values of radius_retrant_timeout and radius_retrant_num to shorten up how long the firewall waits before going on to the next server, see sk42449: How to change a failover timeout of RADIUS Server

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
rlamerico
Contributor

Hi Timothy_Hall,

This information is not clear to me (screenshot of my configuration below). Today I have MFA configured on these RADIUS servers and my users have up to 60 seconds to respond to the RADIUS challenge. As far as I could understand, the field "radius_user_timeout" is responsible for it, but I have 750 seconds configured in this field.

Do you know which values I need to configure on the properties below to have a failover in 60 seconds, for example?

radius_retrant_num


radius_retrant_timeout

Screenshot_225.png

 

0 Kudos
the_rock
Authority

You want the RADIUS auth request to fail over to your other server in 60 seconds if the first one times out or does not respond, correct? That's the setting you are looking for?

the_rock
Authority

I'm pretty sure it's the retrant timeout setting, but you may wish to confirm 100% with TAC.

0 Kudos
rlamerico
Contributor

Hi the_rock,

Exactly, if one server stays down, the firewall sends the authentication to another server inside the RADIUS group.

0 Kudos
the_rock
Authority

So PhoneBoy mentioned last year to create a RADIUS group for this, which works 100%, as I have seen it with customers before. But again, for the timeout setting, I'm 95% sure it's what I advised, but to be 100% positive, maybe better to get confirmation from TAC.

rlamerico
Contributor

Thanks everyone,

I will raise a case with TAC to check this issue.

0 Kudos
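
An external availability check of the kind asked about at the top of this thread, as an added example that is not part of any post and is not Check Point functionality: it sends a RADIUS Status-Server request (RFC 5997) to each server in priority order and returns the first one that answers with a valid Response Authenticator. It assumes the RADIUS servers have Status-Server support enabled; the host names and shared secret passed in are hypothetical.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER, ACCESS_ACCEPT = 12, 2   # RADIUS codes (RFC 5997, RFC 2865)
MSG_AUTH = 80                          # Message-Authenticator attribute type

def build_status_server(secret: bytes, ident: int, req_auth: bytes) -> bytes:
    """Status-Server request carrying the mandatory Message-Authenticator."""
    length = 20 + 18                   # 20-byte header + one 18-byte attribute
    header = struct.pack("!BBH", STATUS_SERVER, ident, length) + req_auth
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    zeroed = header + bytes([MSG_AUTH, 18]) + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + bytes([MSG_AUTH, 18]) + mac

def response_is_valid(resp: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Check code, identifier, length and Response Authenticator of a reply."""
    if len(resp) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if code != ACCESS_ACCEPT or rid != ident or not 20 <= length <= len(resp):
        return False
    resp = resp[:length]               # bytes past Length are padding
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """True if the server answers one Status-Server with a valid reply."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_status_server(secret, ident, req_auth), (host, port))
            resp, _ = s.recvfrom(4096)
        except OSError:                # timeout, ICMP unreachable, DNS failure
            return False
    return response_is_valid(resp, ident, req_auth, secret)

def first_available(servers, secret: bytes):
    """servers: list of (priority, host); the lowest priority number is tried first."""
    for _, host in sorted(servers):
        if probe(host, secret):
            return host
    return None
```

A reply that fails the authenticator check is treated the same as no reply, so a host answering with the wrong shared secret is not reported as available.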