This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Daniel_Collins
Contributor
‎2018-10-03 06:39 AM

Multiple Login Options - RADIUS

Hello,


Hoping the community can help me with an issue I'm trying to solve. Our customer is trying to migrate away from one RADIUS based solution to another RADIUS based solution, doing so incrementally. They mentioned "Multiple Login Options" which seems to do what we want to do.

I setup Multiple Login Options as per the guide (this is for R80.10 with a client supported for the multiple login options) with two profiles, both RADIUS but pointing towards different RADIUS servers. This all looks correct, but it does not work - when using the MLO settings the authentication fails with "Failed to generate RADIUS auth request" but works fine when we use the legacy authentication settings. When attempting to use the MLO options the RADIUS server is not contacted at all.

My question here is thus:

1. Can anyone else think of a way to migrate away (in a staged manner) from one RADIUS based authentication solution to another other than what's suggested above?

2. I believe my configuration may not be setup correctly, but it is as far as I can tell as per the documentation. How does the firewall handle authentciation when using third party auth? (I was of the understanding both user and password were sent to the RADIUS server, but I don't think this is happening) I understand the old fashioned way of doings but this appears to be different.

3. Is MLO designed to work with profiles where each one points to different authentication servers using the same protocol? (I can see it being aimed more towards customers that use a mix of AD and say RSA SecurID tokens)

Any help appreciated.

Thanks

Daniel

Reply
4 Replies
PhoneBoy
Admin
Admin
‎2018-10-04 03:53 PM

I think Multiple Login Options is meant to support two different types of authentication, not two types of the same authentication.

But just in case, does this older SK apply? FireWall-1 drops FTP Server usernames with @ symbol 

0 Kudos
Reply
Daniel_Collins
Contributor
‎2018-10-05 01:00 AM
In response to PhoneBoy

I had thought as much, but couldn't find much out about "proper" deployment.

Yeah, support had mentioned that to me - but there's no @ in the username, plus with the age of the article I thought it might not be relevant.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2018-10-05 07:59 AM
In response to Daniel_Collins

It refers to the FTP Security Server, which no one should be using at this point Smiley Happy

0 Kudos
Reply
npulido
Explorer
‎2020-11-12 08:41 AM

Hi Daniel,

I have the same customer scenario than yours. Someone in support suggested to use an intermediate or proxy Radius that would redirect towards original or new Radius servers, based upon some user attribute (ideally user group). But it seems too complicated to me. Did you find any other smater solution for your migration?

Many thanks in advance.

0 Kudos
Reply