AuthPoint IKEv2 redundant Radius Server

Hi,

Is it possible to have a backup RADIUS server when using AuthPoint for IKEv2 VPN? For instance, if one RADIUS server happens to go down, will authentication for the Firebox resource use the secondary RADIUS server?

I see you can only have one NPS server for MS-CHAPv2 for the Firebox resource, so I'm not sure this is possible.

Current setup is AuthPoint MFA of IKEv2 VPN with local AD users.

Thanks.

Comments

  • james.carson (Moderator, WatchGuard Representative)

    Hi JSAV

    You can define Primary and Secondary gateways in AuthPoint.
    See:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/gateways.html

    You can also set up Primary and Backup RADIUS servers on the Firebox.
    See:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/WG-Cloud/Devices/managed/auth_fb_radius.html

    At this point in time, if you're using AuthPoint to connect to NPS you can only specify one IP, but you can specify an FQDN in that place, and then use round robin or any other method to utilize multiple NPS servers.

    -James Carson
    WatchGuard Customer Support

  •

    We are currently using AuthPoint to connect to our NPS server, using the Firebox as our resource with MSCHAPv2. So in theory, I would create 2 DNS A records, one for each RADIUS server IP, using the same FQDN, and then use that FQDN in the Firebox resource MSCHAPv2 spot. Then create a SNAT Load-Balancer from Any-External and assign it to a policy for incoming traffic on port 1812?

    Thanks for your input; I've been trying to wrap my head around the best way to utilize one RADIUS server locally and one that is in Azure.

  • james.carson (Moderator, WatchGuard Representative)

    Hi @JSAV
    You'd create one DNS record, as there's only a place to enter one in AuthPoint -- you'd need to round robin or otherwise load balance that however you wish.

    -James Carson
    WatchGuard Customer Support

  •

    One way to also do this is to enable the Loopback interface on the Firebox, then do SNAT with server load balancing from the Loopback IP to the two NPS servers, and configure AuthPoint to connect to the Loopback IP.

  •

    I tried using the loopback interface with a SNAT to load balance from the loopback interface, but it seems that when the RADIUS authentication comes in, it doesn't use my policy to load balance from loopback on port 1812.

    I get the other DNS-record way, which is doable, and just won't utilize the Firebox's load-balance feature to route between multiple NPS servers.

    Thanks for the information.
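The DNS round-robin approach discussed in this thread puts several NPS hosts behind one FQDN with no health check, so a defender would want to confirm each host separately. The script below is an added example, not code from this thread or from WatchGuard: it resolves every A record behind the FQDN, sends a PAP Access-Request (RFC 2865) to each address on UDP 1812 and counts a host as alive only if the reply's Response Authenticator validates under the shared secret; the FQDN, secret, monitoring user and NAS IP are assumed placeholders. An NPS policy that only allows MS-CHAPv2 will answer Access-Reject, which is still a signed reply and therefore proves the host is up, so a dedicated monitoring account keeps those rejections easy to filter in the NPS log.

```python
import hashlib, os, socket, struct

RADIUS_PORT, ACCESS_REQUEST = 1812, 1  # UDP port the NPS policy in the thread listens on
def _attr(attr_type, value):
    # One RADIUS attribute: Type, Length (incl. the 2 header bytes), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value
def encrypt_pap_password(secret, authenticator, password):
    # RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR with a chained MD5 stream
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out
def build_access_request(secret, username, password, nas_ip, ident=1):
    # Returns (packet, request_authenticator); the authenticator is needed later to verify the reply
    authenticator = os.urandom(16)
    attrs = (_attr(1, username.encode())                                        # User-Name
             + _attr(2, encrypt_pap_password(secret, authenticator, password))  # User-Password
             + _attr(4, socket.inet_aton(nas_ip)))                              # NAS-IP-Address
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator
def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # Signs a reply the way the server does; lets verify_response be exercised offline
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs
def verify_response(packet, secret, request_authenticator):
    # Only a reply with a valid Response Authenticator counts; a forged or mis-keyed one does not
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[4:20] == expected
def probe_all(fqdn, secret, username, password, nas_ip, timeout=3.0):
    # Resolve every A record behind the FQDN (e.g. "nps.example.local", a placeholder) and probe each host
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, RADIUS_PORT, socket.AF_INET, socket.SOCK_DGRAM)})
    results = {}
    for ip in ips:
        packet, req_auth = build_access_request(secret, username, password, nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(packet, (ip, RADIUS_PORT))
                reply, _ = sock.recvfrom(4096)
                results[ip] = "alive" if verify_response(reply, secret, req_auth) else "bad-authenticator"
            except socket.timeout:
                results[ip] = "no-answer"  # host is down, yet round robin would still hand clients this IP
    return results
```

Run `probe_all("nps.example.local", b"<shared secret>", "monitor-svc", "<password>", "<firebox ip>")` from a host the NPS servers list as a RADIUS client; a `no-answer` entry is the failure the thread is worried about.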
