OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: sfty1 on June 04, 2019, 04:57:53 pm

Title: Multiple Radius Server for OpenVPN
Post by: sfty1 on June 04, 2019, 04:57:53 pm
Hi,

Authentication through radius server is working fine. I have two Microsoft NPS attached, for the case when one goes down.

Now I tested to deactivate the first Radius server. The problem is that OpenVPN is still waiting for the first Radius Server, forever. It's not asking the second one. Only when the first Radius Server is rejecting the access, the second one will be asked. But I would like to use this in an HA scenario.

Any clue?

config:
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Active Directory RADIUS DC1,Active Directory Radius DC2,Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'my+company+OpenVPN+Server' 1"

thanks
Title: Re: Multiple Radius Server for OpenVPN
Post by: mimugmail on June 05, 2019, 07:02:03 am
You could try UDP loadbalancing via nginx plugin:
https://wiki.opnsense.org/manual/how-tos/nginx_streams.html
Title: Re: Multiple Radius Server for OpenVPN
Post by: sfty1 on June 11, 2019, 09:58:45 am
Thank you for the idea. But UDP via nginx is failing. Any access is denied. I don't know why. Maybe nginx is not the right tool to balance the radius protocol.

Backend NPS:
Only difference in the error log is:
Security ID:         NULL SID
Title: Re: Multiple Radius Server for OpenVPN
Post by: mimugmail on June 11, 2019, 10:24:28 am
And did you also try relayd? Should also be capable of using UDP.
FreeRadius also has a proxy function, but no idea if it's intended to do loadbalancing/failover/HA.