Using a Backup Server¶
The RADIUS Authentication App can be configured to use a backup server in case the primary is unavailable. The app will use the backup server if the primary does not authenticate the user. A backup server can be defined using the setup screen or by adding a backup server in the conf file. Below is an example:
[default] secret=changeme identifier=server1 server=auth.server1.acme.com # Backup settings below backup_server=auth.server2.acme.com backup_server_secret=changeme2
Here are some notes about the way the app behaves:
- The backup RADIUS server will be contacted whenever a user fails to authenticate to the primary RADIUS server even if the user was unable to authenticate due to an incorrect password (as opposed to a RADIUS server failure). This is done to allow authentication to succeed in cases where the primary authentication server is misconfigured and denying users access unnecessarily. Furthermore, it isn't always possible to determine why a RADIUS server denies authentication so it is best just to try the backup RADIUS before disallowing access (it is safer).
- Users may notice a slight delay when attempting to authenticate when the primary RADIUS server is unavailable since the app has to try the first RADIUS server first and it may take up to 5 seconds for the request to timeout before the secondary server is used.
- If the secret for the backup server is not defined, then the secret from the primary server will be used for the backup too.
You can determine if the backup server is being used by examining the logs with the sourcetype "radius_auth". The following log message will return logs indicating that the backup server is being used:
index=_internal "Authentication to secondary RADIUS server" sourcetype="radius_auth"