Using a Backup Server » History » Version 3
Luke Murphey, 10/11/2012 05:22 AM
h1. Using a Backup Server

The RADIUS Authentication App can be configured to use a backup server in case the primary is unavailable. The app will use the backup server if the primary does not authenticate the user. A backup server can be defined using the setup screen or by adding a backup server in the conf file. Below is an example:

<pre>
<code class="python">
[default]
secret=changeme
identifier=server1
server=auth.server1.acme.com

# Backup settings below
backup_server=auth.server2.acme.com
backup_server_secret=changeme2
</code>
</pre>

Here are some notes about the way the app behaves:

* The backup RADIUS server will be contacted whenever a user fails to authenticate to the primary RADIUS server, even if the user was unable to authenticate due to an incorrect password (as opposed to a RADIUS server failure). This is done to allow authentication to succeed in cases where the primary authentication server is misconfigured and is denying users access unnecessarily. Furthermore, it isn't always possible to determine why a RADIUS server denies authentication, so it is best just to try the backup RADIUS server before disallowing access (it is safer).
* Users may notice a slight delay when attempting to authenticate while the primary RADIUS server is unavailable, since the app has to try the primary RADIUS server first and it may take up to 5 seconds for the request to time out before the secondary server is used.
* If the secret for the backup server is not defined, then the secret from the primary server will be used for the backup too.

You can determine if the backup server is being used by examining the logs with the sourcetype "radius_auth". The following search will return log entries indicating that the backup server is being used:

<pre>
index=_internal "Authentication to secondary RADIUS server" sourcetype="radius_auth"
</pre>
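
The fallback order and secret defaulting described in the notes above, as an added example that is not the app's own code. @load_servers@, @authenticate@, @send@ and @fake_send@ are hypothetical names, and the transport is a constructed stand-in rather than a RADIUS client:

```python
import configparser

# Constructed conf using the keys from this page; backup_server_secret is omitted on purpose.
SAMPLE_CONF = """
[default]
secret=changeme
identifier=server1
server=auth.server1.acme.com
backup_server=auth.server2.acme.com
"""

def load_servers(conf_text):
    """Return [(role, host, secret)] in the order the servers are tried."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    conf = parser["default"]
    servers = [("primary", conf["server"], conf["secret"])]
    backup = conf.get("backup_server", "").strip()
    if backup:
        # No backup_server_secret defined: the primary secret is reused.
        secret = conf.get("backup_server_secret", "").strip() or conf["secret"]
        servers.append(("secondary", backup, secret))
    return servers

def authenticate(servers, send, username, password):
    """Try each server in order; a reject or a timeout both fall through.
    send(host, secret, username, password) is a hypothetical transport: True for
    Access-Accept, False for Access-Reject, TimeoutError if there is no answer.
    Returns (accepted, role_that_accepted, attempts).
    """
    attempts = []
    for role, host, secret in servers:
        try:
            outcome = "accept" if send(host, secret, username, password) else "reject"
        except TimeoutError:
            outcome = "timeout"
        attempts.append((role, outcome))
        if outcome == "accept":
            return True, role, attempts
    return False, None, attempts

def fake_send(host, secret, username, password):
    """Constructed stand-in for two servers whose user stores have drifted apart."""
    users = {"auth.server1.acme.com": {"alice": "pw1"},
             "auth.server2.acme.com": {"alice": "pw1", "bob": "old-pw"}}
    return (username, password) in users[host].items()

if __name__ == "__main__":
    print(authenticate(load_servers(SAMPLE_CONF), fake_send, "bob", "old-pw"))
```

The @bob@ case is rejected by the primary and accepted by the secondary: because a reject on the primary still reaches the backup, an account is only disabled once it is disabled on both servers, so the two user stores need to be kept in sync.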