
Multiple Radius server for failover

Hello all,

I would like to set up a second Radius server for WPA2 Enterprise authentication under:

Wireless Protection -> Global Settings -> Advanced -> Radius Server

 

This is a single point of failure and I don't know how it is possible to configure a second Radius server.

The possible use of a Radius proxy just moves the possible single point of failure to another system.

Has anybody a solution for that?

 

Thanks in advance for your help



  • When configuring your Radius server in Authentication Services -> Servers, you can specify an "Availability Group" instead of a single hostname or IP address.

    (This is available since 9.404)

  • Thanks reinerh.

     

    Unfortunately, you can't set the group for enterprise authentication.

    It seems that this is either a bug or a feature which needs to be requested.

    Please correct me if I'm wrong.

     

    thanks!

    Rene

  • Hi René,

    You can't use a regular Network Group, but you can use an Availability Group in a RADIUS server definition on the 'Servers' tab of 'Authentication Services'. 

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for your answer. Unfortunately, in advanced enterprise authentication for WLAN I can't choose a different server rather than the host definition I created as a Radius server.

    I'm not sure why it only shows this single host definition when trying to change the server for WLAN.

    The availability group has been created already for normal Radius authentication used by VPN or webadmin/useradmin Portal and works fine.

    Greets

    René

  • René, you're going to do a facepalm when you see that you were stuck in an incorrect thought process.  Change the server definition used for advanced enterprise authentication on the 'Servers' tab of 'Authentication Services' so that it will use an Availability Group instead of a Host.

    Cheers - Bob

     
  • Hey Bob,

     

    thanks - that got me the right picture :)

     

    Greets

  • Be careful with such a configuration and test it yourself completely.

     

    ### Service Monitoring Daemon

    _________ provoked Restart RADIUS-Server 1 (10.1.0.10), RADIUS-Server 2 (10.1.0.240) still online

    2019:12:02-14:12:15 vpn-muc service_monitor[27181]: id="4000" severity="info" sys="System" sub="loadbalancing" name="REF_NetAvaRadiuAvail UDP 10.1.0.10:1812 changed state to OFFLINE"

    2019:12:02-14:12:15 vpn-muc service_monitor[27181]: id="4000" severity="info" sys="System" sub="loadbalancing" name="Set Availability Group REF_NetAvaRadiuAvail to 10.1.0.240"

     

    ### Wireless Protection

    2019:12:02-14:12:16 vpn-muc awed[5442]: [MASTER] start processing configuration change -> In my Test-LAB (SG115w), all Clients in all SSIDs!! will lose the WLAN-Connection! O.ô

    2019:12:02-14:12:16 vpn-muc awed[5442]: [MASTER] end processing configuration change

    ...

     

    The Sophos Support named it "by design".

    No Bug, no incorrect Configuration

     

    CB
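
To check whether your own UTM behaves as described in the last post, the following added example (not part of the thread and not Sophos code) correlates Availability Group switches in the service monitor log with `awed` configuration reloads in the wireless log. The sample lines are constructed from the ones quoted above; the function names and the 5-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log lines quoted in the post above;
# the last line is an unrelated, later awed reload added as a negative case.
SAMPLE_LOG = """\
2019:12:02-14:12:15 vpn-muc service_monitor[27181]: id="4000" severity="info" sys="System" sub="loadbalancing" name="REF_NetAvaRadiuAvail UDP 10.1.0.10:1812 changed state to OFFLINE"
2019:12:02-14:12:15 vpn-muc service_monitor[27181]: id="4000" severity="info" sys="System" sub="loadbalancing" name="Set Availability Group REF_NetAvaRadiuAvail to 10.1.0.240"
2019:12:02-14:12:16 vpn-muc awed[5442]: [MASTER] start processing configuration change
2019:12:02-14:12:16 vpn-muc awed[5442]: [MASTER] end processing configuration change
2019:12:02-15:30:00 vpn-muc awed[5442]: [MASTER] start processing configuration change
"""

LINE = re.compile(r'^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$')
SWITCH = re.compile(r'name="Set Availability Group (\S+) to ([^"]+)"')
AWED_START = "[MASTER] start processing configuration change"

def parse(line):
    """Split one UTM log line into (timestamp, process, message), or None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S"), m.group(2), m.group(3)

def correlate(log_text, window_s=5):
    """Find availability-group switches followed by an awed reload.

    Returns (switch_time, group, new_member, awed_time) tuples. window_s is
    an assumed correlation window, not a documented value.
    """
    switches, reloads = [], []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        ts, proc, msg = rec
        m = SWITCH.search(msg) if proc == "service_monitor" else None
        if m:
            switches.append((ts, m.group(1), m.group(2)))
        elif proc == "awed" and AWED_START in msg:
            reloads.append(ts)
    # Collect first, match second, so the two log files can simply be concatenated.
    return [(s, group, member, r)
            for s, group, member in switches
            for r in reloads
            if 0 <= (r - s).total_seconds() <= window_s]

if __name__ == "__main__":
    for s, group, member, r in correlate(SAMPLE_LOG):
        print(f"{r}: awed reload {(r - s).total_seconds():.0f}s after {group} switched to {member}")
```

Each hit marks a RADIUS failover that was followed by a wireless configuration reload, which is the moment the last post reports all clients on all SSIDs being disconnected.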