
DUO VPN with Sonicwall and two domain (RADIUS)

zimol
Level 1

Hi all!

We have this situation (all in the same subnet 192.168.10.x):

1 Sonicwall firewall, SSL VPN configured with 2 RADIUS servers (SRV-A and SRV-B)
1 Domain controller XXX.local (DC-A)
1 DUO Proxy authenticator in XXX domain (SRV-A)
1 Domain controller YYY.local (DC-B)
1 DUO Proxy authenticator in YYY domain (SRV-B)

Sonicwall is configured correctly with the 2 RADIUS servers.
In Sonicwall I test users in both proxies and it works (I receive a push for each DUO account).

When I try to connect to the VPN with NetExtender only with a user present in the SRV-A domain, it works.
When I try to connect to the VPN with NetExtender only with a user present in the SRV-B domain, it doesn't work. To make it work I need to disable the SRV-A RADIUS on the Sonicwall.

The problem is: if I try to connect to the VPN, Sonicwall searches only the first RADIUS server.
When it doesn't find the username, it doesn't use the second RADIUS server, but stops with "username invalid".

Any clue?

Thank you!

Emanuele

1 Reply

DuoKristina
Cisco Employee

Your Sonicwall device may not support chaining authentication domains for failover, i.e. “If user is not found in the first RADIUS domain, search the second one”.

Also, the Authentication Proxy doesn’t support LDAP referrals between domains. It does support searches through multiple domains in an AD forest if you use Global Catalog.

If you are using an SRA/SMA you can create the two different RADIUS domains, each pointing to a different Duo RADIUS proxy, and then associate both of those RADIUS domains with your VPN portal. Users who sign in can select which RADIUS domain they want to use when they sign in.

Duo, not DUO.