12-08-2022 06:58 AM
Hello, I have successfully set up a VPN and am using an existing DUO authentication proxy server configured behind a Meraki MX100 device (inside the network). We are using DUO MFA with Cisco AnyConnect. The intent is to install a second Debian-based Radius server. I installed a copy of the authproxy.cfg file from the production server onto the second server. The “radius_ip_1=192.168.x.x” IP address is the address of the Meraki device or default gateway. The new server is running and passes the connectivity test. Do there need to be any different or additional changes made to the authproxy.cfg file to accommodate the second server? The second radius server will be added to the client VPN AnyConnect section within the Meraki with the intent of using a different TCP/IP port number. Will this work? I cannot locate anything specific to this within DUO’s knowledge base. I appreciate any input. Thank you.
12-09-2022 08:58 AM
Each Duo Authentication Proxy server you might set up for RADIUS or LDAP authentication functions independently with no awareness of the other. There is nothing to add to the authproxy.cfg file about the server(s).
Oh, but if you plan to send requests to the second proxy server on a different port you need to make sure the RADIUS config on that server is listening on the different port (so add port=nnnn to the radius_server_whatever section on the second server set to the different port you want to use).
Not sure what you are trying to accomplish overall, but if you have one Meraki device and just want to have it communicate with two Duo RADIUS servers for authentication you don’t actually need to set up a second Duo proxy server. You can add multiple RADIUS config sections so they listen concurrently on different ports on a single Authentication Proxy server.
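The setup described in the answer above, as an added example (not code from the thread or from Duo): a constructed authproxy.cfg with two RADIUS sections on one proxy, and a check that each section listens on its own port. The section names assume radius_server_auto mode with a numbered second section; port 18120, the keys and the secrets are placeholders, and the check assumes both sections bind the same interface.

```python
import configparser
from collections import defaultdict

DEFAULT_RADIUS_PORT = 1812  # port the proxy listens on when port= is omitted

# Constructed sample authproxy.cfg: one proxy, two RADIUS listeners.
# Section names assume radius_server_auto mode; all values are placeholders.
SAMPLE_CFG = """
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.168.x.x
radius_secret_1=PLACEHOLDER_SHARED_SECRET_1
client=ad_client

[radius_server_auto2]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com
radius_ip_1=192.168.x.x
radius_secret_1=PLACEHOLDER_SHARED_SECRET_2
client=ad_client
port=18120
"""

def radius_listeners(cfg_text):
    """Map each [radius_server_*] section to the port it listens on."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    return {
        name: cp.getint(name, "port", fallback=DEFAULT_RADIUS_PORT)
        for name in cp.sections()
        if name.startswith("radius_server_")
    }

def port_conflicts(listeners):
    """Return {port: [sections]} for ports claimed by more than one section."""
    by_port = defaultdict(list)
    for name, port in listeners.items():
        by_port[port].append(name)
    return {p: names for p, names in by_port.items() if len(names) > 1}

if __name__ == "__main__":
    listeners = radius_listeners(SAMPLE_CFG)
    print(listeners)
    print(port_conflicts(listeners) or "no port conflicts")
```

The port configured for each RADIUS server entry on the Meraki side has to match the port= value of the section it is meant to reach.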
12-09-2022 11:18 AM
Hello DuoKristina, and thank you very much for the response. I really appreciate it. My thought was to add high availability for the DUO platform. One of the servers is in the cloud (AWS). The idea is to have one on-premises and another in the cloud. This adds redundancy should one of the two go down.
12-13-2022 11:15 AM
DUOKristina, thank you for your feedback. It helped a lot. Merry Christmas.
12-14-2022 09:39 AM
I hope you have a great holiday too!