Duo Security – HA Radius Servers

If you are using Duo Security MFA (great solution btw), you may want high availability for your Duo RADIUS servers. Duo doesn’t currently have a “supported” solution for this, but keepalived worked great after a quick call to support. This also assumes you have followed Duo’s instructions to install their RADIUS server (the Duo Authentication Proxy, found HERE).

Using Ubuntu 14.04, install keepalived (basic instructions: https://raymii.org/s/tutorials/Keepalived-Simple-IP-failover-on-Ubuntu.html)

Radius server #1 config:

vrrp_instance VIP_1 {
    state MASTER
    interface eth0
    virtual_router_id 100   # must match on both servers and be unique on this network segment
    priority 101            # higher than server #2, so this node is preferred
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS      # simple-text VRRP auth: only the first 8 characters are used, and it is sent in the clear on the LAN
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

Radius server #2 config:

vrrp_instance VIP_1 {
    state BACKUP
    interface eth0
    virtual_router_id 100   # same value as server #1
    priority 100            # lower than server #1, so it takes the VIP only when #1 is gone
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS      # must match server #1 exactly
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}

After this was completed, keepalived was up and running, and I could ping/ssh to the VIP. But Duo was not responding to RADIUS requests on the VIP! After trying several different options, I called into Duo Support to see if anything could be done. The support engineer and I discovered that the “interface=” setting in authproxy.cfg can be used to bind the proxy to an IP address other than the default eth0 address. This is what I added to the top of authproxy.cfg:

[main]
interface=10.0.0.1

[ad_client]
...etc

After I restarted the duoauthproxy service, RADIUS requests completed successfully using the VIP, and my HA solution is complete! Testing shows 1-second failover times between the two servers with keepalived.

View the VIP assigned to eth0:

ip addr show eth0
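Keepalived on its own only moves the VIP when the other node stops advertising; it does not notice a proxy that has died while the host is still up. The script below is an added example (not from the original post and not Duo's code) of a keepalived track_script that fails the health check only when this node holds the VIP but has no UDP socket bound to it. It assumes the VIP 10.0.0.1 on eth0 from the post and a RADIUS listener on UDP 1812, which is Duo's default port for a radius_server section; the file name, the function names, and the sample command output in selftest are all constructed for this example.

```sh
#!/bin/sh
# check_duo_radius.sh - keepalived track_script for a Duo Auth Proxy VIP.
# Added example; not code from the original post or from Duo. Assumes the VIP
# 10.0.0.1 on eth0 from the post and a RADIUS listener on UDP 1812 (Duo's
# default for a radius_server section; change it if yours differs).
set -u

# vip_present OUTPUT VIP: succeed when OUTPUT (text of `ip addr show IFACE`)
# has an "inet VIP/..." line, i.e. this node currently holds the VIP.
vip_present() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        $1 == "inet" { split($2, a, "/"); if (a[1] == vip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# radius_listener OUTPUT VIP PORT: succeed when OUTPUT (text of `ss -lun`)
# shows a UDP socket bound to exactly VIP:PORT (not merely 0.0.0.0:PORT),
# which is what the interface= setting in authproxy.cfg should produce.
radius_listener() {
    printf '%s\n' "$1" | awk -v want="$2:$3" '
        $4 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check IFACE VIP PORT: the exit status is the health result for keepalived.
check() {
    addrs=$(ip addr show "$1") || return 1
    # Without the VIP this node is BACKUP; a socket cannot be bound to an
    # address the node does not hold, so there is nothing to verify here.
    vip_present "$addrs" "$2" || return 0
    socks=$(ss -lun) || return 1
    # MASTER but no RADIUS socket on the VIP: fail, so keepalived applies the
    # negative weight and the VIP moves to the other server.
    radius_listener "$socks" "$2" "$3"
}

# selftest: run both parsers against constructed command output (not captured
# from a real host) and succeed only if every expectation holds.
selftest() {
    ip_out='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.11/24 brd 10.0.0.255 scope global eth0
    inet 10.0.0.1/32 scope global eth0'
    ss_out='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
    UNCONN 0      0      10.0.0.1:1812      *:*
    UNCONN 0      0      127.0.0.1:53       *:*'
    vip_present "$ip_out" 10.0.0.1 || return 1
    vip_present "$ip_out" 10.0.0.2 && return 1              # VIP not held
    radius_listener "$ss_out" 10.0.0.1 1812 || return 1
    radius_listener "$ss_out" 10.0.0.11 1812 && return 1    # wrong address
    radius_listener "$ss_out" 10.0.0.1 1813 && return 1     # wrong port
    return 0
}

# Usage: check_duo_radius.sh eth0 10.0.0.1 1812   (from keepalived)
#        check_duo_radius.sh --selftest           (parser check, no root needed)
if [ "$#" -eq 3 ]; then
    check "$@"
elif [ "${1:-}" = "--selftest" ]; then
    selftest
fi
```

Wire it in on both servers with a vrrp_script block in keepalived.conf (script "/usr/local/bin/check_duo_radius.sh eth0 10.0.0.1 1812", interval 2, weight -20) and a track_script entry inside vrrp_instance VIP_1. With the priorities from the post, a failed check drops the master from 101 to 81, below the backup's 100, so the backup preempts. One thing to confirm on your own nodes: on Linux, bind() to an address the host does not currently own fails with EADDRNOTAVAIL unless net.ipv4.ip_nonlocal_bind=1 is set, so after a failover check with ss -lun that the proxy on the new master really is bound to 10.0.0.1; that missing socket is exactly the condition this script reports.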