5

I'm deploying an IKEv2 VPN authenticating against a RADIUS service within a pfSense 2.3-RELEASE box. But I'm afraid of the complications of this approach when the RADIUS server is down.

Since the RADIUS is behind the pfSense box, in the event of a failure, I'll lose the ability to connect to the IKEv2 VPN and be left without any option to enter the LAN.

I could do a simple workaround with some fallback mode with a local user account within the pfSense box, but the problem is this "fallback mode". Does this even exist?

What are the options in this case?

Vinícius Ferrão

2 Answers

0

In VPN/IPsec/Mobile Clients, in User Authentication, highlight all Sources that you wish to use, click Save, then Apply. If you highlight 2 AD Domain Controllers, either one will authenticate if the other one is down. I tested this by shutting down each DC and verifying the other DC would authenticate IKEv2 VPN users. This can also be checked in the DC log file specified in NPS/Accounting/Log File Properties.

Will
0

I haven't configured RADIUS, but I am authenticating IPsec against AD with pfSense.

On the mobile client tab you can select multiple auth points. The list runs top down.