pfSense - IKEv2 with EAP-RADIUS: Any fallback option if the RADIUS server is down?

Question

I'm deploying an IKEv2 VPN authenticating against a RADIUS service within a pfSense 2.3-RELEASE box. But I'm afraid of the complications of this approach when the RADIUS server is down.

Since the RADIUS is behind the pfSense box, in an event of a failure, I'll lose the ability to connect to the IKEv2 VPN and left without any option to enter the LAN.

I could do a simple workaround with some fallback mode with a local user account within the pfSense box, but the problem is this "fallback mode". This even exist?

What are the options in this case?

score 0 · Answer 1 · answered Feb 12 '20 at 14:42

In VPN/IPsec/Mobile Clients, in User Authentication, highlight all Sources that you wish to use, click Save, then Apply. If you highlight 2 AD Domain Controllers, either one will authenticate if the other one is down. I tested this by shutting down each DC and verifying the other DC would authenticate IKEv2 VPN users. This can also be checked in the DC log file specified in NPS/Accounting/Log File Properties.

score 0 · Answer 2 · answered May 28 '16 at 08:53

0

I haven't configured radius, but I am authenticating IPSec against AD with pfsense.

On the mobile client tab you can select multiple auth points. The list runs top down.

answered May 28 '16 at 08:53

James Phisher

1

pfSense - IKEv2 with EAP-RADIUS: Any fallback option if the RADIUS server is down?

2 Answers2