Duo Security - HA Radius Servers

November 18, 2015 duo-security, ubuntu

If you are using Duo Security MFA (highly recommended), you may want high availability for your Duo RADIUS servers. Duo doesn't currently have a "supported" solution for this, but keepalived worked great after a quick call to support. This also assumes you have followed Duo's instructions to install their RADIUS server (found here).

First, install keepalived (basic instructions for Ubuntu 14.04: https://raymii.org/s/tutorials/Keepalived-Simple-IP-failover-on-Ubuntu.html).

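RADIUS server #1 config:

vrrp_instance VIP_1 {
    state MASTER
    interface eth0
    # virtual_router_id must be identical on both servers
    virtual_router_id 100
    # higher priority wins the VIP
    priority 101
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        # placeholder: set your own shared secret, identical on both servers
        # (keepalived uses only the first 8 characters)
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}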

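RADIUS server #2 config:

vrrp_instance VIP_1 {
    state BACKUP
    interface eth0
    # virtual_router_id must be identical on both servers
    virtual_router_id 100
    # lower priority than server #1, so this node takes the VIP only on failover
    priority 100
    preempt_delay 30
    advert_int 1
    authentication {
        auth_type PASS
        # placeholder: set your own shared secret, identical on both servers
        # (keepalived uses only the first 8 characters)
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}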

After this was completed, keepalived was up and running, and I could ping/ssh to the VIP, but Duo was not responding to RADIUS requests on the VIP!? After trying several different options, I called into Duo Support to see if anything could be done. The support engineer and I discovered that the "interface=" command in authproxy.cfg could be used to bind to an IP address other than the default eth0 address. This is what I added to the top of the authproxy.cfg for Duo RADIUS:

[main]
interface=10.0.0.1

[ad_client]
...etc

After I restarted the duoauthproxy service, RADIUS requests completed successfully using the VIP and my HA solution is complete! Testing shows 1-second failover times between both servers with keepalived.

View the VIP assigned to eth0:

ip addr show eth0
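
A pre-deployment check for the setup above, as an added example (not from the original post, Duo, or keepalived): it parses both keepalived configs and authproxy.cfg and reports mismatches that would stop the VIP from failing over or leave the proxy bound to an address that is not the VIP. The function names and the embedded sample configs are constructed for illustration.

```python
import configparser
import re

# Constructed sample inputs mirroring the configs on this page.
NODE1 = """
vrrp_instance VIP_1 {
    state MASTER
    interface eth0
    virtual_router_id 100
    priority 101
    authentication {
        auth_type PASS
        auth_pass password
    }
    virtual_ipaddress {
        10.0.0.1 dev eth0
    }
}
"""
NODE2 = NODE1.replace("state MASTER", "state BACKUP").replace("priority 101", "priority 100")
AUTHPROXY = "[main]\ninterface=10.0.0.1\n"


def parse_vrrp(text):
    """Flatten one vrrp_instance block into {keyword: value}, plus a 'vips' list."""
    conf = {"vips": re.findall(r"^[ \t]*(\d+\.\d+\.\d+\.\d+)", text, re.M)}
    for key, value in re.findall(r"^[ \t]*([a-z_]+)[ \t]+([^\s{]+)[ \t]*$", text, re.M):
        conf[key] = value
    return conf


def check_pair(node1, node2, authproxy):
    """Return a list of problems that would break or weaken VIP failover."""
    a, b = parse_vrrp(node1), parse_vrrp(node2)
    problems = []
    for key in ("virtual_router_id", "auth_type", "auth_pass", "vips"):
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs between nodes")
    if a.get("priority") == b.get("priority"):
        problems.append("priority is identical on both nodes")
    ini = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    ini.read_string(authproxy)
    bind = ini.get("main", "interface", fallback=None)
    if bind not in a["vips"]:
        problems.append(f"authproxy interface={bind} is not a keepalived VIP")
    if a.get("auth_pass") == "password":
        problems.append("auth_pass is still the placeholder value")
    return problems
```

Run against the configs exactly as shown on this page, the only finding is the placeholder `auth_pass`.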