Two authentifications sources

Security Gateway Discussions
Post Reply
bonnet
Posts: 3
Joined: 06 Mar 2015, 12:43

Two authentifications sources

Post by bonnet » 06 Mar 2015, 13:07

Hi,

I want to use two authentications sources for an L2TP VPN :
  1. Local database
  2. Radius (Windows server 2012 with NAP)
Currently, my Clavister only uses the local database. I want to add a Radius authentication without removing the local database authentication. I made two authentication rules :
Clavister-Authentification.png
Clavister-Authentification.png (6.47 KiB) Viewed 3254 times
Both rules match the L2TP authentication, but only the first one is used. I want to use the second rule if the first fail.

How I can do it ?

Peter
Posts: 697
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Tow authentifications sources

Post by Peter » 09 Mar 2015, 10:54

Hello.

That is not possible as similar to IP rules, the user auth rules are read from the top to the bottom, once a match has been found it will not continue down in the "ruleset". I assume you want to use this as a sort of backup solution? In case the Radius server is unreachable you can still use the local database.

Two alternatives:

1. If you have a second public IP address, setup a second L2TP/IPsec server that listens on the secondary IP (requires version 10.20 and up).
2. Configure a second L2TP/IPsec server. You have to use Certificates + ID lists on the second IPsec tunnel though (also make sure that the Cert tunnel is placed above the PSK one).

So two servers, then you can create two User Auth rules one for Radius and another that uses local database.

Best regards
/Peter

bonnet
Posts: 3
Joined: 06 Mar 2015, 12:43

Re: Two authentifications sources

Post by bonnet » 09 Mar 2015, 12:24

Thank you.

I want to migrate the authentication process. Currently, all users use local database and I want to migrate authentication on the active directory. None of these users have the same password between local database and active directory. I can't let any user without VPN and I can't modify all VPN at the same time. That's why I wanted to use two authentication methods at the same time for the migration process.

Post Reply