    LDAP + AD fail-over auth

    General pfSense Questions
    12 Posts 5 Posters 2.8k Views
    • jimp (Rebel Alliance Developer, Netgate)

      Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • BloodyIron

        Yum! I'll look into that right now ;o

        @jimp:

        Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.

        • BloodyIron

          Fail-over isn't working for me :(

          I setup a second auth server pointing to the second DC. When I do diagnostics auth test, it does work. But when I turn off DC1 and try to auth through VPN it just times out and complains about a TLS key failing to negotiate.

          Any more keen ideas? D:

          @jimp:

          Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.

          • abidkhanhk

            What I did, based on my network layout:

            We have multiple sites, and our main site has the Primary DC, which then replicates to the other sites.

            All sites are connected through IPsec.

            Each site has its own DC, which in turn authenticates for the local pfbox with its own ovpn server.

            Distributed client configurations are set to have multiple sites, so in case the primary box in the datacentre dies, when the 1st fails it will connect to the 2nd and 3rd.

            The traffic will then be routed over IPsec to the appropriate destinations.

            It's a bit of a stretched network, but this has worked for our needs.
            Cheers

            • evelio

              Are there any updates on this? I also have two Active Directory authentication backends selected on the OpenVPN server config. However, when the first server goes down (the first on the list), I don't see any attempts in the logs to contact the second server. Are there any workarounds for this?

              Using

              2.2.4-RELEASE (amd64)
              built on Sat Jul 25 19:59:52 CDT 2015
              FreeBSD 10.1-RELEASE-p15

              Regards
              Evelio

              • sven_apsware

                I'd like to bump this post.
                Facing the same issue.

                2.3.1-RELEASE (amd64)
                built on Tue May 17 18:46:53 CDT 2016
                FreeBSD 10.3-RELEASE-p3

                Any update would be nice since this is even tracked in redmine without any comment. (Tickets #3022 and #5906)

                • jimp (Rebel Alliance Developer, Netgate)

                  Set your Server timeout lower on the LDAP server entries, otherwise it won't time out before OpenVPN does.

                  • sven_apsware

                    Will try this the day after tomorrow - but thank you in advance!

                    Is there any recommended value? It currently defaults to 25 seconds, while I don't know what the value is for OpenVPN.
                    I obviously don't want to go too low here.

                    • jimp (Rebel Alliance Developer, Netgate)

                      We have lowered that to 5 seconds for new server entries made on the current version of pfSense. The best timeout value depends on your LDAP server. If it's fast and responsive, then a few seconds is plenty.

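As an added illustration of jimp's point (example code, not pfSense's own and not from anyone in this thread): fail-over to the second auth server only helps if a dead first server gives up before the VPN side stops waiting. The VPN-side budget, the hostnames and the port are constructed assumptions; `tcp_probe` is included so you can point the same walk at your own DCs.

```python
import socket
import time

# Constructed value: the thread never states how long the OpenVPN side waits
# for an auth answer, so this budget is an assumed placeholder, not a pfSense default.
ASSUMED_VPN_AUTH_BUDGET = 20.0


def tcp_probe(host, port, timeout):
    """Real probe for your own DCs: open a TCP session to the LDAP(S) port
    within `timeout` seconds. Returns (answered, seconds_taken)."""
    started = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - started
    except OSError:
        return False, time.monotonic() - started


def failover_auth(servers, probe, budget):
    """Try the selected auth servers in order, as the multi-select does.
    servers: [(name, host, port, server_timeout), ...]; probe(host, port, timeout)
    -> (answered, seconds_taken); budget: seconds the VPN side waits for an answer.
    Returns (server_name, elapsed), or (None, elapsed) if nothing answered in time."""
    elapsed = 0.0
    for name, host, port, server_timeout in servers:
        answered, took = probe(host, port, server_timeout)
        # A dead DC costs the whole server timeout before the next one is tried.
        elapsed += min(took, server_timeout)
        if elapsed > budget:
            return None, elapsed  # VPN side already gave up: no fail-over happened
        if answered:
            return name, elapsed
    return None, elapsed


def simulated_dc1_down(host, port, timeout):
    """Constructed scenario from the thread: DC1 switched off, DC2 healthy."""
    if host == "dc1.example.test":
        return False, timeout  # unreachable: burns the full server timeout
    return True, 0.2


def scenario(server_timeout, budget=ASSUMED_VPN_AUTH_BUDGET):
    """Two-DC scenario with the given per-server LDAP timeout (hosts are constructed)."""
    servers = [("DC1", "dc1.example.test", 636, server_timeout),
               ("DC2", "dc2.example.test", 636, server_timeout)]
    return failover_auth(servers, simulated_dc1_down, budget)
```

With the old 25-second server timeout the dead DC1 alone exhausts the assumed budget, so DC2 is never contacted; with 5 seconds the walk reaches DC2 after roughly 5.2 seconds.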
                      • sven_apsware

                        Alright, that's something to work with :)
                        Again - thank you very much!
                        Will report back, once this is tested.

                        • sven_apsware

                          Managed to test this already - with great success!
                          Thanks for your help.
