<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hello Michael,<div><br></div><div>You brought up some very good points. </div><div><br></div><div>I'm currently only using the authentication in RADIUS by utilising the username/password in the Radcheck table. I also make use of Radacct table to see for how long a user was connected, from which location the connection was made and to which VPN server the user is connected. Other than that all VPN servers are the same and don't differ.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">> If your VPN servers do not differ I would set up two RADIUS server (for<br>> redundancy) that use the one database (master / slave setup for redundancy).</blockquote><div><br></div><div>I have found this <a href="https://thenetworkcable.wordpress.com/2014/11/28/creating-redundant-freeradius-servers-with-mysql-replication/">blog post</a> that explains how to run two freeradius and two mysql servers in replication.</div><div>So it seems that two databases are needed after all. But you advised to just use one database with two FreeRadius in replication. Do I have to do anything specifically in the configs to make them work in replication with a single database? Or is it as simple as creating an AWS Loadbalancer that points to both freeradius servers as round-robin? And in turn all VPN servers are pointing to the same Load balancer endpoint? I suppose nothing stops me of having two database/replication in this scenario to make it more resilient, isn't it?</div><div><br></div><div>Many Thanks,</div><div>Houman</div><div><br></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 21 Aug 2019 at 08:52, Michael Schwartzkopff <<a href="mailto:ms@sys4.de">ms@sys4.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Am 21.08.19 um 08:20 schrieb Houman:<br>
> Hello,<br>
><br>
> I have multiple StrongSwan VPN servers setup and each of them has its own<br>
> FreeRadius server. Each of the freeradius servers then points to the<br>
> central database in a separate location. This works without any problem.<br>
> But I wonder if this is the right approach after all.<br>
><br>
> Maybe I should have only one FreeRadius server installed next to the<br>
> database, and have each VPN server connect to the central freeradius server<br>
> instead?<br>
><br>
> As in setting *accounting = yes* and *address= [remote IP of freeradius<br>
> server]* in /etc/strongswan.d/charon/eap-radius.conf for each VPN.<br>
><br>
> What is the most optimal way?<br>
><br>
> Many Thanks,<br>
> Houman<br>
><br>
<br>
As always, it depends ...<br>
<br>
First of all you need to write down, what you want to achieve.<br>
<br>
Then you have to find the best solution for you. The "best" might be the<br>
most simple, the easiest to maintain, the one with the least effort in<br>
setting up, the one that has least components, the one with the least<br>
complexity or a combination of everything.<br>
<br>
What do you want to acchieve? Authentication / Authorization of VPN<br>
client through a central backend database? Do you need accouting?<br>
<br>
If your VPN servers do not differ I would set up two RADIUS server (for<br>
redundancy) that use the one database (master / slave setup for redundancy).<br>
<br>
If your VPN servers differ and the outcome of your Authorization depends<br>
on the VPN server, I would set up different virtual RADIUS servers.<br>
<br>
But everything depends on your setup. Be sure you know what you want.<br>
<br>
<br>
Mit freundlichen Grüßen,<br>
<br>
-- <br>
<br>
[*] sys4 AG<br>
<br>
<a href="https://sys4.de" rel="noreferrer" target="_blank">https://sys4.de</a>, +49 (89) 30 90 46 64<br>
Schleißheimer Straße 26/MG,80333 München<br>
<br>
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263<br>
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief<br>
Aufsichtsratsvorsitzender: Florian Kirstein<br>
<br>
<br>
</blockquote></div>