Document 188496

August 3, 2011
Article Version: 1.0
Description:
This article demonstrates how to setup Radius authentication failover between multiple
SafeWord authentication servers. Please note that there are many different ways a radius
server can be configured for failover, however in this case, the built-in SafeWord failover
mechanism will be used.
Steps to reproduce
In this scenario, we are using three different servers, including two independent SafeWord
authentications servers and a radius server. Moreover, the radius server is setup to failover to either
one of the authentication server in case one is unavailable.
Cause:
Failover between SafeWord authentication servers can fail for different reasons that might not be
apparent. In many cases the problem is related to the communication between the authentication
engine (AAA) and the Radius server. These communication problems include but not limited to
following:
1234-
Swec.md5 error, which is related to ssl communication via the SafeWord eaap protocol.
Firewall between the Radius server and the SafeWord authentication server.
Missing authentication server information in the NFuseStrongAuthenticator.cfg file.
Missing authentication engine in the SafeWord RADIUS Server Configuration
Solution:
In this article we will not focus on the on 1 and 2 because there are other articles dealing with these
specific topics, instead, will look into 3 and 4.
August 3, 2011
Article Version: 1.0
To configure SafeWord Radius for failover, please follow the steps below:
1- Open the SafeWord RADIUS Server Configuration page
2- Click on the Authentication engine and list you SafeWord authentication servers by IP address.
Please note the IP needs to be saved to commit the change and click OK.
August 3, 2011
Article Version: 1.0
3- Now, click on Radius client and add your radius client. For example, a Juniper VPN device can be
listed here with the same secret key as the one setup on juniper for radius authentication.
Please note that the client has to have a configuration for the radius server.
August 3, 2011
Article Version: 1.0
4- Finally ensure that both SafeWord authentication servers are listed in the
NFuseStrongAuthenticator.cfg file, located in the SafeWord installation directory (C:\Program
Files\Aladdin\SafeWord\Common) on SafeWord radius server.
Applies to all versions of SafeWord except SafeWord RemoteAccess