RADIUS Health Check status ProxySG appliance is "Unknown" even though RADIUS test configuration works

book

Article ID: 168980

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Authentication realm health checks on the ProxySG appliance are created on a per-realm basis and not a per-server basis. They report on the status of the last authentication attempt that was performed in that realm. When the status of RADIUS realm is unknown, it means the proxy is not aware of the last time that users were authenticated using this RADIUS realm. The same behavior applies to other authentication realm health checks.

Cause

The authentication health check status is mainly based on the result of the last authentication attempt made by a user against a particular realm. If a realm is defined but not referenced within policy, no users will authenticate against the realm and thus the health check is unaware of the authentication status (status unknown).

The test configuration does not update the health check value because it checks for credential validity with the RADIUS server and not the actual authentication policy itself. If the ProxySG appliance was able to successfully complete authentication using either the primary or the secondary authentication server configured for the realm, the realm is reported as healthy.

Resolution

Install a web authentication rule in ProxySG policy to authenticate users via RADIUS. After a user successfully authenticates, the health check status changes to healthy ("OK").