I'm deploying an IKEv2 VPN that authenticates against a RADIUS service on a pfSense 2.3-RELEASE box. But I'm afraid of the complications of this approach when the RADIUS server is down.
Since the RADIUS server is behind the pfSense box, in the event of a failure I'll lose the ability to connect to the IKEv2 VPN and be left without any way to enter the LAN.
I could do a simple workaround with some fallback mode using a local user account on the pfSense box, but the problem is this "fallback mode". Does it even exist?
What are the options in this case?
I haven't configured RADIUS, but I am authenticating IPsec against AD with pfSense.
On the Mobile Clients tab you can select multiple auth points. The list runs top-down.
In VPN/IPsec/Mobile Clients, in User Authentication, highlight all Sources that you wish to use, click Save, then Apply. If you highlight 2 AD Domain Controllers, either one will authenticate if the other one is down. I tested this by shutting down each DC and verifying the other DC would authenticate IKEv2 VPN users. This can also be checked in the DC log file specified in NPS/Accounting/Log File Properties.
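The behaviour the answer describes (authentication sources consulted top-down, with a source that is down being skipped so the next one gets a chance) can be illustrated with a small Python model. This is an added example and not pfSense code: the backends are constructed stand-ins for a local database and two remote servers, and the chain also moves on to the next source after a rejection, which is a simplifying assumption of the illustration rather than a statement about pfSense. The point it makes is the one the question asks about: if the only remote sources are unreachable, a local account listed below them still gets you in, while a wrong password is still refused everywhere.

```python
"""Ordered authentication sources with fallback (constructed illustration).

Sources are tried top-down. A source that cannot be reached (timeout, host
down) is logged and skipped; a source that rejects the credentials is logged
and the next one is tried; the first source that accepts wins.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class SourceUnavailable(Exception):
    """Raised by a backend that could not be reached (server down, timeout)."""


@dataclass
class ConstructedBackend:
    """Stand-in for a local DB, an AD DC or a RADIUS server (not a real client)."""
    name: str
    users: Dict[str, str]            # username -> password (constructed data)
    up: bool = True                   # False simulates the server being down

    def check(self, username: str, password: str) -> bool:
        if not self.up:
            raise SourceUnavailable("no response from " + self.name)
        stored = self.users.get(username)
        if stored is None:
            return False
        # constant-time comparison, as a real backend would use
        return hmac.compare_digest(stored.encode(), password.encode())


@dataclass
class AuthChain:
    """Ordered list of sources, equivalent to the highlighted list in the GUI."""
    sources: List[ConstructedBackend]
    log: List[str] = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the name of the source that accepted the user, or None."""
        for src in self.sources:
            try:
                if src.check(username, password):
                    self.log.append(f"{src.name}: accept {username}")
                    return src.name
                self.log.append(f"{src.name}: reject {username}")
            except SourceUnavailable as exc:
                # the failure the question worries about: skip and try the next
                self.log.append(f"{src.name}: unavailable ({exc})")
        self.log.append(f"all sources exhausted for {username}")
        return None


def build_chain(dc1_up: bool, dc2_up: bool) -> AuthChain:
    """Two remote sources listed first, a local account as the last resort."""
    remote_users = {"alice": "Correct-Horse-1"}
    return AuthChain([
        ConstructedBackend("dc1", remote_users, up=dc1_up),
        ConstructedBackend("dc2", remote_users, up=dc2_up),
        ConstructedBackend("local", {"rescue": "Local-Only-2"}),
    ])


def scenario_primary_down() -> Optional[str]:
    # dc1 is down: dc2 answers for the same user, as in the answer's test
    return build_chain(dc1_up=False, dc2_up=True).authenticate("alice", "Correct-Horse-1")


def scenario_all_remote_down() -> Optional[str]:
    # both remote sources down: the local rescue account still works
    return build_chain(dc1_up=False, dc2_up=False).authenticate("rescue", "Local-Only-2")


def scenario_bad_password() -> Optional[str]:
    # a wrong password is rejected by every source; nothing falls open
    return build_chain(dc1_up=True, dc2_up=True).authenticate("alice", "wrong")


if __name__ == "__main__":
    chain = build_chain(dc1_up=False, dc2_up=True)
    print(chain.authenticate("alice", "Correct-Horse-1"))
    print("\n".join(chain.log))
```

Running the script prints the source that accepted the login and the per-source log, which is the same kind of trace you would look for in the NPS accounting log file when verifying the real setup by shutting down one DC at a time.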