pfSense

Just here to push this up. This feature would be very useful on enterprise environments.

Denis Grilli wrote in #note-4:

Just here to push this up. This feature would be very useful on enterprise environments.

I concur! Please make this a higher priority.

This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.

I've been thinking about this a bit lately since we've added something similar in the upcoming TNSR release.

Like there, we could have a way to define "server groups" and then rather than offering a list of all auth servers, we offer the groups where users can now select servers. Inside each group you could only list the servers you want to use and the order in which they should be queried.

And then for example GUI/system auth you'd pick it by group, same with OpenVPN server auth, IPsec user auth, etc.

Chris Linstruth wrote in #note-6:

This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.

For local auth this could happen naturally if the auth server groups had individual entries for each server plus "Local" and then you could set a group to only include remote servers and not the local auth, which would then be excluded.

But beyond that it would also be helpful to have a choice between "use the next server on any failure" vs "use the next server only if the first is unreachable" so users can consider an auth failure a failure at any point.