I have an MX with two WANs from different ISPs. WAN1 is primary.
I authenticate my SSID via RADIUS from a RADIUS-as-a-Service on the internet. This is working.
I configured Client VPN with RADIUS authentication and it's working.
My RADIUS-as-a-Service has an option for MFA (TOTP). I want to turn on MFA for Client VPN connections but not wireless connections. I can specify different RADIUS server IPs in the SSID settings and the Client VPN settings. Got that.
My RaaS has multiple public static IPs and recognizes clients by source IP. So I would like RADIUS traffic from SSID auth requests to go out WAN1, and RADIUS traffic for Client VPN auth requests to go out WAN2. That way my RADIUS service knows to only ask for MFA from requests coming from WAN2's IP.
I made the Traffic Shaping rules in Flow Preferences accordingly. But it looks like RADIUS traffic does not obey these rules. Does anyone know if RADIUS traffic is supposed to obey traffic shaping rules?
My Rules are basically:
Protocol:Any Source:Any Destination:RaaS-IP-1 DestPort:Any Preferred uplink:WAN1
Protocol:Any Source:Any Destination:RaaS-IP-2 DestPort:Any Preferred uplink:WAN2
I can tell that all RADIUS traffic looks like it's coming from WAN1. This is because the shared key I use for WAN1 works for both wireless and Client VPN. When I use the shared key meant for WAN2, it doesn't work.
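
Added example, not part of the original post: how a RADIUS server that selects the shared secret and MFA policy by source IP evaluates a request, which is why a Client VPN request signed with the WAN2 key fails when it actually leaves via WAN1. The IPs, secrets and function names are constructed, and it assumes the requests carry a Message-Authenticator attribute (RFC 2869).

```python
import hashlib, hmac, os, struct
from typing import NamedTuple, Optional

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

class Client(NamedTuple):
    label: str
    secret: bytes
    mfa: bool

# Constructed values: documentation-range IPs and made-up secrets.
CLIENTS = {
    "198.51.100.10": Client("WAN1", b"constructed-secret-wan1", False),
    "203.0.113.20": Client("WAN2", b"constructed-secret-wan2", True),
}

def build_access_request(secret: bytes, user: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Request: User-Name plus Message-Authenticator."""
    attrs = bytes([1, 2 + len(user)]) + user + bytes([MSG_AUTH, 18]) + bytes(16)
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    # HMAC-MD5 is computed with the attribute value zeroed, then written in.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def signature_ok(pkt: bytes, secret: bytes) -> bool:
    """Verify HMAC-MD5 over the packet with the attribute value zeroed."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", pkt[2:4])[0]
    if not 20 <= length <= len(pkt):
        raise ValueError("bad length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == MSG_AUTH and alen == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:length]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += alen
    return False  # no Message-Authenticator present

def evaluate(pkt: bytes, src_ip: str) -> Optional[tuple]:
    """Return (label, mfa_required) if the request validates, else None."""
    client = CLIENTS.get(src_ip)  # the secret is chosen by source IP alone
    if client is None or not signature_ok(pkt, client.secret):
        return None
    return (client.label, client.mfa)
```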