5nik
Member Candidate
Topic Author
Posts: 104
Joined: Thu Dec 08, 2011 3:15 am
Location: Czech Republic

Suggestion: VPN profile selected from radius response

Fri Sep 11, 2015 12:06 am

When I use a RADIUS server for VPN authentication, it would be great if I could choose the VPN profile in the RADIUS response.

For example: I'm using MikroTik as a VPN concentrator for AD users. I want to use a different VPN profile for management users (AD groups), for "normal" users and for domain admins. At this time it is impossible with RADIUS authentication.

I imagine that the MikroTik VPN defines and accepts a new parameter (for example) "vpn-profile" in the response from the RADIUS server, which selects one of the existing VPN profiles on the MikroTik.

Opinions?
 
johnymachine
just joined
Posts: 2
Joined: Wed May 17, 2017 10:15 pm

Re: Suggestion: VPN profile selected from radius response

Sat Sep 30, 2017 8:49 pm

Hello, any luck with that? I also need to split VPN users into at least two groups for admins and users.

Thanks.
 
JimmyNyholm
Member Candidate
Posts: 248
Joined: Mon Apr 25, 2016 2:16 am
Location: Sweden

Re: Suggestion: VPN profile selected from radius response

Sun Oct 01, 2017 11:53 am

In short, I have not tested it.

The wiki states (https://wiki.mikrotik.com/wiki/Manual:RADIUS_Client):

"RouterOS has a RADIUS client which can authenticate for HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile."

The key point being that attributes received override the profile.
Let's look at what attributes we may send (https://wiki.mikrotik.com/wiki/Manual:R ... dictionary)

Perhaps something with Mikrotik-Group or Mikrotik-Address-List, or sending different Mikrotik_DHCP_Option_Set's, would let you solve the problem.
All ordinary RADIUS attributes will have an influence. Just giving different nets to different kinds of users would make an easily managed solution in ACLs later on in other equipment as well.
If one user would test both as an ordinary user and as an admin, use realms to differentiate what you want to achieve.
 
jspool
Member
Posts: 469
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Suggestion: VPN profile selected from radius response

Sun Oct 01, 2017 3:41 pm

Have you tried Framed-Pool and then set up firewalls based on the assigned IP?
 
johnymachine
just joined
Posts: 2
Joined: Wed May 17, 2017 10:15 pm

Re: Suggestion: VPN profile selected from radius response

Tue Oct 03, 2017 9:50 pm

Yes, I did, and I can confirm that it works.

Based on the manual for RADIUS, I send the Mikrotik-Address-List attribute with a custom value for different types of users and then firewall it based on the dynamic address list.
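
The approach confirmed in the last post, sketched as RouterOS configuration (an added example, not posted by anyone in the thread): the RADIUS server returns a different Mikrotik-Address-List value per user group, and the router filters on the resulting dynamic address lists. The list names, subnets, RADIUS server address and secret are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Assumed values:
#   VPN client pool      10.10.0.0/24
#   management network   192.168.88.0/24
#   server network       192.168.10.0/24
#   RADIUS server        192.0.2.10 (placeholder address and secret)
#
# RADIUS side (whatever server is in use): the Access-Accept for each AD group
# carries one reply attribute, for example
#   admins group -> Mikrotik-Address-List = "vpn-admins"
#   other users  -> Mikrotik-Address-List = "vpn-users"
# RouterOS adds the client's tunnel address to that list as a dynamic entry
# while the session is up.

/radius add service=ppp address=192.0.2.10 secret="CHANGE-ME"
/ppp aaa set use-radius=yes

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="return traffic"
add chain=forward src-address-list=vpn-admins dst-address=192.168.88.0/24 \
    action=accept comment="admins: management network"
add chain=forward src-address-list=vpn-admins dst-address=192.168.10.0/24 \
    action=accept comment="admins: server network"
add chain=forward src-address-list=vpn-users dst-address=192.168.10.0/24 \
    protocol=tcp dst-port=443 action=accept comment="users: HTTPS to servers only"
# Fail closed: a VPN client whose RADIUS reply carried no (or an unknown)
# Mikrotik-Address-List value matches none of the accepts above and is dropped.
add chain=forward src-address=10.10.0.0/24 action=drop log=yes \
    log-prefix="vpn-nogroup" comment="VPN client in no known list"

# Check which tunnel addresses are currently in a list:
/ip firewall address-list print where list=vpn-admins
```

Rule order matters here: the final drop has to sit below the per-list accepts and above any broader accept rule in the forward chain, otherwise a session without a group attribute inherits whatever that broader rule allows.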
