Hi guys.

In the near future I will have to achieve a task with authorizing Wifi connections from remote location with RADIUS.
Mikrotik AP_01 (10.20.200.150) is connected to Mikrotik gateway RTR_01 (10.20.200.1). Gateway has a running Wireguard tunnel to main site where is a running RADIUS server and the traffic through this tunnel is masquarade (10.20.1.2).
On that server I am planning to use conditions like "if the client's name is XXX and connection is Wireless than..." (plus some others which are clear to me).
Which device in this scenario will be the client? XXX should be AP_01 or RTR_01? If AP_01 than in the RADIUS client section I should assing/use IP address 10.20.1.2, right?

If someone will be looking for this scenario...
The traffic comes to the RADIUS server with IP of the router, because of masquarading which is quite obvious. The server looks at the sender IP address of the packet, it's not an address writen somewhere inside the data part of the packet (it's what I have asked before), so the RADIUS client address in this scenario should be 10.20.1.2.
In the internet I found informations that you can use different RADIUS client authorization passwords for different devices with the same IP but it didn't work out in my case. So I had to use the same password for all AP's and configure only one RADIUS client.

I am not satisfied with this solution - I mean, it does work... But I think about mangling packets from AP's and send it through VPN tunnel to the other site without IP's masquarading so I can have one RADIUS client per one device.