MikroTik only allows ONE IP for RADIUS authentication.
Secondary IPs are ONLY for failover.
Is it possible to add a feature so that more than 1 RADIUS server can be added for NOT FAILOVER purposes?
So that it authenticates round-robin.
e.g.
RADIUS 10.0.0.1 ISP1
RADIUS 10.0.0.2 ISP2
RADIUS 10.0.0.3 ISP3
user@isp3.com authenticates, first checks at ISP1 (10.0.0.1) .. fails after (X ms)
user@isp3.com authenticates, checks at ISP2 (10.0.0.2) .. fails after (X ms)
user@isp3.com authenticates, checks at ISP2 (10.0.0.3) .. successful.
This will be a great feature for 3rd world countries where multiple ISPs share ONE MikroTik network, but each of them wants to use their own physical RADIUS server such as Userman/RBM, etc.
That would be done better with huntgroups, I think. Basically you’d be able to say that everything for realm or domain isp3.com should go to a specific RADIUS server. That way the other RADIUS server instances don’t have to send an ACCESS-REJECT.
Usually you would do this using Radius-Proxy. One RADIUS server will get the request, and forward it to other RADIUS servers based on things like a postfix/prefix or the like.
So requests for ...@isp1.com could be forwarded to a RADIUS server at IP a.b.c.d, while requests for ...@isp2.com would go to a RADIUS server at IP e.f.g.h.
I have 2 RADIUS servers set up on one router for authenticating PPP connections to different servers. One server for OpenVPN/FreeRADIUS and one to Windows AD for PPTP.
Works like a champ.
EDIT: ^^^ What he said. That is the proper way to use RADIUS.
EDIT2: But you don't even need a separate RADIUS server for it. Just specify the domain/realm in the RADIUS configuration to auth anyone with @domain.com to that specific server. Or, have 2 servers set up with the same domain/realm for failover.
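
The realm-based selection the replies describe, next to the "try each server in turn" scheme from the original post, as an added example that is not part of the thread and is not RouterOS or FreeRADIUS code. The function names, the mapping of isp1.com/isp2.com/isp3.com to the thread's three addresses, and the failover address 10.0.0.13 are assumptions made for illustration.

```python
# Added example: realm-based RADIUS server selection (illustrative logic only).

# Realm table built from the thread's addresses (assumed mapping).
# 10.0.0.13 is a constructed failover server for isp3.com.
REALM_TABLE = {
    "isp1.com": ("10.0.0.1",),
    "isp2.com": ("10.0.0.2",),
    "isp3.com": ("10.0.0.3", "10.0.0.13"),
}

def split_realm(user_name):
    """Return (user, realm) for 'user@realm' (suffix) or 'REALM\\user' (prefix)."""
    if "@" in user_name:
        # Split on the last '@' so a local part containing '@' stays intact.
        user, _, realm = user_name.rpartition("@")
    elif "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    else:
        return user_name, None
    realm = realm.strip().rstrip(".").lower()
    return user, (realm or None)

def select_servers(user_name, table=REALM_TABLE):
    """Servers that should receive this request, in failover order.

    A missing or unknown realm yields an empty tuple: reject locally and
    forward the request to nobody.
    """
    _, realm = split_realm(user_name)
    return table.get(realm, ()) if realm else ()

def sequential_exposure(user_name, table=REALM_TABLE):
    """Servers that see the request when each ISP is tried in turn, as in
    the original post: every primary up to and including the owner's."""
    _, realm = split_realm(user_name)
    seen = []
    for table_realm, servers in table.items():
        seen.append(servers[0])
        if table_realm == realm:
            break
    return seen

if __name__ == "__main__":
    print(select_servers("user@isp3.com"))       # only isp3.com's servers
    print(sequential_exposure("user@isp3.com"))  # all three ISPs see the attempt
```

With realm selection only the owning ISP's servers receive the subscriber's authentication attempt; the sequential scheme hands it to every other ISP's server first and relies on each to reject it.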