Hi everyone,
I am wondering how to configure RouterOS 3.0 to route AAA requests to multiple radius servers based on the user prefix:
user@domain1.com ==> radius 1
user@domain2.com ==> radius 2
and so on…
Thanking you in advance,
Edd!
ROS cannot do that. You can just set up one of your RADIUS servers to redirect requests addressed to a different domain.
Thank you Chupaka for the swift reply!
I understand that I have to set up a radiusd as a distribution proxy that routes requests to subsequent ones. However, after the initial routing decision based on the suffix of the original request, will the communications keep flowing via the proxy radius or directly between the sub-radius and the NAS?
1- NAS sends user@domain1.com to the radius-proxy
2- The radius-proxy decides to forward the request to radius-domain1
3- Radius-domain1 talks directly to the NAS or all traffic keeps flowing via the radius-proxy?
Edd!
Of course, all traffic flows via the proxy.
I do this. I don’t use the user@domain.com though, but I have tried it, and it does work. I use VAPs and assign a different hotspot/domain to each. I set the ‘/ip hotspot profile default-radius-domain’ to a unique domain name. Then enter multiple radius servers in the radius section and assign the domain name to the appropriate radius server.
But the docs say the way you want to do it will work too. Enter two radius servers in the radius section, then in the radius section, assign domain=domain1.com to one, and domain=domain2.com to the other.
Hi SurferTim,
I have tried to use the domain option as described in the reference manual but not a single request was sent to the second radius. I have monitored the traffic on both sides. I think the domain thing is limited to Hotspot scenarios.
Can you please detail the setup that you are using?
Thank you,
Edd!
Mine works fine. Just checked it. Ensure in your ‘/ip hotspot profile’ set split-user-domain=yes (default is no).
user@test1.com
and
user@test2.com
Both went to the correct radius server. (Different passwords).
ADD: You might want to go into your errors.txt file and edit the “RADIUS server not responding” message to something that indicates the user’s domain may be incorrect. That is the message you get if the domain is not in the ‘/radius domain’ list. I tried user@test3.com.
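The hotspot setup described in this thread, written out as an added example that is not part of any original post. The 192.0.2.x addresses, the secrets and the profile name `hsprof1` are constructed placeholders; `domain=`, `split-user-domain` and the domain names come from the posts above.

```routeros
# Constructed placeholders: server addresses, secrets and the profile name "hsprof1".
# One RADIUS entry per user domain, each with its own shared secret so that
# one server's secret does not authenticate packets for the other.
/radius
add service=hotspot address=192.0.2.11 secret=CHANGE-ME-1 domain=domain1.com
add service=hotspot address=192.0.2.12 secret=CHANGE-ME-2 domain=domain2.com

# Hotspot server profile: enable RADIUS and split user@domain logins
# (split-user-domain defaults to no, as noted in the thread).
/ip hotspot profile
set hsprof1 use-radius=yes split-user-domain=yes

# Review both entries and their domain values before testing logins.
/radius print detail

# Test one login per domain (user@domain1.com, user@domain2.com) and one with
# a domain that has no entry. Per the thread, the unlisted domain fails with
# "RADIUS server not responding", which can hide a mistyped domain.
```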