Multiple RADIUS servers

vanikcz · June 7, 2021, 10:14pm

Hi there,
I have following scenario:
Multiple Microsoft Active Directory forests behind one Mikrotik router. Each forest in its own segment. Each forest is having its own Directory servers with NPS role (RADIUS server) installed. Is there any chance to have multiple RADIUS servers defined in Mikrotik to use with L2TP VPN from different domains?
I know the multiple radius servers can be added for resiliency reasons, but can I segment it based on domain of user?

Best Regards, Jan

rextended · June 7, 2021, 10:50pm

You can add various RAID server, but only one can be used for each service.

The single services supported are:
dhcp dot1x hotspot ipsec login ppp wireless

vanikcz · June 8, 2021, 7:13am

Thank you, It would be nice if I can authenticate user@domain.one against domain.one RADIUS server, user@domain.two against domain.two RADIUS server.

The only solution for now is to create users manually and sync passwords from oustide the router, am I right?

tdw · June 8, 2021, 8:53am

Install FreeRADIUS on a local machine, configure as a proxy server to direct requests to the appropriate NPS instance based on the request realm

almdandi · June 9, 2021, 9:43pm

I think you can use the “domain” property on the radius client for that. Create one radius client for each domain you have.

tdw · June 9, 2021, 10:21pm

It probably needs some testing - it isn’t clear if that setting adds a realm / user domain if none is present in the username, and/or will direct requests for a realm / user domain to a particular server.

joegoldman · June 10, 2021, 1:10am

It adds it as an extra domain attribute for Windows servers that require domain validation (from the wiki)

The best bet is to run a proxy radius that can read and split based on realm. FreeRADIUS should be a quick and easy one to get going

Mikrotik → FreeRADIUS —^v> Multiple NPS based on realm.

almdandi · June 10, 2021, 6:06pm

the realm field adds an attribute (MT-Realm). I’m not 100% sure if the domain field adds a radius attribute. RouterOS automatically adds a “MS-CHAP-Domain” attribute if it discovers a domain in the username.

For ppp connections both styles domain/username and username@domain works. For IKEv2 only username@domain works. I opened a support ticket and they said they will fix it in the next beta release but 6.49beta46 did not fix the problem.

millenium7 · June 11, 2021, 5:33am

Ummm.... you can. We did this when we acquired another company, so we could steer all RADIUS auth requests from old company to the old server whilst we migrated them over to our infrastructure

I can't remember if it was the 'domain' or the 'realm' field, but it acts like a filter
If you enter "domain.one" (or maybe "@domain.one" it will only match when that is the domain