Hi all,
I'd like to share a small open-source project that might be useful for those running Keycloak as their identity provider alongside MikroTik routers.
keyrad is a standalone RADIUS server written in Go — not a wrapper around FreeRADIUS, but a native RADIUS implementation. It authenticates users directly against Keycloak using JWT access tokens and maps roles, groups, and scopes to RADIUS attributes, including Vendor-Specific Attributes (VSA).
For MikroTik setups this means you can, for example:
- Assign Mikrotik-Group (vendor 14988, attr 3) based on Keycloak roles
- Set Mikrotik-Rate-Limit (attr 8) dynamically per user group
- Use regex matching for group rules (e.g. re:^vpn_.*)
- Standard attributes like Service-Type, Framed-IP, Filter-Id work as well
Typical use cases: WPA2-Enterprise WiFi, VPN gateway auth, hotspot login — all driven by your existing Keycloak instance, no additional user database needed.
Note: MikroTik-specific VSA support is implemented but has not yet been extensively tested against real MikroTik hardware. Feedback from the community on this would be very welcome.
Version 2.0 was just released.
Feedback and contributions welcome. Happy to answer questions!
Cheers,
Marco
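
As an added illustration of the mapping described in the post (not keyrad's own code): a Go sketch that matches Keycloak role names against rules, including the `re:` prefix form, and encodes the result as a MikroTik Vendor-Specific Attribute using the RFC 2865 layout. The `Rule` type, the function names and the sample roles and values are assumptions made for this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"regexp"
	"strings"
)
const vendorSpecific, mikrotikVendor = 26, 14988 // VSA type (RFC 2865); vendor ID from the post

// Rule is a hypothetical mapping entry, not keyrad's configuration schema.
type Rule struct {
	Match, Value string // Match: exact role name, or "re:" followed by a regex
	Attr         byte   // vendor attribute number: 3 = Mikrotik-Group, 8 = Mikrotik-Rate-Limit
}

// matches fails closed on a bad regex; MatchString is unanchored, so anchor patterns with ^ and $.
func matches(pattern, role string) bool {
	if strings.HasPrefix(pattern, "re:") {
		re, err := regexp.Compile(strings.TrimPrefix(pattern, "re:"))
		return err == nil && re.MatchString(role)
	}
	return pattern == role
}

// EncodeVSA lays out: type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) value.
func EncodeVSA(vendor uint32, attr byte, value string) ([]byte, error) {
	if len(value) > 255-8 { // the one-byte length field caps the whole attribute at 255
		return nil, fmt.Errorf("value of %d bytes does not fit one VSA", len(value))
	}
	b := []byte{vendorSpecific, byte(8 + len(value)), 0, 0, 0, 0, attr, byte(2 + len(value))}
	binary.BigEndian.PutUint32(b[2:6], vendor)
	return append(b, value...), nil
}

// FirstMatch returns the VSA for the first rule that any role satisfies, or nil if none does.
func FirstMatch(rules []Rule, roles []string) ([]byte, error) {
	for _, r := range rules {
		for _, role := range roles {
			if matches(r.Match, role) {
				return EncodeVSA(mikrotikVendor, r.Attr, r.Value)
			}
		}
	}
	return nil, nil
}

func main() { // constructed sample rule and role
	fmt.Println(FirstMatch([]Rule{{"re:^vpn_.*", "10M/10M", 8}}, []string{"vpn_staff"}))
}
```

Because the regex search is unanchored, a rule such as `re:vpn` would also match a role named `not_vpn_admin`; the `^` in the post's `re:^vpn_.*` example is what prevents that.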