Radius Public IP address

RouterOS General
1

Hi all,

I have a core router setup to use radius and the usermanager of routeros. Currently, everything is working fine in-network but the radius and usermanager is set to use 127.0.0.1 as the ip addresses of the radius and usermanager.

I have a satellite network that I would like to redirect to the radius/usermanager of the core router. The two networks are physically separated and the radius requests have to go over the internet.

I have setup a log and have been trying to get the radius to respond to requests but I keep getting the RADIUS is not responding error. In the firewall log, I can see the request come in pointing to the public ip of the router and going to port 1812 but I see no response going out.

Direct questions: Do I have to put the ip address of the radius and usermanager router to the public ip address of the core router for it to respond? Could I leave the 127 entries and just add a secondary entry using the public ip address?

Vague question: Do this seem like a firewall issue or a routing issue?
Looking for where to focus my searching for what might be blocking response requests.

2

I’ve never used user manager, but speaking for RADIUS in general - the service needs to know that the remote NAS is a valid configured RADIUS client. Usually you have to specify either the remote machine’s specific IP address or a range of IP addresses, and a RADIUS secret that the client/server will use when communicating.

Make sure that you’ve provisioned this remote client in userman.

Then make sure that you don’t have any outbound filter rules or packet marking mangle rules which would prevent the replies from being sent to the NAS. If the rules look good, then increase the debugging level in your logs for user manager, and see if any hints can be found in the logs.

3

Thank you ZeroByte! I was thinking about the radius address backwards. I was thinking the address was where the radius server was located not which radius client to talk with. Sometimes it hard to decipher the mikrotik wiki entries. It now seems to be working.