RADIUS - /user aaa

Quick question…

I currently have multiple RADIUS servers set up for my network. I’d like to have my routers’ ACLs authenticated via the same servers. Is there a way to set up a user or group that is only allowed to authenticate with MikroTik devices with the RADIUS server set to “login”? What I’m trying to avoid is any user in the standard RADIUS database being able to access my routers.

I think I need to set up a separate RADIUS server and user database and proxy the requests to that new server from the existing server using REALMS, but I was wondering if there’s another way to do it without having to duplicate the server and user database.

It doesn’t look like there’s much I can specify on the RADIUS client to tell the server to only use a specific RADIUS user group.

Anyway - any suggestions are appreciated.

Yes, but it all really depends on the RADIUS configuration on the server. It’s fairly simple to tell on the server whether an Access-Request is an administrative login attempt or a user service login. Depending on the service you can tell by the Calling-Station-Id, or you can set up a realm or domain for the login RADIUS client instance like you described. Instead of proxying those requests to another server you can handle them on the same server and either use different data sources or define different queries against the same data sources that check additional parameters.
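As an added illustration (not code from either poster, and not FreeRADIUS configuration), here is a server-side policy sketch in Python that models the answer's suggestion: one shared user database, with the administrative-login path asking one extra question (group membership). The realm `routers`, the group `routeradmins`, the user records and the request attributes are constructed assumptions; the Service-Type value 6 is the standard Administrative-User code from RFC 2865.

```python
"""Policy sketch: gate router (RouterOS /user aaa) logins on a dedicated
group while ordinary service logins keep using the same user database.
Constructed example; attribute names follow the RADIUS dictionary."""
from dataclasses import dataclass
from typing import Optional

ADMINISTRATIVE_USER = 6      # RFC 2865 Service-Type: NAS administrative access
ADMIN_REALM = "routers"      # assumed realm appended by the login RADIUS client
ADMIN_GROUP = "routeradmins"  # assumed group that may log in to routers

# Constructed shared user database: user name -> set of groups.
USERS = {
    "alice": {"staff", ADMIN_GROUP},
    "bob": {"staff"},
    "guest1": {"hotspot"},
}

@dataclass
class AccessRequest:
    user_name: str
    nas_identifier: str
    service_type: Optional[int] = None
    calling_station_id: Optional[str] = None

def is_admin_login(req: AccessRequest) -> bool:
    """An Access-Request is treated as an administrative login if the NAS
    sent Service-Type = Administrative-User, or if the user name carries
    the realm reserved for the login client (e.g. alice@routers)."""
    if req.service_type == ADMINISTRATIVE_USER:
        return True
    _, _, realm = req.user_name.rpartition("@")
    return realm == ADMIN_REALM

def strip_realm(user_name: str) -> str:
    """Look users up by bare name so the realm adds no second database."""
    return user_name.split("@", 1)[0]

def authorize(req: AccessRequest) -> str:
    """Return 'Access-Accept' or 'Access-Reject'. Same data source for every
    service; only the admin path adds the group check."""
    groups = USERS.get(strip_realm(req.user_name))
    if groups is None:
        return "Access-Reject"
    if is_admin_login(req) and ADMIN_GROUP not in groups:
        return "Access-Reject"
    return "Access-Accept"

if __name__ == "__main__":
    print(authorize(AccessRequest("bob@routers", "rtr-core-1")))   # Access-Reject
    print(authorize(AccessRequest("alice@routers", "rtr-core-1"))) # Access-Accept
```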