Radius with 2/more servers defined...

evert · December 3, 2004, 11:32am

Hi!

What if I define more than 1 radius server in Mikrotik, will it then try them in listed order and let the user on as long as 1 server says ‘yes’, or will ALL servers have to accept the user?

edzix · December 3, 2004, 12:15pm

radius clients have priorities in order they are listed. And if one of them accepts the user, no authentication will be done to another RADIUS server. Only if the first RADIUS server is down, the 2nd one will be asked to help.

Edgars

evert · December 3, 2004, 12:30pm

So if the first server is up but denies the user, then the 2nd server will not be tried?

edzix · December 3, 2004, 1:21pm

exactly!

Edgars

evert · December 3, 2004, 1:37pm

So if I want with RADIUS2 in case RADIUS1 doesn’t have the user in the database (the system here would be contacting different RADIUS servers with different databases), then this is not possible with Mikrotik?

edzix · December 3, 2004, 2:29pm

from MikroTik side - no, but from RADIUS server side probably possible (at least in Freeradius there is such a feature).

Edgars

YazzY · December 3, 2004, 4:23pm

You can make your radius server read from two different databases as well or make your database answer to two different radius servers or add new radiu server to the list of RouterOS and if the first one fails, the second one will be then asked for the same user.
Just like with local and remote (radius) users, if there is no local user, then the radius server is used for the lookup.
In case you have a local user, the radius lookup will be skipped.

mag · December 4, 2004, 8:06am

may be radius realms are the feature whats needed here: a radius can act as proxy for other realms.

it does not make sense to have different user databases on radius’es within the same realm.

regards.
matthias

evert · December 6, 2004, 8:56am

Well…

In my case it does. We have a system with a local RADIUS server for people who want to use their prepaid cards for Internet access. But we also have customers who should have access to our system because they’re a member of a certain organisation. These records are being kept by another/external RADIUS server.

Eugene · December 6, 2004, 9:02am

Then use RADIUS proxiing. FreeRADIUS has such feature:

Proxy or replicate the request to another RADIUS server, based on any criteria, not just ‘@realm’.

evert · December 6, 2004, 9:42am

Has XTradius also an option for this?

Eugene · December 6, 2004, 9:48am

AFAIK, yes.

mag · December 6, 2004, 10:23am

thats exactly what realms are good for.

it’s possible to use “realm” in a more extended view, i.e. /@
where and both could describe a particular realm, customer, organisation unit, etc.

regards.
matthias