Redundant RADIUS servers for authentication: bug???

Hello,
we use RADIUS features for wireless client authentication: station MACs are checked by RouterOS AP against a (single) configured RADIUS server, and everything works fine.

/radius add address=radius_server_ip1 secret=oursecret service=wireless

However, the RADIUS server is a single point of failure of our system. We have set up a redundant (additional, backup, secondary, … - call it as you like) RADIUS server and need to use it in APs.

When I simply add the server, hoping for some round-robin failover behavior, like:

/radius add address=radius_server_ip1 secret=oursecret service=wireless
/radius add address=radius_server_ip2 secret=oursecret service=wireless

in case the first server is unavailable, the clients are not authenticated until the first RADIUS server is disabled, i.e. until the operational RADIUS server becomes the first one in the server list.

I have found several discussions about this problem (see http://forum.mikrotik.com/t/secondary-radius-server/30238/1), but I don’t want to use such “ugly” scripts, because of poor maintenance and functionality: pinging the server does not mean that the RADIUS service is operational.

Q: Am I the only one who wants to have redundant RADIUS servers? Has anyone got it working somehow? Or is it just a RouterOS bug?

Thank you for any info.
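A RADIUS-level health check, added here as an example and not code from this thread or from MikroTik: a Status-Server probe (RFC 5997) in Python that counts a server as up only when the RADIUS daemon itself answers with a correctly authenticated Access-Accept, which is exactly what a ping cannot tell you. The host, UDP port 1812 and the shared secret are assumptions; the probe is meant to run from a monitoring host, not on the AP.

```python
import hashlib, hmac, os, socket, struct

STATUS_SERVER = 12   # Status-Server request code (RFC 5997)
ACCESS_ACCEPT = 2    # expected reply code from an authentication port
MSG_AUTH = 80        # Message-Authenticator attribute type (RFC 3579)

def build_status_server(secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Status-Server packet; the Message-Authenticator is mandatory here."""
    header = struct.pack("!BBH", STATUS_SERVER, ident, 20 + 18) + request_auth
    attr_head = struct.pack("!BB", MSG_AUTH, 18)
    # HMAC-MD5 over the whole packet with the attribute value zeroed
    mac = hmac.new(secret, header + attr_head + bytes(16), hashlib.md5).digest()
    return header + attr_head + mac

def message_authenticator_ok(secret: bytes, pkt: bytes) -> bool:
    """What a server checks before answering (single trailing attribute assumed)."""
    if len(pkt) != 38 or pkt[20] != MSG_AUTH or pkt[21] != 18:
        return False
    mac = hmac.new(secret, pkt[:22] + bytes(16), hashlib.md5).digest()
    return hmac.compare_digest(mac, pkt[22:])

def response_authenticator(secret: bytes, request_auth: bytes, code: int,
                           ident: int, attrs: bytes = b"") -> bytes:
    """RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def verify_response(secret: bytes, request_auth: bytes, ident: int, reply: bytes) -> bool:
    """Accept only a well-formed Access-Accept tied to our request and secret."""
    if len(reply) < 20:
        return False
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply) or code != ACCESS_ACCEPT:
        return False
    expected = response_authenticator(secret, request_auth, code, rid, reply[20:])
    return hmac.compare_digest(expected, reply[4:20])

def probe(host: str, secret: bytes, port: int = 1812, timeout: float = 2.0) -> bool:
    """True only if the RADIUS service itself answered with a valid Access-Accept."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_status_server(secret, ident, request_auth), (host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:   # ICMP may still work while the daemon is dead
            return False
    return verify_response(secret, request_auth, ident, reply)
```

Calling `probe("192.0.2.10", b"oursecret")` (hypothetical address and secret) returns False on timeout, on a reply for another request ID, or on a reply signed with a different secret, so a monitoring job can switch the AP's server list only when the real service is gone.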

Try using an FQDN instead of an IP address for the RADIUS server. You can then assign the same FQDN in DNS to multiple IPs, which will result in round-robin load balancing of authentication traffic. If one of the servers goes down, traffic should simply redirect to the one that's still online.

Of course, this assumes that ROS will accept a hostname instead of an IP address... I'm not sure if it does or not, but it might be worth a try. As long as you keep your RADIUS servers in sync, you shouldn't run into any issues.

We have redundant RADIUS for dhcp and hotspot working exactly as you detailed. If you look at the output of “/radius monitor” for each server, are you seeing requests increment on the secondary when the primary is offline?

RouterOS does not store a hostname for that configuration field. This results in a lot of people writing, and rewriting, scripts to periodically resolve the hostname and update the configuration field.

Good to know!