evert
Member Candidate
Topic Author
Posts: 130
Joined: Thu Jul 15, 2004 3:06 pm
Location: Sarpsborg, Norway

Radius with 2/more servers defined...

Fri Dec 03, 2004 1:32 pm

Hi!

What if I define more than 1 radius server in Mikrotik, will it then try them in listed order and let the user on as long as 1 server says 'yes', or will ALL servers have to accept the user?
Regards,
Evert
 
edzix
Member
Posts: 335
Joined: Thu Jul 01, 2004 3:01 pm
Location: Latvia

Fri Dec 03, 2004 2:15 pm

radius clients have priorities in order they are listed. And if one of them accepts the user, no authentication will be done to another RADIUS server. Only if the first RADIUS server is down, the 2nd one will be asked to help.

Edgars
 
evert

Fri Dec 03, 2004 2:30 pm

edzix wrote: "Only if the first RADIUS server is down, the 2nd one will be asked to help."

So if the first server is up but denies the user, then the 2nd server will not be tried?
Regards,
Evert
 
edzix

Fri Dec 03, 2004 3:21 pm

exactly!

Edgars
 
evert

Fri Dec 03, 2004 3:37 pm

So if I want to try with RADIUS2 in case RADIUS1 doesn't have the user in the database (the system here would be contacting different RADIUS servers with different databases), then this is not possible with Mikrotik?
Regards,
Evert
 
edzix

Fri Dec 03, 2004 4:29 pm

from MikroTik side - no, but from RADIUS server side probably possible (at least in Freeradius there is such a feature).

Edgars
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Fri Dec 03, 2004 6:23 pm

You can make your radius server read from two different databases as well, or make your database answer to two different radius servers, or add a new radius server to the list of RouterOS, and if the first one fails, the second one will then be asked for the same user.
Just like with local and remote (radius) users, if there is no local user, then the radius server is used for the lookup.
In case you have a local user, the radius lookup will be skipped.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Sat Dec 04, 2004 10:06 am

maybe radius realms are the feature that's needed here: a radius can act as a proxy for other realms.

it does not make sense to have different user databases on radiuses within the same realm.

regards.
   matthias
 
evert

Mon Dec 06, 2004 10:56 am


mag wrote: "it does not make sense to have different user databases on radius'es within the same realm."

Well... 8)

In my case it does. We have a system with a local RADIUS server for people who want to use their prepaid cards for Internet access. But we also have customers who should have access to our system because they're a member of a certain organisation. These records are being kept by another/external RADIUS server.
Regards,
Evert
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Mon Dec 06, 2004 11:02 am

Then use RADIUS proxying. FreeRADIUS has such a feature:

"Proxy or replicate the request to another RADIUS server, based on any criteria, not just '@realm'."

Everyone has the right to life, liberty and security of person.
 
evert

Mon Dec 06, 2004 11:42 am

Has XTradius also an option for this?
Regards,
Evert
 
Eugene

Mon Dec 06, 2004 11:48 am

AFAIK, yes.
 
mag

Mon Dec 06, 2004 12:23 pm

evert wrote: "... We have a system with a local RADIUS server for people who want to use their prepaid cards for Internet access. But we also have customers who should have access to our system because they're a member of a certain organisation. These records are being kept by another/external RADIUS server."

that's exactly what realms are good for.

it's possible to use "realm" in a more extended view, i.e. <prefix>/<user>@<realm>
where <prefix> and <realm> both could describe a particular realm, customer, organisation unit, etc.

regards.
   matthias
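
An added example, not code from any poster in the thread and not RouterOS or FreeRADIUS code: a small Python model of the behaviour described above, where the NAS moves to the next listed server only when one does not answer, next to the server-side fix, a proxy that picks the user database by realm or prefix. Server names, realms and credentials are constructed, and stripping the realm before forwarding is an assumption of the model.

```python
# Added illustration: names, realms and credentials are constructed sample data.
ACCEPT, REJECT, NO_REPLY = "Access-Accept", "Access-Reject", None

def nas_authenticate(servers, identity, password):
    """NAS behaviour as described in the thread: ask the servers in listed
    order; the first reply (accept or reject) is final, and only a server
    that does not answer makes the NAS move on to the next one."""
    for name, server in servers:
        reply = server(identity, password)
        if reply is not NO_REPLY:
            return name, reply
    return None, REJECT  # no server answered, so the user is not let in

def split_realm(identity):
    """Split <prefix>/<user>@<realm>; prefix and realm are both optional."""
    prefix, slash, rest = identity.partition("/")
    if not slash:
        prefix, rest = "", identity
    user, at, realm = rest.rpartition("@")
    if not at:
        user, realm = rest, ""
    return prefix, user, realm.lower()

def make_db_server(db, up=True):
    """A RADIUS server backed by one user database (dict of user -> secret)."""
    def server(identity, password):
        if not up:
            return NO_REPLY
        return ACCEPT if identity in db and db[identity] == password else REJECT
    return server

def make_proxy(local, routes):
    """Front-end server that picks the backend by realm, then by prefix, and
    falls back to the local database. Stripping the realm before forwarding
    is an assumption of this model."""
    def server(identity, password):
        prefix, user, realm = split_realm(identity)
        backend = routes.get(realm) or routes.get(prefix) or local
        return backend(user, password)
    return server

prepaid = make_db_server({"card1001": "pin-a"})   # local prepaid-card users
members = make_db_server({"anna": "pw-b"})        # external organisation users
two_listed = [("radius1", prepaid), ("radius2", members)]
proxied = [("proxy", make_proxy(prepaid, {"org.example": members}))]

if __name__ == "__main__":
    print(nas_authenticate(two_listed, "anna", "pw-b"))           # radius1 rejects
    print(nas_authenticate(proxied, "anna@org.example", "pw-b"))  # proxy accepts
```

With two servers listed on the NAS, the organisation member is rejected by the first server and the second is never asked; behind the proxy the same user is routed to the right database by realm.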
