vanikcz
newbie
Topic Author
Posts: 36
Joined: Wed Oct 14, 2015 11:06 pm

Multiple RADIUS servers

Tue Jun 08, 2021 1:14 am

Hi there,
I have following scenario:
Multiple Microsoft Active Directory forests behind one MikroTik router. Each forest is in its own segment. Each forest has its own directory servers with the NPS role (RADIUS server) installed. Is there any chance to have multiple RADIUS servers defined in MikroTik to use with L2TP VPN from different domains?
I know multiple RADIUS servers can be added for resiliency reasons, but can I segment them based on the domain of the user?

Best Regards, Jan
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Multiple RADIUS servers

Tue Jun 08, 2021 1:50 am

You can add various RADIUS servers, but only one can be used for each service.

The single services supported are:
dhcp dot1x hotspot ipsec login ppp wireless
 
vanikcz
newbie
Topic Author
Posts: 36
Joined: Wed Oct 14, 2015 11:06 pm

Re: Multiple RADIUS servers

Tue Jun 08, 2021 10:13 am

> You can add various RADIUS servers, but only one can be used for each service.
>
> The single services supported are:
> dhcp dot1x hotspot ipsec login ppp wireless

Thank you. It would be nice if I could authenticate user@domain.one against the domain.one RADIUS server and user@domain.two against the domain.two RADIUS server.

The only solution for now is to create users manually and sync passwords from outside the router, am I right?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Multiple RADIUS servers

Tue Jun 08, 2021 11:53 am

Install FreeRADIUS on a local machine and configure it as a proxy server to direct requests to the appropriate NPS instance based on the request realm.
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Multiple RADIUS servers

Thu Jun 10, 2021 12:43 am

I think you can use the "domain" property on the radius client for that. Create one radius client for each domain you have.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Multiple RADIUS servers

Thu Jun 10, 2021 1:21 am

It probably needs some testing - it isn't clear if that setting adds a realm / user domain if none is present in the username, and/or will direct requests for a realm / user domain to a particular server.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Multiple RADIUS servers

Thu Jun 10, 2021 4:10 am

> It probably needs some testing - it isn't clear if that setting adds a realm / user domain if none is present in the username, and/or will direct requests for a realm / user domain to a particular server.

It adds it as an extra domain attribute for Windows servers that require domain validation (from the wiki).

The best bet is to run a proxy RADIUS that can read and split based on realm. FreeRADIUS should be a quick and easy one to get going.

Mikrotik -> FreeRADIUS ---^v> Multiple NPS based on realm.
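For readers who want to see what the realm-splitting proxy that tdw and joegoldman describe looks like in practice, here is an added FreeRADIUS 3.x configuration sketch. It is not taken from the thread or from the FreeRADIUS project's shipped files; the realm names domain.one and domain.two come from the thread, while every address and shared secret is a placeholder to be replaced.

```conf
# --- clients.conf: the MikroTik router is the only NAS allowed to talk to the proxy
client mikrotik {
    ipaddr   = 192.0.2.1                 # placeholder: router address
    secret   = ROUTER_SHARED_SECRET      # placeholder: same value as on /radius add
    nas_type = other
}

# --- proxy.conf: one home server per NPS instance, one pool per forest
home_server nps_domain_one {
    type   = auth
    ipaddr = 10.1.0.10                   # placeholder: NPS in forest domain.one
    port   = 1812
    secret = NPS_ONE_SHARED_SECRET       # placeholder: must match the RADIUS client entry on that NPS
}

home_server nps_domain_two {
    type   = auth
    ipaddr = 10.2.0.10                   # placeholder: NPS in forest domain.two
    port   = 1812
    secret = NPS_TWO_SHARED_SECRET       # placeholder
}

home_server_pool pool_domain_one {
    type        = fail-over              # a second home_server line here would give resiliency
    home_server = nps_domain_one
}

home_server_pool pool_domain_two {
    type        = fail-over
    home_server = nps_domain_two
}

# The realm is taken from the User-Name by the "suffix" module (user@domain.one)
# or the "ntdomain" module (DOMAIN\user); both must be listed in the authorize
# section of the site. The default site enables suffix and leaves ntdomain
# commented out.
realm domain.one {
    auth_pool = pool_domain_one
    nostrip                              # forward the full user@domain.one so NPS sees the UPN
}

realm domain.two {
    auth_pool = pool_domain_two
    nostrip
}

# A realm with no pool is local: requests for an unknown realm are not proxied
# anywhere and fail unless a local user exists.
realm DEFAULT {
}
```

On the router, the service then points at the proxy instead of at an NPS directly, e.g. `/radius add service=ppp address=<proxy address> secret=ROUTER_SHARED_SECRET`. Two consequences worth planning for: each NPS must have a RADIUS client entry for the proxy's address (it no longer sees the router), and with `nostrip` the NPS connection request policies match on the full user@domain form, which is also the only form almdandi reports working for IKEv2 further down the thread.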
 
almdandi
Frequent Visitor
Posts: 64
Joined: Sun May 03, 2015 5:22 pm

Re: Multiple RADIUS servers

Thu Jun 10, 2021 9:06 pm

The realm field adds an attribute (MT-Realm). I'm not 100% sure if the domain field adds a RADIUS attribute. RouterOS automatically adds an "MS-CHAP-Domain" attribute if it discovers a domain in the username.

For PPP connections both styles, domain\username and username@domain, work. For IKEv2 only username@domain works. I opened a support ticket and they said they will fix it in the next beta release, but 6.49beta46 did not fix the problem.
 
millenium7
Long time Member
Posts: 538
Joined: Wed Mar 16, 2016 6:12 am

Re: Multiple RADIUS servers

Fri Jun 11, 2021 8:33 am

> You can add various RADIUS servers, but only one can be used for each service.
>
> The single services supported are:
> dhcp dot1x hotspot ipsec login ppp wireless
>
> Thank you. It would be nice if I could authenticate user@domain.one against the domain.one RADIUS server and user@domain.two against the domain.two RADIUS server.
>
> The only solution for now is to create users manually and sync passwords from outside the router, am I right?

Ummm.... you can. We did this when we acquired another company, so we could steer all RADIUS auth requests from the old company to the old server whilst we migrated them over to our infrastructure.

I can't remember if it was the 'domain' or the 'realm' field, but it acts like a filter.
If you enter "domain.one" (or maybe "@domain.one") it will only match when that is the domain.
