User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers. As a separate package, User Manager is available on all architectures including SMIPS, however care must be taken due to limited free space available. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP, Wireless are features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using WEB interface. Additionally, users are able buy their own data plans (profiles) using the most popular payment gateway - PayPal making it a great system for service providers. Customized reports can be generated to ease processing by billing department. User Manager works according to RADIUS standard defined in RFC2865 and RFC3579.


RADIUS attributes are defined authorization, information and configuration parameters that are passed between the RADIUS server and client. User Manager allows sending customized attributes defined in "attributes" menu. RouterOS has a set of predefined attributes already present, but it is also possible to add additional attributes if necessary. Predefined attributes:

AttributeVendor IDType IDValue typePacket typeDescription


0 (standard)8ip addressAccess-AcceptRFC2865 section 5.8


0 (standard)9ip addressAccess-AcceptRFC2865 section 5.9


0 (standard)27integerAccess-Accept, Access-ChallengeRFC2865 section 5.27


0 (standard)28integerAccess-Accept, Access-ChallengeRFC2865 section 5.28


0 (standard)64
1Point-to-Point Tunneling Protocol (PPTP)
2Layer Two Forwarding (L2F)
3Layer Two Tunneling Protocol (L2TP)
4Ascend Tunnel Management Protocol (ATMP)
5Virtual Tunneling Protocol (VTP)
6IP Authentication Header in the Tunnel-mode (AH)
7IP-in-IP Encapsulation (IP-IP)
8Minimal IP-in-IP Encapsulation (MIN-IP-IP)
9IP Encapsulating Security Payload in the Tunnel-mode (ESP)
10Generic Route Encapsulation (GRE)
11Bay Dial Virtual Services (DVS)
12IP-in-IP Tunneling
Access-AcceptRFC2868 section 3.1


0 (standard)65
1IPv4 (IP version 4)
2IPv6 (IP version 6)
4HDLC (8-bit multidrop)
5BBN 1822
6802 (includes all 802 media plus Ethernet "canonical format")
7E.163 (POTS)
8E.164 (SMDS, Frame Relay, ATM)
9F.69 (Telex)
10X.121 (X.25, Frame Relay)
13Decnet IV
14Banyan Vines
15E.164 with NSAP format subaddress
Access-AcceptRFC2868 section 3.2


0 (standard)81stringAccess-AcceptRFC2868 section 3.6


0 (standard)88stringAccess-AcceptRFC2869 section 5.18
Framed-IPv6-Prefix0 (standard)97ipv6 prefixAccess-AcceptRFC3162 section 2.3


0 (standard)100stringAccess-AcceptRFC3162 section 2.6


0 (standard)123ipv6 prefixAccess-AcceptRFC4818
Framed-IPv6-Address0 (standard)168ip addressAccess-AcceptRFC6911 section 3.1
Mikrotik-Recv-Limit14988 (Mikrotik)1integerAccess-AcceptTotal receive limit in bytes for the client.
Mikrotik-Xmit-Limit14988 (Mikrotik)2integerAccess-AcceptTotal transmit limit in bytes for the client.
Mikrotik-Group14988 (Mikrotik)3stringAccess-Accept

User's group for local users.

HotSpot profile for HotSpot users.

PPP profile for PPP users.

Mikrotik-Wireless-Forward14988 (Mikrotik)4integerAccess-AcceptNot forward the client's frames back to the wireless infrastructure if this attribute is set to "0" (wireless only).
Mikrotik-Wireless-Skip-Dot1x14988 (Mikrotik)5integerAccess-AcceptDisable 802.1x authentication for the particular wireless client if set to non-zero value (wireless only).
Mikrotik-Wireless-Enc-Algo14988 (Mikrotik)6
Access-AcceptWEP encryption algorithm( wireless only).
Mikrotik-Wireless-Enc-Key14988 (Mikrotik)7stringAccess-AcceptWEP encryption key for the client (wireless only).
Mikrotik-Rate-Limit14988 (Mikrotik)8stringAccess-AcceptDatarate limitation for clients. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is as tx-rate too. Same goes for tx-burst-rate and tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate is used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority, but 8 - the lowest. If rx-rate-min and tx-rate-min are not specified rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values. 
Mikrotik-Realm14988 (Mikrotik)9stringAccess-RequestIf it is set in /radius menu, it is included in every RADIUS request as Mikrotik-Realm attribute. If it is not set, the same value is sent as in MS-CHAP-Domain attribute (if MS-CHAP-Domain is missing, Realm is not included neither).
Mikrotik-Host-IP14988 (Mikrotik)10ip addressAccess-RequestIP address of HotSpot client before Universal Client translation (the original IP address of the client).
Mikrotik-Mark-Id14988 (Mikrotik)11stringAccess-AcceptFirewall mangle chain name (HotSpot only). The MikroTik RADIUS client upon receiving this attribute creates a dynamic firewall mangle rule with action=jump chain=hotspot and jump-target equal to the attribute value. Mangle chain name can have suffixes .in or .out, that will install rule only for incoming or outgoing traffic. Multiple Mark-id attributes can be provided, but only last ones for incoming and outgoing is used. 
Mikrotik-Advertise-URL14988 (Mikrotik)12stringAccess-AcceptURL of the page with advertisements that should be displayed to clients. If this attribute is specified, advertisements are enabled automatically, including transparent proxy, even if they were explicitly disabled in the corresponding user profile. Multiple attribute instances may be send by RADIUS server to specify additional URLs which are chosen in round robin fashion.
Mikrotik-Advertise-Interval14988 (Mikrotik)13integerAccess-AcceptTime interval between two adjacent advertisements. Multiple attribute instances may be send by RADIUS server to specify additional intervals. All interval values are treated as a list and are taken one-by-one for each successful advertisement. If end of list is reached, the last value is continued to be used.
Mikrotik-Recv-Limit-Gigawords14988 (Mikrotik)14integerAccess-Accept4G (2^32) bytes of total receive limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit).
Mikrotik-Xmit-Limit-Gigawords14988 (Mikrotik)15integerAccess-Accept4G (2^32) bytes of total transmit limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit).
Mikrotik-Wireless-PSK14988 (Mikrotik)16stringAccess-Accept
Mikrotik-Total-Limit14988 (Mikrotik)17integerAccess-Accept
Mikrotik-Total-Limit-Gigawords14988 (Mikrotik)18integerAccess-Accept
Mikrotik-Address-List14988 (Mikrotik)19stringAccess-Accept
Mikrotik-Wireless-MPKey14988 (Mikrotik)20stringAccess-Accept
Mikrotik-Wireless-Comment14988 (Mikrotik)21stringAccess-Accept
Mikrotik-Delegated-IPv6-Pool14988 (Mikrotik)22stringAccess-AcceptIPv6 pool used for Prefix Delegation.
Mikrotik-DHCP-Option-Set14988 (Mikrotik)23stringAccess-Accept
Mikrotik-DHCP-Option-Param-STR114988 (Mikrotik)24stringAccess-Accept
Mikrotik-DHCP-Option-Param-STR214988 (Mikrotik)25stringAccess-Accept
Mikrotik-Wireless-VLANID14988 (Mikrotik)26integerAccess-AcceptVLAN ID for the client (Wireless only).
Mikrotik-Wireless-VLANIDtype14988 (Mikrotik)27
Access-AcceptVLAN ID type for the client (Wireless only). 
Mikrotik-Wireless-Minsignal14988 (Mikrotik)28stringAccess-Accept
Mikrotik-Wireless-Maxsignal14988 (Mikrotik)29stringAccess-Accept
Mikrotik-Switching-Filter14988 (Mikrotik)30stringAccess-AcceptAllows to create dynamic switch rules when authenticating clients with dot1x server.


name (string; Default: )Name of the attribute.
packet-types (string; Default: access-accept)
  • access-accept - use this attribute in RADIUS Access-Accept messages
  • access-challenge - use this attribute in RADIUS Access-Challenge messages
type-id (integer:1..255; Default: )Attribute identification number from the specific vendor's attribute database.
value-type (string; Default: )
  • hex
  • ip-address - IPv4 or IPv6 IP address
  • ip6-prefix - IPv6 prefix
  • macro
  • string
  • uint32
vendor-id (integer; Default: 0)IANA allocated specific enterprise identification number.


All RADIUS related information is stored in a separate User Manager's database configurable under the "database" sub-menu. "Enabled" and "db-path" are the only parameters that are not stored in User Manager's database and are stored in main RouterOS configuration table meaning that these parameters will be affected by RouterOS configuration reset. The rest of the configuration, session and payment data is stored in a separate SQLite database on devices FLASH storage. When performing any actions with databases, it is advised to make backup before and after any activity.


db-path (string; Default: )Path to location where database files will be stored.

Read-only properties

db-sizeCurrent size of the database.
free-disk-spaceFree space left on the disk where database is stored.


load (name)Restore previously created backup file in .umb format.
migrate-legacy-db (database-path; overwrite)Convert old User Manager (from RouterOS v6 or before) to new standard. It is possible to overwrite current database.
optimize-db ()
save (name; overwrite)Save current state of the User Manager database.








coa-port (integer:1..65535; Default: 3799)Port number of CoA (Change of Authorization) communication.
address (IP/IPv6; Default: )IP address of the RADIUS client.
comment (string; Default: )Short description of the peer.
disabled (yes | no; Default: no)Controls whether the entry is currently active or not.
name (string; Default: )Unique name of the RADIUS client.
shared-secret (string; Default: )Used to secure communication between a RADIUS server and a RADIUS client.


reset-counters ()Clear all statistics for specific RADIUS client.




WEB Interface

Each user has access to his personal profile using a WEB interface. The WEB interface can be accessed by adding "/um/" directory to router's IP or domain, for example, http://router.ip/um/. Note that the WEB interface is affected by IP Services "www" and "www-ssl". The WEB interface can be customized using CSS, JavaScript and HTML.

Customizable file reference


  • No labels