Overview

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better tracking of system users and customers. As a separate package, User Manager is available on all architectures except SMIPS, however, care must be taken due to limited free space available. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS, and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP, and Wireless are features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the WEB interface. Additionally, users can buy their own data plans (profiles) using the most popular payment gateway - PayPal making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to RADIUS standards defined in RFC2865 and RFC3579.

Attributes

Sub-menu: /user-manager attribute

RADIUS attributes are defined authorization, information, and configuration parameters that are passed between the RADIUS server and the client. User Manager allows sending customized attributes defined in the "attributes" menu. RouterOS has a set of predefined attributes already present, but it is also possible to add additional attributes if necessary. Predefined attributes:

Properties

Database

Sub-menu: /user-manager database

All RADIUS-related information is stored in a separate User Manager's database configurable under the "database" sub-menu. "Enabled" and "db-path" are the only parameters that are not stored in the User Manager's database and instead are stored in the main RouterOS configuration table meaning that these parameters will be affected by the RouterOS configuration reset. The rest of the configuration, session, and payment data is stored in a separate SQLite database on the FLASH storage of the device. When performing any actions with databases, it is advised to make a backup before and after any activity.

Properties

Read-only properties

Commands

Limitations

Sub-menu: /user-manager limitation

Limitations are used by Profiles and are linked together by Profile-Limitations. RADIUS accounting and Interim updates must be enabled to seamlessly switch between multiple limitations or disconnect active sessions when download-limit, upload-limit or uptime-limit is reached.

To disconnect already active sessions from User Manager, accept must be set to yes on the RADIUS client side. If simultaneous session limits are not unlimited (shared-users) and it has reached the maximum allowed number, then the router will try to disconnect the older user session first.

User-Manager attempts to disconnect an active session before a new user will be accepted (when the appropriate limit is set), that's why in such setups it is suggested to use 1s for /radius client timeout.

Properties

Payments

Sub-menu: /user-manager payment

Information about all received payments is available in this section.

Read-only properties

Profiles

Sub-menu: /user-manager profile

Properties

Profile Limitations

Sub-menu: /user-manager profile-limitation

Profile-Limitations table links Limitations and Profiles together and defines their validity period. When multiple Limitations are assigned to the same Profile, a user must comply with all Limitations for the session to be established. This allows more complicated setups to be created, for example, separate monthly and daily bandwidth limits.

Properties

Routers

Sub-menu: /user-manager router

Here you can define NAS devices that can use User Manager as a RADIUS server.

Properties

Commands

Sessions

Sub-menu: /user-manager session

Sessions are logged only if accounting is enabled on NAS.

Read-only properties

Settings

Sub-menu: /user-manager


Properties

Advanced

Sub-menu: /user-manager advanced

Properties

Users

Sub-menu: /user-manager user

Properties

Commands

User Groups

Sub-menu: /user-manager user group

User groups define common characteristics of multiple users such as allowed authentication methods and RADIUS attributes. There are two groups already present in User Manager called default and default-anonymous.

Properties

User Profiles

Sub-menu: /user-manager user-profile

This menu assigns users a profile and tracks the status of the profile. A single user can have multiple profiles assigned, however, only one can be used at the same time. A user will seamlessly be switched to the next profile when the currently active profile expires without dropping the user's session.

Properties

Read-only properties

Commands

WEB Interface

Each user has access to his personal profile using a WEB interface. The WEB interface can be accessed by adding "/um/" directory to the router's IP or domain, for example, http://example.com/um/. Note that the WEB interface is affected by IP Services "www" and "www-ssl". The WEB interface can be customized using CSS, JavaScript, and HTML.

Customizable file reference

Application Guides

Batch user creation

It is possible to create multiple new users with randomly generated usernames and passwords. For example, the following command will generate 3 new users with 6 lowercase symbols as the username and 6 lowercase, uppercase, and numbers as the password.

/user-manager user
add-batch-users number-of-users=3 password-characters=lowercase,numbers,uppercase password-length=6 username-characters=lowercase username-length=6

The command generated users can be seen by printing the user's table:

/user-manager user print 
Flags: X - disabled 
 0   name="olsgkl" password="86a6zH" otp-secret="" group=default shared-users=1 attributes="" 

 1   name="lkbwss" password="jaKY5V" otp-secret="" group=default shared-users=1 attributes="" 

 2   name="cwxbwu" password="a62yZd" otp-secret="" group=default shared-users=1 attributes="" 

Providing NAS with custom RADIUS attributes

It is possible to send additional RADIUS attributes during the authentication process to provide NAS with custom information about the session, such as what IP address should be assigned to the supplicant or what address pool to use for address assigning.

Static IP address for a user

To assign the end user a static IP address, Framed-IP-Address attribute can be used. When using static IP address allocation, shared-sessions must be set to 1 to prevent cases when a user has multiple simultaneous sessions, but there is only one IP address. For example:

/user-manager user
set [find name=username] shared-users=1 attributes=Framed-IP-Address:192.168.1.4

Specifying address pool for a group of users

We can group up multiple similar users and assign RADIUS attributes to all of them at once. First of all, create a new group:

/user-manager user group
add name=location1 outer-auths=chap,eap-mschap2,eap-peap,eap-tls,eap-ttls,mschap1,mschap2,pap \
inner-auths=peap-mschap2,ttls-chap,ttls-mschap1,ttls-mschap2,ttls-pap attributes=Framed-Pool:pool1

The next step is to assign a user to the group:

/user-manager user
 set [find name=username] group=location1

In this case, an IP address from pool1 will be assigned to the user upon authentication - make sure pool1 is created on the NAS device.

Using TOTP (time-based one-time password) for user authentication

User Manager supports time-based authentication token addition to the user's password field that is regenerated every 30 seconds.

TOTP works by having a shared secret on the supplicant (client) and the authentication server (User Manager). To configure TOTP on RouterOS, simply set the otp-secret for the user. For example:

/user-manager user
set [find name=username] password=mypass otp-secret=mysecret

To calculate the TOTP token on the supplicant side, many widely available applications can be used, for example, Google Authenticator or https://totp.app/. Adding mysecret to the TOTP token generator will provide a new unique 6-digit code that must be added to the user password.

The following example will accept the user's authentication with a calculated TOTP token added to the common password until a new TOTP token is generated, for example,

User-Name=username
User-Password=mypass620872

Exporting user credentials

Printable login credentials for a single user

To generate a single user's printable voucher card, simply use the generate-voucher command. Specify the RouterOS ID number of the user or use the find command to specify a username. A template is already included in User Manager's installation available in the Files section of your device. You can customize the template for your needs.

/user-manager user
generate-voucher voucher-template=printable_vouchers.html [find where name=username]

The generated voucher card is available by accessing the router using a WEB browser and navigating to /um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html

By default, the printable card looks like this:

It is possible to use different variables when generating vouchers. Currently, supported variables are:

$(username) - Represents User Manager username
$(password) - Password of the username
$(userprofname) - Profile that is active for the particular user
$(userprofendtime) - Profile validity end time if specified

Multiple user credential export

It is possible to generate a CSV or XML file with multiple or all user credentials at once by using the export.xml or export.csv as voucher-template.

/user-manager user
generate-voucher voucher-template=export.xml [find]

The command generates an XML file um5files/PRIVATE/GENERATED/vouchers/gen_export.xml which can either be accessible by the WEB browser or any other file access tools.

<?xml version="1.0" encoding="UTF-8"?>
<users>
    <user>
        <username>olsgkl</username>
        <password>86a6zH</password>
    </user>
    <user>
        <username>lkbwss</username>
        <password>jaKY5V</password>
    </user>
    <user>
        <username>cwxbwu</username>
        <password>a62yZd</password>
    </user>
    <user>
        <username>username</username>
        <password>secretpassword</password>
    </user>

</users>

Generating usage report

In cases where presentable network usage information is required by companies billing or legal team an automated session export can be created using the generate-report command. The command requires an input of the report template - an example of the template is available in um5files/PRIVATE/TEMPLATES/reports/report_default.html. Example of the report generation:

/user-manager
generate-report report-template=report_default.html columns=username,uptime,download,upload

The generated report is available by accessing the router using a WEB browser and navigating to /um/PRIVATE/GENERATED/reports/gen_report_default.html

Purchasing a profile

After logging into the user's private profile by accessing the router's /um/ directory using a WEB browser, for example, http://example.com/um/, he will be able to see all available Profiles in the respective menu. Profiles that have specified price values will have a Buy this Profile button available.

After pressing the Buy this Profile button, the user will be asked to choose from available transaction service providers (currently only PayPal is available) and later redirected to PayPal's payment processing page.

When the payment is completed, the User Manager will ask PayPal to approve the transaction. After approval, the profile is assigned to the user and is ready to use.

Migrating from RouterOS v6

When you upgrade your User Manager router from RouterOS v6 to the v7 the new User Manager will work with new database files and configuration. To continue using the old user, router, profile, etc. configuration you must manually execute the migrate command. To do so you must have files from the old User Manager server folder "user-manager" present. The folder can be renamed, but all the contents from the old installation must be transferred to the new v7 installation (you can move the old configuration from one router to another router with v7, you must copy "user-manager" folder). After that, all you need to do is execute this command - "/user-manager/database/migrate-legacy-db database-path=<path_to_old_user_manager_folder>".

The import process will try to convert such configuration - users, profiles, user-profiles, limitations, profile-limitations, user-counters, routers, and sessions.

Application Examples

Basic L2TP/IPsec server with User Manager authentication

User Manager configuration

Start off by enabling User Manager functionality.

/user-manager
set enabled=yes

Allow receiving RADIUS requests from the localhost (the router itself).

/user-manager router
add address=127.0.0.1 comment=localhost name=local shared-secret=test

Next, add users and their credentials that clients will use to authenticate to the server.

/user-manager user
add name=user1 password=password

Configuring RADIUS client

For the router to use the RADIUS server for user authentication, it is required to add a new RADIUS client that has the same shared secret that we already configured on User Manager.

/radius
add address=127.0.0.1 secret=test service=ipsec

L2TP/IPsec server configuration

Configure the IP pool from which IP addresses will be assigned to the users and assign it to the PPP Profile.

/ip pool
add name=vpn-pool range=192.168.99.2-192.168.99.100

/ppp profile
set default-encryption local-address=192.168.99.1 remote-address=vpn-pool

Enable the use of RADIUS for PPP authentication.

/ppp aaa
set use-radius=yes

Enable the L2TP server with IPsec encryption.

/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=mySecret

That is it. Your router is now ready to accept L2TP/IPsec connections and authenticate them to the internal User Manager.