
Overview

User Manager is a RADIUS server implementation in RouterOS that provides centralized user authentication and authorization for a given service. Having a central user database makes it easier to keep track of system users and customers. As a separate package, User Manager is available on all architectures including SMIPS; however, care must be taken because of the limited free space available. It supports many different authentication methods, including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP and Wireless are the features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the web interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway, PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standard defined in RFC2865 and RFC3579.

Attributes

RADIUS attributes are defined authorization, information and configuration parameters that are passed between the RADIUS server and client. User Manager allows sending customized attributes defined in the "attributes" menu. The complete list of attributes that can be sent from User Manager is compiled in the table below.

| # | Attribute | Data type | Packet type | Description |
|---|---|---|---|---|
| 1 | User-Name | text | Access-Accept | RFC2865 section 5.1 |
| 6 | Service-Type | enum | Access-Accept | RFC2865 section 5.6 |
| 7 | Framed-Protocol | enum | Access-Accept | RFC2865 section 5.7 |
| 8 | Framed-IP-Address | ipv4 | Access-Accept | RFC2865 section 5.8 |
| 9 | Framed-IP-Netmask | ipv4 | Access-Accept | RFC2865 section 5.9 |
| 10 | Framed-Routing | enum | Access-Accept | RFC2865 section 5.10 |
| 11 | Filter-Id | text | Access-Accept | RFC2865 section 5.11 |
| 12 | Framed-MTU | integer | Access-Accept | RFC2865 section 5.12 |
| 13 | Framed-Compression | enum | Access-Accept | RFC2865 section 5.13 |
| 14 | Login-IP-Host | ipv4 | Access-Accept | RFC2865 section 5.14 |
| 15 | Login-Service | enum | Access-Accept | RFC2865 section 5.15 |
| 16 | Login-TCP-Port | integer | Access-Accept | RFC2865 section 5.16 |
| 18 | Reply-Message | text | Access-Accept, Access-Challenge | RFC2865 section 5.18 |
| 19 | Callback-Number | text | Access-Accept | RFC2865 section 5.19 |
| 20 | Callback-Id | text | Access-Accept | RFC2865 section 5.20 |
| 22 | Framed-Route | text | Access-Accept | RFC2865 section 5.22 |
| 23 | Framed-IPX-Network | ipv4 | Access-Accept | RFC2865 section 5.23 |
| 24 | State | string | Access-Accept, Access-Challenge | RFC2865 section 5.24 |
| 25 | Class | string | Access-Accept | RFC2865 section 5.25 |
| 26 | Vendor-Specific | | Access-Accept, Access-Challenge | RFC2865 section 5.26 |
| 27 | Session-Timeout | integer | Access-Accept, Access-Challenge | RFC2865 section 5.27 |
| 28 | Idle-Timeout | integer | Access-Accept, Access-Challenge | RFC2865 section 5.28 |
| 29 | Termination-Action | enum | Access-Accept | RFC2865 section 5.29 |
| 33 | Proxy-State | string | Access-Accept, Access-Challenge | RFC2865 section 5.33 |
| 34 | Login-LAT-Service | text | Access-Accept | RFC2865 section 5.34 |
| 35 | Login-LAT-Node | text | Access-Accept | RFC2865 section 5.35 |
| 36 | Login-LAT-Group | string | Access-Accept | RFC2865 section 5.36 |
| 37 | Framed-AppleTalk-Link | integer | Access-Accept | RFC2865 section 5.37 |
| 38 | Framed-AppleTalk-Network | integer | Access-Accept | RFC2865 section 5.38 |
| 39 | Framed-AppleTalk-Zone | text | Access-Accept | RFC2865 section 5.39 |
| 56 | Egress-VLANID | integer | Access-Accept | RFC4675 section 2.1 |
| 57 | Ingress-Filters | enum | Access-Accept | RFC4675 section 2.2 |
| 58 | Egress-VLAN-Name | text | Access-Accept | RFC4675 section 2.3 |
| 59 | User-Priority-Table | string | Access-Accept | RFC4675 section 2.4 |
| 62 | Port-Limit | integer | Access-Accept | RFC2865 section 5.42 |
| 63 | Login-LAT-Port | text | Access-Accept | RFC2865 section 5.43 |
| 64 | Tunnel-Type | enum | Access-Accept | RFC2868 section 3.1 |
| 65 | Tunnel-Medium-Type | enum | Access-Accept | RFC2868 section 3.2 |
| 66 | Tunnel-Client-Endpoint | text | Access-Accept | RFC2868 section 3.3 |
| 67 | Tunnel-Server-Endpoint | text | Access-Accept | RFC2868 section 3.4 |
| 69 | Tunnel-Password | string | Access-Accept | RFC2868 section 3.5 |
| 81 | Tunnel-Private-Group-ID | text | Access-Accept | RFC2868 section 3.6 |
| 82 | Tunnel-Assignment-ID | text | Access-Accept | RFC2868 section 3.7 |
| 83 | Tunnel-Preference | integer | Access-Accept | RFC2868 section 3.8 |
| 90 | Tunnel-Client-Auth-ID | text | Access-Accept | RFC2868 section 3.9 |
| 91 | Tunnel-Server-Auth-ID | text | Access-Accept | RFC2868 section 3.10 |
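
To see how the attributes in this table appear on the wire, the following Python sketch (an added example, not MikroTik or User Manager code) authenticates an Access-Accept using the RFC2865 Response Authenticator and then decodes each attribute by its data type. The shared secret, request authenticator, sample packet and all function names are constructed for illustration, and only a subset of the table is mapped.

```python
import hashlib, hmac, ipaddress, struct

# Subset of the attribute table on this page: type number -> (name, data type).
ATTRS = {1: ("User-Name", "text"), 6: ("Service-Type", "enum"),
         8: ("Framed-IP-Address", "ipv4"), 25: ("Class", "string"),
         27: ("Session-Timeout", "integer")}

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def decode_value(kind, raw):
    """Decode one attribute value according to the table's data type column."""
    if kind in ("integer", "enum"):
        if len(raw) != 4:
            raise ValueError("integer/enum value must be 4 octets")
        return struct.unpack("!I", raw)[0]
    if kind == "ipv4":
        return str(ipaddress.IPv4Address(raw))  # rejects anything but 4 octets
    if kind == "text":
        return raw.decode("utf-8")
    return raw  # "string" and unmapped types stay as opaque octets

def parse_reply(packet, request_auth, secret):
    """Authenticate a server reply, then return its attributes as (name, value) pairs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    out, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        atype, alen = attrs[pos], attrs[pos + 1]
        name, kind = ATTRS.get(atype, (f"Unknown-{atype}", "string"))
        out.append((name, decode_value(kind, attrs[pos + 2:pos + alen])))
        pos += alen
    return out

# Constructed sample: Access-Accept (code 2) with a made-up secret and request authenticator.
tlv = lambda t, v: bytes([t, len(v) + 2]) + v
SECRET, REQUEST_AUTH = b"constructed-secret", bytes(range(16))
_A = tlv(1, b"alice") + tlv(8, bytes([10, 0, 0, 5])) + tlv(27, struct.pack("!I", 3600))
SAMPLE = struct.pack("!BBH", 2, 7, 20 + len(_A)) + response_authenticator(2, 7, _A, REQUEST_AUTH, SECRET) + _A
```

Attributes are decoded only after the authenticator check passes, so a reply altered in transit or produced with a different shared secret is rejected before any of its values are used.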

Database

All RADIUS-related information is stored in a separate User Manager database, configurable under the "database" sub-menu. "Enabled" and "db-path" are the only parameters that are not stored in User Manager's database; they are stored in the main RouterOS configuration table, which means that these parameters will be affected by a RouterOS configuration reset.

Payment gateway

Reports

User limitation

WEB user interface
