Summary

RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol in which a central server provides authentication, authorization and accounting for network access devices. RADIUS authentication and accounting lets an ISP or network administrator manage PPP user access and accounting from one server across a large network. MikroTik RouterOS has a RADIUS client that can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP, OVPN and ISDN connections. Attributes received from the RADIUS server override the ones set in the default profile; parameters the server does not send are taken from the respective default profile.

The RADIUS server database is consulted only if no matching user access record is found in the router's local database.

If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server configured for that service.

RADIUS Client

Sub-menu: /radius

This sub-menu holds the RADIUS servers the router's built-in RADIUS client talks to. Each entry names a server, the shared secret (or certificate, for RadSec) and the router services that authenticate against it.

Note

 The order of added items in this list is significant.

Properties

Property / Description

accounting-backup (yes | no; Default: no)
    Whether this entry is the backup RADIUS server for accounting.

accounting-port (integer [1..65535]; Default: 1813)
    RADIUS server port used for accounting.

address (IPv4/IPv6 address; Default: 0.0.0.0)
    IPv4 or IPv6 address of the RADIUS server. The following formats are accepted:
    - ipv4
    - ipv4@vrf
    - ipv6
    - ipv6@vrf

authentication-port (integer [1..65535]; Default: 1812)
    RADIUS server port used for authentication. 1812 is the port assigned by RFC 2865; the CLI help still mentions 1645, the pre-standard port that some older servers listen on (accounting likewise moved from 1646 to 1813). Make the server and the router agree.

called-id (string; Default: )
    Value depends on the Point-to-Point protocol: PPPoE - service name, PPTP - server's IP address, L2TP - server's IP address.

certificate (string; Default: )
    Certificate to use for communicating with the RADIUS server when RadSec is enabled.

comment (string; Default: )
    Short description of the item.

disabled (yes | no; Default: no)
    Whether the entry is ignored.

domain (string; Default: )
    Microsoft Windows domain of the client, passed to RADIUS servers that require domain validation.

protocol (radsec | udp; Default: udp)
    Transport used when communicating with the RADIUS server: plain UDP (RFC 2865) or RadSec, RADIUS over TLS (RFC 6614).

realm (string; Default: )
    Explicitly stated realm (user domain). When set, users do not have to include the proper ISP domain name in their user name.

secret (string; Default: )
    The shared secret used to access the RADIUS server. On plain UDP this secret is all that authenticates replies and hides PAP passwords, so use a long random value rather than a short word.

service (ppp | login | hotspot | wireless | dhcp | dot1x | ipsec; Default: )
    Router services that will use this RADIUS server:
      • hotspot - HotSpot authentication service
      • login - router's local user authentication
      • ppp - Point-to-Point clients authentication
      • wireless - wireless client authentication
      • dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
      • dot1x - 802.1X (dot1x) client authentication
      • ipsec - IPsec peer authentication

src-address (IPv4/IPv6 address; Default: 0.0.0.0)
    Source IP/IPv6 address of the packets sent to the RADIUS server.

timeout (time; Default: 100ms)
    Timeout after which the request is resent (the CLI accepts values from 10ms to 60s), for example "/radius set timeout=300ms numbers=0".

Besides the generic add, set, remove, print and export commands, the sub-menu provides "monitor" (per-entry request, reply and error counters, shown in the example below) and "reset-counters".


Note

When the RADIUS server authenticates the user with CHAP, MS-CHAPv1 or MS-CHAPv2, the shared secret is not used to protect anything in the Access-Request (unlike PAP, where the User-Password attribute is hidden with it); the secret only goes into the Response Authenticator of the reply, which the router (RADIUS client) verifies. So with a wrong shared secret the RADIUS server will accept the request, but the router will not accept the reply. You can see this with the "/radius monitor" command: the "bad-replies" counter increases whenever somebody tries to connect.
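The CHAP case described in the note above, worked through as an added example that is not part of the MikroTik documentation: a minimal RADIUS client and server built from the RFC 2865 formulas in Python, with made-up user name, password and secrets. It shows what each side can and cannot check when the two secrets differ, and why the symptom for CHAP is a rejected reply (a "bad-replies" increment) rather than a rejected login.

```python
"""Why a wrong shared secret shows up as "bad-replies" rather than as a rejected
login when CHAP is in use. Added example, not MikroTik code: a minimal RADIUS
client/server exchange built with the RFC 2865 formulas. User name, password
and secrets are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60


def attr(typ: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including this 2-byte header), Value."""
    return bytes([typ, 2 + len(value)]) + value


def parse_attrs(data: bytes) -> dict:
    """Attributes back into {type: value} (one of each is enough here)."""
    out, i = {}, 0
    while i < len(data):
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    return hashlib.md5(header(code, ident, attrs) + request_auth + attrs + secret).digest()


def pap_xor(data: bytes, request_auth: bytes, secret: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: c_i = p_i XOR MD5(S + c_{i-1}), c_0 = RA.
    The same chain hides (client) or reveals (server); the chain runs on ciphertext."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = block if decrypt else mixed
    return out


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident octet + MD5(ident + password + challenge).
    Nothing in it depends on the RADIUS shared secret."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def exchange(method: str, client_secret: bytes, server_secret: bytes) -> tuple:
    """One request/reply. Returns (server_accepted, client_trusts_reply)."""
    user, password, ident, req_auth = b"alice", b"correct horse", 7, os.urandom(16)
    attrs = attr(USER_NAME, user)
    if method == "pap":
        padded = password + b"\x00" * (-len(password) % 16)
        attrs += attr(USER_PASSWORD, pap_xor(padded, req_auth, client_secret, False))
    else:
        challenge = os.urandom(16)
        attrs += attr(CHAP_CHALLENGE, challenge) + attr(CHAP_PASSWORD, chap_password(1, password, challenge))
    # Server side: it only has *its* copy of the secret and the user's password.
    a = parse_attrs(attrs)
    if method == "pap":
        seen = pap_xor(a[USER_PASSWORD], req_auth, server_secret, True).rstrip(b"\x00")
        ok = hmac.compare_digest(seen, password)   # wrong secret -> garbage -> reject
    else:  # a secret mismatch is invisible here: the request carries nothing derived from it
        ok = hmac.compare_digest(a[CHAP_PASSWORD], chap_password(a[CHAP_PASSWORD][0], password, a[CHAP_CHALLENGE]))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = header(code, ident, b"") + response_authenticator(code, ident, b"", req_auth, server_secret)
    # Client side: recompute the Response Authenticator with *its* secret.
    # A mismatch is what the router counts as a bad reply.
    expected = response_authenticator(code, ident, reply[20:], req_auth, client_secret)
    return ok, hmac.compare_digest(reply[4:20], expected)
```

With matching secrets both methods return (True, True). With a mismatched secret PAP returns (False, False): the server decodes a garbage password and rejects, and the router also discards the Reject as a bad reply. CHAP returns (True, False): the server is satisfied, the Accept arrives, and only the router's Response Authenticator check fails, which is the pattern the note describes.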


Warning

If RadSec is enabled, make sure your RADIUS server is configured with "radsec" as the shared secret; otherwise it will not be able to decrypt the data correctly (you will see unprintable characters). With RadSec, RouterOS forces the shared secret to "radsec" regardless of what has been set manually, as RFC 6614 requires; confidentiality and server authentication then come from TLS and the certificates, not from the secret. For more details see RFC 6614.

Example

To set up a RADIUS client for the HotSpot and PPP services that authenticates against a RADIUS server at 10.0.0.3:

[admin@MikroTik] > /radius add service=hotspot,ppp address=10.0.0.3 secret=ex
[admin@MikroTik] > /radius print
Flags: X - disabled
 # SERVICE     CALLED-ID DOMAIN ADDRESS  SECRET
 0 ppp,hotspot                  10.0.0.3 ex

The secret "ex" is only for illustration: on plain UDP the shared secret is the sole protection for replies and PAP passwords, so use a long random string in production.

To set up a RADIUS Client with RadSec, you need to do the following:

[admin@MikroTik] > /radius add service=hotspot,ppp address=10.0.0.3 secret=radsec protocol=radsec certificate=client.crt
[admin@MikroTik] > /radius print
Flags: X - disabled
# SERVICE CALLED-ID DOMAIN ADDRESS SECRET
0 ppp,hotspot 10.0.0.3 radsec


Note

Make sure the specified certificate is trusted (imported together with its CA chain); otherwise the TLS session to the server will not be established.

To view RADIUS client statistics for entry 0:

[admin@MikroTik] > /radius monitor 0
pending: 0
requests: 10
accepts: 4
rejects: 1
resends: 15
timeouts: 5
bad-replies: 0
last-request-rtt: 0s

"timeouts" counts requests that got no reply within the configured timeout; "bad-replies" counts replies whose Response Authenticator did not verify against the configured secret (see the note above). The counters can be cleared with "/radius reset-counters".

Make sure you enable RADIUS authentication for the desired services; adding the server entry alone does nothing until the service is told to use it:

/ppp aaa set use-radius=yes
/ip hotspot profile set default use-radius=yes
/user aaa set use-radius=yes

Connection Terminating from RADIUS

Sub-menu: /radius incoming

This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages extend the RADIUS protocol with commands that let the RADIUS server terminate a session that is already connected. For this purpose DM (Disconnect-Messages, RFC 5176) are used. A Disconnect-Message causes the user session to be terminated immediately.

Note

RouterOS does not support PoD (Packet of Disconnect), the other RADIUS packet type that performs a similar function to Disconnect-Messages.

Properties

Property / Description

accept (yes | no; Default: no)
    Whether to accept unsolicited messages.

port (integer [1..65535]; Default: 1700)
    The UDP port to listen on for the requests. RFC 5176 assigns port 3799 to Dynamic Authorization; RouterOS defaults to the pre-standard 1700, so configure the server to match.

vrf (VRF name; Default: main)
    VRF on which the service listens for incoming connections.

On plain UDP a Disconnect-Request is authenticated only by the MD5 authenticator computed with the shared secret, so restrict the listening port with a firewall rule to the RADIUS server's address and do not expose it on untrusted interfaces.
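The Disconnect-Request authentication that a DM listener such as /radius incoming has to perform, as an added Python example that is not RouterOS code. The server address 10.0.0.3, the secret and the session identifiers are made up, and pinning the source address to the configured server is this example's own policy on top of the RFC 5176 authenticator check. It builds a Disconnect-Request the way the server does, verifies it the way the client must, and answers with an authenticated Disconnect-ACK or NAK.

```python
"""Authenticating an unsolicited Disconnect-Request (RFC 5176) the way a DM
listener such as /radius incoming has to. Added example in plain Python, not
RouterOS code; the server address, secret and session identifiers are made up.
Pinning the source address to the configured server is this example's own
policy, added on top of the authenticator check."""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101
SESSION_CONTEXT_NOT_FOUND = 503


def attr(typ: int, value: bytes) -> bytes:
    return bytes([typ, 2 + len(value)]) + value


def header(code: int, ident: int, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs))


def build_disconnect_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Server side. Unlike Access-Request, the Request Authenticator is not random:
    MD5(Code+ID+Length + 16 zero octets + Attributes + Secret), RFC 5176 s2.3."""
    hdr = header(DISCONNECT_REQUEST, ident, attrs)
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + attrs + secret).digest() + attrs


def verify_disconnect_request(pkt: bytes, secret: bytes, src: str, server: str) -> bool:
    """Listener side: only the configured server may speak, the length must be
    self-consistent, and the authenticator must recompute with the shared secret."""
    if src != server or len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != DISCONNECT_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(pkt[4:20], expected)


def build_reply(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Disconnect-ACK/NAK carry a Response Authenticator computed as in RFC 2865 s3,
    with the request's authenticator in place of the response's own."""
    hdr = header(code, request[1], attrs)
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs


def handle(pkt: bytes, src: str, server: str, secret: bytes, sessions: dict) -> tuple:
    """Returns (reply_or_None, remaining_sessions). A request that fails
    authentication is silently discarded; an unknown session gets a NAK with
    Error-Cause 503 (Session-Context-Not-Found)."""
    if not verify_disconnect_request(pkt, secret, src, server):
        return None, sessions
    i, sid = 20, None
    while i < len(pkt):                       # find Acct-Session-Id among the attributes
        if pkt[i] == ACCT_SESSION_ID:
            sid = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    if sid in sessions:
        remaining = {k: v for k, v in sessions.items() if k != sid}
        return build_reply(DISCONNECT_ACK, pkt, b"", secret), remaining
    nak_attrs = attr(ERROR_CAUSE, struct.pack("!I", SESSION_CONTEXT_NOT_FOUND))
    return build_reply(DISCONNECT_NAK, pkt, nak_attrs, secret), sessions
```

The point of the zeroed-authenticator construction is that an attacker who can reach the listening port but does not hold the secret cannot forge a request or retarget a captured one at another session: changing any attribute byte changes the MD5 and the packet is dropped without a reply.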
