...
User Manager is a RADIUS server implementation in RouterOS which provides centralized user authentication and authorization for a certain service. Having a central user database allows better tracking of system users and customers. As a separate package, User Manager is available on all architectures except SMIPS; however, care must be taken due to the limited free space available. It supports many different authentication methods, including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS, and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP, and Wireless are the features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the WEB interface. Additionally, users can buy their own data plans (profiles) using the most popular payment gateway, PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standards defined in RFC2865 and RFC3579.
...
RADIUS attributes are the authorization, information, and configuration parameters that are passed between the RADIUS server and the client. User Manager allows sending customized attributes defined in the "attributes" menu. RouterOS already has a set of predefined attributes present, but it is also possible to add additional attributes if necessary. Predefined attributes:
Attribute | Vendor ID | Type ID | Value type | Packet type | Description |
---|---|---|---|---|---|
Framed-IP-Address | 0 (standard) | 8 | ip address | Access-Accept | RFC2865 section 5.8 |
Framed-IP-Netmask | 0 (standard) | 9 | ip address | Access-Accept | RFC2865 section 5.9 |
Session-Timeout | 0 (standard) | 27 | integer | Access-Accept, Access-Challenge | RFC2865 section 5.27 |
Idle-Timeout | 0 (standard) | 28 | integer | Access-Accept, Access-Challenge | RFC2865 section 5.28 |
Tunnel-Type | 0 (standard) | 64 | | Access-Accept | RFC2868 section 3.1 |
Tunnel-Medium-Type | 0 (standard) | 65 | | Access-Accept | RFC2868 section 3.2 |
Tunnel-Private-Group-ID | 0 (standard) | 81 | string | Access-Accept | RFC2868 section 3.6 |
Framed-Pool | 0 (standard) | 88 | string | Access-Accept | RFC2869 section 5.18 |
Framed-IPv6-Prefix | 0 (standard) | 97 | ipv6 prefix | Access-Accept | RFC3162 section 2.3 |
Framed-IPv6-Pool | 0 (standard) | 100 | string | Access-Accept | RFC3162 section 2.6 |
Delegated-IPv6-Prefix | 0 (standard) | 123 | ipv6 prefix | Access-Accept | RFC4818 |
Framed-IPv6-Address | 0 (standard) | 168 | ip address | Access-Accept | RFC6911 section 3.1 |
Mikrotik-Recv-Limit | 14988 (Mikrotik) | 1 | integer | Access-Accept | Total receive limit in bytes for the client. |
Mikrotik-Xmit-Limit | 14988 (Mikrotik) | 2 | integer | Access-Accept | Total transmit limit in bytes for the client. |
Mikrotik-Group | 14988 (Mikrotik) | 3 | string | Access-Accept | User's group for local users. HotSpot profile for HotSpot users. PPP profile for PPP users. |
Mikrotik-Wireless-Forward | 14988 (Mikrotik) | 4 | integer | Access-Accept | Do not forward the client's frames back to the wireless infrastructure if this attribute is set to "0" (wireless only). |
Mikrotik-Wireless-Skip-Dot1x | 14988 (Mikrotik) | 5 | integer | Access-Accept | Disable 802.1x authentication for the particular wireless client if set to a non-zero value (wireless only). |
Mikrotik-Wireless-Enc-Algo | 14988 (Mikrotik) | 6 | | Access-Accept | WEP encryption algorithm (wireless only). |
Mikrotik-Wireless-Enc-Key | 14988 (Mikrotik) | 7 | string | Access-Accept | WEP encryption key for the client (wireless only). |
Mikrotik-Rate-Limit | 14988 (Mikrotik) | 8 | string | Access-Accept | Datarate limitation for clients. The format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]] from the point of view of the router (so "rx" is client upload and "tx" is client download). All rates should be numbers with an optional 'k' (1,000s) or 'M' (1,000,000s) suffix. If tx-rate is not specified, the rx-rate value is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed the rx-rate and tx-rate values. |
Mikrotik-Realm | 14988 (Mikrotik) | 9 | string | Access-Request | If it is set in the /radius menu, it is included in every RADIUS request as the Mikrotik-Realm attribute. If it is not set, the same value is sent as in the MS-CHAP-Domain attribute (if MS-CHAP-Domain is missing, Realm is not included either). |
Mikrotik-Host-IP | 14988 (Mikrotik) | 10 | ip address | Access-Request | The IP address of the HotSpot client before Universal Client translation (the original IP address of the client). |
Mikrotik-Mark-Id | 14988 (Mikrotik) | 11 | string | Access-Accept | Firewall mangle chain name (HotSpot only). Upon receiving this attribute, the MikroTik RADIUS client creates a dynamic firewall mangle rule with action=jump chain=hotspot and jump-target equal to the attribute value. The mangle chain name can have the suffix .in or .out, which installs the rule only for incoming or outgoing traffic. Multiple Mark-Id attributes can be provided, but only the last ones for incoming and outgoing are used. |
Mikrotik-Advertise-URL | 14988 (Mikrotik) | 12 | string | Access-Accept | URL of the page with advertisements that should be displayed to clients. If this attribute is specified, advertisements are enabled automatically, including the transparent proxy, even if they were explicitly disabled in the corresponding user profile. Multiple attribute instances may be sent by the RADIUS server to specify additional URLs, which are chosen in a round-robin fashion. |
Mikrotik-Advertise-Interval | 14988 (Mikrotik) | 13 | integer | Access-Accept | The time interval between two adjacent advertisements. Multiple attribute instances may be sent by the RADIUS server to specify additional intervals. All interval values are treated as a list and are taken one by one for each successful advertisement. If the end of the list is reached, the last value continues to be used. |
Mikrotik-Recv-Limit-Gigawords | 14988 (Mikrotik) | 14 | integer | Access-Accept | 4G (2^32) bytes of total receive limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit). |
Mikrotik-Xmit-Limit-Gigawords | 14988 (Mikrotik) | 15 | integer | Access-Accept | 4G (2^32) bytes of total transmit limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit). |
Mikrotik-Wireless-PSK | 14988 (Mikrotik) | 16 | string | Access-Accept | |
Mikrotik-Total-Limit | 14988 (Mikrotik) | 17 | integer | Access-Accept | |
Mikrotik-Total-Limit-Gigawords | 14988 (Mikrotik) | 18 | integer | Access-Accept | |
Mikrotik-Address-List | 14988 (Mikrotik) | 19 | string | Access-Accept | |
Mikrotik-Wireless-MPKey | 14988 (Mikrotik) | 20 | string | Access-Accept | |
Mikrotik-Wireless-Comment | 14988 (Mikrotik) | 21 | string | Access-Accept | |
Mikrotik-Delegated-IPv6-Pool | 14988 (Mikrotik) | 22 | string | Access-Accept | IPv6 pool used for Prefix Delegation. |
Mikrotik-DHCP-Option-Set | 14988 (Mikrotik) | 23 | string | Access-Accept | |
Mikrotik-DHCP-Option-Param-STR1 | 14988 (Mikrotik) | 24 | string | Access-Accept | |
Mikrotik-DHCP-Option-Param-STR2 | 14988 (Mikrotik) | 25 | string | Access-Accept | |
Mikrotik-Wireless-VLANID | 14988 (Mikrotik) | 26 | integer | Access-Accept | VLAN ID for the client (wireless only). |
Mikrotik-Wireless-VLANIDtype | 14988 (Mikrotik) | 27 | | Access-Accept | VLAN ID type for the client (wireless only). |
Mikrotik-Wireless-Minsignal | 14988 (Mikrotik) | 28 | string | Access-Accept | |
Mikrotik-Wireless-Maxsignal | 14988 (Mikrotik) | 29 | string | Access-Accept | |
Mikrotik-Switching-Filter | 14988 (Mikrotik) | 30 | string | Access-Accept | Allows creating dynamic switch rules when authenticating clients with the dot1x server. |
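The Mikrotik-Rate-Limit format from the table above, parsed with its defaulting rules (tx falls back to rx, burst thresholds fall back to the plain rates, burst time to 1s, minimum rates to the plain rates) and its constraints enforced (priority 1..8, minimum rates not above the rates). This is an added example, not RouterOS or User Manager code; it assumes the burst-time fields are whole seconds with an optional trailing 's'.

```python
import re
from typing import Callable, Dict, Tuple

# Rate values are plain numbers with an optional k (1,000) or M (1,000,000) suffix.
_RATE = re.compile(r"^(\d+)([kM])?$")
_MULT = {None: 1, "k": 1_000, "M": 1_000_000}


def parse_rate(text: str) -> int:
    """'512k' -> 512000, '2M' -> 2000000, '1000' -> 1000."""
    m = _RATE.match(text)
    if not m:
        raise ValueError(f"bad rate value: {text!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_seconds(text: str) -> int:
    """Burst time; assumed here to be whole seconds with an optional trailing 's'."""
    return int(text[:-1] if text.endswith("s") else text)


def parse_pair(token: str, convert: Callable[[str], int]) -> Tuple[int, int]:
    """Parse 'rx[/tx]'; when tx is omitted the rx value is used for tx as well."""
    rx, _, tx = token.partition("/")
    rx_v = convert(rx)
    return rx_v, (convert(tx) if tx else rx_v)


def parse_rate_limit(attr: str) -> Dict[str, int]:
    """Expand a Mikrotik-Rate-Limit string into every field with defaults applied."""
    tok = attr.split()
    if not tok or len(tok) > 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    rx, tx = parse_pair(tok[0], parse_rate)
    out = {"rx-rate": rx, "tx-rate": tx}
    if len(tok) > 1:  # burst settings only exist once a burst-rate is given
        out["rx-burst-rate"], out["tx-burst-rate"] = parse_pair(tok[1], parse_rate)
        # Missing thresholds fall back to the plain rates; missing burst time to 1s.
        out["rx-burst-threshold"], out["tx-burst-threshold"] = (
            parse_pair(tok[2], parse_rate) if len(tok) > 2 else (rx, tx))
        out["rx-burst-time"], out["tx-burst-time"] = (
            parse_pair(tok[3], parse_seconds) if len(tok) > 3 else (1, 1))
    if len(tok) > 4:
        out["priority"] = int(tok[4])
        if not 1 <= out["priority"] <= 8:
            raise ValueError("priority must be 1..8 (1 = highest)")
    rx_min, tx_min = parse_pair(tok[5], parse_rate) if len(tok) > 5 else (rx, tx)
    if rx_min > rx or tx_min > tx:
        raise ValueError("rx-rate-min/tx-rate-min can not exceed rx-rate/tx-rate")
    out["rx-rate-min"], out["tx-rate-min"] = rx_min, tx_min
    return out
```

A RADIUS server should validate the string before sending it, since a malformed or contradictory value (for example a minimum rate above the rate itself) is rejected by the parser here rather than silently reinterpreted.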
Properties
Property | Description |
---|---|
name (string; Default: ) | Name of the attribute. |
packet-types (string; Default: access-accept) | RADIUS packet types in which the attribute is sent (see the "Packet type" column above). |
type-id (integer:1..255; Default: ) | Attribute identification number from the specific vendor's attribute database. |
value-type (string; Default: ) | Data type of the attribute value (see the "Value type" column above). |
vendor-id (integer; Default: 0) | IANA-allocated enterprise identification number of the vendor (0 for standard attributes). |
...
All RADIUS-related information is stored in a separate User Manager database, configurable under the "database" sub-menu. "Enabled" and "db-path" are the only parameters that are not stored in the User Manager database; they are stored in the main RouterOS configuration table, meaning that these parameters are affected by a RouterOS configuration reset. The rest of the configuration, session, and payment data is stored in a separate SQLite database on the FLASH storage of the device. When performing any actions with databases, it is advised to make a backup before and after the activity.
...
Property | Description |
---|---|
db-size | The current size of the database. |
free-disk-space | Free space left on the disk where the database is stored. |
Commands
Property | Description |
---|---|
load (name) | Restore previously created backup file in .umb format. |
migrate-legacy-db (database-path; overwrite) | Convert the old User Manager (from RouterOS v6 or before) to the new standard. It is possible to overwrite the current database. |
optimize-db () | |
save (name; overwrite) | Save the current state of the User Manager database. |
Limitations
Sub-menu: /user-manager limitation
...
Warning |
---|
IPsec service in RouterOS does not support rate limitations. |
Properties
Property | Description |
---|---|
comment (string; Default: ) | Short description of the limitation. |
download-limit (integer; Default: 0) | The total amount of traffic a user can download in Bytes. |
name (string; Default: ) | Unique name of the limitation. |
rate-limit-burst-rx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-burst-threshold-rx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-burst-threshold-tx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-burst-time-rx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-burst-time-tx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-burst-tx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-min-rx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-min-tx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-priority () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-rx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
rate-limit-tx () | Part of MT-Rate-Limit RADIUS attribute. Refer to Queues#SimpleQueue. |
reset-counters-interval (hourly | daily | weekly | monthly | disabled; Default: disabled) | The interval from reset-counters-start-time when all associated user statistics are cleared. |
reset-counters-start-time (datetime; Default: ) | Static date and time value from which reset-counters-interval is calculated. |
transfer-limit (integer; Default: 0) | The total amount of aggregated (download+upload) traffic in Bytes. |
upload-limit (integer; Default: 0) | The total amount of traffic a user can upload in Bytes. |
uptime-limit (time; Default: 00:00:00) | The total amount of uptime a user can stay active. |
Payments
Sub-menu: /user-manager payment
...
Sub-menu: /user-manager profile
Properties
Property | Description |
---|---|
comment (string; Default: ) | Short description of the entry. |
name (string; Default: ) | Unique name of the profile. |
name-for-users (string; Default: ) | Name of the profile that will be shown for users on the Web page. |
override-shared-users (decimal | off | unlimited; Default: off) | Whether to allow multiple sessions with the same user name. This overrides the shared-users setting. |
price (decimal; Default: 0.00) | |
starts-when (assigned | first-auth; Default: assigned) | The time when the profile becomes active. Assigned - immediately when a User Profile entry is created. First-auth - upon the first authentication request from the user. |
validity (time | unlimited; Default: unlimited) | The total amount of time a user can use this profile. |
Profile Limitations
Sub-menu: /user-manager profile-limitation
The Profile-Limitations table links Limitations and Profiles together and defines their validity period. When multiple Limitations are assigned to the same Profile, a user must comply with all Limitations for the session to be established. This allows more complicated setups to be created, for example, separate monthly and daily bandwidth limits.
Properties
Property | Description |
---|---|
comment (string; Default: ) | Short description of the entry. |
from-time (time; Default: 00:00:00) | Time of day when the limitation should start. |
limitation (limitation; Default: ) | Name of already created Limitation. |
profile (profile; Default: ) | Name of already created Profile. |
till-time (time; Default: 23:59:59) | Time of day when the limitation should end. |
weekdays (day of week; Default: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday) | Day of the week when the limitation should be active. |
Routers
Sub-menu: /user-manager router
Here you can define all NAS devices that can use User Manager as a RADIUS server.
...
The following example will accept the user's authentication with a calculated TOTP token added to the common password until a new TOTP token is generated, for example,
...
To generate a single user's printable voucher card, simply use the generate-voucher command. Specify the RouterOS ID number of the user or use the find command to specify a username. A template is already included in User Manager's installation available in the Files section of your device. You can customize the template for your needs.
...
The generated voucher card is available by accessing the router using a WEB browser and navigating to /um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
By default, the printable card looks like this:
...
In cases where presentable network usage information is required by a company's billing or legal team, an automated session export can be created using the generate-report command. The command requires a report template as input; an example template is available in um5files/PRIVATE/TEMPLATES/reports/report_default.html. Example of the report generation:
...
Migrating from RouterOS v6
When you upgrade your User Manager router from RouterOS v6 to v7, the new User Manager starts to work with new database files and configuration. To continue using the old user, router, profile, etc. configuration, you must manually execute the migrate command. To do so, you must have the files from the old User Manager server folder "user-manager" present. The folder can be renamed, but all the contents from the old installation must be transferred to the new v7 installation (you can move the old configuration from one router to another router with v7; you must copy the "user-manager" folder). After that, all you need to do is execute this command: "/user-manager/database/migrate-legacy-db database-path=<path_to_old_user_manager_folder>".
The import process will try to convert the following configuration: users, profiles, user-profiles, limitations, profile-limitations, user-counters, routers, and sessions.
Application Examples
Basic L2TP/IPsec server with User Manager authentication
...