Overview
User Manager is a RADIUS server implementation in RouterOS that provides centralized user authentication and authorization for a given service. Having a central user database allows better tracking of system users and customers. As a separate package, User Manager is available on all architectures including SMIPS, although care must be taken there because of the limited free space available. It supports many different authentication methods, including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP and Wireless are the features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the WEB interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway, PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standard defined in RFC2865 and RFC3579.
Attributes
RADIUS attributes are defined authorization, information and configuration parameters that are passed between the RADIUS server and client. User Manager allows sending customized attributes defined in the "attributes" menu. RouterOS already has a set of predefined attributes, but it is also possible to add further attributes if necessary. Predefined attributes:
Attribute | Vendor ID | Type ID | Value type | Packet type | Description
---|---|---|---|---|---
Framed-IP-Address | 0 (standard) | 8 | ip address | Access-Accept | RFC2865 section 5.8
Framed-IP-Netmask | 0 (standard) | 9 | ip address | Access-Accept | RFC2865 section 5.9
Session-Timeout | 0 (standard) | 27 | integer | Access-Accept, Access-Challenge | RFC2865 section 5.27
Idle-Timeout | 0 (standard) | 28 | integer | Access-Accept, Access-Challenge | RFC2865 section 5.28
Tunnel-Type | 0 (standard) | 64 | | Access-Accept | RFC2868 section 3.1
Tunnel-Medium-Type | 0 (standard) | 65 | | Access-Accept | RFC2868 section 3.2
Tunnel-Private-Group-ID | 0 (standard) | 81 | string | Access-Accept | RFC2868 section 3.6
Framed-Pool | 0 (standard) | 88 | string | Access-Accept | RFC2869 section 5.18
Framed-IPv6-Prefix | 0 (standard) | 97 | ipv6 prefix | Access-Accept | RFC3162 section 2.3
Framed-IPv6-Pool | 0 (standard) | 100 | string | Access-Accept | RFC3162 section 2.6
Delegated-IPv6-Prefix | 0 (standard) | 123 | ipv6 prefix | Access-Accept | RFC4818
Framed-IPv6-Address | 0 (standard) | 168 | ip address | Access-Accept | RFC6911 section 3.1
Mikrotik-Recv-Limit | 14988 (Mikrotik) | 1 | integer | Access-Accept | Total receive limit in bytes for the client.
Mikrotik-Xmit-Limit | 14988 (Mikrotik) | 2 | integer | Access-Accept | Total transmit limit in bytes for the client.
Mikrotik-Group | 14988 (Mikrotik) | 3 | string | Access-Accept | User's group for local users. HotSpot profile for HotSpot users. PPP profile for PPP users.
Mikrotik-Wireless-Forward | 14988 (Mikrotik) | 4 | integer | Access-Accept | Do not forward the client's frames back to the wireless infrastructure if this attribute is set to "0" (wireless only).
Mikrotik-Wireless-Skip-Dot1x | 14988 (Mikrotik) | 5 | integer | Access-Accept | Disable 802.1x authentication for the particular wireless client if set to a non-zero value (wireless only).
Mikrotik-Wireless-Enc-Algo | 14988 (Mikrotik) | 6 | | Access-Accept | WEP encryption algorithm (wireless only).
Mikrotik-Wireless-Enc-Key | 14988 (Mikrotik) | 7 | string | Access-Accept | WEP encryption key for the client (wireless only).
Mikrotik-Rate-Limit | 14988 (Mikrotik) | 8 | string | Access-Accept | Data rate limitation for clients. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with an optional 'k' (1,000s) or 'M' (1,000,000s) suffix. If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If neither rx-burst-threshold nor tx-burst-threshold is specified (but burst-rate is specified), rx-rate and tx-rate are used as the burst thresholds. If neither rx-burst-time nor tx-burst-time is specified, 1s is used as the default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed the rx-rate and tx-rate values.
Mikrotik-Realm | 14988 (Mikrotik) | 9 | string | Access-Request | If it is set in the /radius menu, it is included in every RADIUS request as the Mikrotik-Realm attribute. If it is not set, the same value as in the MS-CHAP-Domain attribute is sent (if MS-CHAP-Domain is missing, Realm is not included either).
Mikrotik-Host-IP | 14988 (Mikrotik) | 10 | ip address | Access-Request | IP address of the HotSpot client before Universal Client translation (the original IP address of the client).
Mikrotik-Mark-Id | 14988 (Mikrotik) | 11 | string | Access-Accept | Firewall mangle chain name (HotSpot only). Upon receiving this attribute, the MikroTik RADIUS client creates a dynamic firewall mangle rule with action=jump chain=hotspot and jump-target equal to the attribute value. The mangle chain name can have the suffix .in or .out, which installs the rule only for incoming or outgoing traffic. Multiple Mark-Id attributes can be provided, but only the last ones for incoming and outgoing are used.
Mikrotik-Advertise-URL | 14988 (Mikrotik) | 12 | string | Access-Accept | URL of the page with advertisements that should be displayed to clients. If this attribute is specified, advertisements are enabled automatically, including the transparent proxy, even if they were explicitly disabled in the corresponding user profile. Multiple attribute instances may be sent by the RADIUS server to specify additional URLs, which are chosen in round-robin fashion.
Mikrotik-Advertise-Interval | 14988 (Mikrotik) | 13 | integer | Access-Accept | Time interval between two adjacent advertisements. Multiple attribute instances may be sent by the RADIUS server to specify additional intervals. All interval values are treated as a list and are taken one by one for each successful advertisement. If the end of the list is reached, the last value continues to be used.
Mikrotik-Recv-Limit-Gigawords | 14988 (Mikrotik) | 14 | integer | Access-Accept | 4G (2^32) bytes of total receive limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit).
Mikrotik-Xmit-Limit-Gigawords | 14988 (Mikrotik) | 15 | integer | Access-Accept | 4G (2^32) bytes of total transmit limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Recv-Limit).
Mikrotik-Wireless-PSK | 14988 (Mikrotik) | 16 | string | Access-Accept |
Mikrotik-Total-Limit | 14988 (Mikrotik) | 17 | integer | Access-Accept |
Mikrotik-Total-Limit-Gigawords | 14988 (Mikrotik) | 18 | integer | Access-Accept |
Mikrotik-Address-List | 14988 (Mikrotik) | 19 | string | Access-Accept |
Mikrotik-Wireless-MPKey | 14988 (Mikrotik) | 20 | string | Access-Accept |
Mikrotik-Wireless-Comment | 14988 (Mikrotik) | 21 | string | Access-Accept |
Mikrotik-Delegated-IPv6-Pool | 14988 (Mikrotik) | 22 | string | Access-Accept | IPv6 pool used for Prefix Delegation.
Mikrotik-DHCP-Option-Set | 14988 (Mikrotik) | 23 | string | Access-Accept |
Mikrotik-DHCP-Option-Param-STR1 | 14988 (Mikrotik) | 24 | string | Access-Accept |
Mikrotik-DHCP-Option-Param-STR2 | 14988 (Mikrotik) | 25 | string | Access-Accept |
Mikrotik-Wireless-VLANID | 14988 (Mikrotik) | 26 | integer | Access-Accept | VLAN ID for the client (Wireless only).
Mikrotik-Wireless-VLANIDtype | 14988 (Mikrotik) | 27 | | Access-Accept | VLAN ID type for the client (Wireless only).
Mikrotik-Wireless-Minsignal | 14988 (Mikrotik) | 28 | string | Access-Accept |
Mikrotik-Wireless-Maxsignal | 14988 (Mikrotik) | 29 | string | Access-Accept |
Mikrotik-Switching-Filter | 14988 (Mikrotik) | 30 | string | Access-Accept | Allows creating dynamic switch rules when authenticating clients with the dot1x server.
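The Mikrotik-Rate-Limit row above specifies a positional string format with several defaulting rules, and the Gigawords rows split a 64-bit byte limit across two 32-bit attributes. The following Python is an added example, not code from the page or from MikroTik, that parses a Mikrotik-Rate-Limit value according to those rules (rejecting an out-of-range priority or a minimum rate above its rate) and recombines a limit with its Gigawords half. It assumes burst times are whole seconds with an optional trailing "s", and that a burst rate of 0 means no burst.

```python
import re

# Rates are plain numbers with an optional 'k' (1,000) or 'M' (1,000,000) suffix.
_RATE_RE = re.compile(r"^(\d+)([kM]?)$")
_MULT = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(text):
    """'512k' -> 512000, '1M' -> 1000000; anything else is rejected."""
    m = _RATE_RE.match(text)
    if not m:
        raise ValueError(f"bad rate {text!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_burst_time(text):
    # Assumption: whole seconds, optionally written with an 's' suffix ('10' or '10s').
    return int(text[:-1] if text.endswith("s") else text)


def _pair(token, conv):
    """Split 'rx[/tx]'; a missing tx takes the rx value, as the attribute description says."""
    parts = token.split("/")
    if len(parts) > 2:
        raise ValueError(f"bad pair {token!r}")
    rx = conv(parts[0])
    return rx, (conv(parts[1]) if len(parts) == 2 else rx)


def parse_rate_limit(value):
    """Parse a Mikrotik-Rate-Limit string into its eleven fields (router's point of view)."""
    t = value.split()
    if not t or len(t) > 6:
        raise ValueError("expected 1..6 space-separated fields")
    rx_rate, tx_rate = _pair(t[0], parse_rate)
    rx_burst, tx_burst = _pair(t[1], parse_rate) if len(t) > 1 else (0, 0)  # 0: no burst (assumption)
    rx_thr, tx_thr = _pair(t[2], parse_rate) if len(t) > 2 else (rx_rate, tx_rate)  # default: rates
    rx_time, tx_time = _pair(t[3], parse_burst_time) if len(t) > 3 else (1, 1)  # default: 1s
    priority = int(t[4]) if len(t) > 4 else None
    if priority is not None and not 1 <= priority <= 8:
        raise ValueError("priority must be 1..8")
    rx_min, tx_min = _pair(t[5], parse_rate) if len(t) > 5 else (rx_rate, tx_rate)
    if rx_min > rx_rate or tx_min > tx_rate:
        raise ValueError("rx-rate-min/tx-rate-min may not exceed rx-rate/tx-rate")
    return {"rx-rate": rx_rate, "tx-rate": tx_rate, "rx-burst-rate": rx_burst,
            "tx-burst-rate": tx_burst, "rx-burst-threshold": rx_thr, "tx-burst-threshold": tx_thr,
            "rx-burst-time": rx_time, "tx-burst-time": tx_time, "priority": priority,
            "rx-rate-min": rx_min, "tx-rate-min": tx_min}


def combine_gigawords(low32, gigawords):
    """Join a *-Limit attribute (bits 0..31) with its *-Limit-Gigawords attribute (bits 32..63)."""
    if not 0 <= low32 < 2**32 or not 0 <= gigawords < 2**32:
        raise ValueError("each attribute carries an unsigned 32-bit value")
    return (gigawords << 32) | low32
```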
Properties
Property | Description
---|---
name (string; Default: ) | Name of the attribute.
packet-types (string; Default: access-accept) |
type-id (integer:1..255; Default: ) | Attribute identification number from the specific vendor's attribute database.
value-type (string; Default: ) |
vendor-id (integer; Default: 0) | IANA allocated specific enterprise identification number.
Database
All RADIUS-related information is stored in a separate User Manager database, configurable under the "database" sub-menu. "Enabled" and "db-path" are the only parameters that are not stored in the User Manager database; they are stored in the main RouterOS configuration table, meaning that these parameters will be affected by a RouterOS configuration reset. The rest of the configuration, session and payment data is stored in a separate SQLite database on the device's flash storage. When performing any actions with databases, it is advised to make a backup before and after the activity.
Properties
Property | Description
---|---
db-path (string; Default: ) | Path to the location where database files will be stored.
Read-only properties
Property | Description
---|---
db-size | Current size of the database.
free-disk-space | Free space left on the disk where the database is stored.
Commands
Property | Description
---|---
load (name) | Restore a previously created backup file in .umb format.
migrate-legacy-db (database-path; overwrite) | Convert an old User Manager database (from RouterOS v6 or before) to the new standard. It is possible to overwrite the current database.
optimize-db () |
save (name; overwrite) | Save the current state of the User Manager database.
Limitations
Payments
Profiles
Profile-Limitations
Reports
Routers
Sessions
Users
User-Profiles
WEB Interface
Each user has access to their personal profile using a WEB interface. The WEB interface can be accessed by adding the "/um/" directory to the router's IP address or domain name, for example, http://router.ip/um/. Note that the WEB interface is affected by the IP Services "www" and "www-ssl". The WEB interface can be customized using CSS, JavaScript and HTML.