MikroTik User Manager is a RADIUS application developed by the MikroTik team that can be used without charge. User Manager is used for authentication, authorization and accounting of MikroTik RouterOS, PPPoE, Hotspot, DHCP and Wireless users. Although the User Manager package is developed by MikroTik, it is not included in RouterOS by default, so we have to install it manually if we wish to use this RADIUS application. User Manager can be installed on a MikroTik RouterBOARD, MikroTik CHR or MikroTik RouterOS installed on a PC. As a MikroTik RouterBOARD usually has limited resources, it is always better to use MikroTik CHR or RouterOS on a PC. In my previous article I discussed how to install MikroTik CHR and how to install MikroTik RouterOS on a PC. In this article I will discuss how to install the MikroTik User Manager RADIUS Server package and how to do the basic configuration.
User Manager Package Installation on MikroTik RouterOS
User Manager is not included in MikroTik RouterOS by default, so we first have to download the User Manager package from the MikroTik download archive. Before downloading, we have to know our RouterOS version and device architecture name. To find them, go to the System > Resources menu item in Winbox. The Architecture Name and RouterOS Version are shown in the Resources window that appears.
From the above image you can see that I am using MikroTik CHR. So, my architecture name is x86_64 and RouterOS Version is 6.46 (stable). Similarly, find your architecture name and RouterOS version, go to the MikroTik Download Archive, choose your RouterOS version, find the all packages zip file that matches your architecture name and download that zip.
After downloading the all packages zip file, extract it, find the user-manager NPK file and upload that file to the Files window in MikroTik Winbox.
After uploading the User Manager package to the Files window, restart the router. After the restart, the User Manager package will be installed and can be found in the System > Packages window.
User Manager RADIUS Server Basic Configuration
After installing User Manager Package, we need to configure User Manager RADIUS Server. User Manager basic configuration includes configuring Customers, Routers and Users. Now we will configure these items in User Manager RADIUS Server.
Customers Configuration in User Manager RADIUS Server
In MikroTik User Manager RADIUS Server, Customers are treated as service providers. Only customers are eligible to log in to the RADIUS Server's web interface to manage RADIUS users, credits and routers. Each customer can have zero or more sub-customers and exactly one parent customer, which means customers are hierarchically ordered in a tree structure. Customers have different permission levels. The customer who has owner permissions is called the subscriber, and the subscriber's parent is himself. The subscriber can do everything in MikroTik User Manager RADIUS Server.
By default an owner customer named admin is created while installing User Manager RADIUS Server, but the admin customer has no password. So, we first have to set a strong password for the admin customer. The following steps will show how to log in to User Manager RADIUS Server and change the admin password.
- Open any browser and type http://user_manager_router_ip/userman (example: http://192.168.70.4/userman). User Manager Customer login page will appear.
- Put admin in Login input box and hit Log in button. User Manager Web Interface will appear.
- Click on Customers menu item and you will find that admin customer is available here.
- Click on admin customer. Customer details window will appear.
- Now put a strong password in Password input box and click Save button.
Users Configuration in User Manager RADIUS Server
In MikroTik User Manager RADIUS Server, Users are the people who use internet services such as MikroTik PPP Server, Hotspot, DHCP Server, Wireless service and so on provided by any customer. These users may be limited by time, traffic and speed. Users do not belong to a customer but to a specific subscriber: a customer is only responsible for adding, editing and removing its own part of the users, while all users, along with the customers, belong to a specific subscriber.
By default no user is created in MikroTik User Manager RADIUS Server. Subscribers or Customers are responsible for creating users in the RADIUS server. In this article, we will create a user who will be able to log in to a Client MikroTik RouterOS (NAS device).
Every user must have a profile. So, before creating a user we have to create a profile. The following steps will show how to create user profile in User Manager RADIUS Server.
- Click on Profiles menu item. Profile page will appear.
- From Profiles tab click on PLUS SIGN (+). Create profile pop up window will appear.
- Put a Profile name (example: Full Permission Users) in Name input box and click Create button. Profile and Profile property list will appear that can be changed as required.
- The created profile has no limitation. To add limitation click on Add new limitation button. Profile part pop up window will appear.
- In Period panel, you can set the Days and Time when this profile will be active. By default it is active 24/7.
- From Limits Panel click on New limit button. Limitation details popup window will appear.
- In Main panel, put a limit name (example: Full Permission) in Name input field.
- In Constraints panel, put full in Group name input field and click Add button. This gives the user full permission in RouterOS; RouterOS users can have full, read and write permission only.
- Created limit will be available and selected in Limits panel. Click Add button to add this limit to user profile.
The user profile with limitation is now complete. If you wish, you can create more profiles with limitations by following the above steps.
We will now create a user and assign this created profile to the user. The following steps will show how to create RADIUS user and assign any profile to the user.
- Click on Users menu item. User page will appear.
- From top menu bar click on Add and then click on One option. User details popup window will appear.
- In Main panel, put the user name in Username input field and put the user password in Password input field. Optionally you can provide more information about the user in Private information panel.
- From Assign profile dropdown menu choose any created profile that you want to assign for this user.
- Click Add button to create this user.
We have created a user in User Manager RADIUS Server. Similarly we can create as many users as we need.
Now it is time to add NAS device that will use this created user. NAS devices are added as Routers in User Manager RADIUS Server. In the next part we will see how to add NAS device in User Manager RADIUS Server.
Routers Configuration in User Manager RADIUS Server
In MikroTik User Manager RADIUS Server, Routers are the Client MikroTik Routers that ask for user authentication. MikroTik User Manager is like a judge: it receives questions from Client Routers and must give answers. For example, a Hotspot Server asks: “Is user ‘bob’ allowed to use Hotspot?”. User Manager replies: “Yes, but only 2 hours and give him IP 192.168.110.200”. If an unknown router asks a question, MikroTik User Manager RADIUS Server silently ignores that request. The Router table of User Manager RADIUS Server keeps the list of known routers that are allowed to ask questions to the RADIUS Server.
Both Subscriber and Customers are eligible to add routers in User Manager RADIUS Server. The following steps will show how to add client routers (NAS) that will query the RADIUS Server to authenticate users.
- Click on Routers menu item. Router page will appear.
- From top menu bar click on Add menu and then choose New option. Router Details window will appear now.
- In Main panel, put a meaningful name (example: MikroTik Router) for that client router in Name input field.
- Put the IP address of the client router (example: 192.168.70.2, the router that will be a RADIUS client of User Manager) in IP address input field.
- Put a password in Shared secret input field. This shared secret is important and has to be provided while configuring the RADIUS client. Otherwise, the RADIUS client cannot communicate with this RADIUS Server.
- In Radius incoming panel, check the CoA (Change of Authorization) check box and put CoA port 3799. This port will be used to send acknowledgments to the NAS device about a user’s authorization. For example, if a user exceeds his data limit, the RADIUS Server will tell the NAS device to disconnect the user immediately.
- Click Add button to add this NAS device.
Following the above steps, you can add as many NAS as you want in User Manager RADIUS Server. Similarly, you can enable, disable, change or remove any NAS whenever you want using Edit menu.
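The router table lookup and the role of the shared secret described above, as an added example that is not part of the original article and is not MikroTik's code. It models only RADIUS packet authentication (the RFC 2865 Response Authenticator), not the user password check, and the secret and table contents are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
# Constructed router table: NAS source IP -> shared secret (sample value).
ROUTERS = {"192.168.70.2": b"constructed-sample-secret"}

# Reply attributes for the article's "2 hours, IP 192.168.110.200" answer:
# Session-Timeout (type 27) and Framed-IP-Address (type 8), RFC 2865 encoding.
REPLY_ATTRS = (struct.pack("!BBI", 27, 6, 2 * 3600)
               + struct.pack("!BB4s", 8, 6, socket.inet_aton("192.168.110.200")))


def build_request(identifier, attributes=b""):
    """Access-Request header with a random 16-byte Request Authenticator."""
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + os.urandom(16) + attributes


def response_authenticator(code, identifier, request_auth, attributes, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()


def server_reply(source_ip, request, attributes=REPLY_ATTRS):
    """Build an Access-Accept, or return None for a sender not in the table."""
    secret = ROUTERS.get(source_ip)
    if secret is None:
        return None  # unknown router: request is dropped, no reply is sent
    identifier, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, identifier, request_auth,
                                  attributes, secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    return header + auth + attributes


def client_accepts(request, reply, secret):
    """NAS side: recompute the authenticator with the locally configured secret."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, request[4:20],
                                      reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

A NAS configured with a different secret computes a different authenticator and discards the reply, which is why a mismatched secret looks like a RADIUS timeout on the client.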
RADIUS Client Configuration in MikroTik RouterOS
After adding NAS device, we need to configure RADIUS Client in NAS. The following steps will show how to configure RADIUS Client in MikroTik RouterOS.
- Log in to MikroTik Router using Winbox and a full permission user.
- Click on RADIUS menu item from left menu bar. Radius window will appear.
- Click on PLUS SIGN (+) to add a RADIUS Server. New Radius Server window will appear now.
- Click on login checkbox (because we want only login user verification from RADIUS Server at this moment) from Service panel.
- Put RADIUS Server IP address (in this article: 192.168.70.4) in Address input field.
- Put Shared secret (in this article: 123) that you have entered in RADIUS Server Routers configuration in Secret input field.
- Click Apply and OK button.
- From RADIUS window, click on Incoming button. RADIUS Incoming window will appear.
- Click on Accept checkbox. The default port is 3799, so nothing needs to be changed. Click Apply and OK button.
RADIUS Client configuration in MikroTik RouterOS has been completed. Now MikroTik RouterOS will be able to communicate with the User Manager RADIUS Server.
To authenticate RouterOS user via RADIUS Server, we have to enable RADIUS authentication. The following steps will show how to enable RADIUS authentication in MikroTik RouterOS.
- Go to System > Users menu item from Winbox. User List window will appear.
- Click on AAA button. Login Authentication and Accounting window will appear.
- Click on Use RADIUS and Accounting checkbox.
- Click Apply and OK button.
Client RouterOS (NAS device) is now ready to authenticate users via RADIUS Server. Open Winbox and log in to the Client MikroTik Router using RADIUS Server user credentials. If everything is OK, you will be able to log in to your Client MikroTik Router as a RADIUS Server user. User status can be found in Active Users tab in User List window.
User login status can also be found in User Manager RADIUS Server. To find user session status, log in to User Manager RADIUS Server and click Sessions menu item. You will find the user login sessions there.
If you face any confusion following the above steps, watch the following video on MikroTik User Manager Installation with Basic Configuration. I hope it will clear up any confusion.
How to install and configure MikroTik User Manager RADIUS Server step by step has been discussed in this article. I hope you will now be able to install and configure User Manager RADIUS Server successfully. However, if you face any confusion, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.