 
lukascanecorsolt
just joined
Topic Author
Posts: 3
Joined: Fri May 05, 2023 2:30 pm

User right separation (Radius authorization)

Wed Jan 31, 2024 3:40 pm

Is it possible with User Manager to have users separated by rights? For example: user1 can connect to router1 and router2, user2 can connect only to the wireless network, and user3 can't connect to hotspot. The connection of user2 to routers and hotspot will be restricted. The connection of user3 to routers and wireless will be restricted, also.

If not, can this be done with an external RADIUS server (FreeRADIUS, for example)? Are these standard authorization features supported by MikroTik routers (NAS)?

Thank you.
 
goodbye
newbie
Posts: 47
Joined: Sat Feb 25, 2017 12:48 am

Re: User right separation (Radius authorization)

Tue Feb 06, 2024 5:47 am

From my recent experiments and analysis, the answer is "no" for basic role-based separation using User Manager.
User Manager seems to only be useful for some WISPs and, otherwise, very simple setups. While it can send many different attributes based on profiles and groups, it doesn't seem capable of doing anything with attributes that a RADIUS agent/client sends to User Manager... The only information that UM receives over RADIUS for evaluation is the calling user and/or calling device credential; no other external conditions are checked.

RouterOS can/will absolutely send all the needed information that a "normally capable" RADIUS server would/could for pretty advanced logic, including the independent RBAC to different resources.

I was disappointed too and it is not likely to be useful for any use-case I will likely ever be involved with... lol... but I'm sure it meets the needs of some!
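The kind of per-resource decision an external RADIUS server could make from request attributes, as an added example that is not part of the post above and not code from MikroTik or FreeRADIUS. The attribute names are standard RADIUS (RFC 2865); the service fingerprints, grants and router names are constructed assumptions, and credential checking is left out.

```python
# ASSUMPTION: how each NAS service appears in an Access-Request. Confirm the
# real values from a packet capture of your own routers before relying on them.
SERVICE_FINGERPRINTS = {
    "login": {"Service-Type": "Login-User"},
    "wireless": {"Service-Type": "Framed-User", "NAS-Port-Type": "Wireless-802.11"},
}

# Constructed grants: user -> service -> allowed NAS-Identifier values ("*" = any).
GRANTS = {
    "user1": {"login": {"router1", "router2"}},
    "user2": {"wireless": {"*"}},
}


def classify_service(request):
    """Return the one service whose fingerprint matches, or None if zero or several do."""
    matches = [
        name for name, fingerprint in SERVICE_FINGERPRINTS.items()
        if all(request.get(attr) == value for attr, value in fingerprint.items())
    ]
    return matches[0] if len(matches) == 1 else None


def authorize(request):
    """Deny by default; return (decision, reason) for one attribute dict."""
    user = request.get("User-Name")
    nas = request.get("NAS-Identifier")
    if not user or not nas:
        return "Access-Reject", "missing User-Name or NAS-Identifier"
    service = classify_service(request)
    if service is None:
        return "Access-Reject", "service not recognised"
    allowed = GRANTS.get(user, {}).get(service)
    if not allowed:
        return "Access-Reject", f"{user} has no grant for {service}"
    if "*" not in allowed and nas not in allowed:
        return "Access-Reject", f"{user} not allowed on {nas}"
    return "Access-Accept", f"{user} -> {service} on {nas}"


if __name__ == "__main__":
    # Constructed Access-Request attribute sets.
    samples = [
        {"User-Name": "user1", "NAS-Identifier": "router1", "Service-Type": "Login-User"},
        {"User-Name": "user2", "NAS-Identifier": "router1", "Service-Type": "Login-User"},
        {"User-Name": "user2", "NAS-Identifier": "ap1",
         "Service-Type": "Framed-User", "NAS-Port-Type": "Wireless-802.11"},
    ]
    for sample in samples:
        print(authorize(sample))
```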
 
lukascanecorsolt
just joined
Topic Author
Posts: 3
Joined: Fri May 05, 2023 2:30 pm

Re: User right separation (Radius authorization)

Tue Feb 06, 2024 10:38 am

Hi,

So, calling the "User Manager" service "RADIUS" is an exaggeration. Accounting does not work as the protocol declares. This is an excavated AAA. It's just A without AA :) .

Do you have experience using an external RADIUS server (FreeRADIUS, for example)? Will MikroTik devices be able to work fully as a RADIUS NAS? I have a suspicion that it depends on the internal service: login, wireless, hotspot. Some services may, others may not?! Is it worth experimenting? The documentation on this is very poor.

Thanks.
