Does MT have a builtin Radius Server?

I am upgrading a router from Star-OS to MT. It currently runs a RADIUS server for all the wireless clients on our network and it auths based on the client's MAC address.

Will MT duplicate this functionality? I cannot seem to find the config screen for it.

Take a look at UserManager.

That lets me use a radius server. It does not create one.

At least as far I can tell and based on the docs.

Maybe I should rephrase this.

Does RouterOS have a built-in RADIUS daemon?

You have two choices:
a) use UserManager. It is a user management system similar to RADIUS.
b) use an external RADIUS server for user authentication.

I need my existing non-MT APs to talk to the RADIUS server on the MT router.

I turned on AAA in User Manager but I get no response on the RADIUS ports.

If I understood correctly, you want RADIUS MAC authentication for wireless clients.

This is the RouterOS configuration for that:

/ interface wireless security-profiles set default radius-mac-authentication=yes;
/ radius add service=wireless address=<radius_ip> secret=<secret> authentication-port=1812 accounting-port=1813

Where:
<radius_ip> - your RADIUS server's IP address
<secret> - the shared secret passphrase

Also make sure your RADIUS server is configured correctly to communicate with the router.

We are getting closer, but the RADIUS server needs to be the MT router itself.

I can do all that but I still get no answer on port 1812.

Is it impossible to run RADIUS on the router itself? In other words, <radius_ip> = localhost.

So far MT has kicked Star-OS in the $%^, but is this something that Star-OS does and MT does not?

It would suck to have to build a second server just to run a tiny little daemon. Seems like another point of failure.

Also, the clients are on wireless interfaces on totally different routers spread throughout the network.

As was mentioned before, UserManager is for such purposes.

I am still a bit confused here, but:

What port does User Manager listen on? Or am I missing the point; is User Manager only for use on the local router?

Ah, never mind, User Manager is for the local router only and cannot be accessed remotely for auth.

So in other words, I have found a feature that Star-OS does well and MT lacks! :frowning:

User Manager can be accessed remotely too.
Here you can find all info about user manager:
http://wiki.mikrotik.com/wiki/User_Manager

User Manager is a RADIUS server - either on a standalone router that also has a PPPoE server (i.e. hotspot) or as a dedicated RADIUS manager for remote routers.

Read the userman docs for a full understanding of this fantastic authentication/accounting software built in to RoS.

You are completely missing the point of what userman is.

Try this for a quick setup:

#Local Radius for User manager:
#-----------------------------
#
/ radius 
add service=hotspot called-id="" domain="" address=127.0.0.1 secret="hotspot" \
    authentication-port=1812 accounting-port=1813 timeout=300ms \
    accounting-backup=no realm="" comment="" disabled=no 
/ radius incoming 
set accept=yes port=1700 
/

#User Manager Setup:
#-------------------

/ tool user-manager customer 
    add login="admin" password="12345" company="Company Name Here" \
    date-format="%d-%b-%Y" email="" currency="$" \
    user-prefix="MV" public-id="Admin" time-zone=+02:00 permissions=owner \
    disabled=no 
/ tool user-manager user 
add subscriber=admin name="test" password="test" \
    disabled=no 
/ tool user-manager router 
add subscriber=admin name="loopback" ip-address=127.0.0.1 \
    shared-secret="hotspot" log=auth-ok,auth-fail,acct-fail comment="" \
    disabled=no 
/

I think you are not understanding your own requirements either - if you run a dedicated RADIUS server, you need to authenticate routers ON that server, as well as tell the routers where to find the server.

When it is ONE unit combined, the local loopback address must be used both ways - in the RADIUS setup, as well as the Userman ROUTER setup.

So you say ‘run userman on the router itself’ but then you say your wireless clients are all on remote routers??? Your posts are all contradicting each other.

We are getting closer, but the RADIUS server needs to be the MT router itself.

I can do all that but I still get no answer on port 1812.

Is it impossible to run RADIUS on the router itself? In other words, <radius_ip> = localhost.

What exactly do you want? A RADIUS server to authenticate your clients on remote routers, or a standalone PPPoE/AP/RADIUS/accounting box?

If any of the above, you can do it with userman…

A RADIUS server to authenticate your clients on remote routers.

In our current config, which I built and which has been running flawlessly for nearly 5 years now:

We have a core router, it has 2 eth interfaces and runs DNS caching, L7 packet shaping, NAT for our private subnets and is the main RADIUS server for our entire network of 2000+ clients and a few dozen APs.

We do not use PPTP, PPPoE, or hotspot. Our clients' CPEs are auth'd using their MAC and we use IP accounting connected to our custom-built in-house CRM system to determine monthly transfer.

The answer above appears that it may get us closer. Do we use the MAC address of the client's CPE as the userid/password as we already do on Star-OS? In Star-OS we had to define the formatting of the MAC address; I cannot find any commands or directives to do this in MT.

I have been avoiding the hotspot system as a hotspot is not what I want. But am I to understand that I need to set up hotspot to make this work? Hmm, plus the remote routers do not all support hotspot, but they do support RADIUS-based MAC auth. When a client tries to associate they ask a standard RADIUS server if the MAC is OK.

I have been using the manual. Should I be using the wiki instead?

You don't have to use hotspot with userman. If you know MT, you would know that the RADIUS option has a number of authentication choices. The script above only enables RADIUS authentication via hotspot as one of these options.

I haven't investigated MAC auth on userman yet... but the wiki says this:
http://wiki.mikrotik.com/wiki/User_Manager/Wireless_Example
and
http://wiki.mikrotik.com/wiki/User_Manager/DHCP_Example

I have been using the manual. Should I be using the wiki instead?

For userman - yes

OK, I did a whole bunch more experimenting on this and have made some big progress, but I am still stuck at one point.

I cannot get the MT system to respond on port 1812.

In other words, I want to run the equivalent of FreeRADIUS internally on the MT router. I thought User Manager could do this, but it will not answer RADIUS requests on port 1812.

I thought User Manager could do this, but it will not answer RADIUS requests on port 1812.

???

See my configuration above and check your settings.

Change IPs as required, and it will work on 1812.

Something about V3.0 is making that config incompatible I think.

Just trying to decipher what exactly that script is building...

Hmm, I just tried it on a 2.9 system; there is no user-manager command anywhere in the OS. I can go under user, but the commands as listed are rejected.

Am I missing something here?

GRRRRR...

There is no mention anywhere that there is a difference between managing users and User Manager.

I asked it if I had all the packages and it says yup, you have all of them. Apparently I cannot trust the system.

Well, I am getting closer. I have User Manager up and running but still no response to RADIUS requests.

All I see in the log is:

subscriber=admin user-orig=“” calling-station-id=“” host-ip=127.0.0.1
status=accounting-failure time=nov/26/2007 17:38:43
description=“missing User-Name”

My test requests from my RADIUS tool are timing out.

Yay! I think I have it working.

I added my test PC as a valid router and it now talks to my RADIUS test software! I even got an auth success!

I think the thing that tripped me up repeatedly is getting past the fact that in Mikrotik, they renamed a bunch of standard things to their own naming.

Users=Control over the local administration only, built-in

User Manager=RADIUS! You need to add it separately, even if you installed all packages at install time. It will never appear in WinBox.

Routers=Your APs out on the network that make Radius requests. (I think it is called “NAS clients” in the real world)
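As an added example (not from this thread, MikroTik or User Manager), the exchange the last posts describe, modelled in Python: an AP sends an Access-Request carrying the client MAC as User-Name and as the RFC 2865 hidden User-Password, and the server, like userman's router table, answers only requests from a NAS IP it knows, using that entry's shared secret, and silently drops the rest (the time-outs seen above). The MAC is constructed, the 127.0.0.1 router entry and the secret "hotspot" follow the script posted earlier, and the server logic is a minimal model, not RouterOS code.

```python
import hashlib, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def hide_password(data, secret, req_auth, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block); first block uses the Request Authenticator."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = data[i:i + 16] if decrypt else out[-16:]
    return out

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)  # type, length, value
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(data):
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > len(data): raise ValueError("malformed attribute")
        attrs[t], pos = data[pos + 2:pos + l], pos + l
    return attrs

def mac_auth_request(mac, secret, req_auth, ident=1):
    """What a MAC-authenticating AP sends: the client MAC as User-Name and as User-Password."""
    padded = mac.ljust(-(-len(mac) // 16) * 16, b"\x00")  # pad to a multiple of 16 bytes
    return build_packet(ACCESS_REQUEST, ident, req_auth,
                        [(USER_NAME, mac), (USER_PASSWORD, hide_password(padded, secret, req_auth))])

def serve(packet, src_ip, routers, users):
    """Server side, modelled on userman: NAS looked up by source IP in 'routers', password recovered with its secret, accept only a known MAC."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    secret = routers.get(src_ip)
    if secret is None or code != ACCESS_REQUEST:
        return None, "dropped: unknown router (the client sees a timeout)"
    if USER_NAME not in attrs:
        return None, "missing User-Name"
    pw = hide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth, decrypt=True).rstrip(b"\x00")
    ok = attrs[USER_NAME] in users and pw == attrs[USER_NAME]
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + attributes + secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()
    return build_packet(code, ident, resp_auth, []), "auth-ok" if ok else "auth-fail"

def verify_response(resp, req_auth, secret):
    """Client side: a reply built with a different shared secret fails this check."""
    return resp[4:20] == hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
```

A request from an IP missing in the routers table gets no reply at all, and a request hidden with a mistyped secret decrypts to garbage and is rejected, which is exactly the two symptoms the thread walks through.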