Hello everyone,
I am facing a problem with my MikroTik Hotspot + RADIUS setup, and I would appreciate some guidance from the community.
I am using a RADIUS server (daloRADIUS) for authentication. In my configuration, each user is allowed to use only one device (per-user 1 device policy). However, modern smartphones (both Android and iPhone) use randomised/private MAC addresses, which rotate frequently.
This causes the following issues:
-
Every time the phone changes its MAC address, MikroTik treats it as a new device.
-
The Hotspot cookie stores the old MAC address, so the router becomes confused.
-
The RADIUS server sees a different MAC each time, and the user exceeds the “1 device only” limit.
-
Users get disconnected or cannot log in because the system thinks they are using multiple devices.
I want to know if there is any recommended MikroTik-side solution for this modern behaviour of rotating MAC addresses. My goals are:
-
Keep the “one user → one device” policy.
-
Avoid forcing users to manually disable private MAC (not a scalable solution).
-
Prevent the router from creating multiple device entries for the same user.
-
Allow a consistent identity for authentication even if the MAC changes.
My environment:
-
RouterOS version: 6.49.18 (long-term)
-
Hotspot authentication with RADIUS
-
daloRADIUS backend
-
Per-user device limit enabled
-
Mostly smartphones (Android/iPhone)
Questions:
-
Is there any MikroTik feature to handle randomised MAC addresses more gracefully?
-
Can Hotspot or RADIUS bind the user session to something more stable than the MAC address?
-
Is there any best practice for Hotspot environments with rotating MAC devices?
Any guidance or recommended configuration would be highly appreciated.
Thank you.