New User Manager in RouterOS v7

As some of you have already seen, we have released a brand new User Manager for RouterOS version 7. It is included in the v7.0beta4 extra packages zip file on our downloads page. The package is available for all current architectures excluding SMIPS. Mainly EAP authentication method support and custom RADIUS attribute sending are key features that are not available in the User Manager in RouterOS version 6. A new freshly designed customer portal is also developed specially for the new User Manager.

User Manager is a RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better tracking of system users and customers. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP and Wireless are the features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the web interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway - PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standard defined in RFC2865 and RFC3579.

Currently there is no documentation available for the new User Manager so it is up to you to explore the new package. All User Manager related CLI commands are available under “/user-manager” menu. Winbox support will come a little bit later and there won’t be a separate administrators portal as in the old User Manager. The customer portal is available at http://x.x.x.x/um

If you have any feedback, feature requests or questions, please leave them below.

Feature request: mirroring of the user database to a secondary server on another router, to be used as fallback in case the primary one crashes, is rebooting, etc.

feature request: administrators portal as in the old User Manager

See first post.

feature request: user password encryption via hash function with salt
feature request: option to allow users change own passwords via user portal

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, I miss the nice possibility to generate and print vouchers from the web interface.

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command you're looking for is:

/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>

to generate for specific users, or

/user-manager/user/generate-voucher [f] voucher-template=printable_vouchers.html

to generate for all users.
This will create a file gen_printable_vouchers.html.
To access it you either have to download the file to your device and print that way, or you can access it via the link: /um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
(Note: For link to work You first need to set username and password : /user-manager/advanced/set web-private-username= web-private-password=)

Is there any way to have more logging or debugging? I only have "rejects" out of this user manager setup.
What is wrong in this setup? Is there a possible short example for 802.1x to start from?
Is it the limit, the profile, the authentication method? Should be PEAP and MSCHAP2 for 802.1x, no?

This is a lab setup, no real user environment. hAP ac2 (ROS 7.0beta4) as user manager (192.168.2.23) and wAP ac (ROS 6.46) as wifi AP (192.168.2.25)

user manager configuration

[admin@MikroTik hAPac2] /user-manager> export verbose

# dec/13/2019 13:21:29 by RouterOS 7.0beta4
# software id = B8YC-C4XL
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxxxxx

/user-manager limitation
add download-limit=0B name=tst rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
    rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
    reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=0s
add download-limit=0B name=test rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
    rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
    reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=16m40s
/user-manager profile
add name=userprof name-for-users=userprof override-shared-users=off price=0 starts-when=assigned validity=unlimited
/user-manager user group
set [ find default-name=default ] attributes="" inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=default outer-auths=\
    pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
set [ find default-name=default-anonymous ] attributes="" inner-auths="" name=default-anonymous outer-auths=eap-ttls,eap-peap
/user-manager user
add attributes="" disabled=no group=default name=bpwl password=bpwl shared-users=1
/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
/user-manager advanced
set paypal-allow=no paypal-currency=USD paypal-password="" paypal-signature="" paypal-use-sandbox=no paypal-user="" web-private-password="" web-private-username=""
/user-manager profile-limitation
add from-time=0s limitation=test profile=userprof till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/user-manager router
add address=192.168.2.25 coa-port=3799 disabled=no name=wap shared-secret=mikrotik
/user-manager user-profile
add profile=userprof user=bpwl
[admin@MikroTik hAPac2] /user-manager>



The logging shows: manager, debug <<< tx Access-Reject after 2 request/challenge handshakes.

Time Buffer Topics Message

169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
179 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:60363, id: 124
180 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:60363, id: 124
181 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49734, id: 125
182 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49734, id: 125
183 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:51911, id: 126
184 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:51911, id: 126
185 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:56187, id: 127
186 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:56187, id: 127
187 Dec/13/2019 00:32:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:36744, id: 128
188 Dec/13/2019 00:32:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:36744, id: 128
189 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55070, id: 129
190 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55070, id: 129
191 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:54221, id: 130
192 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:54221, id: 130


The requesting wifi seems normal with RADIUS debug logging.


Time Buffer Topics Message



506 Dec/13/2019 00:30:55 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
507 Dec/13/2019 00:30:55 memory radius, debug, packet debug: received Access-Reject with id 121 from 192.168.2.23:1812
508 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Signature = 0xc74e9aa1891a0423b0680031b52e63a5
509 Dec/13/2019 00:30:55 memory radius, debug, packet debug: EAP-Message = 0x04020004
510 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Message-Authenticator = 0x406d0b9b63b2573f54e206f1139f1ce5
511 Dec/13/2019 00:30:55 memory radius, debug debug: received reply for 58:c3
512 Dec/13/2019 00:30:55 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
513 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64
514 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c4 code=Access-Request service=wireless called-id=test
515 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c4 to 192.168.2.23:1812
516 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 122 to 192.168.2.23:1812
517 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x3dd925fc93baf700562a0cf27abc6fd4
518 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
519 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
520 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
521 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
522 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
523 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
524 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
525 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x02000009016270776c
526 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x7a2e3e7c4a67cf445a4655b18063ad73
527 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
528 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
529 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 122 from 192.168.2.23:1812
530 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xbac9bd4fa4ff68bf517a95ac5ff23afc
531 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x0101001b1a0100001610486eefc353bc
532 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6b2ecdf458c26fbb026120
533 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
534 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xa49772870be90db17f19d97505f1a863
535 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c4
536 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c5 code=Access-Request service=wireless called-id=test
537 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c5 to 192.168.2.23:1812
538 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 123 to 192.168.2.23:1812
539 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x5ff13abc8302675e71b62c41759dc0fe
540 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
541 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
542 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
543 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
544 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
545 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
546 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
547 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
548 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020100060319
549 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x0201fd3d97e48f7cff4bec8a16a18299
550 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
551 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
552 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 123 from 192.168.2.23:1812
553 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x020a7b6a38e9c131011fdadb4d9e49a1
554 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x010200061920
555 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
556 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb7f791633cf57d3ec49c18fd30624470
557 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c5
558 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c6 code=Access-Request service=wireless called-id=test
559 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c6 to 192.168.2.23:1812
560 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 124 to 192.168.2.23:1812
561 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xe3ffe217f2d1fff1d891e45c08228605
562 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
563 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
564 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
565 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
566 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
567 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
568 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
569 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
570 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020200d01980000000c616030100c101
571 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0000bd0301b3d0d7ae846d0dbac970c9
572 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 81cba0b50c44a2aa4593d99ee9318b59
573 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6a5eef810d000054c014c00ac022c021
574 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00390038c00fc0050035c012c008c01c
575 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01b00160013c00dc003000ac013c009
576 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01fc01e00330032c00ec004002fc011
577 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c007c00cc00200050004001500120009
578 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0014001100080006000300ff01000040
579 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000b000403000102000a00340032000e
580 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000d0019000b000c00180009000a0016
581 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00170008000600070014001500040005
582 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00120013000100020003000f00100011
583 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb262b821f948349f54d16ca558b4749d
584 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
585 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
586 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Reject with id 124 from 192.168.2.23:1812
587 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x11b7cd725a0d5086a68c659a3a2ed706
588 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x04020004
589 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x5345932c7690016ac6bd851a1cc54aea
590 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c6
591 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
592 Dec/13/2019 00:32:14 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64

Device is an old Android tablet with PEAP and MSChap2 set for wifi network security, or even my Windows 10 laptop. Both cannot connect.

This same AP setup with the wAP works with a Draytek router and Synology-NAS RADIUS server. But there is poor logging in the Draytek never logging the requesting device, and the Synology NAS is overkill.

Kudos to the mikrotik team for the work done so far on the new user-manager!

Is there a command option to generate vouchers for a specific group of users, sorting either by prefix of the user ID or by profile, instead of inserting multiple user IDs one by one!!!

Can’t wait for long to have the Winbox/Webfig control for the UserManager admin :smiley:. it should be a top priority!!
because doing stuffs from CLI for not-so-techy user-manager admins who have to generate vouchers from time to time will pose a major challenge

I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with the construct [ find ]. I don’t know what the selection criterion would look like (I’m not running userman), but I guess the usual regular expressions work here as well …

That works!! Thanks

feature request: user’s ability to change own password from the users portal as in the old User Manager

@mkx & @jolly - My provided lines were just an example. Standard ROS script functions to find a particular set of data can be used while generating vouchers as @mkx mentioned.

bpwl - User Manager requires a certificate in order to work with EAP and I see that you do not have a certificate specified under UM settings:

/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
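
Decoding the EAP-Message values from the AP's RADIUS debug log earlier in the thread shows where the handshake stops: the EAP Failure follows directly on the client's TLS ClientHello inside PEAP, which is the step where the server has to present its certificate. This is an added example, not part of the original posts; the hex strings are copied from that log (the ClientHello is cut to its first logged line) and the function names are illustrative.

```python
# Added example: decode EAP-Message hex values as printed by the RADIUS
# packet debug log. Function and variable names are illustrative.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}
TLS_BASED = {13, 21, 25}  # methods that tunnel a TLS handshake


def type_name(t):
    return EAP_TYPES.get(t, f"type {t}")


def decode_eap(hex_value):
    """Decode one EAP packet; tolerates values cut short in the log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident,
           "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return out  # Success and Failure have no type field
    eap_type, data = raw[4], raw[5:length]
    out["type"] = type_name(eap_type)
    if eap_type == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:  # Nak lists the methods the peer would accept
        out["wants"] = [type_name(t) for t in data]
    elif eap_type == 26 and data:
        out["opcode"] = MSCHAP_OPCODES.get(data[0], f"opcode {data[0]}")
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        out["start"] = bool(flags & 0x20)
        # With the L flag (0x80) a 4-byte TLS message length precedes the data.
        body = data[5:] if flags & 0x80 else data[1:]
        if len(body) >= 6 and body[0] == 22:  # TLS record type 22 = handshake
            out["tls"] = TLS_HANDSHAKE.get(body[5], f"handshake {body[5]}")
    return out


# (sender, EAP-Message) in log order, from the AP's debug log for the
# attempt at 00:31:44. The last Response is only its first logged line.
EXCHANGE = [
    ("client", "0x02000009016270776c"),
    ("server", "0x0101001b1a0100001610486eefc353bc6b2ecdf458c26fbb026120"),
    ("client", "0x020100060319"),
    ("server", "0x010200061920"),
    ("client", "0x020200d01980000000c616030100c101"),
    ("server", "0x04020004"),
]


def last_step_before_failure(exchange):
    """Return the decoded message that immediately preceded an EAP Failure."""
    decoded = [decode_eap(h) for _, h in exchange]
    for prev, cur in zip(decoded, decoded[1:]):
        if cur["code"] == "Failure":
            return prev
    return None


if __name__ == "__main__":
    for who, hexval in EXCHANGE:
        print(who, decode_eap(hexval))
```
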

@strods

Thanks a lot. The perfect answer I was looking for.

300 Dec/16/2019 09:41:22 memory certificate, info generated CA certificate: CA
301 Dec/16/2019 09:41:37 memory system, info, account user admin logged out from 192.168.2.21 via telnet
302 Dec/16/2019 09:41:59 memory certificate, info generated certificate 7A594AB680019073:AP:BE:TEWEAD:IT:WVL:Roeselare key-size:2048 key-curve:0 usage:8000000d valid:365 for CA CA
303 Dec/16/2019 09:44:09 memory system, info, account user admin logged in from 192.168.2.21 via telnet
304 Dec/16/2019 09:46:16 memory system, info UMS settings changed by admin
305 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55868, id: 140
306 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55868, id: 140
307 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:39222, id: 141
308 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:39222, id: 141
309 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:52030, id: 142
310 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:52030, id: 142
311 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55534, id: 143
312 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55534, id: 143
313 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:48873, id: 144
314 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:48873, id: 144
315 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:47916, id: 145
316 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:47916, id: 145
317 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:34664, id: 146
318 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:34664, id: 146
319 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:46874, id: 147
320 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:46874, id: 147
321 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49471, id: 148
322 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49471, id: 148
323 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:50628, id: 149
324 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Accept to [192.168.2.25]:50628, id: 149

Now I would like to see in the unit that runs the user-manager what device was logging into wifi with what user name. (Calling ID and user account). Information is in the RADIUS packet and can be seen at the AP with the RADIUS packet debug logging. Or should I check “accounting” somewhere? I need to know for legal logging, who is doing what on the internet connection. Not all my AP’s are Mikrotik yet. Using a login portal for internet access is what we had, and has proven to be problematic with 80 visiting users and 10 AP’s and many different devices.
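
One way to pull the device and account pairs out of the AP-side RADIUS packet debug log mentioned above, as an added example that is not part of the original post. It assumes the log line format shown earlier in the thread; the first lines of the sample are taken from that log, the `guest01` exchange and its Access-Accept line are constructed, and the function name is illustrative.

```python
import re

# Line layout as shown in the thread: "<n> <date> <time> memory radius, debug[, packet] debug: <msg>"
LINE = re.compile(r"^\s*\d+\s+(\S+ \S+)\s+memory\s+radius, debug(?:, packet)?\s+debug: (.*)$")
SENT = re.compile(r"^sending Access-Request with id (\d+) to (\S+)$")
RECV = re.compile(r"^received Access-(Accept|Reject|Challenge) with id (\d+) from (\S+)$")
ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")


def audit(log_text):
    """Return one record per final Accept/Reject, with the requesting device and user."""
    pending = {}    # RADIUS id -> attributes of the request still awaiting a reply
    current = None  # id of the request whose attribute lines are being read
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = m.group(1), m.group(2).strip()
        sent, recv = SENT.match(msg), RECV.match(msg)
        if sent:
            current = sent.group(1)
            pending[current] = {}
        elif recv:
            kind, rid, server = recv.groups()
            attrs = pending.pop(rid, {})  # empty if the log starts mid-exchange
            current = None                # lines that follow belong to the reply
            if kind != "Challenge":       # challenges are intermediate EAP rounds
                records.append({"time": ts, "result": kind, "server": server,
                                "user": attrs.get("User-Name"),
                                "station": attrs.get("Calling-Station-Id"),
                                "port": attrs.get("NAS-Port-Id")})
        elif current is not None:
            attr = ATTR.match(msg)
            if attr:
                pending[current][attr.group(1)] = attr.group(2).strip('"')
    return records


P = "memory radius, debug, packet debug:"
# Sample input: ids 121-124 follow the thread's log, id 149 is constructed.
LOG = f"""\
506 Dec/13/2019 00:30:55 {P} NAS-IP-Address = 192.168.2.25
507 Dec/13/2019 00:30:55 {P} received Access-Reject with id 121 from 192.168.2.23:1812
516 Dec/13/2019 00:31:44 {P} sending Access-Request with id 122 to 192.168.2.23:1812
520 Dec/13/2019 00:31:44 {P} User-Name = "bpwl"
523 Dec/13/2019 00:31:44 {P} Calling-Station-Id = "54-A0-50-96-A9-99"
529 Dec/13/2019 00:31:44 {P} received Access-Challenge with id 122 from 192.168.2.23:1812
560 Dec/13/2019 00:31:44 {P} sending Access-Request with id 124 to 192.168.2.23:1812
564 Dec/13/2019 00:31:44 {P} User-Name = "bpwl"
566 Dec/13/2019 00:31:44 {P} NAS-Port-Id = "wlan5"
568 Dec/13/2019 00:31:44 {P} Calling-Station-Id = "54-A0-50-96-A9-99"
586 Dec/13/2019 00:31:44 {P} received Access-Reject with id 124 from 192.168.2.23:1812
588 Dec/13/2019 00:31:44 {P} EAP-Message = 0x04020004
900 Dec/16/2019 09:48:20 {P} sending Access-Request with id 149 to 192.168.2.23:1812
901 Dec/16/2019 09:48:20 {P} User-Name = "guest01"
902 Dec/16/2019 09:48:20 {P} NAS-Port-Id = "wlan5"
903 Dec/16/2019 09:48:20 {P} Calling-Station-Id = "02-00-00-00-00-01"
904 Dec/16/2019 09:48:20 {P} received Access-Accept with id 149 from 192.168.2.23:1812
"""

if __name__ == "__main__":
    for rec in audit(LOG):
        print(rec)
```

With PEAP or TTLS the outer User-Name can be an anonymous identity, so the name logged at the AP is not necessarily the account that authenticated inside the tunnel.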

All fine the tests with wireless 802.1x (WPA2 enterprise) and the user-manager as Radius server, until the client is Windows 10 (1903). Windows 10 clients seem not to accept self-signed certificates, even if the CA certificate is added to the trusted base certificates on the client, and checking the server certificate is disabled. Either a publicly acquired certificate is needed, or a private certificate authority has to be set up. Not that simple building that private certificate authority if there are no servers in the network (only routers, switches and access points). Using other routers for radius server does work well, but those have a built-in certificate, signed by the CA of the vendor. Is there such a thing with Mikrotik? Acquiring a public certificate is quite a job, as you have to have your own domain name (e.g. noip.com), and a publicly accessible website to enroll and renew the certificate (e.g. Let’s Encrypt).

I followed this https://serverfault.com/questions/986375/mikrotik-eap-tls-wifi-config-using-certificates and this https://support.microsoft.com/en-us/help/814394/certificate-requirements-when-you-use-eap-tls-or-peap-with-eap-tls and this https://blogs.msdn.microsoft.com/shreyasgowda/2017/08/18/public-certificates-vs-private-certificates-vs-self-signed-certificates/ and many many other instructions for EAP, certificates and Windows 10 compatibility. But none of them worked. If I use the radius on my Synology NAS storage device then it works fine (CA is Synology.com). Start wondering if it is the certificate or the TLS 1.2 incompatibility (Windows 10 version 1903?): https://support.microsoft.com/en-us/help/3121002/windows-10-devices-can-t-connect-to-an-802-1x-environment . Can we specify the TLS version of EAP? It did not work from the Windows side.

Future request:
Ability to change generation properties.
Like generate numbers only or letters only, or choose a set of letters/digits/symbols in addition to previous properties

guess this feature will make a lot of people very happy ( and of course … no doubt … me too)
well done :exclamation:
[Attached screenshots: v7-eap-test-um-stat.PNG, v7-eap-test-rad-debug.png, v7-eap-test-ws.png, v7-eap-test-andr.png, v7-eap-test-um-sess.PNG]
and unlike me, keep your clocks in sync !

@floaty: Super !!!
Any issues with Windows 10 clients?