New User Manager in RouterOS v7

Thanks for the advice. However, I’m getting further and further away from a working setup.

Gradually increased the timeout up to 4000ms, but nothing helped.
However, now I see only 6 handshakes (12 packets) with each attempt, not the usual 10. No idea why the communication now stops there.
Maybe the certificate? We moved from summer time to winter time??? User profile limits kicking in?? (non-existing, everything was unlimited). Also created new fresh users to test. Nothing helped.
No error messages.

I destroyed my Raspberry Docker environment by some Portainer upgrade or phpAdmin installation. But I have an even more stable Docker installation of Freeradius on my Odroid N2+.

IP addresses in the sniffer file: (2.38 Raspberry = broken, 2.42 Daloradius docker on Odroid, 2.25 the wAP ac as RADIUS client, 2.100 ROS 7.1rc5 CHR VM on Synology with User Manager)
See ZIP file.

Current situation:
With Usermanager: Tablet works, Windows fails
With Freeradius: Tablet and Windows work.

PS: (When swapping RADIUS servers, the Usermanager didn’t like to receive accounting information due to the Freeradius authentication, and sent kill commands for that session.)

Also created and selected the certificates as published example, on the server only: no change

Sorry, what blew up the Windows environment? The previously mentioned TLSv1.2 registration editing, that was undone, and never helped?

EDIT: kept digging … Windows’ complex logs give: “Authentication for the EAP method 25 type failed. The following error occurred: 0x30A.”
What is 0x30A? No idea, but it smells like certificates.
Revisited the certificate process. Something must have gone wrong with the copy/paste of the full example in ‘New Terminal’.
Some things are not familiar to me, like I never used keysize ‘secp384r1’ before.
Done again, line by line … and BINGO … that certificate “userman-cert” does work for Windows 10, and for the tablet.
The FreeRADIUS copied certificate does not work for Windows 10 with Usermanager v5.

THANK YOU !

Now time to analyze that certificate :slight_smile: (My “free-radius” certificate I used had become invalid since 24/oct/2021. Now added the “invalid after” column in Winbox table)

# Generating a Certificate Authority
/certificate
add name=radius-ca common-name="RADIUS CA" key-size=secp384r1 digest-algorithm=sha384 days-valid=1825 key-usage=key-cert-sign,crl-sign
# sign it
sign radius-ca ca-crl-host=radius.mikrotik.test
# Generating a server certificate for User Manager
add name=userman-cert common-name=radius.mikrotik.test subject-alt-name=DNS:radius.mikrotik.test key-size=secp384r1 digest-algorithm=sha384 days-valid=800 key-usage=tls-server
# and sign it
sign userman-cert ca=radius-ca
# to be set in the usermanager settings

4000ms.zip (19.2 KB)

Thank you. I tried to test it again on my Windows 10 laptop (PEAP-MSCHAPv2). It works with the User Manager based on RouterOS v.7!
It also works with self-signed certificates that were generated by any MikroTik device and then imported to the device running User Manager. :slight_smile:

However, I have not found how to set the condition for anonymous identity on User Manager like I set on the Connection Request Policy on NPS (Network Policy Server).
It would be nice if MikroTik added support for this in the next revision of RouterOS v.7. Thanks.

Additionally (my observation), I tried to use a MikroTik device as a wireless supplicant in a wireless LAN with WPA2 EAP (PEAP). I can only set the TLS mode to “dont verify certificate”. I know that it is meant for EAP-TLS, but I would like the wireless supplicant to verify the CA certificate (root certificate) like it works in Dot1X (client). Unlike the wireless supplicant, the Dot1X-based client with PEAP in a wired LAN needs the CA certificate (without the CA certificate, it does not work); however, the laptop computer with its wired connection has an option to go ahead without the CA certificate.

Thanks again for implementing the User Manager to support IEEE 802.1X. :slight_smile:

Hello everyone

Just joined this forum and wanted to share my simple trial with enterprise WiFi EAP success using the new UM:
Nothing special here, just one RB working as AP, RADIUS client and UM (RADIUS server, I guess)
Tested on Mobile: iPhone X and Samsung A02
Windows 10 Laptop
MAC Auth and Accounting is also included in this setup

UM:

/user-manager
set certificate="replace this with Cert name" enabled=yes
/user-manager router
add address=127.0.0.1 name=Test-RB

Wireless Sec Prof:

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap interim-update=5m mode=dynamic-keys radius-eap-accounting=yes \
    radius-mac-accounting=yes radius-mac-authentication=yes supplicant-identity=""

In this setup, you need to add two users in UM for each device, one with username/password and the other with username=MAC without a password.
I hope this can help some people utilizing the new UM with enterprise WiFi security.
Please note that I don’t have any knowledge about security and my role here is just a normal implementer.
Thanks

Hello, does anyone know what the performance limit of the new UM is?

7.1rc6 MAC authentication is working fine for me with a ZyXEL XGS1930 switch. However, there are no Sessions showing; also, in the Users section I am not seeing any Uptime.

Anyone else had any issues?

Been toying with UM on 7.1rc6 and I’m seeing similar issues. No accounting, no data.
Hosts do show uptime, but users don’t.

Makes it a bit difficult to track if it does what it is supposed to do with hotspot (which ultimately is what I’m trying to setup for another environment).
Going to set up a test environment with map and maplite to play a bit more with it.

Not all connections provide session data. It is possible to have it with Wireless or PPPoE connections, but I don’t think it is possible with MAC authentication on switches. The Switch just asks for permission to admit a certain MAC, and that’s it.

Session data mostly comes from Radius accounting, in my experiments.

RouterOS even allows a backup accounting server. (That is what I do today, sending the accounting also to User Manager, as the MT RADIUS licence is too limited in the number of sessions.)
(And PEAP/EAP is not available in ROS 6, and accounting is not available on the main (Draytek) router.)

Hotspot authenticated via userman still shows the error “Radius server not responding”. Is it a bug, or did I miss something?

Did you enable it in 2 places?
Hotspot server radius
And User Manager incoming

Off the top of my head…

Correction:
User manager settings - set to enabled
Radius - Incoming - set to accept
And Hotspot - Server Profiles - Use Radius

So it’s 3 places you need to visit.

and so many more things to check …

  • is the AP/Hotspot IP address in the User Manager “router” list ?
  • RADIUS server IP in the Radius setting? Shared Secret OK ?
  • using port UDP/1812? IP path/route OK? Port accessible? (Firewall settings)
  • reverse IP route RADIUS->Hotspot OK?

Does RADIUS server respond on NTRadPing or other radius tester?
http://forum.mikrotik.com/t/radius-server-is-not-responding/152803/7
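For the items in that checklist (shared secret, UDP/1812 reachability, the router list), a small RADIUS test client in the spirit of NTRadPing shows what a tester actually checks: it builds an RFC 2865 Access-Request, and validates the Response Authenticator of whatever comes back, which is the only way to tell a wrong shared secret from a reachable, working server. This is an added example, not code from the thread or from MikroTik; server address, secret and credentials are placeholders, and the packet-building functions run offline.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out

def build_access_request(ident, username, password, secret, authenticator=None):
    """Access-Request carrying User-Name (1) and User-Password (2); returns (packet, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", 1, 2 + len(username)) + username
    enc = encrypt_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(enc)) + enc
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_reply(reply, request_authenticator, secret):
    """True only if the reply was produced with the same shared secret the request used."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return reply[4:20] == expected

def radping(server, secret, username, password, port=1812, timeout=4.0):
    """Send one Access-Request the way NTRadPing does and classify the outcome (placeholder inputs)."""
    pkt, auth = build_access_request(1, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no response: check the router list entry, the UDP/1812 route and the firewall"
    if not verify_reply(reply, auth, secret):
        return "reply failed the authenticator check: shared secret mismatch"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(reply[0], f"code {reply[0]}")
```

Call `radping("192.0.2.1", b"your-shared-secret", b"testuser", b"testpass")` against the User Manager address; a timeout points at the router list or routing, and an authenticator failure points at the secret.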

In UM 6 there was a customer to set up the timezone, but now I couldn’t find customers in any submenu in the new UM, so the time difference issue is here now.
Has anyone solved this issue, or should we wait for another upgrade?

Hello,
I am new to User Manager; I have a new MikroTik router with RouterOS 7.1 official stable support.
I cannot find any documentation regarding the User Manager, how to enable it, and how to start using it.
As far as I understand, it can also be a RADIUS server (for external network devices, like Cisco switches, Unifi wireless etc.)?
I also cannot find how to run the configuration, since https://wiki.mikrotik.com/wiki/Manual:User_Manager
says it should be under /tool, but it is not.
I have only one package - routeros 7.1 version.
Please advise a link, or reference, on how to start using and set up this great feature, and its documentation.
Thank you

Documentation for RouterOS v7 is here: https://help.mikrotik.com/docs/
Specifically for User Manager it is here: https://help.mikrotik.com/docs/display/ROS/User+management

The documentation is wrong, because the correct path using the CLI is /user-manager,
not /tool user-manager:

[xyz@Map2nD] > /user-manager/
[xyz@Map2nD] /user-manager> /tool user-manager
bad command name user-manager (line 1 column 7)
[xyz@Map2nD] /user-manager>

Same in Winbox.
Direct submenu User Manager. Nothing under tools.

Documentation is still about the old User Manager.
This one is a better example: https://help.mikrotik.com/docs/display/ROS/Enterprise+wireless+security+with+User+Manager+v5

Ok I have complained about the lack of version-awareness in the help system before :slight_smile:
I had found that docs but while I clicked around a bit to find a neat anchor to post here, I apparently wandered off to the old docs again.

The help system really should be organized in such a way that it is clear what is for v6 and what is for v7… v6 will be around for some time, I suppose.

Absolutely true !
And there is an even older document system still going around … https://wiki.mikrotik.com/wiki/Main_Page
Doesn’t make it easy to find the required info.

Do I get it? At the reception of a hotel, do I have to instruct the employees to use Winbox?
I don’t think they will like it. And what good is it for the user to log into an account … I also need to explain how to authenticate. Oops… Manual for end user
Sorry