Can I limit bandwidth by the MAC address, using the radius client to to interface with a billing server, but without having to use PPPoE. That way the a specific radio would be set to the bandwidth limit without the customer having to log in. I would like to have the bandwidth limiting done at the mikrotik router that will be at the POP.
You can what you described with HotSpot MAC Authentication.
-
Enable Login by MAC and RADIUS Authentication.
-
Enter the CLient’s MAC Address in the RADIUS/Billing Server.
They should be loged in if their MAC Address is Authorised by the RADIUS/Billing Server, otherwise the’ll be presented with the HotSpot Login Page.
By using the login by mac address method, does that mean that the customer does not have to type in any passwords or user names ? Also, is there a way to not allow them access at all, instead of sending them to a login page. I’m basicly trying to create a solution that does not require the customer to do anything other than use the radio that was installed on their house. I would like to have a solution that will handle bandwith management in a way similar to canopy BAM or PowerNOC’s BMU. I want to have a transparent bandwidth control device between my connection and netowrk.
Can the hotspot be used across a set of bridged interfaces to create a transparent bandwidth controler ?
You can setup hotspot on a bridge, yes.
But why do you want to use HotSpot as bandwidth controller? Perhaps I don’t get the point…
Best regards,
Christian Meis
The hotspot is what was suggested to me. I’m looking to have a transparent bandwidth controler that would interface with billing software (that has a radius server) without having to pay thousands of dollars. I would much rather pay $95 for L5 RouterOS. If i dont have to use the hotspot to get bandwidth control by MAC, that would be great. 
I’m looking into this as well. I want to limit bandwidth at each POP via MAC address, I use DHCP on the network so limiting via IP address is not a viable solution. I was looking into the RADIUS client features in mikrotik. If I used RADIUS to authenticate wireless users and also set the RADIUS server to pass rate limiting information, does this create simple queues on the local MT box?
(Reference: http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius)
It should acording to this: http://www.mikrotik.com/docs/ros/2.9/ip/dhcp. See Rate-Limit under DHCP Server Setup.
wildbill442, Yeah, it creates simple queues for it.
We’re currently running an RB532 box at a tower site that’s doing exactly this. We took it a step further by setting ARP on the wireless interface to reply-only, and then in the DHCP server, checked off Add ARP entry. (Then for customer CPE’s, we have those sitting on private static IPs with static ARP entries for them in the RB532.)
This does several things for us. First, it gives us an on/off switch for customers. Secondly, it makes the network a little more secure by only allowing certain MACs; makes it more difficult for a non-customer to put up an antenna and get free internet access (should they know where to point it and what our IP addresses are). Third, it allows us to do bandwidth throttling by MAC, and give customers a public dynamic IP.
so you can set the clients ip and bandwidth queue completely dynamically through radius? how often does it recheck radius in case of a change?
RADIUS only sends its’ reply parameters (which include the bandwidth limiting settings) after a successful authentication, i.e. at the beginning of a session.
So to have new RADIUS settings get into effect, you have to wait for you customer to end his connection and login again. Or, you could terminate his connection and force him to re-login (depending on how urgent your changes are…).
Best regards,
Christian Meis
Or, you can go in and manually modify the values in the already-existing dynamically created queue. That lets you apply changes as needed, without bumping the customer.
–Eric
It is not possible in Winbox, since 2.9.8 
Only in CLI.
well then i guess my question is: how do you make a user logout if he is MAC authenticated to RADIUS?
and how do you make the DHCP server assign the users IP from RADIUS?