User Manager as RADIUS server for other access points

Hi,

Sorry, I'm new here to MikroTik devices, and I want to ask: can a MikroTik router act as a RADIUS server for other devices?
Here's the detail of what I want to ask. My topology is Starlink → switch → Cambium access point. I want to add a MikroTik router connected to the switch, then use MikroTik User Manager to manage the RADIUS server users. Is it possible?
I already tried; all devices can communicate, but when the access point sends an authentication request to the MikroTik, the response is only a request timeout.

Thank you for your help.

Yes, I can confirm it works as a RADIUS server for authentication and interim accounting with UniFi and Aruba APs. You can also direct the APs to put individual users into their specified VLAN when authentication succeeds. With Aruba, User Manager can also pass the user role to the APs, and with it bandwidth limitation also works.

What is not working is Change of Authorization (CoA) / Disconnect on UniFi APs, because User Manager does not provide all required attributes and MikroTik has refused to add the missing ones :confused:. As a result, session time and download / upload volume limitations don't work, because User Manager cannot tell the APs to disconnect the user.

In System → Logging you can add an entry for the “manager” topic to better diagnose the issues with your Cambium AP. You can also use the Packet Sniffer on the router (filter by UDP ports 1812, 1813) to monitor the RADIUS communication between the AP and the router.

I tried to follow the steps on the internet; the connection between the access point and the MikroTik is reachable, but when the Cambium sends the authentication request to the MikroTik, it replies request timeout.
I configured RADIUS with services login, wireless, and the firewall to accept port 1812. Am I missing any step here?

Thanks for your help.

If you add the new entry for topic=manager under System → Logging, you’ll see more details in the Log whenever the APs communicate with User Manager. Also you can temporarily start Tools → Packet Sniffer (configured to filter ports 1812 and 1813) and check whether packets appear on the router interfaces when the APs are supposed to send the requests to User Manager. Packet Sniffer can also dump to file, and you can open the file in Wireshark to see all the protocol details from the packets, including what response is sent back by User Manager.

If nothing appears then maybe a firewall is blocking UDP packets between the devices and the router.


No, on RouterOS you don't need to configure anything under the RADIUS menu; that part is for RouterOS acting as a RADIUS client (NAS). For User Manager to act as a RADIUS server for the APs you only need to change the settings within the User Manager menu. You enable it under User Manager → Settings → Enabled, and select a certificate if possible (you can use the one issued by Let's Encrypt; the router can request a certificate from Let's Encrypt with /certificate/enable-ssl-certificate). Then in the Routers table add one entry for each of your access points, with their IP addresses and the chosen shared secret (which you'll also enter on the APs). You can then create Users / User Groups.

If Limitations are needed, then you must enable the Use Profiles checkbox under Settings, and create Profiles, Limitations, as well as the Profile Limitations and User Profiles associations.

(screenshot: radius-sniffer.png)

Hi CGGXANNX,

So if I'm not mistaken, I just configure User Manager, add the routers (the address is the access point's IP address) and set the shared secret, then add the users, right?
On the access point side I just add my MikroTik IP address as the host and set the same RADIUS secret and port.

Once again thanks for the assistance, and correct me if I'm wrong.

Yes, that's roughly all I needed to do. For better security you can get a certificate from Let's Encrypt (RouterOS supports generating it) for any domain/subdomain of yours, and select this certificate under User Manager → Settings → Certificate. When users connect to the APs on devices like Windows or Apple ones, they will see the domain of the certificate and can make sure that the APs are the trusted ones (domain matches expectation). On Android phones they need to enter the domain name beside the username (as identity) and password when first making the connection, and choose EAP method = PEAP, Phase 2 authentication = MSCHAPv2, CA certificate = Use system certificate.

You can also create special user groups for your WiFi users, for Outer Auths and Inner Auths only these checkboxes are needed.

(screenshot: userman-wpa-enterprise-1.png)

In the screenshot you can also see that I am assigning the WiFi users belonging to this group to the VLAN with ID 15, by adding the three attributes. The VLAN ID is specified with Tunnel-Private-Group-ID (15 in this example). Your access point must support this feature; I've confirmed it working with UniFi, Aruba, and TP-Link Omada APs. With this you only need one SSID but can still have the connecting users in multiple different VLANs. The Ethernet port from the router to the APs must be configured as a hybrid port with the supported VLANs tagged.

Sorry, I still encounter a problem. When I try to ping from the AP to RouterOS it is fine, but when I configure WPA2 Enterprise set up exactly the same as your steps and then try to test the WiFi, the AP does not send any request to the MikroTik, so there is no log etc. Or is it that my AP, which is a Cambium E410, does not support it? On the firewall I already set accept on port 1812.

If no packet appears in the packet sniffer, and no log is being written in RouterOS then it might still be because it was blocked by the firewall. The default firewall config allows ICMP from everywhere, so ping still works if the router blocks everything else. If it’s not the firewall, then maybe it’s the setup on the Cambium switch. I’ve never used their products, but looking at this interface:

(screenshot: cambium-ap-radius.png)

The IP address and shared secret of the router should be filled in for both the Authentication Server and the Accounting Server (red arrows). You should also set Accounting Mode to “Start-Interim-Stop” and maybe turn on Accounting-On messages (blue arrows).

CoA should also be turned on if you want User Manager to be able to tell the Access Points to end a session (green arrow). That corresponds to the CoA setting with CoA Port 3799 in RouterOS User Manager.

Maybe you can also increase the number of Attempts from 1 to 3?

Do you use the “Proxy through cnMaestro” feature? If yes then on RouterOS User Manager the cnMaestro host (on-premise) must be added as “Routers”, because it will be communicating with User Manager, not the access points.

Yes, that is the interface.

I think the problem is in the firewall, but I still don't know how to manage the firewall, since I use telnet to see whether the RADIUS port is open or not.
Sorry if I am very stupid, since I'm just new here, and I can't provide any RADIUS server with a virtual machine or cloud based, so I thought this would work, but it is very hard for me.

Should the RADIUS port be listed under IP services or not? Because if yes, in mine there is no such 1812 port.

All the relevant ports 1812, 1813, 3799 are UDP (and not required to be listed under IP services), not TCP. Which means you cannot test with telnet. It’s better for debugging to use packet sniffer like I posted above.

To temporarily bypass possible blocking rules in your firewall configuration, you can add a filter rule: chain input, protocol UDP, destination port 1812,1813, action accept. Then move this rule by dragging it to the top of the filter table. This is just for testing whether the problem is caused by the firewall. Once done with testing, this rule should be removed.
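As an added diagnostic that is not from this thread or from MikroTik: a small pure-stdlib Python RADIUS client that sends one PAP Access-Request (with Message-Authenticator) to the router on UDP 1812 and reports the outcome the way the AP experiences it, a timeout (firewall drop, AP missing from the Routers table, or a secret mismatch, since a server that computes a different Message-Authenticator silently discards the packet), a reply whose Response Authenticator does not verify against the shared secret, or an Accept/Reject code plus the Tunnel-Private-Group-ID VLAN if the Accept carries one. The host, user, password and secret are placeholders you supply; the packet builders and the response check follow RFC 2865/2868/2869, and the server-side build_response is only there so the behaviour can be exercised offline.

```python
import hashlib, hmac, os, socket, struct

# RADIUS codes/attribute types (RFC 2865, 2868, 2869); User Manager listens for these on UDP 1812.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 80, 81
def tlv(t, v):  # one attribute: Type, Length (header included), Value
    return struct.pack("!BB", t, len(v) + 2) + v
def pap_password(secret, password, req_auth):  # RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + prev block)
    pw, out, prev = (password.encode() or b"\0"), b"", req_auth
    pw += b"\0" * (-len(pw) % 16)
    for i in range(0, len(pw), 16):
        prev = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out
def build_access_request(secret, user, password, ident, req_auth):
    """Access-Request with hidden User-Password and a trailing Message-Authenticator (RFC 2869 5.14).
    A server that computes a different HMAC silently discards the packet, which the AP sees as a timeout."""
    attrs = tlv(USER_NAME, user.encode()) + tlv(USER_PASSWORD, pap_password(secret, password, req_auth))
    attrs += tlv(MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed now, replaced by HMAC-MD5 over the whole packet
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
def build_response(secret, code, ident, req_auth, attrs):
    """Server side (RFC 2865 3): Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs
def verify_response(secret, req_auth, resp):  # client side; a mismatch means AP and Routers-entry secrets differ
    length = struct.unpack("!H", resp[2:4])[0]
    return hmac.compare_digest(resp[4:20], hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest())
def vlan_from_response(resp):
    """Tunnel-Private-Group-ID (RFC 2868 3.6): optional tag byte 0x00-0x1F, then the VLAN ID as text."""
    i = 20
    while i + 2 <= len(resp) and resp[i + 1] >= 2:
        if resp[i] == TUNNEL_PRIVATE_GROUP_ID:
            v = resp[i + 2:i + resp[i + 1]]
            return (v[1:] if v and v[0] <= 0x1F else v).decode()
        i += resp[i + 1]
def probe(host, secret, user, password, timeout=3.0):  # send one request to host:1812, report as the AP sees it
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_access_request(secret, user, password, ident, req_auth), (host, 1812))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout: no reply (firewall drop, AP missing from Routers, or wrong shared secret)"
    if not verify_response(secret, req_auth, resp):
        return "reply has a bad Response Authenticator: shared secret mismatch"
    vlan = vlan_from_response(resp)
    return f"code {resp[0]} (2=Access-Accept, 3=Access-Reject)" + (f", VLAN {vlan}" if vlan else "")
```

Run it from a host on the same LAN as the router, e.g. `probe("192.0.2.1", b"your-shared-secret", "alice", "pw")`, and compare against what the Packet Sniffer shows: a timeout here while the sniffer shows the packet arriving points at the Routers entry or the secret rather than the firewall.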