emils
MikroTik Support
Topic Author
Posts: 545
Joined: Thu Dec 11, 2014 8:53 am

New User Manager in RouterOS v7

Wed Dec 11, 2019 8:34 am

As some of you have already seen, we have released a brand new User Manager for RouterOS version 7. It is included in v7.0beta4 extra packages zip file on our downloads page. The package is available for all current architectures excluding SMIPS. Mainly EAP authentication method support and custom RADIUS attribute sending are key features that are not available in the User Manager in RouterOS version 6. A new freshly designed customer portal is also developed specially for the new User Manager.

User Manager is a RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better tracking of system users and customers. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP and Wireless are the features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the web interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway - PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standard defined in RFC2865 and RFC3579.

Currently there is no documentation available for the new User Manager so it is up to you to explore the new package. All User Manager related CLI commands are available under "/user-manager" menu. Winbox support will come a little bit later and there won't be a separate administrators portal as in the old User Manager. The customer portal is available at http://x.x.x.x/um

If you have any feedback, feature requests or questions, please leave them below.
 
pe1chl
Forum Guru
Posts: 6175
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 11:03 am

Feature request: mirroring of the user database to a secondary server on another router, to be used as fallback in case the primary one crashes, is rebooting, etc.
 
rextended
Forum Guru
Posts: 2950
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 1:14 pm

feature request: administrators portal as in the old User Manager
I'm Italian, not English. Sorry for my imperfect grammar.
 
normis
MikroTik Support
Posts: 24393
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 1:41 pm

See first post.
 
feris
just joined
Posts: 12
Joined: Tue May 16, 2017 3:58 pm

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 9:38 pm

feature request: user password encryption via hash function with salt
feature request: option to allow users to change their own passwords via user portal
 
rangoy
just joined
Posts: 1
Joined: Thu Mar 30, 2017 5:30 pm

Re: New User Manager in RouterOS v7

Thu Dec 12, 2019 8:18 pm

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, I miss the nice possibility to generate and print vouchers from the web interface.
 
krisjanisj
MikroTik Support
Posts: 67
Joined: Wed Feb 20, 2019 2:53 pm

Re: New User Manager in RouterOS v7

Fri Dec 13, 2019 9:52 am

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, I miss the nice possibility to generate and print vouchers from the web interface.

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command You're looking for is:
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
to generate for specific users, or
/user-manager/user/generate-voucher [f] voucher-template=printable_vouchers.html
to generate for all users.
This will create a file gen_printable_vouchers.html.
To access it You either have to download the file to Your device and print that way, or You can access it via the link: <IP>/um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
(Note: For link to work You first need to set username and password : /user-manager/advanced/set web-private-username=<USER> web-private-password=<PASSWORD>)
* Wager of "The Holy War" against users who don't paste their config/export/print into [code][/code] blocks
* Avid coffee consumer
* Provider of stupid solutions for simple problems
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Dec 13, 2019 3:11 pm

Is there any way to have more logging or debugging? I only have "rejects" out of this user manager setup.
What is wrong in this setup? Is there a possible short example for 802.1x to start from?
Is it the limit, the profile, the authentication method? Should be PEAP and MSCHAP2 for 802.1x, no?

This is a lab setup, no real user environment. hAP ac2 (ROS 7.0beta4) as user manager (192.168.2.23) and wAP ac (ROS 6.46) as wifi AP (192.168.2.25)

user manager configuration

[admin@MikroTik hAPac2] /user-manager> export verbose
# dec/13/2019 13:21:29 by RouterOS 7.0beta4
# software id = B8YC-C4XL
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxxxxx
/user-manager limitation
add download-limit=0B name=tst rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=0s
add download-limit=0B name=test rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=16m40s
/user-manager profile
add name=userprof name-for-users=userprof override-shared-users=off price=0 starts-when=assigned validity=unlimited
/user-manager user group
set [ find default-name=default ] attributes="" inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=default outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
set [ find default-name=default-anonymous ] attributes="" inner-auths="" name=default-anonymous outer-auths=eap-ttls,eap-peap
/user-manager user
add attributes="" disabled=no group=default name=bpwl password=bpwl shared-users=1
/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
/user-manager advanced
set paypal-allow=no paypal-currency=USD paypal-password="" paypal-signature="" paypal-use-sandbox=no paypal-user="" web-private-password="" web-private-username=""
/user-manager profile-limitation
add from-time=0s limitation=test profile=userprof till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/user-manager router
add address=192.168.2.25 coa-port=3799 disabled=no name=wap shared-secret=mikrotik
/user-manager user-profile
add profile=userprof user=bpwl
[admin@MikroTik hAPac2] /user-manager>



The logging shows: manager,debug <<< tx Access-Reject after 2 request/challenge handshakes.

# Time Buffer Topics Message

169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
179 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:60363, id: 124
180 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:60363, id: 124
181 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49734, id: 125
182 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49734, id: 125
183 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:51911, id: 126
184 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:51911, id: 126
185 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:56187, id: 127
186 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:56187, id: 127
187 Dec/13/2019 00:32:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:36744, id: 128
188 Dec/13/2019 00:32:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:36744, id: 128
189 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55070, id: 129
190 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55070, id: 129
191 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:54221, id: 130
192 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:54221, id: 130


The requesting wifi seems normal with RADIUS debug logging.


RouterOS v6.46 (stable)

# Time Buffer Topics Message


506 Dec/13/2019 00:30:55 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
507 Dec/13/2019 00:30:55 memory radius, debug, packet debug: received Access-Reject with id 121 from 192.168.2.23:1812
508 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Signature = 0xc74e9aa1891a0423b0680031b52e63a5
509 Dec/13/2019 00:30:55 memory radius, debug, packet debug: EAP-Message = 0x04020004
510 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Message-Authenticator = 0x406d0b9b63b2573f54e206f1139f1ce5
511 Dec/13/2019 00:30:55 memory radius, debug debug: received reply for 58:c3
512 Dec/13/2019 00:30:55 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
513 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64
514 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c4 code=Access-Request service=wireless called-id=test
515 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c4 to 192.168.2.23:1812
516 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 122 to 192.168.2.23:1812
517 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x3dd925fc93baf700562a0cf27abc6fd4
518 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
519 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
520 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
521 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
522 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
523 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
524 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
525 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x02000009016270776c
526 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x7a2e3e7c4a67cf445a4655b18063ad73
527 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
528 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
529 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 122 from 192.168.2.23:1812
530 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xbac9bd4fa4ff68bf517a95ac5ff23afc
531 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x0101001b1a0100001610486eefc353bc
532 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6b2ecdf458c26fbb026120
533 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
534 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xa49772870be90db17f19d97505f1a863
535 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c4
536 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c5 code=Access-Request service=wireless called-id=test
537 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c5 to 192.168.2.23:1812
538 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 123 to 192.168.2.23:1812
539 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x5ff13abc8302675e71b62c41759dc0fe
540 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
541 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
542 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
543 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
544 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
545 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
546 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
547 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
548 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020100060319
549 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x0201fd3d97e48f7cff4bec8a16a18299
550 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
551 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
552 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 123 from 192.168.2.23:1812
553 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x020a7b6a38e9c131011fdadb4d9e49a1
554 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x010200061920
555 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
556 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb7f791633cf57d3ec49c18fd30624470
557 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c5
558 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c6 code=Access-Request service=wireless called-id=test
559 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c6 to 192.168.2.23:1812
560 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 124 to 192.168.2.23:1812
561 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xe3ffe217f2d1fff1d891e45c08228605
562 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
563 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
564 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
565 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
566 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
567 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
568 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
569 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
570 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020200d01980000000c616030100c101
571 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0000bd0301b3d0d7ae846d0dbac970c9
572 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 81cba0b50c44a2aa4593d99ee9318b59
573 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6a5eef810d000054c014c00ac022c021
574 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00390038c00fc0050035c012c008c01c
575 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01b00160013c00dc003000ac013c009
576 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01fc01e00330032c00ec004002fc011
577 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c007c00cc00200050004001500120009
578 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0014001100080006000300ff01000040
579 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000b000403000102000a00340032000e
580 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000d0019000b000c00180009000a0016
581 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00170008000600070014001500040005
582 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00120013000100020003000f00100011
583 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb262b821f948349f54d16ca558b4749d
584 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
585 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
586 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Reject with id 124 from 192.168.2.23:1812
587 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x11b7cd725a0d5086a68c659a3a2ed706
588 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x04020004
589 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x5345932c7690016ac6bd851a1cc54aea
590 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c6
591 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
592 Dec/13/2019 00:32:14 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64

Device is an old Android tablet with PEAP and MSChap2 set for wifi network security, or even my laptop Windows 10. Both cannot connect.

This same AP setup with the wAP works with a Draytek router and Synology-NAS RADIUS server. But there is poor logging in the Draytek never logging the requesting device, and the Synology NAS is overkill.
Last edited by bpwl on Sat Dec 14, 2019 9:32 am, edited 1 time in total.
 
jolly
Trainer
Posts: 37
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 9:11 am


Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command You're looking for is:
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
to generate for specific users, or
Kudos to the mikrotik team for the work done so far on the new user-manager!

is there a command option to generate vouchers for specific group of users sorting either by prefix of the user ID or by profile? instead of inserting multiple user IDs one by one!!!
Regards.

Dele
 
jolly
Trainer
Posts: 37
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 9:20 am


Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).

Can't wait for long to have the Winbox/Webfig control for the UserManager admin :D. it should be a top priority!!
because doing stuffs from CLI for not-so-techy user-manager admins who have to generate vouchers from time to time will pose a major challenge
Regards.

Dele
 
mkx
Forum Guru
Posts: 3616
Joined: Thu Mar 03, 2016 10:23 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 10:39 am

/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
is there a command option to generate vouchers for specific group of users sorting either by prefix of the user ID or by profile?
I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not running userman), but I guess usual regular expressions work here as well ...
BR,
Metod
 
jolly
Trainer
Posts: 37
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 11:42 am

/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
is there a command option to generate vouchers for specific group of users sorting either by prefix of the user ID or by profile?
I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not running userman), but I guess usual regular expressions work here as well ...
That works!! Thanks
Regards.

Dele
 
jolly
Trainer
Posts: 37
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 12:32 pm

feature request: user's ability to change own password from the users portal as in the old User Manager
Regards.

Dele
 
krisjanisj
MikroTik Support
Posts: 67
Joined: Wed Feb 20, 2019 2:53 pm

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 9:30 am

@mkx & @jolly - My provided lines were just an example. Standard ROS script functions to find a particular set of data can be used while generating vouchers as @mkx mentioned.
 
strods
MikroTik Support
Posts: 1420
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 10:01 am

bpwl - User Manager requires a certificate in order to work with EAP and I see that you do not have a certificate specified under UM settings:

/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
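
Added example (not part of any forum post and not MikroTik code): decoding the EAP-Message values from the access point's debug log above shows at which step of the handshake the Access-Reject arrives. The function names are made up for this sketch, the type names follow the IANA EAP registry, and only the first 16 bytes of the 208-byte final Response are embedded.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}

# EAP-Message values copied from the AP log in this thread, in order
# (RADIUS ids 122 to 124). The fifth value spans 13 log lines on the page;
# only its first line is used, so the decoder must cope with truncation.
EXCHANGE = [
    "0x02000009016270776c",
    "0x0101001b1a0100001610486eefc353bc6b2ecdf458c26fbb026120",
    "0x020100060319",
    "0x010200061920",
    "0x020200d01980000000c616030100c101",
    "0x04020004",
]


def decode_eap(value):
    """Decode one EAP packet given as the hex string printed in the log."""
    text = value[2:] if value.lower().startswith("0x") else value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    msg = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return msg  # Success and Failure carry no type field
    etype, body = raw[4], raw[5:length]
    msg["type"] = EAP_TYPES.get(etype, str(etype))
    if etype == 1:
        msg["identity"] = body.decode("utf-8", "replace")
    elif etype == 3:
        # A Nak lists the methods the client is willing to use instead.
        msg["wants"] = [EAP_TYPES.get(b, str(b)) for b in body]
    elif etype in (13, 21, 25) and body:
        flags = body[0]
        msg["start"] = bool(flags & 0x20)             # S bit: tunnel start
        tls = body[5:] if flags & 0x80 else body[1:]  # L bit: 4-byte length
        if len(tls) >= 6 and tls[0] == 0x16:          # TLS handshake record
            msg["tls_record_version"] = f"{tls[1]}.{tls[2]}"  # 3.1 = TLS 1.0
            msg["tls_handshake"] = TLS_HANDSHAKES.get(tls[5], str(tls[5]))
    return msg


def last_step_before_failure(exchange):
    """Return the decoded message that immediately preceded an EAP Failure."""
    decoded = [decode_eap(v) for v in exchange]
    for prev, cur in zip(decoded, decoded[1:]):
        if cur["code"] == "Failure":
            return prev
    return None


if __name__ == "__main__":
    for value in EXCHANGE:
        print(decode_eap(value))
    print("before failure:", last_step_before_failure(EXCHANGE))
```

In this trace the server first offers EAP-MSCHAPv2, the client answers with a Nak asking for PEAP, and the Failure comes straight after the client's TLS ClientHello, the point at which the server would have to present its certificate, which is consistent with the certificate=none setting.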
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 11:12 am

@strods

Thanks a lot. The perfect answer I was looking for.

300 Dec/16/2019 09:41:22 memory certificate, info generated CA certificate: CA
301 Dec/16/2019 09:41:37 memory system, info, account user admin logged out from 192.168.2.21 via telnet
302 Dec/16/2019 09:41:59 memory certificate, info generated certificate 7A594AB680019073:AP:BE:TEWEAD:IT:WVL:Roeselare key-size:2048 key-curve:0 usage:8000000d valid:365 for CA CA
303 Dec/16/2019 09:44:09 memory system, info, account user admin logged in from 192.168.2.21 via telnet
304 Dec/16/2019 09:46:16 memory system, info UMS settings changed by admin
305 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55868, id: 140
306 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55868, id: 140
307 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:39222, id: 141
308 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:39222, id: 141
309 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:52030, id: 142
310 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:52030, id: 142
311 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55534, id: 143
312 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55534, id: 143
313 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:48873, id: 144
314 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:48873, id: 144
315 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:47916, id: 145
316 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:47916, id: 145
317 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:34664, id: 146
318 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:34664, id: 146
319 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:46874, id: 147
320 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:46874, id: 147
321 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49471, id: 148
322 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49471, id: 148
323 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:50628, id: 149
324 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Accept to [192.168.2.25]:50628, id: 149

Now I would like to see in the unit that runs the user-manager what device was logging into wifi with what user name. (Calling ID and user account). Information is in the RADIUS packet and can be seen at the AP with the RADIUS packet debug logging. Or should I check "accounting" somewhere? I need to know for legal logging, who is doing what on the internet connection. Not all my AP's are Mikrotik yet. Using a login portal for internet access is what we had, and has proven to be problematic with 80 visiting users and 10 AP's and many different devices.
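
Added example (not part of the post and not MikroTik code): one way to turn the access point's `radius, debug, packet` log into the who-logged-in-from-which-device records asked about above, pairing each final Access-Accept or Access-Reject with the User-Name and Calling-Station-Id of its request. The function names are made up for this sketch, the log line layout is assumed to match the excerpt posted earlier in the thread, and the Access-Accept lines in the sample are constructed, since the thread shows the accept only in the User Manager log.

```python
import re

# One "radius, debug, packet" line as printed in the access point's log.
LINE = re.compile(
    r"^\s*\d+\s+(?P<ts>\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+memory\s+"
    r"radius, debug, packet\s+debug:\s+(?P<msg>.*)$"
)
SEND = re.compile(r"sending Access-Request with id (\d+) to (\S+)")
RECV = re.compile(r"received (Access-\w+) with id (\d+) from (\S+)")
ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')


def _line(num, ts, msg):
    """Build a sample log line in the layout shown in the thread."""
    return f"{num} {ts} memory radius, debug, packet debug: {msg}"


T1, T2 = "Dec/13/2019 00:31:44", "Dec/16/2019 09:48:20"
SRV = "192.168.2.23:1812"
SAMPLE_LOG = "\n".join([
    # Abbreviated from the log posted in this thread.
    _line(516, T1, f"sending Access-Request with id 122 to {SRV}"),
    _line(520, T1, 'User-Name = "bpwl"'),
    _line(523, T1, 'Calling-Station-Id = "54-A0-50-96-A9-99"'),
    _line(529, T1, f"received Access-Challenge with id 122 from {SRV}"),
    _line(560, T1, f"sending Access-Request with id 124 to {SRV}"),
    _line(564, T1, 'User-Name = "bpwl"'),
    _line(566, T1, 'NAS-Port-Id = "wlan5"'),
    _line(568, T1, 'Calling-Station-Id = "54-A0-50-96-A9-99"'),
    _line(586, T1, f"received Access-Reject with id 124 from {SRV}"),
    _line(588, T1, "EAP-Message = 0x04020004"),
    f"591 {T1} memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected",
    # Constructed lines: a successful login in the same layout.
    _line(900, T2, f"sending Access-Request with id 149 to {SRV}"),
    _line(901, T2, 'User-Name = "bpwl"'),
    _line(902, T2, 'NAS-Port-Id = "wlan5"'),
    _line(903, T2, 'Calling-Station-Id = "54-A0-50-96-A9-99"'),
    _line(904, T2, f"received Access-Accept with id 149 from {SRV}"),
])


def audit_records(log_text):
    """Return one record per final Access-Accept/Access-Reject in the log."""
    pending = {}    # RADIUS id -> request whose attributes are being read
    current = None  # request that the following attribute lines belong to
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # other topics (wireless, plain radius debug) are skipped
        msg = m.group("msg").strip()
        sent = SEND.match(msg)
        if sent:
            current = {"server": sent.group(2), "attrs": {}}
            pending[int(sent.group(1))] = current
            continue
        got = RECV.match(msg)
        if got:
            current = None  # reply attributes must not overwrite the request
            req = pending.pop(int(got.group(2)), None)
            if req is None or got.group(1) == "Access-Challenge":
                continue    # intermediate EAP round trip, not an outcome
            attrs = req["attrs"]
            records.append({
                "time": m.group("ts"),
                "result": got.group(1),
                "user": attrs.get("User-Name"),
                "station": attrs.get("Calling-Station-Id"),
                "port": attrs.get("NAS-Port-Id"),
                "server": req["server"],
            })
            continue
        attr = ATTR.match(msg)
        if attr and current is not None:
            current["attrs"][attr.group(1)] = attr.group(2)
    return records


if __name__ == "__main__":
    for rec in audit_records(SAMPLE_LOG):
        print(rec)
```

The User-Name seen here is the outer EAP identity, so a PEAP or TTLS client configured with an anonymous outer identity will not show its real account name in these records.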
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Dec 23, 2019 1:14 am

All fine the tests with wireless 802.1x (WPA2 enterprise) and the user-manager as Radius server, until the client is Windows 10 (1903). Windows 10 clients seem not to accept self-signed certificates, even if the CA certificate is added to the trusted base certificates on the client, and checking the server certificate is disabled. Either a public acquired certificate is needed, or a private certificate authority has to be set up. Not that simple building that private certificate authority if there are no servers in the network. (only routers, switches and access points). Using other routers for radius server does work well, but those have a built-in certificate, signed by the CA of the vendor. Is there such a thing with Mikrotik? Acquiring a public certificate is quite a job, as you have to have your own domain name (e.g. noip.com), and a public accessible website to enroll and renew the certificate. (e.g. Let's Encrypt)

I followed this https://serverfault.com/questions/98637 ... rtificates and this https://support.microsoft.com/en-us/hel ... th-eap-tls and this https://blogs.msdn.microsoft.com/shreya ... tificates/ and many many other instructions for EAP, certificates and Windows 10 compatibility. But none of them worked. If I use the radius on my Synology NAS storage device then it works fine. (CA is Synology.com). Start wondering if it is the certificate or the TLS 1.2 incompatibility (Windows 10 version 1903?). https://support.microsoft.com/en-us/hel ... nvironment . Can we specify the TLS version of EAP? It did not work from the Windows side.
Last edited by bpwl on Wed Dec 25, 2019 7:28 pm, edited 1 time in total.
 
akska10
just joined
Posts: 3
Joined: Mon May 07, 2018 6:39 pm

Re: New User Manager in RouterOS v7

Tue Dec 24, 2019 4:19 pm

Future request :
Ability to change generation properties ..
Like generate number only or letters only or choose set of letter/digits/symbols in addition to previous properties
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Wed Dec 25, 2019 7:39 pm

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done :!:
.
v7-eap-test-ws.png
.
v7-eap-test-rad-debug.png
.
v7-eap-test-um-stat.PNG
.
v7-eap-test-um-sess.PNG
.
v7-eap-test-andr.png
.
.
and unlike me, keep your clocks in sync !
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Wed Dec 25, 2019 10:09 pm

@floaty: Super !!!!
Any issues with Windows 10 clients?
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 12:31 am

indeed ... booted up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ...
no accept, no reject ... stuck in challenge
.
so maybe a problem with my server-certificate ...
or:
https://support.microsoft.com/en-ph/hel ... nvironment
.
maybe both
... interesting ...
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 3:49 am

so ... for starters ... it seems the problem is NOT related to the certificates I've generated on the chr-v7-radius-um-machine :!:
I've installed these certificates on another radius-machine ...
.
you may ask: ... what the **ck took him so long ? 
a.) ... tried that on my production-machine ... which has an eval-license ... resources are tight ... dependencies were neglected ... a backup had to do its job
b.) ... provisioned a new VM ... these are minutes too !
c.) ... there's kind of a mini-bar in homeland-labs   :shock:  ... sometimes it spurs ... sometimes it brakes
.
... and they are on duty on this device without flaws (win10, android, linux) !! :?:
.
I'm little in the dark how to debug "MTIk-v7-UserMan-eap" ... guess the carving of these handles is work in progress ...
.
fac-cert-rad-install.PNG
.
fac-certification-check.PNG
.
tupi-connect.PNG
.
debian-too.png
.
global-view.PNG
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 5:02 am

just had a little read-along ... again
.
169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
.
@bpwl
.
did you check your UserManager-setup without EAP ?? (ntradping or something like that ?)
... it's kinda uncommon to receive an access-reject when the inner tunnel fails to establish ... cross-check couldn't hurt !?
... your user should be able to authenticate without any extensions (plain pap & chap)
.
https://www.novell.com/coolsolutions/tools/14377.html
~~
We know what happens to people who stay in the middle of the road. They get run over.
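Added example (not part of any post, and not MikroTik code): a Python script that reads the User Manager debug lines quoted above, matches each reply to its request by IP, port and id, and reports which exchanges ended in a final reply and which were left at Access-Challenge. Treating consecutive replies to one client IP as one EAP conversation is an assumption, because the log shows no State attribute.

```python
import re

# Debug log lines quoted in the post above.
SAMPLE_LOG = """\
169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
"""

LINE_RE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2}) .*? (?P<dir>rx|tx) (?P<code>Access-\w+) "
    r"(?:from|to) \[(?P<ip>[^\]]+)\]:(?P<port>\d+), id: (?P<id>\d+)")

FINAL = {"Access-Accept", "Access-Reject"}

def conversations(log):
    """Return (conversations, unanswered_requests).

    Assumption: consecutive replies to one RADIUS client IP form one EAP
    conversation, closed by Access-Accept or Access-Reject. A run still open
    at the end of the log is reported as 'stalled'."""
    open_runs, pending, done = {}, {}, []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        key = (ev["ip"], ev["port"], ev["id"])
        if ev["dir"] == "rx":
            pending[key] = ev             # request waiting for its reply
            continue
        pending.pop(key, None)            # reply matched by ip, port and id
        run = open_runs.setdefault(ev["ip"], [])
        run.append(int(ev["id"]))
        if ev["code"] in FINAL:
            done.append({"client": ev["ip"], "ids": run, "result": ev["code"]})
            del open_runs[ev["ip"]]
    for ip, run in open_runs.items():
        done.append({"client": ip, "ids": run, "result": "stalled"})
    return done, list(pending.values())

if __name__ == "__main__":
    print(conversations(SAMPLE_LOG))
```
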
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 9:57 am

@floaty: the setup works fine with Android devices. I didn't see the problem at those initial tests. So user/password is OK, connection to radius server is OK (it's wireless and bridged, can't do a Mikrotik sniffer on this 5 GHz connection). In the beginning I had rejects for Windows 10. But after improving the Mikrotik certificate definitions, now I'm stuck in the handshake like you. The CAPI2 logbook in Windows didn't teach me enough to understand what's going on. There are so many cases of Windows 10 problems in forums ....
(Fortinet was my favorite @work for many years, don't have it @home)
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 10:56 pm

@floaty: interesting tool, that NTradPing test tool. Reveals no errors. Teaches me that the shared secret is not checked for user authentication.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:36 am

yeah ... good tool (and as old as methusalix) ...
.
maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject
.
.
btw. repeated my eap-test with newly generated certificates keysize 4096 instead of 2048 ... and then also the android client fails
will give it a try with externally generated certs ... another day
~~
We know what happens to people who stay in the middle of the road. They get run over.
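Added example, not from the posts above and not NTRadPing's or User Manager's code: how the shared secret enters a PAP exchange under RFC 2865 (User-Password hiding and the Response Authenticator), which is the behaviour discussed in the two posts above. The secrets, password and Request Authenticator are constructed values.

```python
import hashlib, hmac, struct

def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for block in _blocks(padded):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(block, mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    """Server side: undo the hiding with the server's own copy of the secret."""
    out, prev = b"", req_auth
    for block in _blocks(hidden):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def server_pap_check(hidden, req_auth, server_secret, stored_password):
    """Return the reply code: 2 = Access-Accept, 3 = Access-Reject."""
    clear = reveal_password(hidden, server_secret, req_auth)
    return 2 if hmac.compare_digest(clear, stored_password) else 3

def client_accepts_reply(code, ident, attrs, reply_auth, req_auth, client_secret):
    """A NAS or test client verifies the reply with its own copy of the secret."""
    expected = response_authenticator(code, ident, attrs, req_auth, client_secret)
    return hmac.compare_digest(expected, reply_auth)

# Constructed sample values, not taken from the thread.
REQ_AUTH = bytes(range(16))
SECRET, WRONG = b"shared-secret-A", b"shared-secret-B"
PASSWORD = b"correct horse battery"

if __name__ == "__main__":
    print(server_pap_check(hide_password(PASSWORD, SECRET, REQ_AUTH), REQ_AUTH, SECRET, PASSWORD))
    print(server_pap_check(hide_password(PASSWORD, WRONG, REQ_AUTH), REQ_AUTH, SECRET, PASSWORD))
```
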
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:51 am

@floaty: searching everywhere ... the sniffer tool on the Mikrotik (not the interface sniffer tool) does allow me to capture the radius communication. Seen no clue so far. Only Wireshark sees fragmented IP in the UDP packet (with certificate information), with packet size 1514 bytes. Framed MTU is at 1400 bytes. Just raw information for me .... https://community.arubanetworks.com/t5/ ... d-p/498619 . Don't know if this brings something.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:09 pm

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle.
We better wait for an "upstream statement" ...
Maybe an old windows7-valiant out there can tell if he's able to connect ...
[ ... also the fortiauthenticator spat out my keysize 4096 certificates ... cipher not supported ]
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
hfree
just joined
Posts: 1
Joined: Sat Apr 25, 2015 7:33 pm

Re: New User Manager in RouterOS v7

Sun Dec 29, 2019 5:04 pm

feature request: radius proxy for wifi roaming
 
tomtom800
just joined
Posts: 1
Joined: Sun Jan 05, 2020 1:40 pm

Re: New User Manager in RouterOS v7

Sun Jan 05, 2020 2:02 pm

feature request: central managed ip pools

At the moment we have to split our IP pool of public IPv4 addresses across all routers where the customer can connect. So we lose a lot of addresses because we need some reserve on every router. One central IP pool on the radius would be great.

Maybe one challenge would be that sometimes userman doesn't check that a customer is offline and sessions are sometimes still active.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Jan 07, 2020 8:20 pm

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy)
and until someone put a gracious eye on your feature-request ... you can evaluate here:
https://www.kaplansoft.com/tekradius/
( ... only when you can live with a windows-box)
Should ... or better: it may be possible to proxify the user-authentication to Mikrotik-userman and only use the dhcp-feature to circumvent your pub-IP-shortage.
A customer of mine is running the tek-radius (as freeware) in front of his MS-SQL-userdb for Portal-Authentication ... a happy man ! :shock: ... no complaints
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
millenium7
Member Candidate
Posts: 220
Joined: Wed Mar 16, 2016 6:12 am

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 5:16 am

Can this new user manager (or the old one) be used in a centralized way for multiple sites?

We currently use HSNM because it gives us a web UI to set up new sites and generate new voucher codes for any site with an administrative overview. Plus change images etc. for the hotspot page.
But we could very happily get rid of it and just run this directly on the MikroTik if there is a way to centrally manage all the sites. Each site needs its own images/logos and its own voucher codes with different plan speeds, data usage etc
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 1:16 pm

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.).
Not sure about the logo-customization ...
If you're already using MTik-devices you can download the usermanager package, install it and check yourself if it fits your needs ... no big deal, easily done.
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
millenium7
Member Candidate
Posts: 220
Joined: Wed Mar 16, 2016 6:12 am

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 1:43 pm

True but my workday does not consist of sitting around twiddling my thumbs wondering what I could do next :)

I don't mind tinkering with things but time is limited and if it's not viable yet I'm happy to just wait and move on to other things. After all V7 is not production ready just yet anyway, but keen to see where it's headed
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 2:27 pm

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
bpwl
Frequent Visitor
Posts: 96
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Jan 17, 2020 8:43 pm

Windows 10 build 1903 and 1909 both fail to connect to 802.1x (WPA2 enterprise) with the new Radius server on ROS7beta4.
Also the working "other" Radius servers have just a self signed certificate. So it seems not to be the certificate, and not the Windows 10 build 1909 requirements from Microsoft.
I hope next ROS7 beta release will have Radius debug log ... and a fix to allow Windows 10 clients.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 2:46 am

yay: one+ for a radius-eap-debugging option
.
... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw)
-> ... also windows7 is not able to connect to the MT-CHR7-radius.

Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-certificate in w7.
Odd thing: even while in the wireless-profile "validate server-certificate" was NOT ticked:
no dialogue to accept the radius-server certificate popped up, when I tried to connect ( I could do that ... once ... in the good old time : )
I had to install the server-cert in addition to the CA-cert. ... maybe the W7 subsystem has also been updated.
.
But the v7 Radius got stuck with the Win7-client in the same way.
... maybe an overlain libc in the compiling chain :?: . :shock:
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 2:53 am

... while reviewing ... and talking odds ...
.
maybe a clock prob I did run into ...
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
floaty
Frequent Visitor
Posts: 75
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 3:10 am

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.
~~
We know what happens to people who stay in the middle of the road. They get run over.
 
microexpert
just joined
Posts: 1
Joined: Sat Jan 18, 2020 3:15 am

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 3:19 am

feature request: allow self service passwords through user portal, this saves a lot of time of the network team
 
chittimotunaveen
just joined
Posts: 1
Joined: Thu Jan 23, 2020 5:16 am

Re: New User Manager in RouterOS v7

Thu Jan 23, 2020 5:23 am

Feature request: Enable user to login with OTP (like Indian railway stations) or whatsapp, gmail, hotmail, twitter, instagram.

Userman is nice for small ISPs for commercial purposes! But we need to create every user/voucher and have to share it with customers, and they have to enter username and password manually.

Now small stores, hospitals, clinics, malls, coffee shops will provide a wifi for free to customers, but we need to collect customer information like name, mobile, email, address. So with the help of hotspot and giving free internet access by enabling social media logins.
Those data will be usable for brand promotions later. Data is new oil for us :D

There are already existing solution to do this and found from mikrotik forum "viewtopic.php?t=102208"
https://shop.codekece.com/downloads/dabsah/

So I hope you guys also will look into this and will integrate social media login in RouterOS 7
 
MForooghii
just joined
Posts: 17
Joined: Thu Mar 01, 2012 6:57 am

Re: New User Manager in RouterOS v7

Mon Jan 27, 2020 12:03 am

feature request:
sync new users from Microsoft Active Directory or other standard LDAP protocols. (can add users with special profile if they belong to a user group in AD)
profiles with invalid profile limitations to change a user attribute after the user has used the amount of time/size specified in one day, week or month, and/or after profile limitation. We can connect invalid users/profiles with a special IP pool and redirect these users to an HTTP page to view and charge their accounts.
It's amazing if we can have the same Cisco ISG feature in MikroTik.
 
MForooghii
just joined
Posts: 17
Joined: Thu Mar 01, 2012 6:57 am

Re: New User Manager in RouterOS v7

Mon Jan 27, 2020 1:22 am

feature request:
custom payment method that can be configured as a hotel billing gateway or other gateways that simplify written by users. This can authenticate users passports with billing systems. That is useful if they can redirect some information (like username, password, phone number) to the gateway, even to send him his information using some RTF language that is not supported in MikroTik CLI.
