New User Manager in RouterOS v7

Wed Dec 11, 2019 8:34 am

As some of you have already seen, we have released a brand new User Manager for RouterOS version 7. It is included in v7.0beta4 extra packages zip file on our downloads page. The package is available for all current architectures excluding SMIPS. Mainly EAP authentication method support and custom RADIUS attribute sending are key features that are not available in the User Manager in RouterOS version 6. A new freshly designed customer portal is also developed specially for the new User Manager.

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP, Wireless are features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using WEB interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway - PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by billing department. User Manager works according to RADIUS standard defined in RFC2865 and RFC3579.

Currently there is no documentation available for the new User Manager so it is up to you to explore the new package. All User Manager related CLI commands are available under "/user-manager" menu. Winbox support will come a little bit later and there won't be a separate administrators portal as in the old User Manager. The customer portal is available at http://x.x.x.x/um

If you have any feedback, feature requests or questions, please leave them below.

pe1chl · Wed Dec 11, 2019 11:03 am

Feature request: mirroring of the user database to a secondary server on another router, to be used as fallback in case the primary one crashes, is rebooting, etc.

rextended · Wed Dec 11, 2019 1:14 pm

feature request: administrators portal as in the old User Manager

Wed Dec 11, 2019 1:41 pm

See first post.

feris · Wed Dec 11, 2019 9:38 pm

feature request: user password encryption via hash function with salt
feature request: option to allow users change own passwords via user portal

rangoy · Thu Dec 12, 2019 8:18 pm

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, i miss the nice possibility to generate and print vouchers from the web interface.

Fri Dec 13, 2019 9:52 am

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, i miss the nice possibility to generate and print vouchers from the web interface.

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command Youre looking for is:

/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>

to generate for specific users, or

/user-manager/user/generate-voucher [f] voucher-template=printable_vouchers.html

to generate for all users.
This will create a file gen_printable_vouchers.html.
To access it You either have to download the file to Your device and print that way, or You can access from the via link: <IP>/um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
(Note: For link to work You first need to set username and password : /user-manager/advanced/set web-private-username=<USER> web-private-password=<PASSWORD>)

bpwl · Fri Dec 13, 2019 3:11 pm

Is there any way to have more logging or debugging? I only have "rejects" out of this user manager setup.
What is wrong in this setup? Is there a possible short exemple for 802.1x to start from?
Is it the limit, the profile, the authentication method? Should be PEAP and MSCHAP2 for 802.1x , no ?

This is a lab setup, no real user environment. hAP ac2 (ROS 7.0beta4) as user manager (192.168.2.23) and wAP ac (ROS 6.46) as wifi AP (192.168.2.25)

user manager configuration

[admin@MikroTik hAPac2] /user-manager> export verbose
# dec/13/2019 13:21:29 by RouterOS 7.0beta4
# software id = B8YC-C4XL
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxxxxx
/user-manager limitation
add download-limit=0B name=tst rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=0s
add download-limit=0B name=test rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=16m40s
/user-manager profile
add name=userprof name-for-users=userprof override-shared-users=off price=0 starts-when=assigned validity=unlimited
/user-manager user group
set [ find default-name=default ] attributes="" inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=default outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
set [ find default-name=default-anonymous ] attributes="" inner-auths="" name=default-anonymous outer-auths=eap-ttls,eap-peap
/user-manager user
add attributes="" disabled=no group=default name=bpwl password=bpwl shared-users=1
/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
/user-manager advanced
set paypal-allow=no paypal-currency=USD paypal-password="" paypal-signature="" paypal-use-sandbox=no paypal-user="" web-private-password="" web-private-username=""
/user-manager profile-limitation
add from-time=0s limitation=test profile=userprof till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/user-manager router
add address=192.168.2.25 coa-port=3799 disabled=no name=wap shared-secret=mikrotik
/user-manager user-profile
add profile=userprof user=bpwl
[admin@MikroTik hAPac2] /user-manager>

The logging shows:manager,debug <<<<tx Access-reject after 2 request/challenge handshakes.

# Time Buffer Topics Message

169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
179 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:60363, id: 124
180 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:60363, id: 124
181 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49734, id: 125
182 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49734, id: 125
183 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:51911, id: 126
184 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:51911, id: 126
185 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:56187, id: 127
186 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:56187, id: 127
187 Dec/13/2019 00:32:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:36744, id: 128
188 Dec/13/2019 00:32:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:36744, id: 128
189 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55070, id: 129
190 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55070, id: 129
191 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:54221, id: 130
192 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:54221, id: 130

The requesting wifi seems normal with RADIUS debug logging.

Quick SetWebFigTerminal RouterOS v6.46 (stable)

# Time Buffer Topics Message

506 Dec/13/2019 00:30:55 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
507 Dec/13/2019 00:30:55 memory radius, debug, packet debug: received Access-Reject with id 121 from 192.168.2.23:1812
508 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Signature = 0xc74e9aa1891a0423b0680031b52e63a5
509 Dec/13/2019 00:30:55 memory radius, debug, packet debug: EAP-Message = 0x04020004
510 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Message-Authenticator = 0x406d0b9b63b2573f54e206f1139f1ce5
511 Dec/13/2019 00:30:55 memory radius, debug debug: received reply for 58:c3
512 Dec/13/2019 00:30:55 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
513 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64
514 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c4 code=Access-Request service=wireless called-id=test
515 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c4 to 192.168.2.23:1812
516 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 122 to 192.168.2.23:1812
517 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x3dd925fc93baf700562a0cf27abc6fd4
518 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
519 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
520 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
521 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
522 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
523 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
524 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
525 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x02000009016270776c
526 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x7a2e3e7c4a67cf445a4655b18063ad73
527 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
528 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
529 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 122 from 192.168.2.23:1812
530 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xbac9bd4fa4ff68bf517a95ac5ff23afc
531 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x0101001b1a0100001610486eefc353bc
532 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6b2ecdf458c26fbb026120
533 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
534 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xa49772870be90db17f19d97505f1a863
535 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c4
536 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c5 code=Access-Request service=wireless called-id=test
537 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c5 to 192.168.2.23:1812
538 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 123 to 192.168.2.23:1812
539 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x5ff13abc8302675e71b62c41759dc0fe
540 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
541 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
542 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
543 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
544 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
545 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
546 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
547 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
548 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020100060319
549 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x0201fd3d97e48f7cff4bec8a16a18299
550 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
551 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
552 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 123 from 192.168.2.23:1812
553 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x020a7b6a38e9c131011fdadb4d9e49a1
554 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x010200061920
555 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
556 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb7f791633cf57d3ec49c18fd30624470
557 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c5
558 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c6 code=Access-Request service=wireless called-id=test
559 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c6 to 192.168.2.23:1812
560 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 124 to 192.168.2.23:1812
561 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xe3ffe217f2d1fff1d891e45c08228605
562 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
563 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
564 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
565 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
566 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
567 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
568 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
569 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
570 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020200d01980000000c616030100c101
571 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0000bd0301b3d0d7ae846d0dbac970c9
572 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 81cba0b50c44a2aa4593d99ee9318b59
573 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6a5eef810d000054c014c00ac022c021
574 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00390038c00fc0050035c012c008c01c
575 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01b00160013c00dc003000ac013c009
576 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01fc01e00330032c00ec004002fc011
577 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c007c00cc00200050004001500120009
578 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0014001100080006000300ff01000040
579 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000b000403000102000a00340032000e
580 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000d0019000b000c00180009000a0016
581 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00170008000600070014001500040005
582 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00120013000100020003000f00100011
583 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb262b821f948349f54d16ca558b4749d
584 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
585 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
586 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Reject with id 124 from 192.168.2.23:1812
587 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x11b7cd725a0d5086a68c659a3a2ed706
588 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x04020004
589 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x5345932c7690016ac6bd851a1cc54aea
590 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c6
591 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
592 Dec/13/2019 00:32:14 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64

Device is an old Android tablet with PEAP and MSChap2 set for wifi network security,. or even my laptop Windows 10. Both cannot connect.

This same AP setup with the wAP works with a Draytek router and Synology-NAS RADIUS server. But there is poor logging in the Draytek never logging the requesting device, and the Synology NAS is overkill.

jolly · Sat Dec 14, 2019 9:11 am

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command Youre looking for is:
Code: Select all
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
to generate for specific users, or

Kudos to the mikrotik team for the work done so far on the new user-manager!

is there a command option to generate vouchers for specific group of users sorting either by prefix of the of the user ID or by profile? instead of inserting multiple user IDs one by one!!!

jolly · Sat Dec 14, 2019 9:20 am

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).

Can't wait for long to have the Winbox/Webfig control for the UserManager admin

. it should be a top priority!!
because doing stuffs from CLI for not-so-techy user-manager admins who have to generate vouchers from time to time will pose a major challenge

mkx · Sat Dec 14, 2019 10:39 am

Code: Select all
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
is there a command option to generate vouchers for specific group of users sorting either by prefix of the of the user ID or by profile?

I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not runnin userman), but I guess usual regular expressions work here a well ...

jolly · Sat Dec 14, 2019 11:42 am

Code: Select all
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
is there a command option to generate vouchers for specific group of users sorting either by prefix of the of the user ID or by profile?
I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not runnin userman), but I guess usual regular expressions work here a well ...

That works!! Thanks

jolly · Sat Dec 14, 2019 12:32 pm

feature request: user's ability to change own password from the users portal as in the old User Manager

Mon Dec 16, 2019 9:30 am

@mkx & @jolly - My provided lines were just an example. Standart ROS script functions to find a particular set of data can be used while generating vouchers as @mkx mentioned.

Mon Dec 16, 2019 10:01 am

bpwl - User Manager requires a certificate in order to work with EAP and I see that you do not have a certificate specified under UM settings:

/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes

bpwl · Mon Dec 16, 2019 11:12 am

@strods

Thanks a lot. The perfect answer I was looking for.

300 Dec/16/2019 09:41:22 memory certificate, info generated CA certificate: CA
301 Dec/16/2019 09:41:37 memory system, info, account user admin logged out from 192.168.2.21 via telnet
302 Dec/16/2019 09:41:59 memory certificate, info generated certificate 7A594AB680019073:AP:BE:TEWEAD:IT:WVL:Roeselare key-size:2048 key-curve:0 usage:8000000d valid:365 for CA CA
303 Dec/16/2019 09:44:09 memory system, info, account user admin logged in from 192.168.2.21 via telnet
304 Dec/16/2019 09:46:16 memory system, info UMS settings changed by admin
305 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55868, id: 140
306 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55868, id: 140
307 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:39222, id: 141
308 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:39222, id: 141
309 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:52030, id: 142
310 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:52030, id: 142
311 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55534, id: 143
312 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55534, id: 143
313 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:48873, id: 144
314 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:48873, id: 144
315 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:47916, id: 145
316 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:47916, id: 145
317 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:34664, id: 146
318 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:34664, id: 146
319 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:46874, id: 147
320 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:46874, id: 147
321 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49471, id: 148
322 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49471, id: 148
323 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:50628, id: 149
324 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Accept to [192.168.2.25]:50628, id: 149

Now I would like to see in the unit that runs the user-manager what device was logging into wifi with what user name. (Calling ID and user account). Information is in the RADIUS packet and can be seen at the AP with the RADIUS packet debug logging. Or should I check "accounting" somewhere? I need to know for legal logging, who is doing what on the internet connection. Not all my AP's are Mikrotik yet. Using a login portal for internet access is what we had, and has proven to be problematic with 80 visiting users and 10 AP's and many different devices.

bpwl · Mon Dec 23, 2019 1:14 am

All fine the tests with wireless 802.1x (WPA2 enterprise) and the user-manager as Radius server, until the client is Windows 10 (1903). Windows 10 clients seem not to accept self-signed certificates, even if the CA certificate is added to the trusted base certificates on the client, and checking the server certificate is disabled. Either a public acquired certificate is needed , or a private certificate authority has to be set up. Not that simple building that private certificate authority if there are no servers in the network. (only routers, switches and access points). Using other routers for radius server does work well, but those have a build in certificate, signed by the CA of the vendor. Is there such a thing with Mikrotik? Acquiring a public certificate is quite a job, as you have to have your own domain name (e.g. noip.com), and a public accessable website to enroll and renew the certificate. (e.g. Let's Encrypt)

I followed this https://serverfault.com/questions/98637 ... rtificates and this https://support.microsoft.com/en-us/hel ... th-eap-tls and this https://blogs.msdn.microsoft.com/shreya ... tificates/ and many many other instructions for EAP, certificates and Windows 10 compatibility. But none of them worked. If I use the radius on my Synology NAS storage device then it works fine. (CA is Synology.com) . Start wondering if it is the certificate or the TLS 1.2 incompatibility (Window 10 version 1903?).https://support.microsoft.com/en-us/hel ... nvironment . Can we specify the TLS version of EAP ? It did not work from the Windows side.

akska10 · Tue Dec 24, 2019 4:19 pm

Future request :
Ability to to change generation properties ..
Like generate number only or letters only or choose set of set of letter/digits/symbols in addition to previous properties

floaty · Wed Dec 25, 2019 7:39 pm

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done

.

v7-eap-test-ws.png

.

v7-eap-test-rad-debug.png

.

v7-eap-test-um-stat.PNG

.

v7-eap-test-um-sess.PNG

.

v7-eap-test-andr.png

.
.
and unlike me, keep your clocks in sync !

bpwl · Wed Dec 25, 2019 10:09 pm

@floaty: Super !!!!
Any issues with Windows 10 clients?

floaty · Thu Dec 26, 2019 12:31 am

indeed ... bootet up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ...
no accept, no reject ... stuck in challenge
.
so maybe a problem with my server-certificate ...
or:
https://support.microsoft.com/en-ph/hel ... nvironment
.
maybe both
... interesting ...

floaty · Thu Dec 26, 2019 3:49 am

so ... for starters ... it seems the problem ist NOT related to the certificates I've generated on the chr-v7-radius-um-machine

I've installed these certificates on another radius-machine ...
.

you may ask: ... what the **ck took him so long ? 
a.) ... tried that on my production-machine ... which has an eval-license ... resources are tight ... dependencies were neglected ... a backup had to do it's job
b.) ... provisioned a new VM ... these are minutes too !
c.) ... there's kind of a mini-bar in homeland-labs   :shock:  ... sometimes it spurs ... sometimes it brakes

.
... and they are on duty on this device without flaws (win10, android, linux) !!

.
I'm little in the dark how to debug "MTIk-v7-UserMan-eap" ... guess the carving of these handles is work in progress ...
.

fac-cert-rad-install.PNG

.

fac-certification-check.PNG

.

tupi-connect.PNG

.

debian-too.png

.

global-view.PNG

floaty · Thu Dec 26, 2019 5:02 am

just had a little read-along ... again
.

169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123

.
@bpwl
.
did you check your UserManager-setup without EAP ?? (ntradping or something like that ?)
... it's kinda uncommon to receive an access-reject when the inner tunnel fails to establish ... cross-check couldn't hurt !?
... your user should be able to authenticate without any extensions (plain pap & chap)
.
https://www.novell.com/coolsolutions/tools/14377.html

bpwl · Thu Dec 26, 2019 9:57 am

@floaty: the setup works fine with Android devices. I didn't see the problem at those initial tests. So user/password is OK, connection to radius server is OK (it's wireless and bridged, can't do a Mikrotik sniffer on this 5 GHz connection) . In the beginning I had rejects for windows 10. But after improving the Mikrotik certificate definitions, now i'm stuck in the handshake like you. The CAPI2 logbook in windows didn't learn me enough to understand what's going on. There are so many cases of Windows 10 problems in forums ....
(Fortinet was my favorit @work for many years, don't have it @home)

bpwl · Thu Dec 26, 2019 10:56 pm

@floaty: interesting tool that NTradPing test tool. Reveals no errors. Learns me that the shared secret is not checked for user authentication

floaty · Fri Dec 27, 2019 1:36 am

yeah ... good tool (and as old as methusalix) ...
.
maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject
.
.
btw. repeated my eap-test with new generated certificates keysize 4096 instead of 2048 ... and then also the android client fails
will give it a try with externaly generated certs ... another day

bpwl · Fri Dec 27, 2019 1:51 am

@floaty: searching everywhere ... the sniffer tool on the Mikrotik (not the interface sniffer tool) does allow me to capture the radius communication. Seen no clue so far. Only Wireshark sees fragmented IP in the UDP packet (with certificate information), with packet size 1514 bytes. Framed MTU is at 1400 bytes. Just raw information for me .... https://community.arubanetworks.com/t5/ ... d-p/498619 . Don't know if this brings something.

floaty · Fri Dec 27, 2019 1:09 pm

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle.
We better wait for an "upstream statement" ...
Maybe an old windows7-valiant out threre can tell if he's able to connect ...
[ ... also the fortiauthenticator spat out my keysize 4096 certificates ... cipher not supported ]
.

win10ver.PNG

hfree · Sun Dec 29, 2019 5:04 pm

feature request: radius proxy for wifi roaming

tomtom800 · Sun Jan 05, 2020 2:02 pm

feature request: central managed ip pools

At the Moment we have to split our ip pool with public ipv4 over all router where the customer can connect. So we lose a lot of addresses because we need some reserve on every router. One central ip pool on the radius would be great.

Maybe one challenge would be that sometimes userman don't check that a customer is offline and sessions some times still active.

floaty · Tue Jan 07, 2020 8:20 pm

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy)
and until someone put a gracious eye on your feature-request ... you can evaluate here:
https://www.kaplansoft.com/tekradius/
( ... only when you can live with a windows-box)
Should ... or better: it may be possible to proxify the user-authentication to Mikrotik-userman and only use the dhcp-feature to circumvent your pub-IP-shortage.
A customer of mine is running the tek-radius (as freeware) in front of his MS-SQL-userdb for Portal-Authentication ... a happy man !

... no complains

millenium7 · Mon Jan 13, 2020 5:16 am

Can this new user manager (or the old one) be used in a centralized way for multiple sites?

We currently use HSNM because it gives us a web UI to setup new sites and generate new voucher codes for any site with an administrative overview. Plus change images etc for the hotspot page
But we could very happily get rid of it and just run this directly on the MikroTik if there is a way to centrally manage all the sites. Each site needs its own images/logos and its own voucher codes with different plan speeds, data usage etc

floaty · Mon Jan 13, 2020 1:16 pm

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.).
Not shure about the logo-customization ...
If you're already using MTik-devices you can download the usermanager package, install it and check yourself if it fits your needs ... no big deal, easily done.

millenium7 · Mon Jan 13, 2020 1:43 pm

True but my workday does no consist of sitting around twiddling my thumbs wondering what I could do next

I don't mind tinkering with things but time is limited and if its not viable yet i'm happy to just wait and move onto other things. After all V7 is not production ready just yet anyway, but keen to see where its headed

floaty · Mon Jan 13, 2020 2:27 pm

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !

bpwl · Fri Jan 17, 2020 8:43 pm

Windows 10 build 1903 and 1909 both fail to connect to 802.1x (WPA2 enterprise) with the new Radius server on ROS7beta4.
Also the working "other" Radius servers have just a self signed certificate. So it seems not to be the certificate, and not the Windows 10 build 1909 requirements from Microsoft.
I hope next ROS7 beta release will have Radius debug log ... and a fix to allow Windows 10 clients.

floaty · Sat Jan 18, 2020 2:46 am

yay: one+ for a radius-eap-debugging option
.
... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw)
-> ... also windows7 is not able to connect to the MT-CHR7-radius.

Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-certificate in w7.
Odd thing: even while in the wireless-profile "validate server-certificate" was NOT ticked:
no dialogue to accept the radius-server certificate popped up, when I tried to connect ( I could do that ... once ... in the good old time : )
I had to install the server-cert in addition to the CA-cert. ... maybe the W7 subsystem has also been updated.
.
But the v7 Radius stucked with the Win7-client in the same way.
... maybe a overlain libc in the compiling chain

.

no_tupi_nix_w7.PNG

.

floaty · Sat Jan 18, 2020 2:53 am

... while reviewing ... and talking odds ...
.

no_tupi_nix_w7_more_odd.png

.
maybe a clock prob I did run into ...

floaty · Sat Jan 18, 2020 3:10 am

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.

microexpert · Sat Jan 18, 2020 3:19 am

feature request: allow self service passwords through user portal, this saves a lot of time of the network team

chittimotunaveen · Thu Jan 23, 2020 5:23 am

Feature request: Enable user to login with OTP (like Indian railway stations) or whatsapp, gmail, hotmail, twitter, instagram.

Userman is nice for small ISP's for commertial purpose!. but we need to create every user/ vocher and have to share to customers.and they have to enter username and password manually.

Now small stores, hospitals, clinics, malls, cofee shops will provide a wifi for free to customers, but we need to collect coustmer information like name, mobile, email, address. So with the help of hostspot and giving Free intermnet access by eneablinhg social media login's.
Those data will be usable for brand promotios later. Data is new oil for us

There are already existing solution to do this and found from mikrotik forum "viewtopic.php?t=102208"
https://shop.codekece.com/downloads/dabsah/

So i hope you guys also will look into this and will intigrate social media login in routeros 7

MForooghii · Mon Jan 27, 2020 12:03 am

feature request:
sync new users from Microsoft Active Directory or other standard LDAP protocols.(can add users with special profile if they belong to a user group in AD)
profiles with invalid profile limitations to change a user attributive after user used the amount of time/Size specified in one day-week or month. and or after profile limitation. we can connect invalid users/profiles with special ip pool and redirect this users to a http page to view and charge his accounts.
its amazing if we can have same cisco isg feature in mikrotik .

MForooghii · Mon Jan 27, 2020 1:22 am

feature request:
custom payment method that can config as Hotel Billing gateway or other gateways that simplify written by users. this can authenticate users passports with billing systeams. that is useful if they can redirect some information (like username-password- phone number) to gateway even to send him his information using some RTF Language that not supported in mikrotik CLI.

bpwl · Sun Feb 09, 2020 2:08 am

Have been waiting for an update for ROS 7.0beta4 for Usermanager ... ability to use Windows clients

But if those license limits will apply for Radius-EAP, then Usermanager gets out of scope. I can understand these are realistic numbers for VPN dialin users, but for local wifi users ????

Klembord-2.jpg

excession · Wed Feb 12, 2020 6:07 pm

Not seeing Mikrotik specific attributes in the docs: https://help.mikrotik.com/docs/display/ ... er+Manager

How do we add Vendor Specific attributes?

I'd like to be able to add:
ATTRIBUTE Mikrotik-Wireless-PSK 16 string

Or preferably have all Mikrotik attributes already defined.

UPDATE:

Looks like this might work:

/user-manager attribute add name=Mikrotik-Wireless-PSK type-id=26 value-type=string

Not sure what the type-id refers to; guessed "26". From the docs:
26 Vendor-Specific Access-Accept, Access-Challenge

Anyone know?

Many thanks.

bpwl · Fri Feb 14, 2020 2:40 pm

FYI: Just loaded RouterOSv7.0beta5. Still no Windows 802.1x EAP clients according my little wifi test.

Fri Feb 14, 2020 3:05 pm

Check the "manager" logging topic. It should contain more information in beta5. Have you checked the logs on Windows using Event Viewer?

bpwl · Fri Feb 14, 2020 3:33 pm

Hi emils, I book no progress. Log output did not change after ROS 7.0beta5 upgrade.

I'm not able to see the error. Must be something I and others in this forum thread do different from what is expected.

Klembord-3.jpg

Klembord-4.jpg

mozerd · Fri Feb 14, 2020 5:10 pm

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers.

I have not loaded v7 Bx and will not until v7 RC is out -- but I wanted to THANK YOU for including RADIUS server implementation in RouterOS under user manager. A great addition and will look forward to testing when RC is out.

anav · Wed Feb 19, 2020 10:48 pm

Typical hotel practice is to add room number to last name for wifi.
If looking for smart phone applications, perhaps generate a code that a user puts into an MT app on the smart phone to access wifi...........
Could be sent via SMS or email to the persons phone number??

Good idea to lay out the requirements clearly.........................
1. Non MT trained person (any hotel or bar staff, can easily/quickly generate a key or code etc, and easy to get to customer (SMS or email to phone/tablet) and easy for customer to access (perhaps a MT app for wifi access - or another tool in the current MT app).
Least obtrusive but reasonably secure.

Really fancy would be to generate bar codes thingys..... QR codes.

PS I have used zyxel hotspot devices before and I like the direction MT is going on this one. You may wish to have a VIP option, where there is no time limit or reduced or no cost options etc..........
Different groups of users I suppose..........(probably already covered?)

ilcergio · Sat Mar 14, 2020 2:45 am

function request an API that allows radio manager to be integrated with third-party applications to manage accounting

floaty · Sat Apr 25, 2020 4:00 am

.
... while v7 is still cooking ... were stuck with our windows-wlan-clients in the meantime ...
and because corona-boreout and freeradius3.0 forming a perfect couple ... we are setting up an EAP-proxy (almost better than sudoku)
.

       ------            ubnt       bananapi         CHR
   ////      \\\\     +-------+     +-------+     +-------+
  |     SSID     |    |       |     |       |     |       |
 |                |---+  AP   |-----+freerad|-----+ MTik  |
  |    xolotl    |    |       |     |  3.0  |     |  UM   |
   \\\\      ////     |       |     |       |     |       |
       ------         +-------+     +-------+     +-------+
                        .253          .28           .161
    andro-client
  54-25-EA-59-26-EC            192.168.222.0/24

    win10-client        NAS        EAP-Proxy       MSCHAP
  F8-16-54-05-67-F7

.
I've attached a config- and a debug-dump, so if someone feels the need to setup such a thing for him- / herself , it should hopefully be possible to sing along.
.
freerad-setup in short:
.
1. config client (MTik-UM)
2. setup a realm in proxy.conf
3 activate virtual-server "proxy-inner-tunnel" ... the v-server "inner-tunnel" should be activated by default
4. direct your eap-protocols to v-server "proxy-inner-tunnel" in mods-enabled/eap ... in my example only peap ... , ttls is directed to "inner-tunnel" (just to show what's'what)
5. file "sites-enabled/inner-tunnel" shoul be good as it is
6. direct v-server proxy-inner-tunnel in file "sites-enabled/proxy-inner-tunnel" to your realm from proxy.conf
.
more or less thats it, ... it should be possible to connect with EAP/PEAP(MSCHAPv2) to your SSID
.
Freeradius is a beasty thing. To be honest it took me some hours to figure it out, I did some stuff with v2 a couple of years ago

felt not like it helped me much here.
Just saw that v4 is avail

... also with tons of new features and directives
.
In case you got stuck, have a look in the debug-dump ... its a good source to see in which order the server(s) work and how the cfg-files are used and interpreted.
Maybe there will be a follow up, how to use attributes from a foreign dictionary ... point I haven't figured out yet.

floaty · Sat Apr 25, 2020 4:06 am

.
https://www.dfn.de/fileadmin/3Beratung/ ... Strauf.pdf
.
for v4-afficionados !

floaty · Sat Apr 25, 2020 5:20 pm

.
just discovered a nice radius testing-tool ... no eap-features ... ,but its possible to save predefined setup's, contains coa-requests, server-stress-testing ,monitoring ... tidy
for windows, linux, freebsd ... decent
seems ntradping, my convenient good old geezer, is ready for pension

.
https://www.iea-software.com/products/r ... login4.cfm
.

test-tool.PNG

.

test-tool#2.PNG

floaty · Mon Apr 27, 2020 6:38 pm

.
just for the completeness of the picture:
proxying a request from freeradius-v4 to MTik-UM-v7b5 seems to be a nogo
.
after setting up a new instance for MTik-UM in new radius_rlm of FRv4; FRv4 tries something like a check or hello or something, before the rlm is fully instantiated ... which fails ... dropped ... unsupported
.

 ######   mods-available/radius   #####
 #
 #  The module adds a Proxy-State attribute to all proxied packets.
 #  This `Proxy-State` contains a 32-bit random number, which is unique
 #  to this module.  This unique number helps to detect proxy loops.
 #
 proxy-hlandtikrad - Status check packet type will be Status-Server
(proxy-hlandtikrad)    Event-Timestamp = "Jan  1 1970 00:00:00 UTC"
(proxy-hlandtikrad)    NAS-Identifier = "status check - are you alive?"

.
.
but I've been warned ... so it what it is ... anti-corona-boreout-sit-ups

.

 Info  : FreeRADIUS Version 4.0.0
 Info  : Copyright 1999-2019 The FreeRADIUS server project and contributors
 Info  : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 Info  : PARTICULAR PURPOSE

.

v4-module-instantiation.png

.

MTik-UMv7-response.png

SiB · Tue Jun 23, 2020 6:09 pm

I have a question who is very important for me, maybe even as Feature Request.

That new User Manager allow me to use it for separate VPNs Radius client's into separate users ?

Currently the VPN service use only ONE ppp\profile and Radius users from Micro$oft NPS are as one group who cannot be separated, they exist as one pool.

I use workaround from long time ago, what I just paste in the best post I can found about that problem, here is a post PPTP VPN with RADIUS and Fixed IP address for PPTP clients.
I use profile on-up/down scripts who grab IP from pools and manage own Firewall\AccessList what is my base of separate one users from other one. This is not perfect method...

Best Regards
Marcin (SiB) Przysowa.

floaty · Tue Jun 23, 2020 8:11 pm

.
you should be able to do this by adding the attribute "Mikrotik-Group" to a user
(haven't figured if and when if, ... how to add a attribute-set to a profile or user-profile ... like a group-feature ? ... I would like that too)
.
Mikrotik-Group - Router local user group name (defines in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users.
.

[admin@chr-7-1] /user-manager/attribute> add name=Mikrotik-Group vendor-id=14988 type-id=3 value-type=string packet-types=access-accept 
[admin@chr-7-1] /user-manager/attribute> 
[admin@chr-7-1] /user-manager/user> print
Flags: X - disabled 
 0   name="v7" password="***" group=default shared-users=unlimited attributes="" 

 1   name="v7w" password="***" group=default shared-users=unlimited attributes="" 
[admin@chr-7-1] /user-manager/user> 

[admin@chr-7-1] /user-manager/user> set 0 attributes=
Mikrotik-Group  :
[admin@chr-7-1] /user-manager/user> set 0 attributes=Mikrotik-Group:Testgroup 
[admin@chr-7-1] /user-manager/user> 
02:47:37 echo: system,info UMS user <v7> changed by admin
[admin@chr-7-1] /user-manager/user>

.

requ.png

.

ws-dump.png

floaty · Tue Jun 23, 2020 8:27 pm

.
you can also add:
Radius:IETF Framed-Pool
to select the IP-Pool
.
and
Radius:IETF Filter-Id
to define a firewall-chain in MTik-ROS

floaty · Tue Jun 23, 2020 8:55 pm

.
and ...I found the group-feature ... inbetween ... hard to see : )
.
/user-manager/user/group
.
[admin@chr-7-1] /user-manager/user/group> print
Flags: * - default
0 * name="default" default-name="default" outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 attributes=""

1 * name="default-anonymous" default-name="default-anonymous" outer-auths=eap-ttls,eap-peap inner-auths="" attributes=""

2 name="Mygroup" outer-auths="" inner-auths="" attributes=Mikrotik-Group:Testgroup,Mikrotik-Wireless-PSK:bananas
.


########################################

# jun/24/2020 03:36:09 by RouterOS 7.0beta8
# software id = 
#
/user-manager attribute
add name=Mikrotik-Recv-Limit type-id=1 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Xmit-Limit type-id=2 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Group type-id=3 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Forward type-id=4 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Skip-Dot1x type-id=5 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Enc-Algo type-id=6 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Enc-Key type-id=7 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Rate-Limit type-id=8 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Realm type-id=9 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Mark-Id type-id=11 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Advertise-URL type-id=12 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Advertise-Interval type-id=13 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Recv-Limit-Gigawords type-id=14 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Xmit-Limit-Gigawords type-id=15 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-PSK type-id=16 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Total-Limit type-id=17 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Total-Limit-Gigawords type-id=18 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Address-List type-id=19 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-MPKey type-id=20 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Comment type-id=21 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Delegated-IPv6-Pool type-id=22 value-type=string vendor-id=Mikrotik
add name=Mikrotik-DHCP-Option-Set type-id=23 value-type=string vendor-id=Mikrotik
add name=Mikrotik-DHCP-Option-Param-STR1 type-id=24 value-type=string vendor-id=Mikrotik
add name=Mikortik-DHCP-Option-Param-STR2 type-id=25 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-VLANID type-id=26 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-VLANIDtype type-id=27 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Minsignal type-id=28 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Maxsignal type-id=29 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Switching-Filter type-id=30 value-type=string vendor-id=Mikrotik
[admin@chr-7-1] /user-manager/attribute>

Gerlach76 · Wed Aug 26, 2020 1:23 pm

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX

Mannsean · Fri Aug 28, 2020 1:51 am

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX

Don't think it would handle up to 2000

PeterFreeman · Fri Aug 28, 2020 11:35 am

Out of interest, can the new User Manager be used to authenticate other routers in a network or is it just for local access?
i.e just as a radius server for other NAS devices to authenticate against.
Thanks

bpwl · Fri Aug 28, 2020 11:56 am

Typical for WPA2-Enterprise or WPA2-EAP the radius server is not local. The 802.11x check is local, but the radius server is central. Works well for wifi in RouterOS v7 with User Manager v7, except for Windows clients, that did not work, and there has been no update mentioned in the change logs since. So the Windows problem is supposed to still be there.

I used the radius on the Synology NAS with success for RouterOS, but did not try the reverse, as I need windows client access. And some worry about the number of concurrent users whith a L4/L5 ROS license.

Gerlach76 · Sun Dec 06, 2020 2:51 pm

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX
@normis what do you think? how many?

thx

pe1chl · Sun Dec 06, 2020 4:38 pm

There could be a fixed limit determined by licensing, and of course there is a "load limit" but that depends more on the number of logon/logoff actions than on the actual number of users.
So it would be more difficult to predict, because it depends on the behavior of your users. And on the type of auth you are using it for.
(i.e. a PPPoE connection would likely be much easier on the user manager than a WPA2-EAP WiFi connection on APs inside a company)

anuser · Mon Jan 04, 2021 12:13 pm

feature request:
sync new users from Microsoft Active Directory or other standard LDAP protocols.(can add users with special profile if they belong to a user group in AD)

Is synchronization with Active Directory supported nowadays?

niammuddin · Sun Jan 10, 2021 9:48 am

request for: add-batch-users , add feature "Pwd same as login" or username&password same.

now only
caller-id --
disabled --
group --
number-of-users --
password-characters --
password-length --
profile --
shared-users --
username-characters --
username-length --
username-prefix --

thanks

floaty · Thu Feb 11, 2021 10:02 pm

.
?[(ROSv7b4 & 802.1x) & (windows-802.1x-client)] -> 'in statu quo res erant ante bellum' [pre-ROSv7b4]

Who is online