lox
just joined
Topic Author
Posts: 20
Joined: Wed Oct 05, 2022 1:05 pm

Radius server is not responding (Hotspot + UserManager)

Wed Jan 11, 2023 2:14 am

Hello,

I need to build a secured Hotel network using MikroTik devices.

For now, I am testing the setup on a hEX PoE. I had it working until I enabled 'Use profiles' in User Manager. Since then, I get the 'Radius server is not responding' message. I tried disabling 'Use profiles', and I tried resetting. BTW, after each reset, I also need to uninstall and reinstall UserManager, and delete all Um5files. If I don't, all attempts to add a setting (from UI or CLI) to UserManager time out.

That said, here is the full config export for which I get "Radius server is not responding" when a hotspot user tries to authenticate using UserManager credentials. I am stuck and this is driving me crazy.

# jan/11/2023 11:10:40 by RouterOS 7.6
# software id = B03Z-9A05
#
# model = RB960PGS
/interface bridge
add admin-mac=08:55:31:78:2A:0D auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether4 ] poe-out=off
/interface vlan
add interface=bridge name=BASE_VLAN vlan-id=10
add interface=bridge name=CUSTOMERS_VLAN vlan-id=40
add interface=bridge name=OFFICE_VLAN vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLAN
add name=BASE
add name=OFFICE
add name=CUSTOMERS
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
add dns-name=hostspot.mydomain.com hotspot-address=10.40.40.1 html-directory=\
    flash/hotspot-customers login-by=cookie,http-chap,https name=Customers \
    rate-limit=100M/100M ssl-certificate=hotspot-cert use-radius=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=OFFICE_POOL ranges=10.40.20.20-10.40.20.254
add name=CUSTOMERS_POOL ranges=10.40.40.20-10.40.41.254
add name=BASE_POOL ranges=10.40.10.10-10.40.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=OFFICE_POOL interface=OFFICE_VLAN name=OFFICE_DHCP
add address-pool=CUSTOMERS_POOL interface=CUSTOMERS_VLAN name=CUSTOMERS_DHCP
add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP
/ip hotspot
add address-pool=CUSTOMERS_POOL disabled=no interface=CUSTOMERS_VLAN name=\
    Customers profile=Customers
/ip hotspot user profile
add address-pool=CUSTOMERS_POOL advertise=yes name=Customers rate-limit=\
    70M/70M shared-users=3 transparent-proxy=yes
/user-manager limitation
add name=Customers-20M rate-limit-burst-rx=30000000B \
    rate-limit-burst-threshold-rx=20000000B rate-limit-burst-threshold-tx=\
    20000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s \
    rate-limit-burst-tx=30000000B rate-limit-rx=20000000B rate-limit-tx=\
    20000000B
/user-manager profile
add name=Customers-Free name-for-users=Free override-shared-users=5 \
    starts-when=first-auth validity=20m
/user-manager user group
add inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 \
    name=Customers outer-auths=\
    pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=20
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=40
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=40
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=OFFICE_VLAN list=VLAN
add interface=CUSTOMERS_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=OFFICE_VLAN list=OFFICE
add interface=CUSTOMERS_VLAN list=CUSTOMERS
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.40.10.1/24 interface=BASE_VLAN network=10.40.10.0
add address=10.40.20.1/24 interface=OFFICE_VLAN network=10.40.20.0
add address=10.40.40.1/23 interface=CUSTOMERS_VLAN network=10.40.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.40.10.0/24 dns-server=10.40.10.1 gateway=10.40.10.1
add address=10.40.20.0/24 dns-server=10.40.10.1 gateway=10.40.20.1
add address=10.40.40.0/23 dns-server=10.40.10.1 gateway=10.40.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow WinBox" dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Allow WebFig" dst-port=80 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 \
    in-interface-list=VLAN protocol=udp src-port=68
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot user
add name=testuser password=user profile=Customers
/ip hotspot walled-garden
add dst-host=download.mikrotik.com
add dst-host=upgrade.mikrotik.com
/ip service
set www-ssl certificate=https-cert disabled=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/radius
add address=127.0.0.1 comment="Customers HotSpot" secret=\
    Olj8XHcCtPAShPQF8Z7se service=hotspot
/system clock
set time-zone-name=Pacific/Noumea
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/user-manager
set certificate=*0 enabled=yes
/user-manager profile-limitation
add limitation=Customers-20M profile=Customers-Free
/user-manager router
add address=127.0.0.1 name=Customers shared-secret=Olj8XHcCtPAShPQF8Z7se
/user-manager user
add group=*66 name=user1
add group=*66 name=user2
add comment=test group=*66 name=ntr shared-users=5
add comment=test group=*66 name=law shared-users=5
add comment=test group=*66 name=tzx shared-users=5
add comment=test group=*66 name=lnu shared-users=5
add comment=test group=*66 name=wrw shared-users=5
add comment=test group=*66 name=b1f shared-users=5
add comment=test group=*66 name=zqs shared-users=5
add comment=test group=*66 name=tdg shared-users=5
add comment=test group=*66 name=axy shared-users=5
add comment=test group=*66 name=q4r shared-users=5
/user-manager user-profile
add profile=Customers-Free user=ntr
add profile=Customers-Free user=law
add profile=Customers-Free user=tzx
add profile=Customers-Free user=lnu
add profile=Customers-Free user=wrw
add profile=Customers-Free user=b1f
add profile=Customers-Free user=zqs
add profile=Customers-Free user=tdg
add profile=Customers-Free user=axy
add profile=Customers-Free user=q4r

To get to this config I start with default configuration and send those CLI commands:

# Start with hEX PoE reset to default config

# allow winbox and webfig access from wan (for testing)
/ip firewall filter add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow WinBox"
/ip firewall filter add action=accept chain=input dst-port=80 in-interface-list=WAN protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow WebFig"

# Unset protocol-mode on default bridge
/interface bridge set bridge protocol-mode=none vlan-filtering=no

# POE OFF
/interface ethernet set [ find default-name=ether2 ] poe-out=off
/interface ethernet set [ find default-name=ether4 ] poe-out=off

#######################################
#
# -- Access Ports --
#
#######################################

# ingress behavior

# BASE_VLAN (management)
/interface bridge port set pvid=10 [find interface=ether2]

# Office VLAN
/interface bridge port set pvid=20 [find interface=ether3]

# Customers VLAN
/interface bridge port set pvid=40 [find interface=ether4]
/interface bridge port set pvid=40 [find interface=ether5]

# egress behavior, handled automatically

# L3 switching so Bridge must be a tagged member

# These are from https://forum.mikrotik.com/viewtopic.php?t=143620#p706999
# and didn't work (nothing gets created)
#
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=10]
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=20]
# /interface bridge vlan set bridge=bridge tagged=bridge [find vlan-ids=40]

/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2 vlan-ids=10
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=20
/interface bridge vlan add bridge=bridge tagged=bridge untagged=ether4,ether5 vlan-ids=40

#######################################
# IP Services
#######################################

# Management VLAN
/interface vlan add interface=bridge name=BASE_VLAN vlan-id=10
/ip address add address=10.40.10.1/24 interface=BASE_VLAN

# OFFICE VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=OFFICE_VLAN vlan-id=20
/ip address add interface=OFFICE_VLAN address=10.40.20.1/24
/ip pool add name=OFFICE_POOL ranges=10.40.20.20-10.40.20.254
/ip dhcp-server add address-pool=OFFICE_POOL interface=OFFICE_VLAN name=OFFICE_DHCP disabled=no
/ip dhcp-server network add address=10.40.20.0/24 dns-server=10.40.10.1 gateway=10.40.20.1

# CUSTOMERS VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=CUSTOMERS_VLAN vlan-id=40
/ip address add interface=CUSTOMERS_VLAN address=10.40.40.1/23
/ip pool add name=CUSTOMERS_POOL ranges=10.40.40.20-10.40.41.254
/ip dhcp-server add address-pool=CUSTOMERS_POOL interface=CUSTOMERS_VLAN name=CUSTOMERS_DHCP disabled=no
/ip dhcp-server network add address=10.40.40.0/23 dns-server=10.40.10.1 gateway=10.40.40.1

# Create a DHCP instance for BASE_VLAN.
/ip pool add name=BASE_POOL ranges=10.40.10.10-10.40.10.254
/ip dhcp-server add address-pool=BASE_POOL interface=BASE_VLAN name=BASE_DHCP disabled=no
/ip dhcp-server network add address=10.40.10.0/24 dns-server=10.40.10.1 gateway=10.40.10.1

#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list add name=OFFICE
/interface list add name=CUSTOMERS

/interface list member add interface=ether1     list=WAN
/interface list member add interface=BASE_VLAN  list=VLAN
/interface list member add interface=OFFICE_VLAN  list=VLAN
/interface list member add interface=CUSTOMERS_VLAN list=VLAN

/interface list member add interface=BASE_VLAN  list=BASE
/interface list member add interface=OFFICE_VLAN  list=OFFICE
/interface list member add interface=CUSTOMERS_VLAN list=CUSTOMERS

# VLAN aware firewall. Order is important.

##################
# INPUT CHAIN
##################

# Allow VLANs to access router services DNS and DHCP. 
/ip firewall filter add action=accept chain=input comment="Allow VLAN DNS" dst-port=53 in-interface-list=VLAN protocol=udp place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add action=accept chain=input comment="Allow VLAN DHCP" dst-port=67 in-interface-list=VLAN protocol=udp src-port=68 place-before=[find comment="defconf: drop all not coming from LAN"]

# Allow BASE_VLAN full access.
/ip firewall filter add chain=input action=accept in-interface=BASE_VLAN place-before=[find comment="defconf: drop all not coming from LAN"] comment="Allow Base_Vlan Full Access"


##################
# FORWARD CHAIN
##################
# Allow all VLANs to access the Internet only, NOT each other
/ip firewall filter add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN place-before=[find chain=forward comment="defconf: drop invalid"] comment="VLAN Internet Access only"

#######################################
# VLAN Security
#######################################

# Only allow ingress packets without tags on Access Ports
# /interface bridge port 
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
/interface bridge port set bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, the MGMT network
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=BASE

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set bridge vlan-filtering=yes

#######################################
# Create Certificates
#######################################
/certificate
add name=root-cert common-name=HotelName days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert

add name=https-cert common-name=router.mydomain.com days-valid=3650
sign ca=root-cert https-cert

add name=hotspot-cert common-name=hostspot.mydomain.com days-valid=3650
sign ca=root-cert hotspot-cert

#######################################
# Services
#######################################
/ip service
set www-ssl certificate=https-cert disabled=no
# set www disabled=yes

#######################################
# Radius Server
#######################################
/radius
add address=127.0.0.1 comment="Customers HotSpot" secret=Olj8XHcCtPAShPQF8Z7se service=hotspot

#######################################
# User manager
#######################################
# Customers limitations
/user-manager limitation
add name=Customers-20M rate-limit-burst-rx=30000000B rate-limit-burst-threshold-rx=20000000B \
    rate-limit-burst-threshold-tx=20000000B rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=\
    10s rate-limit-burst-tx=30000000B rate-limit-rx=20000000B rate-limit-tx=20000000B

# Customers profile
/user-manager profile
add name=Customers-Free name-for-users=Free override-shared-users=5 starts-when=first-auth validity=20m

# Apply limitations to profile
/user-manager profile-limitation
add limitation=Customers-20M profile=Customers-Free

# Customers group
/user-manager user group
add inner-auths=\
    ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=Customers outer-auths=\
    pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2

# User manager router
/user-manager router
add address=127.0.0.1 name=Customers shared-secret=Olj8XHcCtPAShPQF8Z7se

#Enable 
/user-manager
set certificate=*0 enabled=yes

# add a few users
/user-manager user
add group=*66 name=user1
add group=*66 name=user2
add comment=test group=*66 name=ntr shared-users=5
add comment=test group=*66 name=law shared-users=5
add comment=test group=*66 name=tzx shared-users=5
add comment=test group=*66 name=lnu shared-users=5
add comment=test group=*66 name=wrw shared-users=5
add comment=test group=*66 name=b1f shared-users=5
add comment=test group=*66 name=zqs shared-users=5
add comment=test group=*66 name=tdg shared-users=5
add comment=test group=*66 name=axy shared-users=5
add comment=test group=*66 name=q4r shared-users=5

# assign profiles
/user-manager user-profile
add profile=Customers user=ntr
add profile=Customers user=law
add profile=Customers user=tzx
add profile=Customers user=lnu
add profile=Customers user=wrw
add profile=Customers user=b1f
add profile=Customers user=zqs
add profile=Customers user=tdg
add profile=Customers user=axy
add profile=Customers user=q4r

#######################################
# Hot Spot
#######################################

# hotspot profile for customers
/ip hotspot profile
add dns-name=hostspot.mydomain.com hotspot-address=10.40.40.1 html-directory=\
    flash/hotspot-customers login-by=cookie,http-chap,https name=Customers rate-limit=100M/100M \
    ssl-certificate=hotspot-cert use-radius=yes
    
# hotspot server
/ip hotspot
add address-pool=CUSTOMERS_POOL disabled=no interface=CUSTOMERS_VLAN name=Customers profile=Customers

# user profile for customers
/ip hotspot user profile
add address-pool=CUSTOMERS_POOL advertise=yes name=Customers rate-limit=70M/70M shared-users=3 \
    transparent-proxy=yes

# walled-garden for CAPs updates
/ip hotspot walled-garden
add dst-host=download.mikrotik.com
add dst-host=upgrade.mikrotik.com

# add test user
/ip hotspot user
add name=testuser password=user profile=Customers

Router can ping itself on 127.0.0.1 :

ping 127.0.0.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                       
    0 127.0.0.1                                  56  64 324us     
    1 127.0.0.1                                  56  64 298us     
    2 127.0.0.1                                  56  64 303us     
    3 127.0.0.1                                  56  64 300us     
    4 127.0.0.1                                  56  64 299us     
    sent=5 received=5 packet-loss=0% min-rtt=298us avg-rtt=304us max-rtt=324us
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: Radius server is not responding (Hotspot + UserManager)  [SOLVED]

Wed Jan 11, 2023 6:03 am

Try troubleshooting first with the standard hotspot settings, with no certificate and RADIUS off.
Can this test user (based on your settings) log in to the hotspot?
/ip hotspot user add name=testuser password=user profile=Customers

If it can, then, still with no certificate enabled, turn RADIUS on and use User Manager.
I see some of your settings are different from mine.

First, it is better to link the User Manager group with the Hotspot user profile. You have
/ip hotspot user profile add address-pool=CUSTOMERS_POOL advertise=yes name=Customers rate-limit=70M/70M shared-users=3 transparent-proxy=yes <= there
And I see you have named the User Manager group "Customers" too,
so now link it with
/user-manager user group add name="Customers" outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2 inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 attributes=Mikrotik-Group:Customers

Then link the user that you created (I take user 'ntr' as a sample) with
/user-manager user add name="ntr" password="ntr" otp-secret="" group=Customers shared-users=5 attributes=""

Next, I see you have created the User Manager profile with
/user-manager profile add name="Customers-Free" name-for-users="Free" override-shared-users=5 starts-when=first-auth validity=20m

Now link the user and the profile
/user-manager user-profile add user=ntr profile=Customers-Free

Last, enable User Manager with use-profiles
/user-manager set enabled=yes use-profiles=yes

Try to log in to the hotspot with user ntr, password ntr. If you can, then applying the cert next should be no problem.
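
The cross-references this reply walks through can be checked mechanically before a login test. The following is an added example, not code from the thread or from MikroTik: a Python script that parses `/export` output and flags User Manager users whose group is an unresolved `*id`, user-profile rows naming a profile that is not defined, groups without the `Mikrotik-Group` attribute recommended above, and a `/radius` secret that differs from the `/user-manager router` one. The sample export is constructed from the first post's commands with a placeholder secret; treating `*`-prefixed values as unresolved references and the built-in group names are assumptions.

```python
import re
import shlex

# Constructed excerpt in /export syntax, modelled on the first post's
# commands; the shared secret is a placeholder.
SAMPLE_EXPORT = r'''
/radius
add address=127.0.0.1 comment="Customers HotSpot" secret=\
    EXAMPLE-SECRET service=hotspot
/ip hotspot user profile
add address-pool=CUSTOMERS_POOL name=Customers shared-users=3
/user-manager profile
add name=Customers-Free name-for-users=Free validity=20m
/user-manager user group
add name=Customers outer-auths=pap,chap
/user-manager router
add address=127.0.0.1 name=Customers shared-secret=EXAMPLE-SECRET
/user-manager user
add comment=test group=*66 name=ntr shared-users=5
/user-manager user-profile
add profile=Customers user=ntr
'''

# Assumption: group names that exist without appearing in an export.
BUILTIN_GROUPS = {"default", "default-anonymous"}


def parse_export(text):
    """Map each menu path to the list of key=value dicts of its 'add' rows."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join '\' line continuations
    menus, path = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path and line.startswith("add "):
            words = shlex.split(line)[1:]
            menus[path].append(dict(w.split("=", 1) for w in words if "=" in w))
    return menus


def audit(text):
    """Return findings about broken references between hotspot, RADIUS and UM."""
    m = parse_export(text)
    rows = lambda p: m.get(p, [])
    names = lambda p: {r["name"] for r in rows(p) if "name" in r}
    groups = names("/user-manager user group") | BUILTIN_GROUPS
    profiles = names("/user-manager profile")
    hs_profiles = names("/ip hotspot user profile")
    out = []
    for u in rows("/user-manager user"):
        g = u.get("group")
        if g and g not in groups:
            kind = "unresolved id" if g.startswith("*") else "unknown group"
            out.append(f"user {u.get('name')}: {kind} {g}")
    for link in rows("/user-manager user-profile"):
        if link.get("profile") not in profiles:
            out.append(f"user-profile {link.get('user')}: "
                       f"unknown profile {link.get('profile')}")
    for g in rows("/user-manager user group"):
        linked = [a.split(":", 1)[1] for a in g.get("attributes", "").split(",")
                  if a.startswith("Mikrotik-Group:")]
        if not linked:
            out.append(f"group {g.get('name')}: no Mikrotik-Group attribute")
        out += [f"group {g.get('name')}: no hotspot user profile {p}"
                for p in linked if p not in hs_profiles]
    for r in rows("/radius"):
        peers = [x for x in rows("/user-manager router")
                 if x.get("address") == r.get("address")]
        if not peers:
            out.append(f"radius {r.get('address')}: no /user-manager router entry")
        elif all(x.get("shared-secret") != r.get("secret") for x in peers):
            out.append(f"radius {r.get('address')}: shared secret mismatch")
    return out
```

Calling `audit()` on the text of a saved export returns an empty list when every reference resolves; the parser expects the `/export` layout (a menu line followed by `add` rows), not one-line CLI commands.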
 
lox
just joined
Topic Author
Posts: 20
Joined: Wed Oct 05, 2022 1:05 pm

Re: Radius server is not responding (Hotspot + UserManager)

Fri Jan 13, 2023 8:32 am

Thanks for taking time to help. The Hotspot works perfectly with Hotspot local users.

That said, I added attributes=Mikrotik-Group:Customers to the user-manager user group as advised. I fixed users groups and user-profile assignments, and it now works as intended.
I have other issues to solve, but this one is. Thanks.
 
lox
just joined
Topic Author
Posts: 20
Joined: Wed Oct 05, 2022 1:05 pm

Re: Radius server is not responding (Hotspot + UserManager)

Fri Jan 13, 2023 8:34 am

BTW when user-manager is crashed after a reset (times out on any /user-manager command), I found that deleting the sqlite database of user-manager, prior to resetting, solves it.
