User Manager/PPP Example
From MikroTik Wiki
User Manager can be used as a remote authentication, authorization and accounting server for PPP clients.
Since version 2.9.35, the PAP, CHAP, MS-CHAPv1 and MS-CHAPv2 protocols are supported by User Manager.
Let us consider the following configuration steps for PPP and User Manager routers.
We consider a PPPoE server <-> PPPoE client configuration example, where the PPPoE server uses a remote User Manager database for PPPoE client authentication, authorization and accounting. Both the PPPoE server and the PPPoE client are MikroTik routers; any other PPPoE client might be used instead.
PPP server configuration
- First, add the PPPoE server to the local interface:
/ interface pppoe-server server add interface=ether1 service-name=MikroTik one-session-per-host=yes disabled=no
- Specify the use of User Manager for PPPoE clients:
/ ppp aaa set use-radius=yes
- Set the IP address of the PPPoE server. An IP address does not have to be assigned to the interface of the PPPoE server. Moreover, a static IP address or DHCP should not be used on the same interfaces as the PPPoE server, for security reasons.
/ ppp profile set default local-address=192.168.0.1
- Add a RADIUS client to consult User Manager for the PPP service:
/ radius add service=ppp address=y.y.y.y secret=123456
'secret' must be equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address.
- Note that the local PPP database is consulted first, then the User Manager database.
PPP client configuration
- Add the PPPoE client to the interface:
/ interface pppoe-client add interface=ether1 user=MikroTik password=MikroTik service-name=MikroTik disabled=no
User Manager configuration
- First, you need to download and install the User Manager package.
- Create a User Manager subscriber (root customer). Note that when using version 3.0 or newer, a subscriber called 'admin' is created automatically; you can skip the following stage and change 'MikroTik' to 'admin' in subsequent steps.
/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner
- Add the PPP server information to the router list.
In version 3:
/ tool user-manager router add subscriber=MikroTik ip-address=x.x.x.x shared-secret=123456
In version 4:
/ tool user-manager router add customer=MikroTik ip-address=x.x.x.x shared-secret=123456
'x.x.x.x' is the address of the PPPoE server router; 'shared-secret' should match on both the User Manager and PPPoE server routers.
- Add the PPPoE client information.
In version 3:
/ tool user-manager user add username=demo password=demo subscriber=MikroTik ip-address=192.168.0.2
In version 4:
/ tool user-manager user add username=demo password=demo customer=MikroTik ip-address=192.168.0.2
- Let us verify that the PPPoE client is connected and using User Manager for authentication, authorization and accounting. First we monitor whether the PPPoE client is connected, then we verify that User Manager was used. The first command is executed on the PPPoE client router, the second on the PPPoE server:
/ interface pppoe-client monitor pppoe-out1
          status: "connected"
          uptime: 12h2m29s
       idle-time: 12h2m17s
    service-name: "MikroTik"
         ac-name: "MikroTik"
          ac-mac: 00:0C:42:05:54:8F
             mtu: 1480
             mru: 1480
/ ppp active> print
Flags: R - radius
 #   NAME      SERVICE  CALLER-ID          ADDRESS      UPTIME    ENCODING
 0 R MikroTik  pppoe    00:0C:42:05:54:6E  192.168.0.2  12h1m48s