Manual:User Manager: Difference between revisions

From MikroTik Wiki
Latest revision as of 10:31, 30 September 2020

Introduction

User Manager (UM) is a management system that can be used in various setups: for HotSpot, PPP, DHCP, Wireless and RouterOS users. User Manager is a RADIUS server application. The first UM test package was introduced in RouterOS version 4. The User Manager package is supported on all RouterOS architectures, including x86 and Cloud Hosted Router (CHR).

Note: SMIPS-based devices without additional memory do not have enough free space for the UM package.


Getting started

MikroTik User Manager can be downloaded from the download section of the MikroTik web site: find the architecture and software version of your device and download the Extra packages archive for it; the archive contains the User Manager package. The package version and architecture must match the installed RouterOS exactly. To install it, upload the package to the device and reboot.

A default Customer with login admin and an empty password is created when the User Manager package is installed for the first time. Set a password straight away, before the web interface is reachable by anyone else:

[admin@MikroTik] /tool user-manager customer set admin password=adminpassword

Use the print command to verify the change:

 [admin@MikroTik] /tool user-manager customer> print
  Flags: X - disabled
   0   login="admin" password="adminpassword" backup-allowed=yes currency="USD" 
       time-zone=-00:00 permissions=owner signup-allowed=no paypal-allowed=no
       paypal-secure-response=no paypal-accept-pending=no

Quick start

Concepts explained

Customers

Sub-menu: /tool user-manager customer


Customers use a web interface to manage users, credits, routers, etc. Each customer can have zero or more sub-customers and exactly one parent customer; a sub-customer's permission level is the same as or weaker than its parent's.

A subscriber is a customer with owner permissions whose parent is itself. Subscribers can be thought of as domains: each subscriber sees everything that happens with its sub-customers, credits, users, routers, sessions, etc., but has no access to other subscribers' data. All data objects (users, routers, credits, logs) belong to one specific subscriber and can therefore be visible to many sub-customers of the owning subscriber. To separate users among customers of one subscriber, a user prefix is used.


Property Description
access (config-payment-gw | own-profiles | own-users | parent-payment-gw | parent-routers | own-limits | own-routers | parent-limits | parent-profiles | parent-users; Default: ) Which objects the customer may configure (own-* applies to the customer's own objects, parent-* to the parent's):
  • config-payment-gw
  • own-limits
  • own-profiles
  • own-routers
  • own-users
  • parent-limits
  • parent-payment-gw
  • parent-profiles
  • parent-routers
  • parent-users
backup-allowed (yes | no; Default: yes) Whether the customer may manage backups.
city (string; Default: ) Informational
company (string; Default: ) Informational
copy-from (string; Default: ) Copy data from a specific customer.
country (string; Default: ) Informational
currency (string; Default: ) Used for payments and money-related data representation on the web page.
date-format (string; Default: ) Used on web pages for data representation. Only allowed formats (listed in the drop-down) can be used. When the value doesn't match any of allowed (it's possible to enter any value from console) formats, default is used.
disabled (yes | no; Default: no) Disables or enables the customer.
email (string; Default: ) Email address. Used to send emails (for ex., sign up information) to users.
parent (string; Default: ) Parent customer.
password (string; Default: )
paypal-accept-pending (yes | no; Default: no) When true, payments with status "Pending" are accepted as valid. This may be used for multi-currency payments where manual approvals must be made.
paypal-allowed (yes | no; Default: no) Whether PayPal is allowed.
paypal-business-id (string; Default: no) Business ID of the PayPal account where the money will be sent.
paypal-secure-response (yes | no; Default: no) Whether to use HTTPS (when true) or HTTP (when false) to receive payment feedback from PayPal. An additional mechanism checks the validity of this feedback, so HTTPS is not strictly mandatory; it is still the safer choice, since it keeps the feedback from being read or altered in transit.
permissions (full | owner | read-only | read-write; Default: owner) Customer account permissions.
public-host (string; Default: ) IP address or DNS name specifying the public address of this User Manager router. Payment gateways send the transaction status response to this address. It only matters if users access the User Manager site through a local IP address (for example, http://192.168.0.250/user) while another address is used for public access (for example, http://userman.mt.lv/user).
public-id (string; Default: ) ID used to identify the customer: login names are not required to be unique and, for security reasons, are kept secret, so the public ID is what gets exposed instead.
signup-allowed (yes | no; Default: no) When checked, this customer allows users to sign up.
time-zone (string; Default: ) Per customer; defaults to 00:00. Session and credit information is stored as GMT regardless of the RouterOS time zone on the User Manager router; this value only affects how data is displayed on the User Manager web pages.
user-prefix (string; Default: ) Used to separate users between customers of one subscriber.
login (string; Default: )


The web interface provides the same options as the CLI. Most people manage User Manager through the web interface because it is more convenient.

[Figure: Customer section in the web interface]

Users

Sub-menu: /tool user-manager user


Users are people who use services provided by customers and each user can have time, traffic and speed limitations. Customers can create, modify and delete users but the owner is the subscriber who is also the owner of these customers. To separate users among customers of one subscriber, user prefix is used.

Property Description
caller-id (string; Default: )
caller-id-bind-on-first-use (yes | no; Default: no)
copy-from (string; Default: ) Copy parameters from specific user.
disabled (yes | no; Default: no) Whether user is disabled.
email (string; Default: ) Email. Used to send notifications to User (for ex., sign-up email).
first-name (string; Default: ) Informational
ip-address (string; Default: 0.0.0.0) If not blank, the user gets this IP address on successful authorization.
last-name (string; Default: ) Informational
location (string; Default: ) Informational
password (string; Default: )
phone (string; Default: ) Informational
random-password (yes | no; Default: no) Generate a random password for the user.
reg-key (string; Default: )
registration-date (string; Default: )
shared-users (number | unlimited; Default: unlimited)
username (string; Default: )
wireless-enc-algo (40bit-wep | 104bit-wep | aes-ccm | none | tkip; Default: ) Wireless encryption algorithm handed to the router for this user. WEP and TKIP are broken and should not be used; choose aes-ccm.
wireless-enc-key (string; Default: )
wireless-psk (string; Default: )
customer (string; Default: ) User account owner.

Profile

Sub-menu: /tool user-manager profile


Profiles can be assigned to users manually or allocated by the user when they make a successful payment.

If the profile property 'Starts' is set to 'At first logon', the profile assigned to a user stays inactive until that user logs on to the system (e.g. via a Hotspot). When the user starts a new session, the user's 'start time' is fixed and the 'end time' is calculated from it. The 'end time' cannot be changed afterwards, whether the session stays active until the 'end time' or closes sooner.

If the user has several profiles, the next inactive profile is started (it becomes the 'actual profile') when the previous actual profile reaches its 'end time'. If there are no more inactive profiles to start, the user is forced to log off.

If a profile is already active when a user logs on, that profile is used instead of starting the next one (if one is available).

If the user logs off before the profile's 'end time', the next inactive profile is started only when the user logs on again after the 'end time' of the earlier profile.

Only one profile (for the same user) can be active at a time.

A customer can remove a user's last profile only while it is inactive.


Property Description
copy-from (string; Default: ) Copy data from a specific profile.
name-for-users (string; Default: ) Descriptive name for the Profile that is displayed to the end user when they login to their user page.
override-shared-users (off | unlimited; Default: off)
price (string; Default: ) How much it will cost for the user. If left blank, there is no payment required.
starts-at (logon | now; Default: logon) When time limitation starts.
validity (string; Default: ) Defines the period of time the Profile is valid for. (Note: NOT the same as the online time that could be set in Limitations).
name (string; Default: )
owner (string; Default: ) The 'Owner' of the Profile (usually 'admin').


Note: If the 'Starts' value is set to 'At first logon', then the Validity value starts counting. E.g. If Validity is set to 1d, then 1 day after the first logon, regardless if the user has used all their online time or not, the profile will become invalid and they will be unable to log on again unless a new profile is available in their list of valid profiles.
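To make the rules above concrete, here is a small model of the profile lifecycle exactly as the text describes it. It is an added example written for this page, not User Manager's own code; the class and method names (Profile, UserProfiles, logon, check_session) are assumptions, and the model covers validity only, not the online-time or traffic limits.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Profile:
    """One profile assigned to a user (names are assumptions for this model)."""
    name: str
    validity: timedelta            # wall-clock validity, not online time
    starts_at: str = "logon"       # "logon" (At first logon) or "now"
    start: Optional[datetime] = None
    end: Optional[datetime] = None

    def is_inactive(self) -> bool:
        # never started: no start time has been fixed yet
        return self.start is None

    def is_active_at(self, t: datetime) -> bool:
        return self.start is not None and self.start <= t < self.end

    def activate(self, t: datetime) -> None:
        # the start time is fixed once; the end time follows from validity and never moves
        self.start, self.end = t, t + self.validity


class UserProfiles:
    """Profiles of one user, in assignment order (the 'list of valid profiles')."""

    def __init__(self) -> None:
        self.profiles: List[Profile] = []

    def assign(self, p: Profile, now: datetime) -> None:
        if p.starts_at == "now":
            p.activate(now)          # validity starts counting immediately
        self.profiles.append(p)

    def actual(self, now: datetime) -> Optional[Profile]:
        # only one profile can be active at a time
        return next((p for p in self.profiles if p.is_active_at(now)), None)

    def _start_next(self, now: datetime) -> Optional[Profile]:
        nxt = next((p for p in self.profiles if p.is_inactive()), None)
        if nxt is not None:
            nxt.activate(now)
        return nxt

    def logon(self, now: datetime) -> Optional[Profile]:
        """Profile governing a new session, or None if the logon must be refused.
        An already active profile is reused; otherwise the next inactive one starts."""
        return self.actual(now) or self._start_next(now)

    def check_session(self, now: datetime) -> Optional[Profile]:
        """Called while a session is up: when the actual profile reaches its end
        time the next inactive profile starts; None means forced log-off."""
        return self.actual(now) or self._start_next(now)

    def remove(self, p: Profile) -> None:
        # the last profile of a user can only be removed while it is inactive
        if len(self.profiles) == 1 and not p.is_inactive():
            raise ValueError("last profile can be removed only if it is inactive")
        self.profiles.remove(p)


def walkthrough() -> dict:
    """Two 1-hour profiles; returns the observations the text predicts."""
    t0 = datetime(2019, 5, 23, 8, 0, 0)
    u = UserProfiles()
    a = Profile("profile1", timedelta(hours=1))
    b = Profile("profile2", timedelta(hours=1))
    u.assign(a, t0)
    u.assign(b, t0)
    first = u.logon(t0)                                   # profile1 starts, end fixed at 09:00
    # log off at +10m, log on again at +30m: profile1 is still active and is reused,
    # and its end time stays 09:00 although only 10 minutes were spent online
    again = u.logon(t0 + timedelta(minutes=30))
    rolled = u.check_session(t0 + timedelta(minutes=61))  # profile1 expired, profile2 starts
    forced = u.check_session(t0 + timedelta(minutes=122)) # profile2 expired, nothing left
    u.remove(a)                                            # allowed: not the last profile
    try:
        u.remove(b)                                        # last profile and already started
        refused = False
    except ValueError:
        refused = True
    return {"first": first.name, "end_fixed": a.end == t0 + timedelta(hours=1),
            "again_same": again is a, "rolled": rolled.name, "b_end": b.end,
            "forced_logoff": forced is None, "remove_refused": refused}
```

The walkthrough shows the point the note above makes: validity is wall-clock time from the first logon, so the user who logged on at 08:00 and spent only ten minutes online still loses profile1 at 09:00, and profile2 starts at 09:01, the moment it is needed, not at 09:00.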


Limitation

Sub-menu: /tool user-manager profile limitation


In this subsection, you can configure upload/download limitations including bursts.

Property Description
address-list (string; Default: ) Address list on the router to which the user's IP address is added while the session is active.
copy-from (string; Default: ) Copy data from a specific profile limitation.
download-limit (number; Default: ) Download limit.
group-name (string; Default: )
ip-pool (ip-prefix; Default: 0.0.0.0)
rate-limit-... (number; Default: ) Rate limits, in rx/tx pairs:
  • rate-limit-rx / rate-limit-tx
  • rate-limit-burst-rx / rate-limit-burst-tx
  • rate-limit-burst-threshold-rx / rate-limit-burst-threshold-tx
  • rate-limit-burst-time-rx / rate-limit-burst-time-tx
  • rate-limit-min-rx / rate-limit-min-tx
  • rate-limit-priority
transfer-limit (number; Default: )
upload-limit (number; Default: )
uptime-limit (number; Default: )
name (string; Default: ) Name used to identify the limitation.
owner (string; Default: ) Profile limitations owner.


Profile limitations

Sub-menu: /tool user-manager profile profile-limitation


In this subsection, you can configure various limitations, for example, time range and weekdays when limitations are active.

Property Description
copy-from (string; Default: ) Copy data from specific profile-limitations.
from-time (number; Default: )
till-time (number; Default: )
weekdays (friday | monday | saturday | sunday | thursday | tuesday | wednesday; Default: all) Specific day or days when profile-limitations are active.
limitation (string; Default: )
profile (string; Default: ) Profile to which assign limitations.

Routers

Sub-menu: /tool user-manager router


This submenu registers the routers (the RADIUS clients, i.e. the NAS devices) that are allowed to send authentication and accounting requests to User Manager. A request is only accepted from a registered ip-address and only if it is protected with that router's shared-secret.

Property Description
copy-from (string; Default: ) Copy data from specific router.
log (acct-fail | acct-ok | auth-fail | auth-ok; Default: auth-fail) Which request outcomes are written to the log for this router.
name (string; Default: ) Used to identify a router.
shared-secret (string; Default: ) RADIUS shared secret; must be identical to the secret in /radius on the router. Use a long random value: it is the only thing that authenticates requests and replies between the router and User Manager and that hides user passwords in transit.
use-coa (yes | no; Default: no) Whether to send RADIUS Change-of-Authorization (CoA) messages to the router.
customer (string; Default: ) Customer to which the router is assigned.
ip-address (string; Default: ) IP address from which the router's RADIUS requests arrive.

History

Sub-menu: /tool user-manager history


This submenu lists the changes committed to the UM database. Some of them can be undone (flag U) or redone (flag R); changes that failed are marked F.

[admin@MikroTik] /tool user-manager history> print
Flags: U - undoable, R - redoable, F - failed
   ACTION                          SUB-CHANGES  TIME
U  UMS customer test1 added                     may/22/2019 13:26:07
U  UMS Profile test added                       may/22/2019 13:25:57
U  multiple objects removed                     may/22/2019 12:02:37
U  UMS customer customer1 added                 may/22/2019 12:00:29
U  UMS user user1 added                         may/22/2019 12:00:17
U  UMS Profile testprofile added                may/22/2019 11:47:06
U  multiple objects removed        2            may/22/2019 11:14:53
U  UMS user kkol added                          may/22/2019 10:53:57
U  UMS user testtest added                      may/22/2019 10:45:53
U  UMS Profile testu added                      may/22/2019 10:33:31
U  UMS customer test added                      may/22/2019 10:09:35

Log

Sub-menu: /tool user-manager log


Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received; which outcomes are recorded depends on the router's log setting (by default only auth-fail).

[admin@MikroTik] > tool user-manager log print
 0 customer=admin user-orig="Client1" nas-port=15728780 nas-port-type=ethernet nas-port-id="bridge-to-clients" 
   calling-station-id="01:23:45:67:E1:BB" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:34:59 
   description="no valid profile found for user <Client1>" 

To forward User Manager related log entries to a remote syslog collector, add a logging rule for the manager and account topics and point the remote action at the collector. Plain syslog over UDP is neither encrypted nor authenticated, so keep it on a management network:

/system logging add topics=manager,account action=remote
/system logging action set remote target=remote remote=192.168.88.1:514
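Once the entries leave the router, the check a SOC usually wants on them is "which station keeps failing authorization, and with which usernames". The following Python is an added example, not part of the original page or of RouterOS: it parses records in the print format shown above (joining the wrapped continuation lines) and flags stations that produce repeated authorization failures inside a short window. The sample records are constructed for the example; the MAC addresses and usernames are made up and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the layout of `/tool user-manager log print`; MACs and
# usernames are made up. Each record wraps onto indented continuation lines.
SAMPLE_LOG = """\
 0 customer=admin user-orig="Client1" nas-port=15728780 nas-port-type=ethernet nas-port-id="bridge-to-clients"
   calling-station-id="02:00:00:00:AA:01" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:34:59
   description="no valid profile found for user <Client1>"
 1 customer=admin user-orig="admin" nas-port=15728781 nas-port-type=ethernet nas-port-id="bridge-to-clients"
   calling-station-id="02:00:00:00:AA:01" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:35:10
   description="no valid profile found for user <admin>"
 2 customer=admin user-orig="guest" nas-port=15728782 nas-port-type=ethernet nas-port-id="bridge-to-clients"
   calling-station-id="02:00:00:00:AA:01" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:35:41
   description="no valid profile found for user <guest>"
 3 customer=admin user-orig="test" nas-port=15728783 nas-port-type=ethernet nas-port-id="bridge-to-clients"
   calling-station-id="02:00:00:00:BB:02" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:36:02
   description="no valid profile found for user <test>"
 4 customer=admin user-orig="test" nas-port=15728784 nas-port-type=ethernet nas-port-id="bridge-to-clients"
   calling-station-id="02:00:00:00:BB:02" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 08:00:00
   description="no valid profile found for user <test>"
"""

ENTRY_START = re.compile(r"^\s*\d+\s+\S+=")          # " 0 customer=..." opens a record
KEY = re.compile(r"(?<!\S)([A-Za-z][\w-]*)=")         # key= token at a word boundary


def parse_entry(text: str) -> Dict[str, str]:
    """Parse one 'key=value key2="quoted value"' record. A value runs until the
    next key= token, so unquoted values containing spaces (time=...) survive."""
    text = re.sub(r"^\s*\d+\s+", "", text.strip())    # drop the print index
    keys = list(KEY.finditer(text))
    rec = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        val = text[m.end():end].strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rec[m.group(1)] = val
    return rec


def parse_log(text: str) -> List[Dict[str, str]]:
    """Join wrapped continuation lines, then parse each record."""
    records, buf = [], []
    for line in text.splitlines():
        if ENTRY_START.match(line) and buf:
            records.append(parse_entry(" ".join(buf)))
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        records.append(parse_entry(" ".join(buf)))
    return records


def parse_time(s: str) -> datetime:
    # UM prints e.g. may/23/2019 06:34:59; %b matches the month name case-insensitively
    return datetime.strptime(s, "%b/%d/%Y %H:%M:%S")


def failures_by_station(records, window_minutes: int = 10, threshold: int = 3) -> dict:
    """Stations (calling-station-id) with >= threshold authorization failures
    inside any window_minutes window, together with the usernames they tried."""
    per_station = defaultdict(list)
    for r in records:
        if r.get("status") == "authorization-failure" and "calling-station-id" in r:
            per_station[r["calling-station-id"]].append((parse_time(r["time"]), r.get("user-orig", "")))
    alerts = {}
    for station, events in per_station.items():
        events.sort()
        for i in range(len(events)):
            j = i
            while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_minutes * 60:
                j += 1
            if j - i + 1 >= threshold:
                alerts[station] = {"failures": j - i + 1,
                                   "usernames": sorted({u for _, u in events[i:j + 1] if u})}
                break
    return alerts
```

On the sample, station 02:00:00:00:AA:01 is flagged (three failures in under a minute, each with a different username, which is what credential guessing from one client looks like), while 02:00:00:00:BB:02 is not: its two failures are 84 minutes apart. The same parser works on entries received through the remote logging action above once the syslog framing is stripped.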

Session

Sub-menu: /tool user-manager session


A session is the period during which a user is using a customer's services; it is unrelated to User Manager web-page sessions. In the print output, flag A marks an active session.

[admin@MikroTik] > tool user-manager session print
Flags: A - active
 1 A customer=admin user="test" nas-port=15728795 nas-port-type=ethernet nas-port-id="bridge-to-clients" 
     calling-station-id="01:23:45:67:E1:BB" acct-session-id="81d0009b" user-ip=172.16.16.253 host-ip=172.16.16.1 
     status=start,interim from-time=may/23/2019 08:55:43 till-time=may/23/2019 09:25:43 uptime=30m download=38 upload=4533


Web Interface

To open the User Manager web interface, append /userman to the router's address, for example http://192.168.88.1/userman. The default login is admin with an empty password; set a password first (see Getting started) and prefer reaching the interface through the www-ssl service, with the www and www-ssl services limited to management addresses in /ip service.

[Figure: User Manager login page. Default login is admin with an empty password]

Note: Since RouterOS 4.1, the User Manager web interface returns an HTTP 404 when reached at http://inside_ip/userman from behind a Hotspot interface, where inside_ip is a non-NAT'd IP address on the router. Two workarounds: change the www service port from 80 to something other than 80 or 8080, such as 81, and use http://inside_ip:81/userman; or use an IP address that hotspot users are NAT'd to (http://outside_ip/userman) instead.


Configuration Examples

This example configures PPPoE with RADIUS authentication in the following setup:

[Figure: Setup where the PPPoE server uses a remote User Manager database for PPPoE client authentication, authorization and accounting. Both PPPoE server and PPPoE client are MikroTik routers; any other PPPoE client could be used instead.]

On the client router (R1), configure the PPPoE client:

[admin@R1] > /interface pppoe-client
add add-default-route=yes disabled=no interface=ether2 name=Client1 password=test user=test


On the PPPoE server (R2), add a RADIUS client entry so that PPP authentication is sent to User Manager.
secret must equal the shared-secret configured for this router in User Manager; 192.168.79.24 is the address of the User Manager router (R3).

[admin@R2] > /radius
add address=192.168.79.24 secret=12345 service=ppp

There are two ways to assign an IP address to the PPPoE client:

  • a pool on the RADIUS client (the PPPoE server), from which addresses are assigned dynamically
  • a static address configured per user on the RADIUS server (User Manager)
# Dynamically assign IP addresses
[admin@R2] > /ip pool
add name=pool1 ranges=192.168.79.30-192.168.79.50

Create a new PPP profile or update the default one:

[admin@R2] > /ppp profile set [find name=default] remote-address=pool1 local-address=192.168.79.1

Enable user authentication via RADIUS. If no entry is found in the local secret database, the client is authenticated via RADIUS:

[admin@R2] > /ppp aaa
set use-radius=yes


On the RADIUS server (User Manager, R3):

Use the default customer (admin) or create your own:

[admin@R3] > /tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw

Create a profile to assign to the user. A name is enough; additional parameters can be set later:

[admin@R3] > /tool user-manager profile
add name=profile1

Register the RADIUS client (the PPPoE server) in User Manager.
192.168.79.1 is the IP address of the PPPoE server router; shared-secret must match on both sides. The value 12345 is used only to keep the example readable; use a long random secret in practice.

[admin@R3] >/tool user-manager router
add customer=admin ip-address=192.168.79.1 log=auth-fail name=router1 shared-secret=12345

Add the user that authenticates through the RADIUS server. If the user should get the static address mentioned above, set it here with the ip-address parameter:

/tool user-manager user
add customer=admin disabled=no password=test shared-users=1 username=test

Assign the profile to the user and activate it:

[admin@R3] /tool user-manager> user create-and-activate-profile test customer=admin profile=profile1


Monitoring information from R1 device:

[admin@R1] > interface pppoe-client monitor Client1 
          status: connected
          uptime: 1h48m42s
    active-links: 1
        encoding: 
    service-name: service1
         ac-name: R2
          ac-mac: 01:23:45:67:8D:49
             mtu: 1480
             mru: 1480
   local-address: 192.168.79.50
  remote-address: 192.168.79.1
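
The shared secret configured on both sides (secret=12345 in /radius on R2, shared-secret=12345 in /tool user-manager router on R3) is all that protects the exchange above. The following Python is added here and is not taken from RouterOS or User Manager: it models the RFC 2865 Access-Request/Access-Accept exchange between the PPPoE server and User Manager, showing how the client hides the user's password with the secret, how the server recovers it and signs its reply with the Response Authenticator, how the client checks that signature, and why a short secret is a problem: one captured request/reply pair is enough to test guesses offline. The function names are assumptions, and the model deliberately leaves out parts of a real implementation such as the Message-Authenticator attribute.

```python
import hashlib
import os
import secrets
import struct
from typing import Dict, Optional, Tuple

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, ln = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + ln]
        pos += ln
    return code, ident, pkt[4:20], attrs


def access_request(ident, username, password, secret, nas_ip, req_auth=None) -> bytes:
    """What the PPPoE server (R2) sends to User Manager (R3) for a PPP logon."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    # RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()


def server_handle(req: bytes, secret: bytes, users: Dict[str, str]) -> bytes:
    """User Manager side: unhide the password, check the user, sign the reply."""
    _, ident, req_auth, attrs = parse(req)
    name = attrs[USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth).decode(errors="replace")
    code = ACCESS_ACCEPT if users.get(name) == pw else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, req_auth, b"", secret))


def client_verify(req: bytes, resp: bytes, secret: bytes) -> bool:
    """RADIUS client side: accept a reply only if its Response Authenticator
    matches, i.e. it was built for this request by a holder of the shared secret."""
    _, ident, req_auth, _ = parse(req)
    code, rid, rauth, _ = parse(resp)
    expected = response_authenticator(code, rid, req_auth, resp[20:], secret)
    return rid == ident and secrets.compare_digest(expected, rauth)


def recover_secret(req: bytes, resp: bytes, wordlist) -> Optional[str]:
    """Offline dictionary attack on one captured request/reply pair: the Response
    Authenticator lets anyone check a guessed secret without touching the server."""
    _, _, req_auth, _ = parse(req)
    code, ident, rauth, _ = parse(resp)
    for cand in wordlist:
        if response_authenticator(code, ident, req_auth, resp[20:], cand.encode()) == rauth:
            return cand
    return None


def demo(secret: bytes = b"12345") -> Dict[str, object]:
    """R2 <-> R3 exchange with the page's test/test user and its 12345 secret."""
    users = {"test": "test"}
    req_auth = bytes(range(16))          # fixed for reproducibility; use os.urandom(16) for real
    req = access_request(7, "test", "test", secret, "192.168.79.1", req_auth)
    resp = server_handle(req, secret, users)
    wrong = server_handle(req, b"not-the-secret", users)   # R3 configured with another secret
    return {"accepted": parse(resp)[0] == ACCESS_ACCEPT,
            "verified": client_verify(req, resp, secret),
            "wrong_secret_rejected": parse(wrong)[0] == ACCESS_REJECT,
            "wrong_secret_unverifiable": not client_verify(req, wrong, secret),
            "recovered": recover_secret(req, resp, ["password", "radius", "mikrotik", "12345"])}
```

With the page's 12345 the dictionary step recovers the secret from a single captured exchange, and with it every user password hidden in later Access-Requests can be unhidden. The practical consequence: treat the shared secret like a password of at least 16 random characters, allow udp/1812-1813 only between R2 and R3 in the firewall, and keep the RADIUS path on a management network, since everything else in the exchange (usernames, NAS details, accounting) travels in cleartext.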

Reference

Articles kept from User Manager in RouterOS v3+

Customer page

User page

User sign-up

User payments