The MikroTik RouterOS provides scalable Authentication, Athorization and Accounting (AAA) functionality.
Local authentication is performed using the User Database and the Profile Database. The actual configuration for the given user is composed using respective user record from the User Database, associated item from the Profile Database and the item in the Profile database which is set as default for a given service the user is authenticating to. Default profile settings from the Profile database have lowest priority while the user access record settings from the User Database have highest priority with the only exception being particular IP addresses take precedence over IP pools in the local-address and remote-address settings, which described later on.
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate for PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified as local-address or remote-address parameters.
|change-tcp-mss (yes | no | default; Default: default)||Modifies connection MSS settings
|dns-server (IP; Default: )||IP address of the DNS server to supply to clients|
|idle-timeout (time; Default: )||Specifies the amount of time after which the link will be terminated if there was no activity present. There is no timeout set by default|
|incoming-filter (string; Default: )||Firewall chain name for incoming packets. Specified chain gets control for each packet coming from the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp should be added to other relevant chains in order for this feature to work. For more information look at the Examples section|
|local-address (IP; Default: )||IP address or IP address pool name for PPP server|
|name (string; Default: )||PPP profile name|
|only-one (yes | no | default; Default: default)||Defines whether a user is allowed to have more than one connection at a time
There are two default profiles that cannot be removed:
[admin@rb13] ppp profile> print Flags: * - default 0 * name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=no change-tcp-mss=yes 1 * name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=default [admin@rb13] ppp profile>
Use Van Jacobson compression only if you have to because it may slow down the communications on bad or congested channels.
incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be manually added before changing these arguments.
only-one parameter is ignored if RADIUS authentication is used.
If there are more that 10 simultaneous PPP connections planned, it is recommended to turn the change-mss property off, and use one general MSS changing rule in mangle table instead, to reduce CPU utilization.