User manager (UM) is a management system that can be used in various setups. UM can be used for HotSpot, PPP, DHCP, Wireless and RouterOS users. User Manager is a RADIUS server application. The first UM test package was introduced in RouterOS version 4. User manager package is supported on all RouterOS architectures including x86 and Cloud Host Router.
MikroTik User Manager can be downloaded from the MikroTik web site download section. In there find the system and software version that you need this package for and download Extra packages archive for it. In this archive, you will find the User Manager package. To install the package simply upload it on the device and reboot the unit.
A default Customer with login admin and empty password is created when the User Manager package is installed for the first time.
[admin@MikroTik] /tool user-manager customer set admin password=adminpassword
After that, you can use print command to see what you have added.
[admin@MikroTik] /tool user-manager customer> print Flags: X - disabled 0 login="admin" password="adminpassword" backup-allowed=yes currency="USD" time-zone=-00:00 permissions=owner signup-allowed=no paypal-allowed=no paypal-secure-response=no paypal-accept-pending=no
- User Manager and HotSpot
- User Manager and PPP servers
- User Manager and DHCP
- User Manager and Wireless
- User Manager and RouterOS user
/tool user-manager customer
Customers use a web interface to manage users, credits, routers, etc. Each customer can have a zero or more sub-customers and exactly one parent-customer with the same or weaker permission level than its parent.
Subscriber is a customer with owner permissions who's a parent is himself. Subscribers can be thought as domain - each subscriber sees everything that happens with his sub-customers, credits, users, routers, sessions, etc., but has no access to other subscriber's data. All data objects (users, routers, credits, logs) belong to one specific subscriber and can, therefore, belong to many sub-customers of the owner subscriber. To separate users among customers of one subscriber, user prefix is used.
|access (config-payment-gw | own-profiles | own-users | parent-payment-gw | parent-routers | own-limits | own-routers | parent-limits | parent-profiles | parent-users; Default: )||Configureable parameters
|backup-allowed (yes | no; Default: yes)||Allow to manage backups.|
|city (string; Default: )||Informational|
|company (string; Default: )||Informational|
|copy-from (string; Default: )||Copy data from a specific customer.|
|country (string; Default: )||Informational|
|currency (string; Default: )||Used for payments and money-related data representation on the web page.|
|date-format (string; Default: )||Used on web pages for data representation. Only allowed formats (listed in the drop-down) can be used. When the value doesn't match any of allowed (it's possible to enter any value from console) formats, default is used.|
|disabled (yes | no; Default: no)||Allow to disable/enable customer.|
|email (string; Default: )||Email address. Used to send emails (for ex., sign up information) to users.|
|parent (string; Default: )||Customers parent.|
|password (string; Default: )|
|paypal-accept-pending= (yes | no; Default: no)||When true, payments with status "Pending" are accepted as valid. This may be used for multi-currency payments where manual approvals must be made.|
|paypal-allowed= (yes | no; Default: no)||Whether Paypal is allowed.|
|paypal-business-id (string; Default: no)||Business ID of the PayPal account where the money will be sent.|
|paypal-secure-response (yes | no; Default: no)||Whether to use HTTPS (when true) or HTTP (when false) to receive payment feedback from PayPal. An additional security mechanism is used to check the validity of this feedback information so using HTTP is not mandatory.|
|permissions (full | owner | read-only | read-write; Default: owner)||Customer account permissions.|
|public-host (string; Default: )||IP address or DNS name specifying the public address of this User Manager router. Payment gateways use this address to send transaction status response. This field has sense only if users access the User Manager site through local IP address (for, example, http://192.168.0.250/user) and another address is used for public access (for example, http://userman.mt.lv/user).|
|public-id (string; Default: )||It's an ID used to identify customer because Login names are allowed to be equal and for security reasons, they are kept in secret.|
|signup-allowed= (yes | no; Default: no)||When checked, this customer allows users to use sign-up.|
|time-zone (string; Default: )||Specific for each customer. By default equals to 00:00. Session and credit info is stored as GMT regardless of ROS time zone on the User Manager router. This value specifies the way data is displayed on the User Manager web pages.|
|user-prefix (string; Default: )||Used to separate users between customers of one subscriber.|
|login (string; Default: )|
A WEB interface provides the same options as CLI. Usually, people choose to use "User managers" WEB interface, because it is more transparent and comfortable to manage.
/tool user-manager users
Users are people who use services provided by customers and each user can have time, traffic and speed limitations. Customers can create, modify and delete users but the owner is the subscriber who is also the owner of these customers. To separate users among customers of one subscriber, user prefix is used.
|caller-id (string; Default: )|
|caller-id-bind-on-first-use (yes | no; Default: no)|
|copy-from (string; Default: )||Copy parameters from specific user.|
|disabled (yes | no; Default: no)||Whether user is disabled.|
|email (string; Default: )||Email. Used to send notifications to User (for ex., sign-up email).|
|first-name (string; Default: )||Informational|
|ip-address (string; Default: 0.0.0.0.)||If not blank, User will get this IP address on successful authorization.|
|last-name (string; Default: )||Informational|
|location (string; Default: )||Informational|
|password (string; Default: )|
|phone (string; Default: )||Informational|
|random-password (yes | no; Default: no)||Randomly generates password for a user.|
|reg-key (string; Default: )|
|registration-date (string; Default: )|
|shared-users (number | unlimited; Default: unlimited)|
|username (string; Default: )|
|wireless-enc-algo (40bit-wep | 104bit-wep | aes-ccm | none | tkip; Default: )|
|wireless-enc-key (string; Default: )|
|wireless-psk (string; Default: )|
|customer (string; Default: )||User account owner.|
/tool user-manager profile
Profiles can be assigned to users manually or allocated by the user when they make a successful payment.
If the Profile property 'Starts' is set to 'At first Logon', the Profile assigned to a user is inactive until that user logs on to the system (e.g. via a Hotspot). When the user starts a new session, that User's 'start time' is fixed and accordingly the 'end time' is calculated. The 'end time' cannot then be changed, no matter if the session remains active until the 'end time' or the session closes sooner.
If the user has several profiles, the next inactive profile is then started (it's activated as the 'actual profile') when the previous actual profile reaches it's 'end time'. If there are no more inactive profiles to start, the user is forced to log off.
If there is already one active profile when a user logs on, this profile is used instead of starting the next one (if one is available).
If the user logs off before the profile's 'end time', the next inactive profile is started only when the user logs on again after the 'end time' of the earlier profile.
Only one profile (for the same user) can be active at a time.
The last profile of a user can be removed by customer only if it is inactive.
|copy-from (string; Default: )||Copy data from specific customer.|
|name-for-users (string; Default: )||Descriptive name for the Profile that is displayed to the end user when they login to their user page.|
|override-shared-users= (off | unlimited; Default: off)|
|price (string; Default: )||How much it will cost for the user. If left blank, there is no payment required.|
|starts-at (logon | now; Default: logon)||When time limitation starts.|
|validity (string; Default: )||Defines the period of time the Profile is valid for. (Note: NOT the same as the online time that could be set in Limitations).|
|name (string; Default: )|
|owner (string; Default: )||The 'Owner' of the Profile (usually 'admin').|
Validity If the 'Starts' value is set to 'At first logon', then the Validity value starts counting. E.g. If Validity is set to 1d, then 1 day after the first logon, regardless if the user has used all their online time or not, the profile will become invalid and they will be unable to log on again unless a new profile is available in their list of valid profiles.
/tool user-manager profile limitation
In this subsection, you can configure upload/download limitations including bursts.
|address-list (string; Default: )||Copy data from a specific Customer.|
|copy-from (string; Default: )||Copy data from a specific Profile.|
|download-limit (number; Default: )||Speciffy a download limit.|
|group-name (string; Default: )|
|ip-pool (ip-prefix; Default: 0.0.0.0)|
|rate-limit-... (number; Default: )||Various rate limits:
|transfer-limit (number; Default: )|
|upload-limit (number; Default: )|
|uptime-limit (number; Default: )|
|name (string; Default: )||Used to identify a Profile limitations.|
|owner (string; Default: )||Profile limitations owner.|
/tool user-manager profile profile-limitation
In this subsection, you can configure various limitations, for example, time range and weekdays when limitations are active.
|copy-from (string; Default: )||Copy data from specific profile-limitations.|
|from-time (number; Default: )|
|till-time (number; Default: )|
|weekdays (friday | monday | saturday | sunday | thursday | tuesday | wednesday; Default: all)||Specific day or days when profile-limitations are active.|
|limitation (string; Default: )|
|profile (string; Default: )||Profile to which assign limitations.|
/tool user-manager routers
This submenu allows for adding routers.
|copy-from (string; Default: )||Copy data from specific router.|
|log (acct-fail | acct-ok | auth-fail | auth-ok; Default: auth-fail)||To allow logging entries.|
|name (string; Default: )||Used to identify a router.|
|shared-secret (string; Default: )|
|use-coa (yes | no; Default: no)|
|customer (string; Default: )||Customer to a which router will be assigned.|
|ip-address (string; Default: )||Router IP address.|
/tool user-manager history
This subsection allows overviewing any changes confirmed in UM database. Some of them can be reverted back.
[admin@MikroTik] /tool user-manager history> print Flags: U - undoable, R - redoable, F - failed ACTION SUB-CHANGES TIME U UMS customer test1 added may/22/2019 13:26:07 U UMS Profile test added may/22/2019 13:25:57 U multiple objects removed may/22/2019 12:02:37 U UMS customer customer1 added may/22/2019 12:00:29 U UMS user user1 added may/22/2019 12:00:17 U UMS Profile testprofile added may/22/2019 11:47:06 U multiple objects removed 2 may/22/2019 11:14:53 U UMS user kkol added may/22/2019 10:53:57 U UMS user testtest added may/22/2019 10:45:53 U UMS Profile testu added may/22/2019 10:33:31 U UMS customer test added may/22/2019 10:09:35
/tool user-manager Log
Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received.
[admin@MikroTik] > tool user-manager log print 0 customer=admin user-orig="Client1" nas-port=15728780 nas-port-type=ethernet nas-port-id="bridge-to-clients" calling-station-id="01:23:45:67:E1:BB" host-ip=172.16.16.1 status=authorization-failure time=may/23/2019 06:34:59 description="no valid profile found for user <Client1>"
Send User Manager related logging entries to the different device:
/system logging add topics=manager,account action=remote /system logging action set remote target=remote remote=192.168.88.1:514
/tool user-manager session
A session refers to a period when a user is using customer's services. It has nothing to do with User Manager web-page sessions. Flags: A - active
[admin@MikroTik] > tool user-manager session print 1 A customer=admin user="test" nas-port=15728795 nas-port-type=ethernet nas-port-id="bridge-to-clients" calling-station-id="01:23:45:67:E1:BB" acct-session-id="81d0009b" user-ip=172.16.16.253 host-ip=172.16.16.1 status=start,interim from-time=may/23/2019 08:55:43 till-time=may/23/2019 09:25:43 uptime=30m download=38 upload=4533
To access User managers Web interface type IP address and /Userman at the end of it, for example, http://192.168.88.1/userman
We will configure PPPoE with the RADIUS server authentication on the following setup:
On the client's (R1) router we configure PPPoE-client:
[admin@R1] > /interface pppoe-client add add-default-route=yes disabled=no interface=ether2 name=Client1 password=test user=test
On the RADIUS client (R2):
Configure RADIUS server address
[admin@R2] > /radius add address=192.168.79.24 secret=12345 service=ppp
There are 2 ways how to assign IP address for the PPPoE-client:
- Create a pool from which assign IP addresses dynamically in the RADIUS client
- Configure IP address manually in the RADIUS server
# Dynamically assign IP addresses [admin@R2] > /ip pool add name=pool1 ranges=192.168.79.30-192.168.79.50
Create a new one or update the default ppp profile:
[admin@R2] > /ppp profile set [find name=default] remote-address=pool1 local-address=192.168.79.1
Enable user authentication via RADIUS. If entry in local secret database is not found, then client will be authenticated via RADIUS
[admin@R2] > /ppp aaa set use-radius=yes
On the RADIUS server (User Manager, R3):
Create your own or use by default already created Customer:
[admin@R3] > /tool user-manager customer set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
Create a profile which you will asing to user. can consist only a
name (additional parameters can be updated later)
[admin@R3] > /tool user-manager profile add name=profile1
Configure User Manager (RADIUS server) communication with RADIUS client
[admin@R3] >/tool user-manager router add customer=admin ip-address=192.168.79.1 log=auth-fail name=router1 shared-secret=12345
Add a user which will authenificate through the RADIUS server. Previously mentioned static IP address should be configured in this sub-section under
/tool user-manager user add customer=admin disabled=no password=test shared-users=1 username=test
Activate a user:
[admin@R3] /tool user-manager> user create-and-activate-profile test customer=admin profile=profile1
Articles kept from User Manager in RouterOS v3+