MikroTik RouterOS provides scalable user management including, HotSpot, PPP, Radius client and UserManager (UserManager is radius server application that is separated from RouterOS). Main purpose of user management system is to provide flexible AAA (Authentication, Authorization and Accounting) functionality. Shortly, authentication means – who are you (verify that someone is who they claim they are by a password, digital certificate or other security options), whereas authorization mean – what you can do and what restrictions related to you (what operations you are allowed and what resources you can uses)? Accounting enables to account the amount of network resources users are consuming as well as to track the services they are accessing.
The MikroTik HotSpot Gateway provides authentication for clients before access to public networks. HotSpot gateway is supported by wireless or wired network connections. The user will be presented a login screen when first opening his web browser. When the user entered a login name and password he will be allowed internet access.
HotSpot system does not care how did a client get an address before he/she gets to the HotSpot login page. IP address may be set on the client statically, or leased from a DHCP server. HotSpot can work together with DHCP server (if you set up IP address pool by HotSpot the same as DHCP server use).
HotSpot Gateway may automatically change any IP address of a client to an address from the selected IP pool. This feature gives a possibility to provide a network access (for example, Internet access) to mobile clients that are not willing (or are disallowed, not qualified enough or otherwise unable) to change their networking settings. This technique is called one-to-one NAT. This NAT is changing source address of each packet just after it is received by the router (it is like source NAT that is performed earlier so that even firewall mangle table will 'see' the translated addresses.
NOTE ARP mode must be enabled on the interface you use one-to-one NAT.
This article does not include all available features provided by HotSpot gateway but main of them are:
- different authentication methods of clients using local client database on the router, or remote RADIUS server;
- users accounting in local database on the router, or on remote RADIUS server;
- walled-garden system (/ip hotspot walled-garden), access to some web pages without authorization;
- ip-binding feature (/ip hotspot ip-binding), allows to bypass specific HotSpot clients without any authentication;
- login page modification, where you can put information about the company;
- The HotSpot system enables to limit each particular user's rate limit (bits/s) total upload/download bytes, uptime and some other parameters;
This is ideal for hotel, school, airport, internet cafe or any other public place where administration doesn’t have control over the user computer. No software installation or network configuration needed on client’s computers.
Extensive user management is possible by making different user profiles, each of which can allow certain uptime, upload and download speed limitation, transfer amount limitation and more. Hotspot also supports authentication against standard RADIUS servers and MikroTik’s own User Manager which will give you a centralized management of all users in your networks.
HotSpot gateway configuring example
There are two opportunities how to set up HotSpot gateway the one of them:
- To use quick setup guide (wizard)
- Configure it manually step by step
To better understand submenus of Hotspot I give simple description how to set up it step by step.
Basic steps we need to configure:
- /ip pool
- /ip dhcp-server
- /ip hotspot profile (name, hotspot-address)
- /ip hotspot (name, interface, address-pool, profile)
- /ip hotspot user
- /ip dns
- /ip firewall nat (masquerade)
Network diagram: In this example we will setup HotSpot gateway on local wireless interface (wlan1).
I assume valid IP addresses are configured on both interfaces (ether1 and wlan1).
In this example IP addresses to clients will be assigned dynamically using DHCP server.
The first we define address pool:
[admin@MikroTik] /ip pool> add name=hs-pool ranges=10.10.1.2-10.10.1.254
Configure DHCP server, (used for HotSpot’s clients):
[admin@MikroTik] /ip dhcp-server> add name=hs-dhcp interface=wlan1 address-pool=hs-pool [admin@MikroTik] /ip dhcp-server network> add address=10.10.1.0/24 gateway=10.10.1.1
Create HotSpot profile, define name and assign HotSpot gateway address (IP address is the same as on wlan1 interface):
[admin@MikroTik] /ip hotspot profile> add hotspot-address=10.10.1.1 [admin@MikroTik] /ip hotspot profile> print Flags: * - default 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no \ use-radius=no 1 name="hsprof1" hotspot-address=10.10.1.1 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
Put HotSpot on the Wlan1 interface, using the same IP address pool as DHCP server uses for that interface:
[admin@MikroTik] /ip hotspot> add name=hotspot interface=wlan1 \ address-pool=hs-pool profile=hsprof1
Add at least one HotSpot user:
[admin@MikroTik] /ip hotspot user> add server=hotspot name=user1 password=user1 [admin@MikroTik] /ip hotspot user> print Flags: X - disabled, D - dynamic # SERVER NAME ADDRESS PROFILE UPTIME 0 hotspot user1 default 0s
Valid DNS configuration must be set up in the /ip dns submenu. Because when HotSpot is started it also creates dynamic nat rules that redirect all DNS requests to the HotSpot service (it means on router where HotSpot is configured):
[admin@MikroTik] /ip dns> set servers=188.8.131.52 \ allow-remote-requests=yes
Masquerade the HotSpot network:
[admin@MikroTik] > add chain=srcnat action=masquerade \ src-address=10.10.1.0/24 [admin@MikroTik] /ip firewall nat> print Flags: X - disabled, I - invalid, D – dynamic 0 ;;; masquerade hotspot network chain=srcnat action=masquerade src-address=10.10.1.0/24
It means that all source address of packets from network 10.10.1.0/24 (with source address 10.10.1.x) will be translated on output interface IP address.
Quick HotSpot setup guide
There is example, how to set up the same HotSpot configuration using quick setup guide
But before we start quick guide we need to set up:
- valid DNS configuration must be set up in the /ip dns submenu
- Start Setup guide:
[admin@MikroTik] > ip hotspot setup Select interface to run HotSpot on hotspot interface: wlan1 Set HotSpot address for interface local address of network: 10.10.1.1/24 masquerade network: yes Set pool for HotSpot addresses address pool of network: 10.10.1.2-10.10.1.254 Select hotspot SSL certificate select certificate: none Select SMTP server ip address of smtp server: 0.0.0.0 Setup DNS configuration dns servers: 184.108.40.206 DNS name of local hotspot server dns name: [admin@MikroTik] >
In this case IP address on wlan1 interface will be assigned automatically as well as IP pool and DHCP server will be implemented dynamically. These simple steps should be sufficient to enable HotSpot system.
Now you can add HotSpot users under /ip hotspot user submenu.
NOTE When you enable HotSpot there are dynamically added destination NAT rules which you can observe on a working HotSpot system. These rules are needed to redirect all HTTP and HTTPS requests from unauthorized users to the HotSpot servlet (i.e. the login page). There still are others rules, that you can see using command /ip firewall nat print all.
For more information is recommended to visit these web sites:
The main purpose of PPP protocol is provided scalable Authentication, Authorization and Accounting (AAA) functionality for PPP connections and primary it was implemented for serial connections (between routers serial ports). Most often PPP is used by ISPs where it gives benefits for user and network management. MikroTik routerOS allow define different kind of PPP profiles used on Ethernet links for different kind of connection services PPPoE, PTPP or L2TP connections. How to implement and configure these services you can read in section “Virtual Private Networks”.
There are two main ppp sub-menus:
- /ppp profile – PPP profiles are used to define default values for user access records stored under /ppp secret submenu.
- /ppp secret - PPP User Database stores PPP user access records with PPP user profile assigned to each user.
Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses under /ppp secret menu always take precedence over IP pools when specified as ‘local-address’ or ‘remote-address’ parameters .
PPP configuration examples:
Configuring PPP profile and users for PPPoE server:
Add PPP profile, called “profile_for_pppoe” where local address will be the router’s address and clients will have an address from ‘’pppoe-pool’’ defined under /ip pool menu. Here we can define also rate-limit for all users which use this profile (i.e. 256k-upload and 512k-download). Add user with username ‘’tom’’ and password 12345.
[admin@MikroTik] /ppp profile> add name=profile_for_pppoe local-address=10.10.1.1 \ remote-address=pppoe-pool rate-limit=256k/512k [admin@MikroTik] /ppp secret add name=tom password=12345 service=pppoe profile=profile_for_pppoe
In such way we can define profiles and users for different services that uses PPP concept.
Configuring PPP profile and users for PPTP server:
[admin@MikroTik] /ppp profile> add name=profile_for_pptp local-address=10.11.1.1 \ remote-address=pppoe-pool [admin@MikroTik] /ppp secret add name=jerry password=54321 service=pptp profile=profile_for_pptp [admin@MikroTik] /ppp secret> print detail Flags: X - disabled 0 name="tom" service=pppoe caller-id="" password="12345" profile=profile_for_pppoe routes="" limit-bytes-in=0 limit-bytes-out=0 1 name="jerry" service=pptp caller-id="" password="54321" profile=profile_for_pptp routes="" limit-bytes-in=0 limit-bytes-out=0
- /ppp secret print – check user list which are active and which not.
- /ppp active – submenu allows to monitor active (connected) users.
- /ppp active print – command will show all currently connected users.
- /ppp active print stats – command will show received/sent bytes and packets.
Full command references you can found here:
RADIUS (Remote Authentication Dial-In User Service) is a remote server that provides authentication and accounting facilities to various network appliances.
RADIUS authentication and accounting gives the ISP or network administrator ability to manage user access and accounting from one server throughout a large network. RADIUS can be used on any network that needs a centralized authentication and/or accounting service for its users. The MikroTik RouterOS has a RADIUS client which can authenticate for HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile. RADIUS attributes – specific values included in RADIUS massages sends between RADIUS client and Server.
RADIUS acts upon client-server mode and provide secure information exchange between client and server.
Basic RADIUS operation steps are given below:
- RADIUS client sends ‘Access-Request’ message to a RADIUS server, including username and encrypted password. (As transport protocol RADIUS uses UDP instead of TCP).
- ‘Access-Reject’ – deny access to all requested network resources
- ‘Access-Accept’ – user gets access to requested network services, but it does not mean that user get full access to all resources, it can browse Internet but cannot access to VPN service, for example.
- RADIUS server authenticates and authorizes requests and sends back a response with Accept, Reject, or Challenge message.
- ‘Access-Challenge’ – is used when additional information from user is needed to create more complex authentication.
- If request from RADIUS server is not rejected user gets access to services and obtain services parameters.
Specific information included into Access-Reject, Access-Accept and Access-Challenge massages called as RADIUS attributes that carry the specific authentication, authorization information, and configuration parameters for RADIUS requests and replies.
Here you can see also MikroTik reference dictionary for the Radius attributes as well as MikroTik specific RADIUS attributes values. This dictionary is the minimal dictionary, which is enough to support all features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many other UNIX RADIUS servers.
RADIUS client setup example
[admin@MikroTik] /radius add service=hotspot,ppp address=10.5.5.2 secret=mypassword
- services – router services that will use this RADIUS server
- address – IP address of the RADIUS server
- secret - shared secret used to access the RADIUS server
RADIUS client settings allow define also others parameters that will be used for connecting to RADIUS servers the router will use to authenticate users. Check this manual for them here.
When RADIUS server is authenticating user with CHAP, MS-CHAPv1, MS-CHAPv2, it is not using shared secret, secret is used only in authentication reply, and router is verifying it. So, if you have wrong shared secret, RADIUS server will accept request, but router won't accept reply. You can see that with /radius monitor command, "bad-replies" number should increase whenever somebody tries to connect.
MikroTik RouterOS RADIUS Client should work well with all RFC compliant servers.
HotSpot + RADIUS server configuring example
As you see that figure 13.3 are very similar to figure 13.1 the only difference is RADIUS server. In this case HotSpot works as the RADIUS client. HotSpot can authenticate users consulting the local user database or a RADIUS server (local database is consulted first, then RADIUS Server). If authorization is delegated to the RADIUS server it delivers similar user’s configuration options as the local database.
HotSpot configuration is almost the same as you can see previous in HotSpot section of this document, the only difference that we need to configure:
- HotSpot to use RADIUS server for clients AAA
- To set up the HotSpot to use RADIUS for user authentication.
Look at example below.
Set up RADIUS client on server:
[admin@MikroTik] /radius add service=hotspot address=10.5.5.2 secret=12345
NOTE Remember if you have both services (HotSpot and RADIUS server (i.e “UserManager”)) on the same box, the IP address should be set to 127.0.0.1.
- UserManager – is RADIUS server application created by MikroTik.
Configure HotSpot itself to use a RADIUS server:
[admin@MikroTik] /ip hotspot profile> set 1 use-radius=yes
And now you can to define all settings for clients under RADIUS server unless /ip hotspot user menu. But remember, the RADIUS server database is consulted only if no matching user access record is found in router's local database.
Basically MikroTik UserManager is user management system and act as a Radius Server. It is RADIUS server application created by MikroTik can be configured from CLI as well as from web interface implemented into separate package. UserManager can be used creating centralized authentication and authorization system together with HotSpot. Figure below you can see screenshot from UserManager web interface.
How to set up and configure UserManager is out of this article.
More information can be found: