How to setup up RADIUS for use with MikroTik - By Ramona

From MikroTik Wiki
Jump to navigation Jump to search

Let's say that you have mysql and freeradius installed in your system and would like to use it with MikroTik.

After FreeRADIUS is installed, we need to configure it. This step will detail how to setup the server for use with the local Unix user accounts for the machine that FreeRADIUS is installed on. If you would like to immediately setup the server for use with the MySQL database proceed to the next step but I highly recommend you do this step first to verify the RADIUS install works properly. Step 4 also builds on this step.

First we are going to need some tool to test the installation of the RADIUS server with, I prefer NTRadPing you can download it from MasterSoft’s website (free download) NTRadPing provides a nice simple testing interface for MS Windows computers.

First we need to authorize access to the RADIUS server to certain computers:

cd /etc/raddb
vi clients

Add the IP address of the Mikrotik box and the IP address of the windows computer you have NTRadPing installed on and pick a secret key for each.


# Client Name Key
#---------------- ---------- testkey testkey

optional step

This step is not crucial and may be skipped, it simply adds functionaility for you to use the two attributes: Mikrotik-Recv-Limit and Mikrotik-Xmit-Limit for limiting how much data a user can use before being knocked offline (ie. once they transfer say 200MB they are kicked offline). I don’t use this, but you may wish to:

We now need to ‘install’ the dictionary file for the Mikrotik:

  • NOTE: if anyone knows anything about this step, ie) if I’m doing it wrong Wink please let me know, my email address is at the top of the page:
cd /usr/local/share/freeradius
vi dictionary

After the last $INCLUDE statement add the following line:

$INCLUDE dictionary.mikrotik


Add the same IP addresses for your test computer and Mikrotik box into this file and select the type of NAS. Example:

# NAS Name Short Name Type
#---------------- ---------- ----
localhost local portslave test portslave hs1 mikrotik


Find the Unix section of the file and ensure that the lines

passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group

are NOT commented out (ie. do not have a # sign in front of them).

Congratulations!!! You now have a fully functional RADIUS server that will uses the local Unix accounts as its authentication base.

Let’s test it out

Start the RADIUS server in debug mode(-x) by typing:

radiusd –x
  • Note: You must be logged in as root (su or real login) to start the server, otherwise you will get a “command not found” error.

If you receive no error messages you have configured the server properly, now on the MS Windows machine open NTRadPing. Enter the following:

RADIUS Server: {ip address of your radius server}
Port: 1812
RADIUS Secret Key: {the key you specified in the clients file}
User-Name: root
Password: {root password for the machine on which freeRADIUS is installed}
  • You should get an “Access-Accept” message.
  • Now change the password to something incorrect, ensure you get an “Access-Reject” message
  • Now correct the password, change the port to 1813, and change the Request Type to: “Accounting Start”. Ensure you get an “Accounting-Response” message.
  • Finally change the Request Type to: “Accounting Stop”. Ensure you get an “Accounting-Response” message.

MySQL Database

If the above tests came back in good order we can go ahead and setup FreeRadius to use the MySQL database.

Stop the RADIUS server by pressing CTRL-C

First of all we will need to setup a database schema for the RADIUS server to use, fortunately FreeRADIUS ships with a SQL script to create the database for us. In this step when I refer to root and the respective root password, I am referring to the root user for the MySQL database, not root of the entire system.

cd /usr/bin
mysql –uroot –p{root password}

You are now in the MySQL shell, all SQL commands end with a semicolon (Wink

We need to create a database before we can create tables within it:


This creates an empty database named “radius”


Now execute the script included with FreeRADIUS to create the database tables:

mysql -uroot -pccsccs radius < /software/freeradius/freeradiusxxx/src/modules

mysql –uroot –p{root password}
USE radius;

You should see 6 different tables in the radius database.

Let’s insert a test user while we are at it:

INSERT INTO usergroup (UserName, GroupName) {press enter, it will bring you to a new line}
VALUES (“radiustest”, “testgroup”);

Verify the user was added by viewing the rows of the usergroup table:

SELECT * FROM usergroup;

We still need to set more attributes for the user:

INSERT INTO radcheck (UserName, Attribute, Value)
VALUES (“radiustest”, “Password”, “testpassword”);
Verify it is in there:
SELECT * FROM radcheck;

We will configure a quick test response here as well (not to be used in the final implementation, you will have to configure that depending on what you want, this will work however):

INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES (“testgroup”,”Framed-Compression”,”==”,”Van-Jacobsen-TCP-IP”);

INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES (“testgroup”,”Framed-Protocol”,”==”,”PPP”);

INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES (“testgroup”,”Framed-MTU”,”==”,”1500”);

INSERT INTO radgroupreply (GroupName, Attribute, op, Value)
VALUES (“testgroup”,”Service-Type”,”==”,”Framed-User”);

Configuration Files

We finally need to change a few configuration files:

cd /etc/raddb


Find the “authorize” section (near the bottom) and add “sql” (no quotes) between “suffix” and “files”. Comment out “files” by putting a # in front of it. Do the same to “suffix”.

Find the “accounting” section (a bit underneath the authorize section) and place the word “sql” (without quotes” between “unix” and radutmp”


Find And modify the following fields:

#connect info
server = "localhost"
login = "root"
password = "rootpass" ß {change this to the root password of the MySQL DB}
# Print all SQL statements when in debug mode (-x)
sqltrace = no ß {change this to yes, not necessary but useful for debugging}

Starting the Radius Server

Start the RADIUS server:

radiusd –x (omitting the –x will run it as a background purpose, when ready to deploy permanently you should omit the –x)

Let’s test the RADIUS server using NTRadPing as before but use the username and password of the test user listed in the SQL database. You should receive an “Access-Accept” response and assuming you correctly entered the entries into the radgroupreply table you should also see the following in the Attribute Dump portion of the response in NTRadPing:

Framed Protocol=PPP

Congratulations you now have a fully functional RADIUS server authenticating against a MySQL database, and storing the accounting data in the MySQL database!!!

Getting the Mikrotik RouterOS Box to Work with the RADIUS Server

Log into the Mikrotik box and execute these simple commands:

For simplicities’ sake later ensure you can ping the radius server from the Mikrotik box:

ping {ip address of your RADIUS server}
CTRL-C to break when you are satisfied you can/can not talk to the server

If you can not ping your server you must fix that first before continuing

add service=hotspot address={ip address of your RADIUS server} secret={secret key you defined in the clients file of the RADIUS server}

/ip hotspot aaa set use-radius=yes

You should now, as a hotspot client, be able to request any page and be directed to the login page as normal, if you login as an entry in the SQL database (username: radiustest, password: testpassword) you shold be authenticated no problem.

Note on RADIUS Applications

There are many ways to use RADIUS with Mikrotik, the common applications are authorizing associations based on MAC address, and PPP(oE/TP) user authorization. Both of these are very simple to do, but can cause some frustration as they are not well documented in the manual. Keep in mind that you will need to add definitions for RADIUS servers in the RADIUS table. Each definition in the RADIUS table (click the RADIUS menu in winbox) is for a specific server, and you can have each specific server authenticate for different types of services, such as HotSpot, PPP[oE/TP], and Wireless.

To authorize associations on an AP interface, first set up a RADIUS server with "Wireless" enabled, then you simply need to set "radius-mac-authentication=yes" in the security profile for the AP. You can do this through winbox by going to the Wireless->Security Profiles tab, double clicking your profile and ticking the "RADIUS MAC Authentication" box. Mikrotik will submit the MAC address as the username in the format 00:11:22:33:44:55 with a blank password. Since Mikrotik submits a blank password, you will need to keep this in mind when developing your security systems.

To authorize PPP[oE/TP] sessions, first set up a RADIUS server with "PPP" enabled, then on the PPP menu click "Secrets" and "AAA", then check radius (At the console, /ppp aaa use-radius=yes). There are many supported attributes that allow you to do many useful things with PPP/RADIUS, such as individual client WEP keys, and per-user queue limits. Read more about the available radius attributes on the Radius manual page

--N. Bright


To view the Accounting database table for a user:

cd /usr/bin (if you aren’t already there)
mysql –uroot –p{root password}
USE radius;
SELECT * FROM radacct;
  • Note each login/logout pair is recorded as one row in the table

See also