MikroTik RADIUS Server Setup with User Manager – RouterOS7
MikroTik User Manager RADIUS Server is an awesome service for user Authentication, Authorization and Accounting (AAA) for a small or medium business. User Manager RADIUS Server can be used to maintain Hotspot, PPP, DHCP, IPsec, Wireless and System User authentication. In RouterOS 7, User Manager comes with new features and a new look, and in particular it can now be managed from Winbox.
As the User Manager package is not part of the default system package in RouterOS 7, we have to install the User Manager package manually before using it. In my previous article, I discussed how to install the User Manager package in RouterOS 7. In this article, I am going to show how to set up MikroTik RADIUS (as a NAS) with User Manager RADIUS Server and authenticate login users against RADIUS users.
MikroTik RADIUS Server Configuration
After installing the User Manager package, we need to configure RADIUS in RouterOS (as a RADIUS NAS) and add the Router in User Manager RADIUS Server so that RouterOS and User Manager can communicate with each other for user authentication. First, we will configure the RADIUS Server in RouterOS 7. Follow the steps below to configure the RADIUS Server in MikroTik RouterOS 7.
- Login to MikroTik RouterOS with Winbox using full access username and password.
- Click on RADIUS menu item. RADIUS window will appear.
- Click on PLUS SIGN (+). New RADIUS Server window will appear.
- From the Services panel, we have to choose which service will be authenticated through the RADIUS Server. In this article, we will test the RADIUS Server configuration with System User authentication, so click on the Login check box in the Services panel.
- In the Address input box, we will put the RADIUS Server’s IP address. As I have installed User Manager Package in the same RouterOS, I am putting the localhost IP address (127.0.0.1) in Address input box. If you installed User Manager Package in any different RouterOS, put that RouterOS IP address in the Address input box.
- In the Secret input box, put a secure secret key and remember it, because the same secret has to be provided while configuring the Router in User Manager RADIUS Server.
- Click Apply and OK button.
- Now click on the Incoming button, click on the Accept checkbox and note the Port for incoming packets. By default it will be 3799.
RADIUS Server configuration in RouterOS 7 has been completed. We will now enable AAA for System Users so that any system user authentication request goes to User Manager RADIUS Server. To enable AAA for System User login, do the following steps.
- From Winbox, go to System and click on Users menu item. User List window will appear.
- Click on AAA button. Login Authentication & Accounting window will appear.
- Click the Use RADIUS checkbox and make sure Accounting checkbox is checked if you want to keep accounting data.
- Click Apply and OK button.
RouterOS is now ready to send user authentication requests to User Manager RADIUS Server. Now we will configure User Manager RADIUS Server so that it can respond to any request made by the NAS RouterOS.
Router (NAS) Configuration in User Manager RADIUS Server
After configuring RADIUS in RouterOS, we will add this RouterOS as a Router in User Manager RADIUS Server. Before adding the Router, we have to enable the authentication (1812) and accounting (1813) ports in User Manager RADIUS Server. Do the following steps to enable the Authentication and Accounting ports in User Manager RADIUS Server.
- From Winbox, click on User Manager menu item. User Manager window will appear.
- From Session tab, click on Settings button. Settings window will appear.
- Click on Enabled check box and then click on Apply and OK button.
Authentication and Accounting ports are now enabled in User Manager RADIUS Server. We will now add the Router or NAS device from which requests will be accepted. To add the Router, follow the steps below.
- From User Manager window, click on Routers tab and then click on PLUS SIGN (+). New Router window will appear.
- In Name input field, put any name that you wish.
- In Secret input field, put the secret that you provided while configuring the RADIUS Server in RouterOS. The two secrets must match. Otherwise, communication between RouterOS and User Manager RADIUS Server will not be possible.
- In Address field, put the IP address of RouterOS. As I am using the same router for both the Router and the User Manager package, I am putting my localhost IP (127.0.0.1).
- Now click Apply and OK button.
Router configuration in User Manager RADIUS Server has been completed. In the next section, we will create a user who will be authenticated by the RADIUS Server. To create a user for system login in User Manager RADIUS Server, follow the steps below.
- From User Manager window, click on Users tab and then click on PLUS SIGN (+). New User window will appear.
- In General tab, put the username in the Name input field and the password in the Password input field. The user will be authenticated using these credentials.
- In the Attributes property, we have to supply the AVP (Attribute Value Pair) that will be assigned when the user is authenticated. For example, we want to give write permission to the user on authentication. For this, we will choose the MikroTik-Group AVP and put write as its value. So, click on the Attributes dropdown menu, choose the MikroTik-Group AVP and type write in the value input field.
- Click Apply and OK button.
User configuration, and with it all RADIUS Server configuration in MikroTik RouterOS 7, has been completed. Now it’s time to test. Open Winbox and log in with the username and password you created. If everything is OK, you will find that you are logged in as a user with write permission.
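The same setup can be applied and reviewed from the RouterOS terminal, which makes the configuration easier to audit and reproduce. This is an added example, not part of the original article; the names router1 and netadmin and the CHANGE-ME values are placeholders chosen here.

```routeros
# Added example: terminal equivalent of the Winbox steps above.
# Assumes RouterOS 7 with the user-manager package installed on this router.
# router1, netadmin and the CHANGE-ME values are placeholders, not values from the article.

# 1. RADIUS client (NAS side): send Login authentication to User Manager on localhost.
/radius add service=login address=127.0.0.1 secret="CHANGE-ME-shared-secret"

# 2. Accept incoming RADIUS packets on the default port.
/radius incoming set accept=yes port=3799

# 3. Use RADIUS for system user logins and keep accounting data.
/user aaa set use-radius=yes accounting=yes

# 4. Enable User Manager (authentication port 1812, accounting port 1813).
/user-manager set enabled=yes

# 5. Register this RouterOS as a Router (NAS). shared-secret must be identical
#    to the secret used in step 1, otherwise requests are not answered.
/user-manager router add name=router1 address=127.0.0.1 shared-secret="CHANGE-ME-shared-secret"

# 6. Create the login user and return the group attribute with value "write".
#    Run "/user-manager attribute print" to see the attribute name exactly as
#    this RouterOS version lists it.
/user-manager user add name=netadmin password="CHANGE-ME-password" attributes=Mikrotik-Group:write

# 7. Review what was configured.
/radius print detail
/user aaa print
/user-manager router print
/user-manager user print detail

# 8. After logging in as netadmin, confirm that the session was authenticated
#    via RADIUS and check the request counters of the RADIUS client entry.
/user active print
/radius monitor 0
```

If the login fails, compare the secret in `/radius` with the shared-secret in `/user-manager router` first, since a mismatch is the failure the article warns about.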
If any of the above steps is unclear, watch the video below, which shows the User Manager RADIUS Server configuration on RouterOS 7 step by step.
How to configure User Manager RADIUS Server in RouterOS 7 has been discussed in this article. I hope you will now be able to configure User Manager RADIUS Server in your RouterOS 7 without any hassle. However, if anything is unclear, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.