
MikroTik WiFi MAC Authentication with UserMan RADIUS Server

MikroTik Wireless Routers are popularly used as WiFi APs, and a MikroTik WiFi AP has many features for tuning a WiFi network to your requirements. MAC authentication is one of the most useful of these features. It filters clients by MAC address, which means no MAC can connect to the WiFi AP without authentication. MAC authentication can be done from either a local database or a RADIUS Server. MAC authentication with a RADIUS Server makes it possible to manage multiple APs from a centralized database. User Manager is a RADIUS application developed by the MikroTik team that can be used to manage PPPoE, Hotspot, DHCP and Wireless users easily. How to install User Manager RADIUS Server with basic configuration was discussed in my previous article. I also discussed how to configure a MikroTik Wireless Router as a WiFi AP in another article. In this article I will discuss how to manage WiFi users with User Manager RADIUS Server.

Network Diagram

The configuration in this article follows the network diagram below.

MikroTik WiFi with RADIUS Server

In this network diagram a MikroTik Wireless Router (RB941-2nD) is used as the WiFi AP (IP: 192.168.70.2). It is connected to a WAN switch to which a User Manager RADIUS Server (IP: 192.168.70.3) is also connected. The WiFi AP will be configured as a MAC authenticated AP so that no wireless device (laptop, smartphone, notebook and so on) can connect without presenting its MAC address, and that MAC address will be authenticated by the RADIUS Server.

MAC Authenticated WiFi AP Configuration with RADIUS Server

The complete MAC authentication WiFi AP configuration with User Manager RADIUS Server can be divided into the following two parts.

Part 1: Enabling MAC Authentication from RADIUS Server in MikroTik WiFi AP

MikroTik Wireless Router configuration as a WiFi AP was discussed in another article. Under the default authentication scheme in a MikroTik WiFi AP, anyone can connect just by knowing the SSID and password. This scheme is obviously not preferred for a secure network. So, MAC authentication is the best choice for any wireless network. As MAC authentication is not enabled by default, we have to enable it manually to apply this scheme. The following steps will show how to enable RADIUS MAC authentication in a MikroTik WiFi AP.

Enabling MAC Authentication with RADIUS Server

The MikroTik WiFi AP is now a MAC authenticated WiFi AP, and MAC authentication will be checked against the RADIUS Server. If the RADIUS Server allows a MAC address, that device will be allowed to connect to the WiFi AP; otherwise the device will be rejected.

Now we have to configure the RADIUS client in MikroTik RouterOS so that RouterOS can communicate with the RADIUS Server to send and receive authentication, authorization and accounting data. The following steps will show how to configure the RADIUS client in MikroTik RouterOS.

RADIUS Client Configuration in RouterOS

RADIUS Client configuration in MikroTik RouterOS has been completed. Now MikroTik RouterOS will be able to communicate with the assigned RADIUS Server.

We will now configure User Manager RADIUS Server so that wireless devices can be authenticated by the RADIUS Server and get proper authorization.

Part 2: User Manager RADIUS Server Configuration for Authenticating WiFi Devices

User Manager is a RADIUS application, and a RADIUS Server is used to provide AAA (Authentication, Authorization and Accounting). So, using User Manager RADIUS Server we can do authentication, authorization and accounting of WiFi devices in a wireless network. How to install User Manager RADIUS Server with basic configuration was discussed in another article. So, here I will only show how to configure User Manager for authenticating WiFi devices.

At first we will add our Wireless Router as a NAS device in User Manager so that User Manager can reply to any RADIUS query from our Wireless Router. The following steps will show how to add the MikroTik Wireless Router as a NAS device in User Manager RADIUS Server.

Routers Configuration in User Manager

The Wireless Router and User Manager RADIUS Server are now ready to communicate with each other. In the next step we will configure the RADIUS users that will be authenticated in the WiFi AP.

In User Manager RADIUS Server, every user must have a profile; otherwise the user is not valid. So, before creating users we have to configure profiles for them. In this article we will create three profiles according to the following information.

| SN | Profile Name | Limitation            |
|----|--------------|-----------------------|
| 1  | 1 Mb Package | 1 Mbps download speed |
| 2  | 2 Mb Package | 2 Mbps download speed |
| 3  | 5 Mb Package | 5 Mbps download speed |

The following steps will show how to create these three profiles with the described limitation.

User Manager Profile Creation

Similarly, create the 2 Mb and 5 Mb Packages. After creating the profiles we will now create a user and assign a created profile to the user.

The following steps will show how to create a user in User Manager RADIUS Server.

User Creation in User Manager RADIUS Server

You can create as many users as you want for your wireless network following the above steps.

After creating the user, connect the desired wireless device to the WiFi AP. If everything is OK, the device will be able to connect to your wireless network and you will find the user's active session in User Manager RADIUS Server.

User Session in RADIUS Server

You can also find the connected user's status in the Registration tab of the Wireless Tables window. Here you will find the user's data transfer speed in the AP Tx Limit status.

User Registration in Wireless Registration Table

If anyone who is not allowed tries to connect to your WiFi AP, he will be rejected.

A common question is whether someone who knows an allowed MAC address can change his own MAC address to it and connect this way. MikroTik has an easy solution for this situation: put a private password in the Preshared key field while creating the user in User Manager RADIUS Server. To connect to the WiFi AP, a user must then match both the MAC address and the Preshared key; otherwise he will not be able to connect. So, MAC address hacking will be useless.
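
As an added example (not part of the original article and not MikroTik code), the following Python code shows a server-side check that complements the Preshared key: it scans RADIUS session records for one MAC address that is active on two APs at the same time, which is how a cloned MAC appears in a centralized database. The record fields, the second AP address 192.168.70.4 and the sample data are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from itertools import combinations

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records (assumed export format, not User Manager's own).
# "user" is the RADIUS User-Name, which is the client MAC under MAC authentication.
# 192.168.70.4 is a hypothetical second AP sharing the same RADIUS database.
SESSIONS = [
    {"user": "AA:BB:CC:11:22:33", "nas": "192.168.70.2", "start": "2024-05-01 09:00", "stop": "2024-05-01 11:30"},
    {"user": "aa-bb-cc-11-22-33", "nas": "192.168.70.4", "start": "2024-05-01 10:15", "stop": "2024-05-01 10:45"},
    {"user": "DE:AD:BE:EF:00:01", "nas": "192.168.70.2", "start": "2024-05-01 09:00", "stop": "2024-05-01 10:00"},
    {"user": "DE:AD:BE:EF:00:01", "nas": "192.168.70.4", "start": "2024-05-01 09:59", "stop": "2024-05-01 12:00"},
    {"user": "12:34:56:78:9A:BC", "nas": "192.168.70.2", "start": "2024-05-01 08:00", "stop": None},
]

def norm_mac(name):
    """Reduce common MAC notations to 12 lowercase hex digits; None if not a MAC."""
    digits = re.sub(r"[:\-. ]", "", name).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def find_clones(sessions, grace=timedelta(minutes=2)):
    """Return (mac, nas_a, nas_b) where one MAC has sessions on two different
    APs overlapping by more than `grace` (slack for normal roaming hand-over)."""
    by_mac = {}
    for s in sessions:
        mac = norm_mac(s["user"])
        if mac is None:
            continue  # not a MAC-style user name, e.g. a PPPoE or Hotspot login
        start = datetime.strptime(s["start"], FMT)
        # A session with no stop time is still active: treat it as open-ended.
        stop = datetime.strptime(s["stop"], FMT) if s["stop"] else datetime.max
        by_mac.setdefault(mac, []).append((start, stop, s["nas"]))
    hits = []
    for mac, rows in sorted(by_mac.items()):
        for (s1, e1, n1), (s2, e2, n2) in combinations(sorted(rows), 2):
            overlap = min(e1, e2) - max(s1, s2)
            if n1 != n2 and overlap > grace:
                hits.append((mac, n1, n2))
    return hits

if __name__ == "__main__":
    for mac, nas_a, nas_b in find_clones(SESSIONS):
        print(f"possible cloned MAC {mac}: active on {nas_a} and {nas_b} at once")
```

The first MAC is flagged even though the two APs reported it in different notations, while the second MAC's one-minute overlap falls inside the roaming grace period and is not.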

If you have any difficulty following the above steps, watch the following video about WiFi MAC Authentication with RADIUS Server. I hope it will clear up any confusion.

How to configure RADIUS MAC authentication in a MikroTik Wireless Router has been discussed in this article. I hope you will now be able to configure a MAC authenticated WiFi AP with User Manager RADIUS Server. However, if you face any confusion, feel free to discuss it in the comments or contact me via the Contact page. I will try my best to stay with you.
