User Manager: Built-in RADIUS Server for Hotspot and PPP

User Manager is a RouterOS package that provides a built-in RADIUS server. It authenticates and accounts subscribers connecting through Hotspot and PPP services, replacing the need for an external RADIUS server for most small-to-medium deployments.

The internal data model has four core entities: routers (NAS devices sending RADIUS requests), profiles (service tiers with validity), limitations (bandwidth/time/transfer quotas attached to profiles), and users (subscriber accounts).

  • RouterOS v6: user-manager extra package installed and matching the RouterOS version.
  • RouterOS v7: user-manager extra package installed (available in the MikroTik download archive for your board architecture).
  • The router running User Manager must be reachable by the NAS router(s) on UDP 1812 (authentication) and UDP 1813 (accounting).

RouterOS v6:

  1. Download the user-manager package matching your RouterOS version from mikrotik.com/download.
  2. Upload it to the router:
    /tool fetch url="http://<host>/user-manager-6.x.x-mipsbe.npk" dst-path=user-manager.npk
  3. Reboot to install:
    /system reboot

RouterOS v7:

  1. Download the user-manager extra package for your architecture.
  2. Drag-and-drop upload via WebFig, or:
    /tool fetch url="http://<host>/user-manager-7.x.x-arm64.npk" dst-path=user-manager.npk
  3. Reboot:
    /system reboot

After reboot the /user-manager command tree is available:

/user-manager print
enabled: yes
authentication-port: 1812
accounting-port: 1813
certificate: none
use-profiles: no
require-message-auth: yes-access-request

If enabled: no, enable it:

/user-manager set enabled=yes

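User Manager must trust each router (NAS) that sends it RADIUS requests. Register each NAS device with its shared secret. The value s3cr3tkey used in the examples is a placeholder; use a long, random secret in production: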

/user-manager router add \
name=nas1 \
address=192.168.1.1 \
shared-secret=s3cr3tkey \
comment="Hotspot router — building A"

| Property | Description |
|---|---|
| name | Friendly label for this NAS |
| address | IP address the NAS sends RADIUS packets from |
| shared-secret | Must match the secret configured on the NAS RADIUS client |

Verify:

/user-manager router print

Profiles define the service tier and validity period. Limitations define the actual constraints (rate, uptime, traffic volume) and are linked to profiles via the profile-limitation sub-menu.

Create a limitation:

/user-manager limitation add \
name=10M-30days \
rate-limit-rx=10M \
rate-limit-tx=10M \
uptime-limit=0 \
transfer-limit=0

| Property | Description |
|---|---|
| rate-limit-rx / rate-limit-tx | Download / upload rate cap. Uses RouterOS rate notation (k, M, G). |
| uptime-limit | Maximum cumulative connected time. 0 = unlimited. |
| transfer-limit | Maximum cumulative bytes transferred. 0 = unlimited. |

Create a profile and link the limitation to it:

/user-manager profile add \
name=basic \
validity=30d
/user-manager profile-limitation add \
profile=basic \
limitation=10M-30days \
from-time=0s \
till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday

The from-time/till-time/weekdays fields control when the limitation is active — set the full range for always-on access.

Note: Validity (how long after activation the profile is valid) is set on the profile, not the limitation. Use /user-manager profile add name=... validity=30d.

/user-manager user add \
name=alice \
password=a1ice2026
/user-manager user-profile add \
user=alice \
profile=basic

user-profile add assigns the profile and starts the validity clock. Always call this after adding a user, or the user has no active profile and will be rejected.

Verify:

/user-manager user print detail where name=alice

On each router that will send authentication requests to User Manager, add the RADIUS server entry:

/radius add \
service=hotspot \
address=<user-manager-ip> \
secret=s3cr3tkey \
authentication-port=1812 \
accounting-port=1813 \
protocol=udp \
timeout=3000ms

For PPP services, add a second entry:

/radius add \
service=ppp \
address=<user-manager-ip> \
secret=s3cr3tkey \
authentication-port=1812 \
accounting-port=1813 \
protocol=udp \
timeout=3000ms

When User Manager runs on the same router as the NAS, use 127.0.0.1 as the address and set the same shared secret in both the NAS RADIUS client and the User Manager router entry.

/ip hotspot profile set [find name=default] \
use-radius=yes \
nas-port-type=wireless-802.11

| Property | Description |
|---|---|
| use-radius=yes | Forwards HotSpot login requests to the configured RADIUS server(s) |
| nas-port-type | NAS-Port-Type attribute sent in Access-Request. Use ethernet for wired or wireless-802.11 for Wi-Fi deployments. |

Accounting for HotSpot is automatically sent when use-radius=yes is set — there is no separate accounting toggle. User Manager receives Accounting-Start when a client logs in, Accounting-Interim-Update at regular intervals, and Accounting-Stop on logout or disconnection.

To set the interim accounting interval on the HotSpot profile:

/ip hotspot profile set [find name=default] \
use-radius=yes \
radius-accounting=yes \
radius-interim-update=5m

Tip: When User Manager runs on the same router as the HotSpot, use 127.0.0.1 as the RADIUS server address. The loopback path bypasses inter-router routing complexity.

/ppp aaa set \
use-radius=yes \
accounting=yes \
interim-update=5m

| Property | Description |
|---|---|
| use-radius=yes | Consult RADIUS for authentication and authorization |
| accounting=yes | Send Accounting-Start/Stop/Interim-Update packets |
| interim-update | Frequency of usage updates to User Manager. 5m is typical; shorter intervals improve precision at higher overhead. |

Enable Incoming RADIUS Messages (CoA / Disconnect)

User Manager can send Change-of-Authorization (CoA) and Disconnect-Message (DM) packets to terminate or modify active sessions when a profile changes or a user is deleted. Enable on the NAS:

/radius incoming set accept=yes
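
The listeners this setup opens can be limited to the peers that need them. The rules below are an added example, not part of the original manual: they reuse the nas1 address 192.168.1.1 from the router entry above, and assume a User Manager address of 192.168.1.2 (constructed for illustration) and the default incoming RADIUS port 3799.

```routeros
# --- On the User Manager router ---
# Accept RADIUS authentication/accounting only from the registered NAS (nas1).
/ip firewall filter add chain=input protocol=udp dst-port=1812,1813 \
    src-address=192.168.1.1 action=accept comment="RADIUS from nas1"
# Drop RADIUS packets from every other source.
/ip firewall filter add chain=input protocol=udp dst-port=1812,1813 \
    action=drop comment="RADIUS from unregistered sources"

# --- On the NAS router ---
# Accept CoA / Disconnect-Message only from User Manager.
# 192.168.1.2 is an assumed address; 3799 is the default /radius incoming port.
/radius incoming set accept=yes port=3799
/ip firewall filter add chain=input protocol=udp dst-port=3799 \
    src-address=192.168.1.2 action=accept comment="CoA/DM from User Manager"
/ip firewall filter add chain=input protocol=udp dst-port=3799 \
    action=drop comment="CoA/DM from other sources"

# Rules are evaluated top to bottom and "add" appends to the end of the chain,
# so confirm that no earlier rule already accepts or drops this traffic.
/ip firewall filter print where chain=input
```

When User Manager and the NAS run on the same router, use 127.0.0.1 as the source address in the accept rules.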

User Manager does not have a native CSV import command. The standard approach is a RouterOS script that reads a delimited file and calls the User Manager API in a loop.

Create a plain-text file on the router (e.g., via FTP/SCP). Use comma as the delimiter, one user per line:

alice,a1ice2026
bob,b0b2026
carol,carol99

Upload the file to the router root as users.csv.

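:local profile "basic"
:local filename "users.csv"
:local data [/file get $filename contents]
# :toarray splits on commas, not line breaks, so walk the file line by line.
# Append a newline so the last record is processed even without a trailing one.
:set data ($data . "\n")
:local start 0
:local end [:find $data "\n" -1]
:while ([:typeof $end] = "num") do={
    :local line [:pick $data $start $end]
    # Strip the carriage return left by files saved with CRLF line endings
    :if (([:len $line] > 0) && ([:pick $line ([:len $line] - 1)] = "\r")) do={
        :set line [:pick $line 0 ([:len $line] - 1)]
    }
    # Split on the first comma: name before it, password after it
    :local sep [:find $line "," -1]
    :if (([:typeof $sep] = "num") && ($sep > 0)) do={
        :local uname [:pick $line 0 $sep]
        :local upass [:pick $line ($sep + 1) [:len $line]]
        /user-manager user add \
            name=$uname \
            password=$upass
        /user-manager user-profile add \
            user=$uname \
            profile=$profile
        :log info "Added user: $uname"
    }
    # Continue the search after the newline that ended this line
    :set start ($end + 1)
    :set end [:find $data "\n" $end]
}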

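Paste and run in the terminal, or save to a file and run with /import. Check /log print for per-user confirmation or errors. Remove users.csv from the router once the import has finished, because it holds every password in plain text.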

Vouchers are pre-generated username/password credentials printed on slips and handed to users. User Manager supports voucher workflows through batch user creation and a built-in voucher export command.

/user-manager user add-batch-users \
number-of-users=20 \
username-length=8 \
password-length=8 \
username-characters=lowercase,numbers \
password-characters=lowercase,uppercase,numbers

| Property | Description |
|---|---|
| number-of-users | How many voucher accounts to create in one batch |
| username-length | Character length of the generated username |
| password-length | Character length of the generated password |
| username-characters | Character set for usernames: lowercase, uppercase, numbers |
| password-characters | Character set for passwords: lowercase, uppercase, numbers |

This creates randomised users but does not assign a profile. Activate a profile on each new user before they can authenticate.

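# Assign the profile only to users that have no profile yet, so accounts
# that existed before the batch are left untouched
:foreach u in=[/user-manager user find] do={
    :local uname [/user-manager user get $u name]
    :if ([:len [/user-manager user-profile find where user=$uname]] = 0) do={
        /user-manager user-profile add \
            user=$uname \
            profile=basic
    }
}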

Run this immediately after add-batch-users. Users without an active profile receive Access-Reject.

/user-manager user generate-voucher [find] voucher-template=printable_vouchers

User Manager writes the voucher output to um5files/PRIVATE/TEMPLATES/vouchers/printable_vouchers.html in the router’s file system. Download it via Winbox Files or FTP, then print.

To customise the voucher layout, replace or edit the template file at um5files/PRIVATE/TEMPLATES/vouchers/. The template receives substitution variables for name, password, profile, and uptime/transfer limits from the attached limitation.

/user-manager user generate-voucher [find where name=alice] voucher-template=printable_vouchers

Generates a voucher for one specific user.

  1. Create batch users with add-batch-users.
  2. Activate a profile on each user with user-profile add.
  3. Export with generate-voucher → download the HTML file → print.
  4. Give each printed slip to a subscriber; they log in through the HotSpot portal using the credentials on the slip.
  5. When the profile expires the voucher is consumed. Re-activation requires assigning a new profile.

User Manager stores session history for each user, populated from RADIUS Accounting packets.

/user-manager session print where status=active
/user-manager session print where user=alice

Key columns:

| Column | Description |
|---|---|
| user | Subscriber identifier |
| status | active or closed |
| uptime | Duration of session |
| upload / download | Bytes transferred this session |
| nas-ip | NAS router that reported this session |
| calling-station-id | Client MAC address (Hotspot) or calling number (PPP) |

/user-manager user-profile print detail where user=alice

The user-profile record shows the active profile, state, and end-time (expiry) based on the validity set on the profile.

| Capability | User Manager | External RADIUS (e.g. FreeRADIUS) |
|---|---|---|
| Installation effort | Install one NPK package | Install + configure a separate server |
| User database | Local SQLite, managed via RouterOS CLI/WebFig | External database (MySQL, PostgreSQL, LDAP, AD) |
| High availability | None — single point of failure | Redundant servers, database replication |
| Scale | Suitable for hundreds to low thousands of users | Scales to millions of users |
| Voucher support | Built-in batch generation and HTML export | Requires custom scripts or a RADIUS front-end |
| Attribute flexibility | Fixed attribute set; no EAP methods | Full RFC 2865/2866 + EAP, vendor extensions, custom attributes |
| 802.1X / WPA-Enterprise | Not supported | Supported (EAP-TLS, PEAP, EAP-TTLS) |
| CoA / Disconnect-Message | Supported for active session termination | Fully supported |
| Reporting and billing | Basic session history in RouterOS CLI | Full billing systems (DALORADIUS, RADIUSdesk, custom) |
| Cost | Free (bundled with RouterOS) | Free (software) + server infrastructure cost |

Choose User Manager when:

  • Single-router or small multi-router deployment.
  • No external server infrastructure is available or desirable.
  • Voucher or captive-portal-only use case.
  • Subscriber count stays below a few thousand.

Choose external RADIUS when:

  • High availability is required (no single point of failure).
  • Active Directory or LDAP integration is needed.
  • 802.1X wireless or wired port authentication is required.
  • Deployment will exceed several thousand simultaneous users.
  • A billing or self-care portal is needed.

Limitations and caveats:

  • No IPv6 support in legacy builds: Some older User Manager versions do not handle IPv6 Framed-IPv6-Prefix attributes. Verify against your build.
  • No native bulk export: Exporting all users requires a script reading /user-manager user and writing to a file.
  • Single database, no replication: User Manager stores its database locally. For high-availability, deploy a separate external RADIUS server (FreeRADIUS) instead.
  • Large deployments: Performance degrades with very large user databases (tens of thousands of users) and high interim-update frequencies. Tune interim-update to 5–15 minutes for large installations.
  • PPP vs HotSpot attribute differences: Hotspot always sends accounting; PPP requires explicit accounting=yes. Rate-limit enforcement is via MikroTik-Rate-Limit RADIUS attribute returned in Access-Accept — verify your limitation’s rate fields are set correctly.
  • Profile changes take effect at next session: Modifying a profile limitation does not disconnect active sessions; the new limits apply when the user reconnects or when a CoA/DM is sent.
  • v6 vs v7 CLI differences: The command path changed from /tool user-manager (v6) to /user-manager (v7). The customer hierarchy from v6 is not present in v7. Always confirm with ? inline help on your installed version.

  1. Verify User Manager is enabled:
    /user-manager print
  2. Confirm the NAS router address and shared secret match:
    /user-manager router print
  3. Check firewall — UDP 1812 must reach the User Manager interface:
    /ip firewall filter print where dst-port=1812
  4. Confirm the user exists and has an active profile:
    /user-manager user print detail where name=<user>
    /user-manager user-profile print detail where user=<user>

Sessions Not Tracked / Quotas Not Decremented

  1. Confirm accounting is enabled on the NAS (PPP):
    /ppp aaa print
  2. Confirm interim-update is non-zero.
  3. Check User Manager sessions for closed sessions with zero bytes — this indicates accounting start/stop was received but no interim updates:
    /user-manager session print where user=<user>

Expired profiles cause Access-Reject. To renew:

/user-manager user-profile add \
user=<user> \
profile=basic

# User Manager status
/user-manager print
# Registered NAS routers
/user-manager router print
# Profiles
/user-manager profile print
# Profile-limitation links
/user-manager profile-limitation print
# All users
/user-manager user print detail
# User profile assignments and expiry
/user-manager user-profile print detail
# Active sessions
/user-manager session print where status=active