# RADIUS Client

## Summary

RouterOS acts as a RADIUS client, forwarding authentication and accounting requests to one or more external RADIUS servers. A single `/radius` entry can serve multiple services simultaneously: PPP tunnels (L2TP, PPPoE, PPTP, OVPN, SSTP), the HotSpot captive portal, router login (`login`), wireless 802.1X, and DHCP. When RADIUS is enabled for a service, RouterOS checks the local user database first; if no local match exists, the request is forwarded to the configured RADIUS servers in order.
## Command Paths

| Menu | Purpose |
|---|---|
| `/radius` | Add/manage RADIUS server entries |
| `/radius incoming` | Accept unsolicited CoA/DM messages from a RADIUS server |
| `/ppp aaa` | Enable RADIUS for all PPP services |
| `/ip hotspot aaa` | Enable RADIUS for HotSpot |
| `/user aaa` | Enable RADIUS for router login |
## Adding RADIUS Servers

Each entry in `/radius` represents one RADIUS server. Add one or more servers and assign services to each.

```
/radius add \
    address=10.0.0.10 \
    secret=MySecret123 \
    service=ppp,hotspot,login \
    timeout=300ms
```

Multiple services can be listed as a comma-separated value. When more than one entry shares a service, RouterOS tries them in configured order and moves to the next on timeout.
## Properties

| Property | Type | Default | Description |
|---|---|---|---|
| `address` | IP address | | RADIUS server IP address |
| `secret` | string | | Shared secret used for the RADIUS authenticators and the HMAC-MD5 Message-Authenticator; must match the server exactly |
| `service` | flag list | | Services using this server: hotspot, dhcp, ppp, pptp, pppoe, l2tp, ovpn, sstp, login, wireless, dhcpv6, dot1x |
| `port` | integer | 1812 | Authentication port |
| `accounting-port` | integer | 1813 | Accounting port (use 1646/1647 for legacy servers) |
| `timeout` | time | 300ms | Response wait time before trying the next server |
| `src-address` | IP address | | Source IP for RADIUS packets (useful on multi-homed routers) |
| `realm` | string | | Realm appended to the username in Access-Request |
| `called-id` | string | | Called-Station-Id attribute value (HotSpot primarily) |
| `domain` | string | | Domain for request routing |
| `vrf` | name | main | VRF for outbound RADIUS traffic |
| `encryption` | yes \| no | yes | Include Message-Authenticator so the server can verify packet integrity |
| `accounting-backup` | yes \| no | yes | Send accounting to this server when the primary fails |
| `disabled` | yes \| no | no | Disable this server entry |
| `comment` | string | | Administrative note |
## Service-Specific AAA Configuration

RADIUS must be enabled per service. Each service has its own AAA submenu.

### PPP (`/ppp aaa`)

Applies to all PPP services: L2TP, PPPoE, PPTP, OVPN, SSTP, async.

```
/ppp aaa set use-radius=yes accounting=yes interim-update=5m
```

| Property | Default | Description |
|---|---|---|
| `use-radius` | no | Forward authentication to RADIUS when the user is not found locally |
| `accounting` | yes | Send Accounting-Start/Stop/Interim-Update packets |
| `interim-update` | 0s | Interval for Acct-Interim-Update (0 = disabled). Set >0 for live session billing |
| `enable-ipv6-accounting` | no | Track IPv6 prefix traffic separately in accounting records |

### HotSpot (`/ip hotspot aaa`)

Applies to the HotSpot captive portal login service.

```
/ip hotspot aaa set use-radius=yes accounting=yes interim-update=5m
```

| Property | Description |
|---|---|
| `use-radius` | Forward HotSpot logins to RADIUS |
| `accounting` | Enable HotSpot accounting packets |
| `interim-update` | Accounting update interval |

### Router Login (`/user aaa`)

Applies to administrator logins via Winbox, SSH, Telnet, and the web interface.

```
/user aaa set use-radius=yes accounting=yes
```

| Property | Default | Description |
|---|---|---|
| `use-radius` | no | Try RADIUS if the local username is not found |
| `accounting` | yes | Send accounting for admin sessions |
| `exclude-groups` | | Local groups exempt from RADIUS lookup |
:::tip Local fallback
For all services, local users always take precedence. If a username exists locally, RADIUS is never contacted. If RADIUS is unreachable, local users with matching credentials still authenticate normally.
:::
## Incoming RADIUS Messages (CoA / Disconnect)

RADIUS servers can send unsolicited Change-of-Authorization (CoA) or Disconnect-Messages (DM) to modify or terminate active sessions. RouterOS listens on `/radius incoming`.

```
/radius incoming set accept=yes port=1700
```

| Property | Default | Description |
|---|---|---|
| `accept` | no | Enable processing of incoming CoA/DM packets |
| `port` | 1700 | UDP port to listen on |
| `vrf` | main | VRF for the listener |
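The shared `secret` in the Properties table and the CoA/DM listener above both depend on the same mechanism: every RADIUS packet carries a 16-byte authenticator derived from the secret, and the optional Message-Authenticator attribute adds an HMAC-MD5 over the whole packet. The following Python script is an added example (not RouterOS or MikroTik code) that builds an Access-Request with a Message-Authenticator (RFC 2869), verifies the Response Authenticator of an Access-Accept the way a NAS must before trusting the reply (RFC 2865), and checks the Request Authenticator of a Disconnect-Request the way a `/radius incoming` listener must before tearing down a session (RFC 5176). The secret reuses the value from the `/radius add` example; the username, the Framed-IP-Address, the session ID and the fixed Request Authenticator are constructed test values (a real client uses 16 random bytes).

```python
"""Added example: what the RADIUS shared secret protects.  Builds and verifies
the authenticators of an Access-Request, an Access-Accept and a
Disconnect-Request.  All values below are constructed for the demonstration."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, DISCONNECT_REQUEST = 1, 2, 40
USER_NAME, FRAMED_IP_ADDRESS, ACCT_SESSION_ID, MESSAGE_AUTHENTICATOR = 1, 8, 44, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; the 16-byte Authenticator follows


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def find_attr(attrs: bytes, atype: int):
    """Return (offset, value) of the first attribute of the given type, or None."""
    i = 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute list")
        if t == atype:
            return i, attrs[i + 2:i + length]
        i += length
    return None


def build_access_request(secret: bytes, ident: int, request_auth: bytes, username: str) -> bytes:
    """Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet), computed
    with the attribute's own 16 value bytes set to zero (RFC 2869 section 5.14)."""
    attrs = attr(USER_NAME, username.encode()) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac   # the zeroed placeholder is the last attribute, swap it in


def verify_message_authenticator(secret: bytes, packet: bytes, authenticator: bytes) -> bool:
    """Recompute the HMAC with the value zeroed and the given authenticator in the header
    (the packet's own for a request, the matching Request Authenticator for a reply)."""
    hit = find_attr(packet[20:], MESSAGE_AUTHENTICATOR)
    if hit is None or len(hit[1]) != 16:
        return False
    start = 20 + hit[0] + 2
    zeroed = packet[:4] + authenticator + packet[20:start] + bytes(16) + packet[start + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), hit[1])


def build_reply(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """Reply whose Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_reply(secret: bytes, request_auth: bytes, reply: bytes) -> bool:
    """NAS-side check: without the secret nobody can produce a Response Authenticator
    that matches the Request Authenticator we sent."""
    if len(reply) < 20 or HEADER.unpack(reply[:4])[2] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def build_disconnect_request(secret: bytes, ident: int, session_id: str) -> bytes:
    """Disconnect-Request: Request Authenticator is MD5 over the packet with sixteen
    zero bytes in the authenticator field, followed by the secret (RFC 5176)."""
    attrs = attr(ACCT_SESSION_ID, session_id.encode())
    head = HEADER.pack(DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return head + hashlib.md5(head + bytes(16) + attrs + secret).digest() + attrs


def verify_disconnect_request(secret: bytes, packet: bytes) -> bool:
    """What a CoA/DM listener must do before acting on the packet."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> dict:
    """Run every check on constructed packets and return the verdicts by name."""
    secret = b"MySecret123"             # from the /radius add example
    request_auth = bytes(range(16))     # constructed; a real client uses 16 random bytes
    request = build_access_request(secret, 7, request_auth, "alice")
    accept = build_reply(secret, ACCESS_ACCEPT, 7, request_auth,
                         attr(FRAMED_IP_ADDRESS, bytes([10, 0, 0, 50])))
    modified = accept[:-1] + bytes([accept[-1] ^ 0x01])   # one attribute byte changed in transit
    dm = build_disconnect_request(secret, 9, "81000001")
    return {
        "request_mac_ok": verify_message_authenticator(secret, request, request[4:20]),
        "reply_ok": verify_reply(secret, request_auth, accept),
        "modified_reply_ok": verify_reply(secret, request_auth, modified),
        "wrong_secret_reply_ok": verify_reply(b"wrong", request_auth, accept),
        "dm_ok": verify_disconnect_request(secret, dm),
        "wrong_secret_dm_ok": verify_disconnect_request(b"wrong", dm),
    }


if __name__ == "__main__":
    print(demo())
```

The two negative cases show why the firewall rule in the CoA example below restricts the listener by source address in addition to relying on the secret: the authenticator only proves knowledge of the secret, so a host that should never speak RADIUS to the router is best dropped before the packet is parsed at all.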
## RADIUS Attributes

### Sent in Access-Request

| Attribute | Description |
|---|---|
| User-Name | Username |
| User-Password / MS-CHAP | Credentials (protocol-dependent) |
| NAS-Identifier | Router identity (/system identity) |
| NAS-IP-Address | Router source IP |
| NAS-Port | Port or interface index |
| NAS-Port-Type | Ethernet, Virtual, Wireless, etc. |
| Service-Type | Framed (PPP), Login (router login), HotSpot |
| Framed-Protocol | PPP |
| Acct-Session-Id | Unique session ID |
| Called-Station-Id | Value from called-id property |
### Accepted in Access-Accept

| Attribute | Effect |
|---|---|
| Framed-IP-Address | Assigns IP to the client |
| Framed-Pool | Picks IP from named local pool |
| Framed-Route | Adds static route when session starts |
| MikroTik-Rate-Limit | Applies queue rate limit (format: rx/tx e.g. 10M/20M) |
| Session-Timeout | Maximum session length |
| Idle-Timeout | Disconnect after idle period |
| Filter-Id | Firewall chain to apply |
| Reply-Message | Message shown to user (HotSpot) |
### Sent in Accounting-Request

| Attribute | Description |
|---|---|
| Acct-Status-Type | Start, Stop, or Interim-Update |
| Acct-Session-Id | Matches the Access-Request session ID |
| Acct-Input-Octets | Bytes received by router |
| Acct-Output-Octets | Bytes sent by router |
| Acct-Input-Packets | Packets received |
| Acct-Output-Packets | Packets sent |
| Acct-Session-Time | Session duration in seconds |
| Acct-Terminate-Cause | Reason for disconnection |
## Configuration Examples

### PPP/L2TP with RADIUS Authentication

```
# 1. Add RADIUS server for PPP services
/radius add address=192.168.1.100 secret=pppSecret service=ppp,pptp,pppoe,l2tp,ovpn,sstp

# 2. Enable RADIUS AAA for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# 3. Configure L2TP server
/interface l2tp-server server set enabled=yes default-profile=default

# 4. Verify active sessions
/ppp active print
```

### HotSpot with RADIUS

```
# 1. Add RADIUS server for HotSpot
/radius add address=192.168.1.100 secret=hsSecret service=hotspot

# 2. Enable RADIUS AAA
/ip hotspot aaa set use-radius=yes accounting=yes interim-update=10m

# 3. Confirm HotSpot is running
/ip hotspot print
/ip hotspot active print
```

### Router Login via RADIUS (with Local Fallback)

```
# 1. Add RADIUS server for login
/radius add address=192.168.1.100 secret=loginSecret service=login

# 2. Enable RADIUS for admin login
/user aaa set use-radius=yes accounting=yes

# Keep at least one local admin user for fallback:
/user print
```

:::warning Keep a local admin account
If the RADIUS server becomes unreachable and no local admin account exists, you will be locked out. Always maintain a local user with `group=full` as a recovery path.
:::
### Redundant RADIUS Servers

```
# Primary server
/radius add address=10.0.0.10 secret=sharedSecret service=ppp,hotspot,login timeout=300ms

# Secondary server (tried if primary times out)
/radius add address=10.0.0.11 secret=sharedSecret service=ppp,hotspot,login timeout=300ms
```

### Enable CoA / Disconnect Messages

```
# Allow RADIUS server to terminate sessions remotely
/radius incoming set accept=yes port=1700

# Allow inbound CoA/DM from the RADIUS server only, in the firewall
/ip firewall filter add chain=input protocol=udp dst-port=1700 \
    src-address=192.168.1.100 action=accept comment="RADIUS CoA/DM" place-before=0
```

## Verification

```
# View configured RADIUS servers and their state
/radius print detail

# Check PPP AAA settings
/ppp aaa print

# Check HotSpot AAA settings
/ip hotspot aaa print

# Check router login AAA settings
/user aaa print

# View active PPP sessions
/ppp active print

# View active HotSpot sessions
/ip hotspot active print

# Tail RADIUS-related log entries
/log print follow where message~"radius"
```

## Troubleshooting
### RADIUS Authentication Not Working

- Verify connectivity to the RADIUS server: `/ping 192.168.1.100`
- Check the shared secret; it must match exactly on both sides: `/radius print detail`
- Confirm the service flag; the `/radius` entry must list the relevant service: `/radius set 0 service=ppp,hotspot,login`
- Check the firewall; RADIUS traffic (UDP 1812/1813) must be allowed outbound: `/ip firewall filter print`
- Enable RADIUS logging for detailed packet traces:

  ```
  /system logging add topics=radius action=memory
  /log print follow where topics~"radius"
  ```
### Accounting Not Updating

- Ensure `interim-update` is set to a value greater than `0s`: `/ppp aaa set interim-update=5m`
- Verify the RADIUS server accepts accounting packets (port 1813 by default).
### Users Not Receiving IP Address from RADIUS

- Confirm the RADIUS server returns `Framed-IP-Address` or `Framed-Pool` in Access-Accept.
- Check that the named pool exists on the router if using `Framed-Pool`: `/ip pool print`
### Rate Limits Not Applied

- The `MikroTik-Rate-Limit` attribute must use the format `rx-rate/tx-rate` (e.g., `10M/20M`).
- Verify with `/queue simple print` or `/queue tree print` after a user connects.
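The `MikroTik-Rate-Limit` row in the Access-Accept table and the format check in this troubleshooting item describe a vendor-specific attribute that the RADIUS server must both format and frame correctly. The following Python script is an added example (not RouterOS or MikroTik code) that validates the `rx-rate/tx-rate` string on the server side so a malformed value is caught before the Access-Accept leaves, wraps it in a Vendor-Specific attribute (RFC 2865 section 5.26, with MikroTik's vendor ID 14988 and vendor type 8 from MikroTik's RADIUS dictionary), and then decodes it again the way the router must. It goes beyond the page's single `10M/20M` case by accepting a single rate for both directions and the `k`/`M`/`G` suffixes; the rate strings and the attribute list are constructed test values.

```python
"""Added example: validate, encode and decode the MikroTik-Rate-Limit vendor-specific
attribute.  Sample values are constructed for the demonstration."""
import re
import struct

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
MIKROTIK_VENDOR_ID = 14988    # MikroTik enterprise number (0x3A8C)
MIKROTIK_RATE_LIMIT = 8       # vendor type of Mikrotik-Rate-Limit in MikroTik's dictionary

_RATE = re.compile(r"^(\d+)([kMG]?)$")
_MULT = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_rate(token: str) -> int:
    """'10M' -> 10_000_000 bits per second; plain digits are taken as bps."""
    m = _RATE.match(token)
    if not m:
        raise ValueError(f"bad rate {token!r}: expected digits with an optional k/M/G suffix")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_rate_limit(value: str) -> tuple[int, int]:
    """Return (rx_bps, tx_bps) from 'rx-rate/tx-rate'.  A single rate applies to both
    directions; optional burst/priority fields after a space are ignored here."""
    fields = value.strip().split()
    if not fields:
        raise ValueError("empty MikroTik-Rate-Limit value")
    parts = fields[0].split("/")
    if len(parts) == 1:
        rx = tx = parse_rate(parts[0])
    elif len(parts) == 2:
        rx, tx = parse_rate(parts[0]), parse_rate(parts[1])
    else:
        raise ValueError(f"expected rx-rate/tx-rate, got {fields[0]!r}")
    return rx, tx


def is_valid_rate_limit(value: str) -> bool:
    """Server-side pre-flight check: True only if the value parses as rx-rate/tx-rate."""
    try:
        parse_rate_limit(value)
        return True
    except ValueError:
        return False


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: Type 26, Length, 4-byte Vendor-Id, then the vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    if len(body) + 2 > 255:
        raise ValueError("VSA too long for a single attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def encode_rate_limit(value: str) -> bytes:
    """Validate first, then frame: a typo such as '10M-20M' never reaches the router."""
    parse_rate_limit(value)
    return encode_vsa(MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT, value.encode())


def decode_vsas(attrs: bytes) -> list[tuple[int, int, bytes]]:
    """Walk an attribute list and return (vendor_id, vendor_type, value) for each VSA."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute list")
        if atype == VENDOR_SPECIFIC:
            if length < 8:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            if vlen < 2 or vlen != length - 6:
                raise ValueError("malformed vendor attribute")
            out.append((vendor_id, vtype, attrs[i + 8:i + 6 + vlen]))
        i += length
    return out


def rate_limit_from_accept(attrs: bytes):
    """What the router does with an Access-Accept: find MikroTik's VSA and parse it."""
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id == MIKROTIK_VENDOR_ID and vtype == MIKROTIK_RATE_LIMIT:
            return parse_rate_limit(value.decode())
    return None


if __name__ == "__main__":
    accept_attrs = encode_rate_limit("10M/20M")   # constructed Access-Accept attribute list
    print(rate_limit_from_accept(accept_attrs))    # (10000000, 20000000)
    print(is_valid_rate_limit("10M-20M"))          # False: wrong separator, would be silently ignored by a queue
```

Running `is_valid_rate_limit` over the reply attributes in the server's post-auth policy is the cheapest way to turn "rate limit not applied" from a silent failure on the router into a rejected configuration on the server.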
## See Also

- User Management, Groups, and AAA: local users, SSH keys, group policies
- HotSpot: captive portal setup
- PPP: PPP profiles and server configuration