RADIUS Dynamic Address Assignment
RADIUS Dynamic Address Assignment
Section titled “RADIUS Dynamic Address Assignment”Summary
Section titled “Summary”RouterOS can assign IP addresses to PPP (PPPoE, L2TP, PPTP, SSTP, OVPN) and DHCP clients based on attributes returned in a RADIUS Access-Accept. Two attributes control addressing:
Framed-IP-Address— assigns a specific static IP to the clientFramed-Pool— names a local/ip poolfrom which RouterOS allocates an address
If both attributes are returned, Framed-IP-Address takes precedence and Framed-Pool is ignored. This lets you centrally control whether a subscriber receives a fixed or dynamic address without changing NAS configuration.
Attribute Precedence
Section titled “Attribute Precedence”| Priority | Attribute | Behaviour |
|---|---|---|
| 1 | Framed-IP-Address | Assigns the exact IP returned. Overrides Framed-Pool. |
| 2 | Framed-Pool | Allocates from the named local /ip pool. Used only when Framed-IP-Address is absent. |
| 3 | PPP profile remote-address | Falls back to profile-defined pool when neither RADIUS attribute is present. |
Special Framed-IP-Address Values
Section titled “Special Framed-IP-Address Values”RouterOS treats certain Framed-IP-Address ranges as signals to fall back to pool allocation from the default profile:
| Range | Meaning |
|---|---|
127.0.0.0/8 | Use the default profile pool (dynamic allocation) |
224.0.0.0/3 | Use the default profile pool (dynamic allocation) |
These ranges allow a RADIUS server to force pool allocation even via the Framed-IP-Address attribute.
Prerequisites
Section titled “Prerequisites”- A
/radiusentry must exist with the appropriateserviceflag (ppp,dhcp). - RADIUS must be enabled for the service (
/ppp aaa use-radius=yesor DHCP serveruse-radius=yes). - For
Framed-Pool, a matching/ip poolwith the same name must exist on the router.
Configuration
Section titled “Configuration”Step 1 — Add RADIUS Server
Section titled “Step 1 — Add RADIUS Server”/radiusadd address=10.0.0.3 secret=RadiusSecret service=pppFor DHCP address assignment via RADIUS, add dhcp to the service list:
/radiusadd address=10.0.0.3 secret=RadiusSecret service=ppp,dhcpStep 2 — Enable RADIUS for the Service
Section titled “Step 2 — Enable RADIUS for the Service”PPP (covers PPPoE, L2TP, PPTP, SSTP, OVPN):
/ppp aaaset use-radius=yesDHCP Server:
/ip dhcp-serverset [find name=dhcp1] use-radius=yesStep 3 — Create Local Pools (for Framed-Pool)
Section titled “Step 3 — Create Local Pools (for Framed-Pool)”Define the pools that RADIUS will reference by name:
/ip pooladd name=broadband-standard ranges=100.64.0.2-100.64.0.254add name=broadband-premium ranges=100.64.1.2-100.64.1.254add name=broadband-business ranges=100.64.2.2-100.64.2.10Pool names must match exactly what the RADIUS server returns in Framed-Pool.
RADIUS Server Side
Section titled “RADIUS Server Side”Your RADIUS server returns one of the following in Access-Accept:
Static IP assignment:
Framed-IP-Address = 100.64.5.42Pool-based assignment:
Framed-Pool = broadband-standardForce dynamic from default profile pool:
Framed-IP-Address = 127.0.0.1PPP Profile Integration
Section titled “PPP Profile Integration”The PPP profile provides a default pool when RADIUS does not specify one. This is the fallback, not an override:
/ppp profileadd name=isp-default \ local-address=10.0.0.1 \ remote-address=broadband-standard \ use-compression=noWhen RADIUS returns Framed-Pool=broadband-premium, the client receives an address from broadband-premium, ignoring the profile’s remote-address.
Verifying Address Assignment
Section titled “Verifying Address Assignment”Check which addresses are currently allocated from each pool:
/ip pool used printFind the address assigned to a specific PPP client:
/ppp active print where name=subscriber1Check DHCP leases assigned via RADIUS:
/ip dhcp-server lease print where radius=yesCommon Issues
Section titled “Common Issues”Framed-Pool name not resolving
RouterOS silently falls back to the profile pool if the pool named in Framed-Pool does not exist locally. Always verify pool names match:
/ip pool printClient receives wrong address
Confirm what RADIUS is actually returning by enabling PPP logging:
/system loggingadd topics=ppp,debug action=memoryThen review /log print after a client connects.
DHCP client not receiving RADIUS-assigned address
Ensure the DHCP server has use-radius=yes and that /radius has service=dhcp. DHCP does not use /ppp aaa — each service has its own RADIUS enable flag.
Related Documentation
Section titled “Related Documentation”- RADIUS Client — Server configuration and attribute handling
- RADIUS Accounting and CoA — Session tracking and dynamic policy updates
- IP Pools — Pool creation and management
- ISP Subscriber Management — End-to-end PPPoE/DHCP service design