User Manager: Built-in RADIUS Server for Hotspot and PPP

User Manager is a RouterOS package that provides a built-in RADIUS server. It authenticates and accounts subscribers connecting through Hotspot and PPP services, replacing the need for an external RADIUS server for most small-to-medium deployments.

The internal data model has four core entities: routers (NAS devices sending RADIUS requests), customers (administrative accounts that own users and profiles), profiles and limitations (bandwidth/time/transfer quotas), and users (subscriber accounts).

  • RouterOS v6: user-manager extra package installed and matching the RouterOS version.
  • RouterOS v7: user-manager extra package installed (available in the MikroTik download archive for your board architecture).
  • The router running User Manager must be reachable by the NAS router(s) on UDP 1812 (authentication) and UDP 1813 (accounting).

RouterOS v6:

  1. Download the user-manager package matching your RouterOS version from mikrotik.com/download.
  2. Upload it to the router:
    /tool fetch url="http://<host>/user-manager-6.x.x-mipsbe.npk" dst-path=user-manager.npk
  3. Reboot to install:
    /system reboot

RouterOS v7:

  1. Download the user-manager extra package for your architecture.
  2. Drag-and-drop upload via WebFig, or:
    /tool fetch url="http://<host>/user-manager-7.x.x-arm64.npk" dst-path=user-manager.npk
  3. Reboot:
    /system reboot

After reboot the /tool user-manager command tree is available:

/tool user-manager print
enabled: yes

If enabled: no, enable it:

/tool user-manager set enabled=yes

User Manager must trust each router (NAS) sending RADIUS requests. Register NAS devices with their shared secret:

/tool user-manager router add \
name=nas1 \
ip-address=192.168.1.1 \
shared-secret=s3cr3tkey \
comment="Hotspot router — building A"

| Property | Description |
| --- | --- |
| name | Friendly label for this NAS |
| ip-address | IP address the NAS sends RADIUS packets from |
| shared-secret | Must match the secret configured on the NAS RADIUS client |

Verify:

/tool user-manager router print

Profiles define the service tier. Limitations define the actual constraints (rate, uptime, traffic volume, validity period) and are attached to profiles.

Create a limitation:

/tool user-manager limitation add \
name=10M-30days \
rate-limit-rx=10M \
rate-limit-tx=10M \
uptime-limit=0 \
transfer-limit=0 \
validity=30d

| Property | Description |
| --- | --- |
| rate-limit-rx / rate-limit-tx | Download / upload rate cap. Uses RouterOS rate notation (k, M, G). |
| uptime-limit | Maximum cumulative connected time. 0 = unlimited. |
| transfer-limit | Maximum cumulative bytes transferred. 0 = unlimited. |
| validity | How long after activation the profile is valid. 0 = unlimited. |

Create a profile and add the limitation to it:

/tool user-manager profile add \
name=basic \
validity=30d
/tool user-manager profile limitation add \
profile=basic \
limitation=10M-30days \
from-time=0s \
till-time=23h59m59s \
weekdays=sun,mon,tue,wed,thu,fri,sat

The from-time/till-time/weekdays fields control when the limitation is active — set the full range for always-on access.

/tool user-manager user add \
username=alice \
password=a1ice2026 \
customer=admin
/tool user-manager user create-and-activate-profile \
username=alice \
profile=basic \
customer=admin

create-and-activate-profile assigns the profile and starts the validity clock. Always call this after adding a user, or the user has no active profile and will be rejected.

Verify:

/tool user-manager user print detail where username=alice

On each router that will send authentication requests to User Manager, add the RADIUS server entry:

/radius add \
service=hotspot \
address=<user-manager-ip> \
secret=s3cr3tkey \
authentication-port=1812 \
accounting-port=1813 \
protocol=udp \
timeout=3000ms

For PPP services, add a second entry:

/radius add \
service=ppp \
address=<user-manager-ip> \
secret=s3cr3tkey \
authentication-port=1812 \
accounting-port=1813 \
protocol=udp \
timeout=3000ms

When User Manager runs on the same router as the NAS, use 127.0.0.1 as the address and set the same shared secret in both the NAS RADIUS client and the User Manager router entry.
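What the shared secret does on each side of a PAP login, as an added Python example (not from the RouterOS manual or MikroTik code): it follows the RFC 2865 User-Password hiding and Response Authenticator rules, using the page's sample secret and credentials. The function names, REQUEST_AUTH and the packet identifier 7 are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 User-Password hiding (PAP)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the secret."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """Server side: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_accepts(code, ident, attrs, request_auth, reply_auth, nas_secret) -> bool:
    """NAS side: a reply that fails this check is discarded, which looks like a timeout."""
    expected = response_authenticator(code, ident, attrs, request_auth, nas_secret)
    return hmac.compare_digest(expected, reply_auth)

# Constructed sample values; a real NAS uses 16 unpredictable bytes per request.
REQUEST_AUTH = bytes(range(16))
NAS_SECRET = b"s3cr3tkey"

def demo(server_secret: bytes):
    """Return (password the server sees, whether the NAS accepts the Access-Accept)."""
    hidden = hide_password(b"a1ice2026", NAS_SECRET, REQUEST_AUTH)
    seen = reveal_password(hidden, server_secret, REQUEST_AUTH)
    reply = response_authenticator(2, 7, b"", REQUEST_AUTH, server_secret)  # code 2 = Access-Accept
    return seen, nas_accepts(2, 7, b"", REQUEST_AUTH, reply, NAS_SECRET)

if __name__ == "__main__":
    print(demo(b"s3cr3tkey"))   # matching secrets
    print(demo(b"S3cr3tkey"))   # one character differs on the server
```

A mismatched secret never produces an explicit "wrong secret" error: the server decodes a garbage password and rejects it, and the NAS discards any reply it cannot verify. The secret is also the only protection for a PAP password in transit, so it should be long and random rather than a short word like the sample.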

/ip hotspot profile set [find name=default] \
use-radius=yes \
nas-port-type=wireless-802.11

| Property | Description |
| --- | --- |
| use-radius=yes | Forwards HotSpot login requests to the configured RADIUS server(s) |
| nas-port-type | NAS-Port-Type attribute sent in Access-Request. Use ethernet for wired or wireless-802.11 for Wi-Fi deployments. |

Accounting for HotSpot is automatically sent when use-radius=yes is set — there is no separate accounting toggle. User Manager receives Accounting-Start when a client logs in, Accounting-Interim-Update at regular intervals, and Accounting-Stop on logout or disconnection.

To set the interim accounting interval on the HotSpot profile:

/ip hotspot profile set [find name=default] \
use-radius=yes \
radius-accounting=yes \
radius-interim-update=5m

Tip: When User Manager runs on the same router as the HotSpot, use 127.0.0.1 as the RADIUS server address. The loopback path bypasses inter-router routing complexity.

/ppp aaa set \
use-radius=yes \
accounting=yes \
interim-update=5m

| Property | Description |
| --- | --- |
| use-radius=yes | Consult RADIUS for authentication and authorization |
| accounting=yes | Send Accounting-Start/Stop/Interim-Update packets |
| interim-update | Frequency of usage updates to User Manager. 5m is typical; shorter intervals improve precision at higher overhead. |

Enable Incoming RADIUS Messages (CoA / Disconnect)

User Manager can send Change-of-Authorization (CoA) and Disconnect-Message (DM) packets to terminate or modify active sessions when a profile changes or a user is deleted. Enable on the NAS:

/radius incoming set accept=yes

User Manager does not have a native CSV import command. The standard approach is a RouterOS script that reads a delimited file and calls the User Manager API in a loop.

Create a plain-text file on the router (e.g., via FTP/SCP). Use comma as the delimiter, one user per line:

alice,a1ice2026
bob,b0b2026
carol,carol99

Upload the file to the router root as users.csv.

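:local profile "basic"
:local customer "admin"
:local filename "users.csv"
# Append a newline so the last record is always terminated
:local data ([/file get $filename contents] . "\n")
# :toarray splits on commas, not line breaks, so consume the buffer one line at a time
:while ([:len $data] > 0) do={
    :local eol [:find $data "\n" -1]
    :local line [:pick $data 0 $eol]
    :set data [:pick $data ($eol + 1) [:len $data]]
    # Drop the carriage return left by Windows line endings
    :local cr [:find $line "\r" -1]
    :if ([:typeof $cr] = "num") do={ :set line [:pick $line 0 $cr] }
    # Split at the first comma: username before it, password after it
    :local sep [:find $line "," -1]
    :if ($sep > 0) do={
        :local uname [:pick $line 0 $sep]
        :local upass [:pick $line ($sep + 1) [:len $line]]
        /tool user-manager user add \
            username=$uname \
            password=$upass \
            customer=$customer
        /tool user-manager user create-and-activate-profile \
            username=$uname \
            profile=$profile \
            customer=$customer
        :log info "Added user: $uname"
    }
}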

Paste and run in the terminal, or save to a file and run with /import. Check /log print for per-user confirmation or errors. users.csv holds plaintext passwords, so remove it from the router once the import has succeeded.
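A pre-flight check for users.csv, run on the admin workstation before upload, as an added Python example (not part of the original manual). It parses each line the way the import script does, reports the lines that script would silently skip or mishandle, and goes one step further by emitting the equivalent commands as an .rsc file for /import. The function names and SAMPLE data are constructed, and the quoting assumes RouterOS string-literal escapes for backslash, double quote and $.

```python
# RouterOS string escapes: backslash, double quote and $ must be escaped inside "..."
_ESCAPES = {"\\": "\\\\", '"': '\\"', "$": "\\$"}

def ros_quote(value: str) -> str:
    """Quote a value as a RouterOS string literal."""
    return '"' + "".join(_ESCAPES.get(ch, ch) for ch in value) + '"'

def check_users_csv(text: str):
    """Split each line at the first comma, like the import script; return (users, problems)."""
    users, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            continue  # blank lines carry no record
        name, sep, password = line.partition(",")
        if not sep or not name:
            problems.append((lineno, "no username,password pair; the import script skips it"))
        elif not password:
            problems.append((lineno, "empty password"))
        elif name != name.strip() or password != password.strip():
            problems.append((lineno, "surrounding whitespace would become part of the credential"))
        elif any(ord(ch) < 32 or ord(ch) > 126 for ch in name + password):
            problems.append((lineno, "non-printable or non-ASCII character"))
        elif name in seen:
            problems.append((lineno, f"duplicate username {name!r}"))
        else:
            seen.add(name)
            users.append((name, password))
    return users, problems

def to_rsc(users, profile="basic", customer="admin") -> str:
    """Emit the two commands the import script runs, one pair per valid user."""
    lines = []
    for name, password in users:
        who = f"username={ros_quote(name)}"
        owner = f"customer={ros_quote(customer)}"
        lines.append(f"/tool user-manager user add {who} password={ros_quote(password)} {owner}")
        lines.append("/tool user-manager user create-and-activate-profile "
                     f"{who} profile={ros_quote(profile)} {owner}")
    return "\n".join(lines)

# Constructed sample: three good records, three that need fixing
SAMPLE = 'alice,a1ice2026\nbob,b0b2026\n,orphan\ncarol\nalice,again\ndave,pa$$"w0rd\n'

if __name__ == "__main__":
    users, problems = check_users_csv(SAMPLE)
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
    print(to_rsc(users))
```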

Vouchers are pre-generated username/password credentials printed on slips and handed to users. User Manager supports voucher workflows through batch user creation and a built-in voucher export command.

/tool user-manager user add-batch-users \
number-of-users=20 \
username-length=8 \
password-length=8 \
username-characters=lowercase,numbers \
password-characters=lowercase,uppercase,numbers \
customer=admin

| Property | Description |
| --- | --- |
| number-of-users | How many voucher accounts to create in one batch |
| username-length | Character length of the generated username |
| password-length | Character length of the generated password |
| username-characters | Character set for usernames: lowercase, uppercase, numbers |
| password-characters | Character set for passwords: lowercase, uppercase, numbers |
| customer | Customer account that owns the generated users |

This creates randomised users but does not assign a profile. Activate a profile on each new user before they can authenticate.

:foreach u in=[/tool user-manager user find where customer=admin] do={
    :local uname [/tool user-manager user get $u username]
    /tool user-manager user create-and-activate-profile \
        username=$uname \
        profile=basic \
        customer=admin
}

Run this immediately after add-batch-users. Users without an active profile receive Access-Reject.

/tool user-manager user generate-voucher [find where customer=admin]

User Manager writes the voucher output to a file in the router’s file system (default template: user-manager/voucher.html). Download it via Winbox Files or FTP, then print.

To customise the voucher layout, replace or edit the template file. The template receives substitution variables for username, password, profile, and uptime-limit/transfer-limit from the attached limitation.

/tool user-manager user generate-voucher [find where username=alice]

Generates a voucher for one specific user.

  1. Create batch users with add-batch-users.
  2. Activate a profile on each user with create-and-activate-profile.
  3. Export with generate-voucher → download the HTML file → print.
  4. Give each printed slip to a subscriber; they log in through the HotSpot portal using the credentials on the slip.
  5. When the profile expires the voucher is consumed. Re-activation requires assigning a new profile.

User Manager stores session history for each user, populated from RADIUS Accounting packets.

/tool user-manager session print where status=active
/tool user-manager session print where username=alice

Key columns:

| Column | Description |
| --- | --- |
| username | Subscriber identifier |
| status | active or closed |
| uptime | Duration of session |
| upload / download | Bytes transferred this session |
| nas-ip | NAS router that reported this session |
| calling-station-id | Client MAC address (Hotspot) or calling number (PPP) |

/tool user-manager user print detail where username=alice

The active-profile section shows the remaining uptime, transfer, and validity against the assigned limitation.

| Capability | User Manager | External RADIUS (e.g. FreeRADIUS) |
| --- | --- | --- |
| Installation effort | Install one NPK package | Install + configure a separate server |
| User database | Local SQLite, managed via RouterOS CLI/WebFig | External database (MySQL, PostgreSQL, LDAP, AD) |
| High availability | None — single point of failure | Redundant servers, database replication |
| Scale | Suitable for hundreds to low thousands of users | Scales to millions of users |
| Voucher support | Built-in batch generation and HTML export | Requires custom scripts or a RADIUS front-end |
| Attribute flexibility | Fixed attribute set; no EAP methods | Full RFC 2865/2866 + EAP, vendor extensions, custom attributes |
| 802.1X / WPA-Enterprise | Not supported | Supported (EAP-TLS, PEAP, EAP-TTLS) |
| CoA / Disconnect-Message | Supported for active session termination | Fully supported |
| Reporting and billing | Basic session history in RouterOS CLI | Full billing systems (DALORADIUS, RADIUSdesk, custom) |
| Cost | Free (bundled with RouterOS) | Free (software) + server infrastructure cost |

Choose User Manager when:

  • Single-router or small multi-router deployment.
  • No external server infrastructure is available or desirable.
  • Voucher or captive-portal-only use case.
  • Subscriber count stays below a few thousand.

Choose external RADIUS when:

  • High availability is required (no single point of failure).
  • Active Directory or LDAP integration is needed.
  • 802.1X wireless or wired port authentication is required.
  • Deployment will exceed several thousand simultaneous users.
  • A billing or self-care portal is needed.

  • No IPv6 support in legacy builds: Some older User Manager versions do not handle IPv6 Framed-IPv6-Prefix attributes. Verify against your build.
  • No native bulk export: Exporting all users requires a script reading /tool user-manager user and writing to a file.
  • Single database, no replication: User Manager stores its database locally. For high-availability, deploy a separate external RADIUS server (FreeRADIUS) instead.
  • Large deployments: Performance degrades with very large user databases (tens of thousands of users) and high interim-update frequencies. Tune interim-update to 5–15 minutes for large installations.
  • PPP vs HotSpot attribute differences: Hotspot always sends accounting; PPP requires explicit accounting=yes. Rate-limit enforcement is via MikroTik-Rate-Limit RADIUS attribute returned in Access-Accept — verify your limitation’s rate fields are set correctly.
  • Profile changes take effect at next session: Modifying a profile limitation does not disconnect active sessions; the new limits apply when the user reconnects or when a CoA/DM is sent.
  • v6 vs v7 CLI differences: Some command paths and property names differ between major versions. Always confirm with ? inline help on your installed version.

  1. Verify User Manager is enabled:
    /tool user-manager print
  2. Confirm the NAS router IP and shared secret match:
    /tool user-manager router print
  3. Check firewall — UDP 1812 must reach the User Manager interface:
    /ip firewall filter print where dst-port=1812
  4. Confirm the user exists and has an active profile:
    /tool user-manager user print detail where username=<user>

Sessions Not Tracked / Quotas Not Decremented

  1. Confirm accounting is enabled on the NAS (PPP):
    /ppp aaa print
  2. Confirm interim-update is non-zero.
  3. Check User Manager sessions for closed sessions with zero bytes — this indicates accounting start/stop was received but no interim updates:
    /tool user-manager session print where username=<user>

Expired profiles cause Access-Reject. To renew:

/tool user-manager user create-and-activate-profile \
username=<user> \
profile=basic \
customer=admin

# User Manager status
/tool user-manager print
# Registered NAS routers
/tool user-manager router print
# Profiles
/tool user-manager profile print
# All users with active profile status
/tool user-manager user print detail
# Active sessions
/tool user-manager session print where status=active