User Manager (Built-in RADIUS Server)
TL;DR (Quick Start)
For the impatient: enable User Manager, register the router itself as a NAS, create a user, and point the RADIUS client at User Manager.
```
# Enable User Manager
/user-manager set enabled=yes

# Add the local router as a NAS
/user-manager router add name=local address=127.0.0.1 shared-secret=MySecret123

# Create a user
/user-manager user add name=testuser password=testpass123

# Point the RADIUS client at User Manager (same secret as the router entry above)
/radius add address=127.0.0.1 secret=MySecret123 service=ppp,hotspot

# Enable RADIUS authentication and accounting for PPP
/ppp aaa set use-radius=yes accounting=yes
```
MySecret123 is a placeholder: the shared secret is the only thing that authenticates a NAS to User Manager, so use a long random value in practice. Verify with:
```
/user-manager session print
/radius monitor 0
```
Look for active sessions and the accepts counter incrementing.
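Before involving PPP or Hotspot it is often quicker to send a single Access-Request from a workstation and see exactly what comes back. The block below is an added example, not part of this page's RouterOS configuration and not MikroTik code: a minimal RADIUS/PAP client in Python (standard library only) that hides the password per RFC 2865, adds a Message-Authenticator per RFC 2869, and on the reply verifies both the Response Authenticator and the Message-Authenticator, refusing replies without one. The server-side functions (verify_request, build_response) are included so the whole exchange can be exercised offline. It assumes the workstation's own IP has been registered with /user-manager router add address=<workstation-ip> shared-secret=..., that User Manager listens on UDP 1812, and that User Manager, like other RADIUS servers, matches the NAS on the packet's source address; it reuses the constructed secret and test user from the quick start.

```python
"""RADIUS/PAP test client plus the matching server-side checks (RFC 2865, RFC 2869).
Added example, not RouterOS code: sends one Access-Request to User Manager from a workstation."""
import hashlib, hmac, os, socket, struct, sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

def _hide(data, secret, authenticator, chain_on_input):
    """RFC 2865 5.2: b_i = MD5(secret + c_(i-1)), c_i = p_i XOR b_i, c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if chain_on_input else block   # encrypt chains on output, decrypt on input
    return out

def encrypt_password(password, secret, request_auth):
    return _hide(password + b"\x00" * (-len(password) % 16), secret, request_auth, False)

def decrypt_password(cipher, secret, request_auth):
    return _hide(cipher, secret, request_auth, True).rstrip(b"\x00")

def attribute(atype, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attributes(pkt):
    attrs, i = {}, 20   # TLV walk over the attribute area; truncated or zero-length TLVs are rejected
    while i < len(pkt):
        if i + 2 > len(pkt) or pkt[i + 1] < 2 or i + pkt[i + 1] > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return attrs

def _message_auth_ok(pkt, auth_for_hmac, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute value zeroed (for replies the Request
    Authenticator sits in the header). A missing attribute fails: that defeats Blast-RADIUS (CVE-2024-3596)."""
    i = 20
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:4] + auth_for_hmac + pkt[20:i + 2] + b"\x00" * 16 + pkt[i + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[i + 2:i + 18])
        i += alen
    return False

def build_access_request(username, password, secret, nas_ip, ident, request_auth):
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, encrypt_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # placeholder, filled in below
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_request(req, secret):
    """Server side: what a RADIUS server must check before acting on an Access-Request."""
    return (len(req) >= 20 and req[0] == ACCESS_REQUEST
            and struct.unpack("!H", req[2:4])[0] == len(req) and _message_auth_ok(req, req[4:20], secret))

def build_response(code, ident, request_auth, secret, with_message_auth=True):
    """Server side: Message-Authenticator first (Request Authenticator still in the header), then
    Response Authenticator = MD5(Code+ID+Length + RequestAuth + attributes + secret)."""
    attrs = attribute(MESSAGE_AUTHENTICATOR, b"\x00" * 16) if with_message_auth else b""
    pkt = struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs
    if with_message_auth:
        pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    resp_auth = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]

def verify_response(resp, request_auth, secret):
    """Client side: the reply's code, or None if either authenticator fails or is missing."""
    if len(resp) < 20 or struct.unpack("!H", resp[2:4])[0] != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    return resp[0] if _message_auth_ok(resp, request_auth, secret) else None

def check_nas(server, secret, username, password, nas_ip="127.0.0.1", port=1812, timeout=2.0):
    """Send one request. Assumption: User Manager matches the NAS on the source IP, so the
    workstation running this must itself be registered under /user-manager router."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(username, password, secret, nas_ip, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"   # unknown NAS or bad Message-Authenticator: silently discarded per RFC
    if len(resp) < 2 or resp[1] != ident:
        return "invalid"
    code = verify_response(resp, request_auth, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")

if __name__ == "__main__":   # python3 radius_check.py <router-ip> MySecret123 testuser testpass123
    print(check_nas(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

The script prints accept, reject, timeout or invalid. A timeout means the request was silently discarded, which RFC 2865 and RFC 2869 require for an unregistered NAS address or a Message-Authenticator that does not verify under the server's secret; invalid means a reply arrived but its authenticators did not verify, or it carried no Message-Authenticator at all, which is the condition behind the v7.15 message-authenticator row in Troubleshooting below.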
Overview
What this does: User Manager is RouterOS's built-in RADIUS server providing centralized Authentication, Authorization, and Accounting (AAA). It manages users with profiles that define bandwidth limits, session timeouts, data quotas, and validity periods.
When to use this:
- ISP/WISP environments with Hotspot or PPPoE subscribers
- Hotels, cafes, campgrounds needing captive portal with paid access
- Enterprise networks requiring centralized wireless authentication
- Any scenario needing bandwidth limits, data caps, or time-based access
- When you want integrated RADIUS without external server
Prerequisites:
- RouterOS 7.1+ (User Manager rewritten in v7)
- User Manager package installed (separate download for v7)
- NTP configured if using TOTP two-factor authentication
- Understanding of RADIUS concepts
License Limits
User Manager active sessions are limited by RouterOS license level:
- Level 4 (SOHO): 200 active sessions
- Level 5 (WISP): 500 active sessions
- Level 6 (Controller): Unlimited sessions
Multiple sessions per user count against this limit.
Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│                          USER MANAGER                           │
│  ┌──────────┐   ┌──────────┐   ┌───────────┐   ┌──────────┐     │
│  │  Users   │──▶│ Profiles │──▶│Limitations│──▶│ Counters │     │
│  └──────────┘   └──────────┘   └───────────┘   └──────────┘     │
│                                                                 │
│        RADIUS: Auth (1812) │ Acct (1813) │ CoA (3799)           │
└─────────────────────────────────────────────────────────────────┘
                 │                           │
                 ▼                           ▼
          ┌──────────┐                ┌──────────┐
          │ Hotspot  │                │  PPPoE   │
          │  Server  │                │  Server  │
          └──────────┘                └──────────┘
```
| Component | Purpose |
|---|---|
| Users | Credentials (username/password), group membership, TOTP secrets |
| User Groups | Common attributes and allowed authentication methods |
| Profiles | Service plans with validity periods and pricing |
| Limitations | Rate limits, data caps, uptime limits, counter resets |
| Routers | NAS devices authorized to query User Manager |
| Sessions | Active and historical connection records |
Installation (RouterOS 7)
User Manager is a separate package in RouterOS 7. Download it from mikrotik.com/download; the package version must match the installed RouterOS version exactly:
- Download “Extra packages” for your architecture (arm, arm64, x86, etc.)
- Extract the archive and upload user-manager-*.npk to the router
- Reboot to install
```
# Check the architecture (the package must match it)
/system resource print

# After uploading the package, reboot
/system reboot

# Verify the installation
/user-manager print
```
Configuration Steps
Step 1: Enable User Manager
```
/user-manager set enabled=yes
```
Step 2: Add Router as NAS
Register every router that will send RADIUS requests. User Manager identifies a NAS by the source address of its packets, so address must be the IP the NAS actually sends from. The shared secret is the only thing that authenticates that NAS: use a long random value and a different one per NAS. For the router authenticating against its own User Manager:
```
/user-manager router add name=local-router \
    address=127.0.0.1 \
    shared-secret=SecureRadiusSecret123
```
For remote NAS devices (coa-port is where User Manager sends CoA/Disconnect messages for live sessions):
```
/user-manager router add name=remote-pppoe \
    address=10.0.0.2 \
    shared-secret=SecureRadiusSecret123 \
    coa-port=3799
```
RADIUS between a remote NAS and User Manager is plain UDP with only MD5-based password hiding, so carry it over a management VLAN or a tunnel rather than an untrusted network.
Step 3: Create Limitation
Limitations define bandwidth, data caps, and time restrictions:
```
# Basic rate limit
/user-manager limitation add name=basic-10m \
    rate-limit-rx=10M rate-limit-tx=5M

# With data cap and monthly reset (53687091200 bytes = 50 GiB)
/user-manager limitation add name=monthly-50gb \
    rate-limit-rx=25M rate-limit-tx=10M \
    transfer-limit=53687091200 \
    reset-counters-interval=monthly
```
Step 4: Create Profile
Profiles link limitations to service plans. Profiles and their limitations are only enforced once use-profiles=yes is set:
```
# Enable the profile system
/user-manager set use-profiles=yes

# Create a profile valid for 30 days
/user-manager profile add name=home-basic \
    name-for-users="Home Basic 10Mbps" \
    validity=30d

# Link the limitation to the profile
/user-manager profile-limitation add \
    profile=home-basic \
    limitation=basic-10m
```
Step 5: Create User
```
/user-manager user add name=subscriber1 \
    password=SecurePassword123 \
    shared-users=1

# Assign the profile to the user
/user-manager user-profile add \
    user=subscriber1 \
    profile=home-basic
```
Step 6: Configure RADIUS Client
On the NAS router (which can be the same device), using the same secret as its /user-manager router entry:
```
# Add the RADIUS server
/radius add address=127.0.0.1 \
    secret=SecureRadiusSecret123 \
    service=ppp,hotspot \
    timeout=1s

# Enable RADIUS authentication and accounting for PPP
/ppp aaa set use-radius=yes accounting=yes interim-update=5m
```
Scenarios
Scenario 1: Tiered ISP Service Plans
Create multiple service tiers with different speeds:
```
# Bronze - 10/5 Mbps
/user-manager limitation add name=lim-bronze \
    rate-limit-rx=10M rate-limit-tx=5M
/user-manager profile add name=plan-bronze \
    name-for-users="Bronze 10Mbps" validity=30d
/user-manager profile-limitation add \
    profile=plan-bronze limitation=lim-bronze

# Silver - 25/10 Mbps with burst
/user-manager limitation add name=lim-silver \
    rate-limit-rx=25M rate-limit-tx=10M \
    rate-limit-burst-rx=50M rate-limit-burst-tx=20M \
    rate-limit-burst-threshold-rx=20M rate-limit-burst-threshold-tx=8M \
    rate-limit-burst-time-rx=10s rate-limit-burst-time-tx=10s
/user-manager profile add name=plan-silver \
    name-for-users="Silver 25Mbps" validity=30d
/user-manager profile-limitation add \
    profile=plan-silver limitation=lim-silver

# Gold - 100/50 Mbps, no data cap
/user-manager limitation add name=lim-gold \
    rate-limit-rx=100M rate-limit-tx=50M
/user-manager profile add name=plan-gold \
    name-for-users="Gold 100Mbps" validity=30d
/user-manager profile-limitation add \
    profile=plan-gold limitation=lim-gold
```
Scenario 2: Hotspot with User Manager
Section titled “Scenario 2: Hotspot with User Manager”# Configure Hotspot to use RADIUS/ip hotspot profile set hsprof1 \ use-radius=yes \ radius-accounting=yes \ radius-interim-update=5m
# Add User Manager as RADIUS server/radius add address=127.0.0.1 \ secret=HotspotSecret123 \ service=hotspot
# Add router in User Manager/user-manager router add name=hotspot-server \ address=127.0.0.1 \ shared-secret=HotspotSecret123
# Create hotspot users/user-manager user add name=guest1 password=welcome123/user-manager user add name=guest2 password=welcome456Scenario 3: PPPoE Server with User Manager
Section titled “Scenario 3: PPPoE Server with User Manager”# On PPPoE server/ppp aaa set use-radius=yes accounting=yes interim-update=5m
/radius add address=10.0.0.1 \ secret=PPPoESecret123 \ service=ppp \ timeout=1s
# On User Manager router/user-manager router add name=pppoe-nas \ address=10.0.0.2 \ shared-secret=PPPoESecret123
# Create PPPoE subscriber/user-manager user add name=pppoe-user1 \ password=SecurePass123 \ shared-users=1Scenario 4: TOTP Two-Factor Authentication
Section titled “Scenario 4: TOTP Two-Factor Authentication”Enable time-based one-time passwords for enhanced security:
# Set TOTP secret for user (Base32 encoded)/user-manager user set [find name=adminuser] \ otp-secret=JBSWY3DPEHPK3PXPUser authenticates with: password + 6-digit TOTP code
Example: MyPassword123456 (where 123456 is the current TOTP)
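To see what the concatenated credential looks like and why clock drift breaks it, here is an added example in Python, not RouterOS code and not a description of User Manager's internals: an RFC 6238 TOTP generator (HMAC-SHA1, 30 s step, 6 digits, which are assumed to be User Manager's defaults), the password+code string the user submits, and an illustrative server-side check with a one-step tolerance window. The secret in the test is the RFC 6238 reference key, constructed here; the Base32 secret from the scenario above is only used to show the code shape.

```python
"""TOTP (RFC 6238: HMAC-SHA1, 30 s step, 6 digits) for a User Manager user with otp-secret set.
Added example, not RouterOS code; the 30 s / 6-digit parameters are an assumption."""
import base64, hashlib, hmac, struct, time

def totp(secret_b32, unix_time=None, step=30, digits=6):
    """HOTP(K, floor(T/step)) with dynamic truncation (RFC 4226 5.3); K is the Base32 otp-secret."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if unix_time is None else unix_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def radius_password(password, secret_b32, unix_time=None):
    """The single User-Password value the user submits: static password with the code appended."""
    return password + totp(secret_b32, unix_time)

def split_and_check(submitted, password, secret_b32, unix_time, window=1):
    """Illustrative server-side check (User Manager's real tolerance is not documented on this page):
    the last 6 characters are the code, the rest must equal the static password, and the code must
    match the current step or `window` steps either side. Drift beyond that rejects valid codes,
    which is why NTP is a prerequisite for TOTP."""
    static, code = submitted[:-6], submitted[-6:]
    if not hmac.compare_digest(static.encode(), password.encode()):
        return False
    return any(totp(secret_b32, unix_time + k * 30) == code for k in range(-window, window + 1))
```

radius_password("MyPassword", "JBSWY3DPEHPK3PXP") returns the string the user types right now; note that the same Base32 secret must be enrolled in the authenticator app, so treat otp-secret values as credentials when exporting or backing up the User Manager database.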
Scenario 5: Daily Data Cap with Reset
```
# 5 GiB daily limit (5368709120 bytes); counters reset every day at the clock time given in start-time
/user-manager limitation add name=daily-5gb \
    transfer-limit=5368709120 \
    reset-counters-interval=daily \
    reset-counters-start-time="jan/01/2024 00:00:00"

/user-manager profile add name=daily-plan validity=30d
/user-manager profile-limitation add \
    profile=daily-plan limitation=daily-5gb
```
Scenario 6: Time-Based Access (Business Hours Only)
Section titled “Scenario 6: Time-Based Access (Business Hours Only)”# Internet access only Mon-Fri 8:00-18:00/user-manager limitation add name=business-hours \ rate-limit-rx=50M rate-limit-tx=20M
/user-manager profile add name=office-hours validity=365d/user-manager profile-limitation add \ profile=office-hours \ limitation=business-hours \ from-time=08:00:00 \ till-time=18:00:00 \ weekdays=monday,tuesday,wednesday,thursday,fridayScenario 7: Batch User Creation
Section titled “Scenario 7: Batch User Creation”# Generate 10 users with random credentials/user-manager user add-batch-users \ number-of-users=10 \ username-length=8 \ username-characters=lowercase \ password-length=8 \ password-characters=lowercase,uppercase,numbers
# Export credentials to file/user-manager user generate-voucher \ voucher-template=export.csv [find]Scenario 8: Static IP Assignment
Section titled “Scenario 8: Static IP Assignment”# Assign specific IP to user via RADIUS attribute/user-manager user set [find name=server-user] \ attributes=Framed-IP-Address:192.168.1.100
# Assign from specific pool/user-manager user set [find name=vip-user] \ attributes=Framed-Pool:vip-poolWeb Portal
Section titled “Web Portal”User Manager includes a web interface at http://router-ip/um/:
- User self-service: View usage statistics, active sessions
- Profile purchases: PayPal integration for paid access
- Customizable: CSS, JavaScript, HTML templates
Configure admin access:
```
/user-manager advanced set \
    web-private-username=admin \
    web-private-password=SecureAdminPass
```
The admin area is at http://router-ip/um/PRIVATE/. It is served by the www service, so restrict that service to management addresses (/ip service set www address=...) or serve it over www-ssl, and choose a strong admin password: anyone who reaches this page can create users and read usage data.
Migrating from RouterOS 6
If upgrading from the RouterOS 6 User Manager:
```
# Copy the old user-manager folder to the router, then migrate
/user-manager database migrate-legacy-db \
    database-path=user-manager \
    overwrite=no
```
This imports users, profiles, limitations, routers, and sessions.
Verification Commands
```
# Check User Manager status
/user-manager print

# List all users
/user-manager user print

# Monitor a specific user's statistics
/user-manager user monitor [find name=subscriber1]

# View active sessions
/user-manager session print where active=yes

# Check profiles
/user-manager profile print

# View limitations
/user-manager limitation print

# Check configured routers/NAS
/user-manager router print

# RADIUS client statistics (requests, accepts, rejects, timeouts)
/radius monitor 0

# Database status
/user-manager database print
```
Troubleshooting
Section titled “Troubleshooting”| Problem | Possible Cause | Solution |
|---|---|---|
| Authentication fails | Shared secret mismatch | Verify secret matches in /user-manager router and /radius |
| Auth fails after v7.15 upgrade | Message-Authenticator is now required on the RADIUS exchange (Blast-RADIUS, CVE-2024-3596) | Upgrade the peer so it sends Message-Authenticator; only as a temporary workaround relax the client with /radius set 0 require-message-auth=no |
| Login fails with special chars | Console treats some characters specially | Avoid #, $, & in passwords, or quote the value and escape them |
| Sessions not tracked | Accounting disabled | Enable accounting=yes on service and RADIUS |
| Rate limit not applied | Service doesn’t support | IPsec doesn’t support rate limits; check service compatibility |
| User can’t connect | No profile assigned | Assign profile with /user-manager user-profile add |
| Quota not resetting | Wrong reset config | Check reset-counters-interval and reset-counters-start-time |
| TOTP fails | Clock out of sync | Configure NTP on both devices |
| Can’t access /um/ web | www service disabled | Enable /ip service set www disabled=no |
Debug Authentication Issues
```
# Enable RADIUS debug logging (debug output includes usernames and attributes; remove the rule when done)
/system logging add topics=radius,debug action=memory

# Watch the log
/log print where topics~"radius"

# Sessions are listed only for authentications that succeeded
/user-manager session print
```
Common Mistakes
Section titled “Common Mistakes”Avoid These Pitfalls
- Different shared secrets between User Manager and RADIUS client
- Forgetting
use-profiles=yeswhen using profiles/limitations - Not enabling accounting so sessions aren’t tracked
- Using 127.0.0.1 incorrectly - both router and radius entries need same IP
- Special characters in passwords before migration - can cause login issues
Properties Reference
User Properties
| Property | Type | Description |
|---|---|---|
| name | string | Username for authentication |
| password | string | User password |
| group | string | User group (default: default) |
| shared-users | integer | Max simultaneous sessions (default: 1) |
| otp-secret | string | Base32 TOTP secret for 2FA |
| caller-id | string | Restrict to specific Calling-Station-Id |
| attributes | string | Custom RADIUS attributes |
| disabled | yes/no | Disable user account |
Limitation Properties
| Property | Type | Description |
|---|---|---|
| name | string | Limitation identifier |
| rate-limit-rx | rate | Download speed limit |
| rate-limit-tx | rate | Upload speed limit |
| rate-limit-burst-rx/tx | rate | Burst rate |
| rate-limit-burst-threshold-rx/tx | rate | Burst threshold |
| rate-limit-burst-time-rx/tx | time | Burst duration |
| rate-limit-min-rx/tx | rate | Guaranteed bandwidth |
| rate-limit-priority | 1-8 | Queue priority |
| download-limit | bytes | Total download allowed |
| upload-limit | bytes | Total upload allowed |
| transfer-limit | bytes | Combined traffic limit |
| uptime-limit | time | Maximum session time |
| reset-counters-interval | enum | hourly/daily/weekly/monthly |
| reset-counters-start-time | datetime | When counters reset |
Profile Properties
| Property | Type | Description |
|---|---|---|
| name | string | Profile identifier |
| name-for-users | string | Display name in web portal |
| validity | time | How long profile is valid |
| starts-when | enum | assigned or first-auth |
| override-shared-users | integer | Override user's shared-users |
| price | decimal | Cost for PayPal purchases |
Related Features
- RADIUS Client - Configure router as RADIUS client
- Hotspot - Captive portal configuration
- PPPoE Server - PPPoE server setup
- Dot1X - 802.1X port authentication