# RADIUS Integration

HotSpot can authenticate users against an external RADIUS server instead of (or in addition to) the local user database. This enables centralised credential management, per-user policy delivery via RADIUS reply attributes, and accounting records for billing or auditing.
## How HotSpot Uses RADIUS

When `use-radius=yes` is set in the HotSpot profile, the authentication flow changes:

- Client submits credentials on the login page
- RouterOS sends a RADIUS `Access-Request` to the configured server
- RADIUS server replies with `Access-Accept` (including optional policy attributes) or `Access-Reject`
- On accept, the session starts; RouterOS sends `Accounting-Start`
- Periodic `Accounting-Interim-Update` packets are sent at the configured interval
- On logout or timeout, RouterOS sends `Accounting-Stop`

The local HotSpot user database is not consulted when RADIUS is enabled for a profile — users must exist on the RADIUS server, not the router.
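To make the exchange above concrete, here is an added Python example (not RouterOS code and not part of the original page) that builds an RFC 2865 Access-Request the way a NAS does, shows the server-side recovery of the User-Password attribute, and performs the Response Authenticator check that any RFC 2865 client must do before trusting an Access-Accept. The shared secret, username, router address and client MAC are constructed sample values; the attribute set is reduced to the few needed to show the mechanism.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used below (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, CALLING_STATION_ID = 1, 2, 4, 18, 31
HEADER_LEN = 20  # Code(1) | Identifier(1) | Length(2) | Authenticator(16)


def attr(atype, value):
    """Encode one attribute as Type | Length | Value (Length counts the 2-byte header)."""
    return bytes([atype, len(value) + 2]) + value


def encode_user_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator. This hides the password from a passive observer but it is
    not an authenticator, which is why the reply check below matters."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decode_user_password(encoded, secret, req_auth):
    """Server side of the same transform: the keystream depends only on the secret,
    the Request Authenticator and the ciphertext blocks already seen."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, calling_mac, req_auth=None):
    """The packet a NAS sends for a login-page submission (attribute set reduced)."""
    req_auth = req_auth or os.urandom(16)  # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, encode_user_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLING_STATION_ID, calling_mac.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs


def build_response(code, ident, attrs, secret, req_auth):
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, secret, req_auth):
    """Client-side check before a reply is trusted: recompute the Response
    Authenticator from the shared secret and the Request Authenticator of the
    outstanding request. A reply produced without the secret, a reply bound to a
    different request, or a reply whose attributes changed in transit all fail."""
    if len(response) < HEADER_LEN:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + req_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


if __name__ == "__main__":
    # Constructed sample exchange: secret and addresses are placeholders
    secret = b"strong-radius-secret"
    ra = os.urandom(16)
    req = build_access_request(7, secret, "alice", "s3cr3t", "192.0.2.1", "AA:BB:CC:DD:EE:FF", ra)
    reply = build_response(ACCESS_ACCEPT, 7, attr(REPLY_MESSAGE, b"Welcome, Alice"), secret, ra)
    print("request bytes:", len(req), "accept verified:", verify_response(reply, secret, ra))
```

The same secret protects both directions: a mismatch makes the server unable to recover the password (so valid credentials are rejected, as the troubleshooting section notes) and makes every reply fail the authenticator check on the router, which is why `/radius monitor` counting timeouts or rejects is the first thing to look at.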
## Prerequisites

- A reachable RADIUS server (FreeRADIUS, User Manager, or any RFC 2865/2866-compliant server)
- Shared secret configured on both the router and RADIUS server
- Network connectivity from the router’s management or HotSpot interface to the RADIUS server on UDP ports 1812 (authentication) and 1813 (accounting)
## Step 1: Add the RADIUS Server

```routeros
/radius add address=192.0.2.10 \
    service=hotspot \
    secret=strong-radius-secret \
    authentication-port=1812 \
    accounting-port=1813 \
    timeout=300ms \
    comment="Primary HotSpot RADIUS"
```

For high-availability, add a secondary server with `backup=yes`:

```routeros
/radius add address=192.0.2.11 \
    service=hotspot \
    secret=strong-radius-secret \
    authentication-port=1812 \
    accounting-port=1813 \
    backup=yes \
    comment="Secondary HotSpot RADIUS"
```

### RADIUS Client Parameters

| Parameter | Description | Default |
|---|---|---|
| address | IP address of the RADIUS server | — |
| service | Which RouterOS service uses this entry; set `hotspot` | — |
| secret | Shared secret (must match server configuration) | — |
| authentication-port | UDP port for Access-Request packets | 1812 |
| accounting-port | UDP port for Accounting packets | 1813 |
| timeout | How long to wait for a response before trying the next server | 300ms |
| src-address | Source IP for RADIUS packets; useful when the router has multiple interfaces | 0.0.0.0 |
| realm | Domain appended to the username in Access-Request (e.g. `example.com`) | — |
| backup | Mark as secondary; only used when the primary is unreachable | no |
| called-id | Value sent as the Called-Station-Id attribute | — |
## Step 2: Enable RADIUS in the HotSpot Profile

```routeros
/ip hotspot profile set [find name=hsprof1] \
    use-radius=yes \
    radius-accounting=yes \
    radius-interim-update=5m
```

### HotSpot Profile RADIUS Parameters

| Parameter | Description | Default |
|---|---|---|
| use-radius | Enable RADIUS for this HotSpot profile | no |
| radius-accounting | Send accounting packets (Start/Stop/Interim) to RADIUS | yes |
| radius-interim-update | Interval for interim accounting updates; `received` uses the value from Access-Accept | received |
| radius-mac-authentication | Attempt MAC-based RADIUS auth before showing the login page | no |
| radius-mac-format | MAC format sent to RADIUS (`XX:XX:XX:XX:XX:XX`, `XXXXXXXXXXXX`, etc.) | XX:XX:XX:XX:XX:XX |
| radius-mac-mode | Whether MAC auth uses the MAC as username only, or as both username and password | as-username |
| radius-default-domain | Domain suffix appended to the username in Access-Request | — |
| radius-location-id | Sent as the NAS-Identifier attribute | — |
| radius-location-name | Sent as the WISPr-Location-Name VSA | — |
## MAC-Based Authentication

MAC authentication allows devices to be authenticated by their hardware address without a login page interaction. This is useful for devices that cannot display a browser (printers, IoT, set-top boxes).

```routeros
/ip hotspot profile set [find name=hsprof1] \
    use-radius=yes \
    radius-mac-authentication=yes \
    radius-mac-format=XX:XX:XX:XX:XX:XX \
    login-by=mac,http-chap
```

With `radius-mac-authentication=yes`, RouterOS sends a RADIUS Access-Request using the client’s MAC address as the username (and optionally password). If RADIUS returns Access-Accept, the client is authenticated silently. If rejected, the login page is shown.
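Because the MAC is sent as a plain `User-Name` string, the server's stored entry must match it character for character, which is the usual cause of the "silently failing" case in the troubleshooting section below. The following added Python example (not RouterOS or FreeRADIUS code, and not from the original page) renders an address through a `radius-mac-format`-style template, where `X` stands for an upper-case hex digit and `x` for a lower-case one and every other character is literal, and then explains why a sent `User-Name` fails to match a stored entry. The template semantics are an assumption generalised from the two formats listed in the table above.

```python
import re


def format_mac(mac, template="XX:XX:XX:XX:XX:XX"):
    """Render a hardware address the way a radius-mac-format template does:
    each 'X' in the template consumes the next hex digit in upper case, each
    'x' in lower case, and every other character is copied as a literal.
    The input may be in any common notation (colons, dashes, dots, none)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if template.count("X") + template.count("x") != 12:
        raise ValueError("template must hold exactly 12 hex placeholders: %r" % template)
    out, nxt = [], iter(digits)
    for ch in template:
        if ch == "X":
            out.append(next(nxt).upper())
        elif ch == "x":
            out.append(next(nxt).lower())
        else:
            out.append(ch)
    return "".join(out)


def canonical_mac(mac):
    """Delimiter- and case-insensitive form, suitable as a lookup key."""
    return format_mac(mac, "xxxxxxxxxxxx")


def _skeleton(s):
    return re.sub(r"[0-9a-fA-F]", "X", s)


def _hex_digits(s):
    return re.sub(r"[^0-9a-fA-F]", "", s)


def explain_mismatch(sent_user_name, stored_entry):
    """Why the User-Name of a MAC-auth Access-Request fails to match a stored
    entry. Returns None for an exact match; 'delimiter', 'case' or
    'delimiter and case' when only the notation differs; or
    'different address' when the hardware addresses themselves differ."""
    if sent_user_name == stored_entry:
        return None
    if canonical_mac(sent_user_name) != canonical_mac(stored_entry):
        return "different address"
    reasons = []
    if _skeleton(sent_user_name) != _skeleton(stored_entry):
        reasons.append("delimiter")
    if _hex_digits(sent_user_name) != _hex_digits(stored_entry):
        reasons.append("case")
    return " and ".join(reasons)


def find_entry(sent_user_name, entries):
    """Server-side lookup that tolerates notation differences by keying on the
    canonical form; returns the stored entry that matches, or None."""
    index = {canonical_mac(e): e for e in entries}
    return index.get(canonical_mac(sent_user_name))


if __name__ == "__main__":
    # Constructed sample: the router sends colon-separated upper case, the
    # database was populated with bare lower-case digits
    sent = format_mac("aa-bb-cc-dd-ee-ff")          # what radius-mac-format=XX:XX:XX:XX:XX:XX emits
    print(sent, "vs aabbccddeeff:", explain_mismatch(sent, "aabbccddeeff"))
```

Pick one notation for the whole deployment (set `radius-mac-format` to the form the server stores, or canonicalise on the server side as `find_entry` does) rather than relying on a particular client to send a particular case.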
## Accounting and Interim Updates

RADIUS accounting tracks session start, live usage, and end for billing and audit purposes.

```routeros
/ip hotspot profile set [find name=hsprof1] \
    radius-accounting=yes \
    radius-interim-update=1m
```

RouterOS sends:

| Packet | When |
|---|---|
| Accounting-Start | Client successfully authenticates |
| Accounting-Interim-Update | Periodically (per `radius-interim-update` interval) |
| Accounting-Stop | Session ends (logout, timeout, disconnect) |

Standard accounting attributes included in each packet:

| Attribute | Description |
|---|---|
| Acct-Session-Id | Unique session identifier |
| Acct-Status-Type | Start, Interim-Update, or Stop |
| Acct-Input-Octets | Bytes received by client (download) |
| Acct-Output-Octets | Bytes sent by client (upload) |
| Acct-Input-Packets | Packets received by client |
| Acct-Output-Packets | Packets sent by client |
| Acct-Session-Time | Session duration in seconds |
| Acct-Terminate-Cause | Reason for session end (on Stop only) |
## MikroTik Vendor-Specific Attributes (VSAs)

RouterOS honours MikroTik VSAs returned in Access-Accept to apply per-user policy without local user entries.

| VSA | Direction | Description |
|---|---|---|
| Mikrotik-Rate-Limit | Reply | Bandwidth limit in simple-queue format (e.g. `5M/10M`) |
| Mikrotik-Group | Reply | HotSpot user profile to apply |
| Mikrotik-Recv-Limit | Reply | Download byte cap for the session |
| Mikrotik-Xmit-Limit | Reply | Upload byte cap for the session |
| Mikrotik-Realm | Request | HotSpot DNS name (sent by router) |
| Mikrotik-Host-IP | Request | Client IP address (sent by router) |

Using `Mikrotik-Group`, you can assign a user profile (and all its limits) from the RADIUS server:

```
# FreeRADIUS: authorize file example
alice Cleartext-Password := "s3cr3t"
    Mikrotik-Group := "premium",
    Mikrotik-Rate-Limit := "20M/20M",
    Session-Timeout := 28800,
    Reply-Message := "Welcome, Alice"
```
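On the wire, each MikroTik VSA travels inside a standard Vendor-Specific (type 26) attribute as Vendor-Id followed by its own sub-type/length/value, while the accounting counters from the previous section are plain 32-bit integer attributes. The following added Python example (not RouterOS or FreeRADIUS code, and not part of the original page) decodes both: the attribute list of an Access-Accept carrying the VSAs above, and of an Accounting-Stop carrying the counters from the accounting table, producing the fields a billing or audit job keys on. The vendor id 14988 and the VSA sub-type numbers are assumed to match FreeRADIUS's `dictionary.mikrotik`; the two sample packets are constructed here to mirror the `alice` entry and are not captures.

```python
import struct

# Standard attribute numbers (RFC 2865/2866), named as on this page
VENDOR_SPECIFIC = 26
STD_NAMES = {
    1: "User-Name", 18: "Reply-Message", 27: "Session-Timeout",
    40: "Acct-Status-Type", 42: "Acct-Input-Octets", 43: "Acct-Output-Octets",
    44: "Acct-Session-Id", 46: "Acct-Session-Time", 47: "Acct-Input-Packets",
    48: "Acct-Output-Packets", 49: "Acct-Terminate-Cause", 85: "Acct-Interim-Interval",
}
INTEGER_ATTRS = {27, 40, 42, 43, 46, 47, 48, 49, 85}
ACCT_STATUS_TYPE = {1: "Start", 2: "Stop", 3: "Interim-Update"}

# MikroTik VSAs: vendor id and sub-types as in FreeRADIUS dictionary.mikrotik (assumption)
MIKROTIK_VENDOR_ID = 14988
MIKROTIK_NAMES = {1: "Mikrotik-Recv-Limit", 2: "Mikrotik-Xmit-Limit", 3: "Mikrotik-Group",
                  8: "Mikrotik-Rate-Limit", 9: "Mikrotik-Realm", 10: "Mikrotik-Host-IP"}
MIKROTIK_INTEGER, MIKROTIK_IPADDR = {1, 2}, {10}


def attr(atype, value):
    """Encode Type | Length | Value; Length counts the 2-byte header."""
    return bytes([atype, len(value) + 2]) + value


def mikrotik_vsa(sub, value):
    """Vendor-Specific(26) = Vendor-Id(4) | Sub-Type | Sub-Length | Sub-Value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MIKROTIK_VENDOR_ID) + attr(sub, value))


def iter_attrs(blob):
    """Walk a TLV list; refuses lengths that run past the buffer or below 2."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def decode_attrs(blob):
    """Decode an attribute list to {name: value}; MikroTik VSAs are expanded,
    other vendors' VSAs are skipped rather than mis-decoded."""
    out = {}
    for atype, value in iter_attrs(blob):
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
                continue
            for sub, sval in iter_attrs(value[4:]):
                name = MIKROTIK_NAMES.get(sub, "Mikrotik-%d" % sub)
                if sub in MIKROTIK_INTEGER:
                    out[name] = struct.unpack("!I", sval)[0]
                elif sub in MIKROTIK_IPADDR:
                    out[name] = "%d.%d.%d.%d" % tuple(sval[:4])
                else:
                    out[name] = sval.decode(errors="replace")
        elif atype in INTEGER_ATTRS:
            out[STD_NAMES[atype]] = struct.unpack("!I", value)[0]
        else:
            out[STD_NAMES.get(atype, "Attr-%d" % atype)] = value.decode(errors="replace")
    return out


def parse_rate_limit(spec):
    """'rx/tx' of Mikrotik-Rate-Limit in simple-queue notation (e.g. 5M/10M) to
    bits/s, treating k/M/G as decimal multipliers; burst fields after the first
    space, if present, are ignored here."""
    mult = {"k": 10**3, "K": 10**3, "M": 10**6, "G": 10**9}
    def one(tok):
        return int(tok[:-1]) * mult[tok[-1]] if tok[-1] in mult else int(tok)
    rx, tx = spec.split()[0].split("/")
    return one(rx), one(tx)


def session_summary(acct):
    """Condense decoded Accounting-Stop/Interim-Update attributes for billing or audit."""
    return {"session_id": acct["Acct-Session-Id"],
            "status": ACCT_STATUS_TYPE.get(acct["Acct-Status-Type"], "unknown"),
            "input_octets": acct.get("Acct-Input-Octets", 0),
            "output_octets": acct.get("Acct-Output-Octets", 0),
            "seconds": acct.get("Acct-Session-Time", 0)}


def sample_access_accept():
    """Constructed attribute list matching the 'alice' entry above (header omitted)."""
    return (attr(18, b"Welcome, Alice") + attr(27, struct.pack("!I", 28800))
            + mikrotik_vsa(3, b"premium") + mikrotik_vsa(8, b"20M/20M"))


def sample_accounting_stop():
    """Constructed Accounting-Stop attribute list: 700 MiB in, 50 MiB out, one hour."""
    return (attr(44, b"81f00001") + attr(40, struct.pack("!I", 2))
            + attr(42, struct.pack("!I", 734003200)) + attr(43, struct.pack("!I", 52428800))
            + attr(46, struct.pack("!I", 3600)) + attr(49, struct.pack("!I", 1)))


if __name__ == "__main__":
    print(decode_attrs(sample_access_accept()))
    print(session_summary(decode_attrs(sample_accounting_stop())))
```

Lengths are validated on every level of the TLV walk because a single short or oversized length byte is enough to make a naive decoder read outside the attribute; treating such packets as malformed (and logging them) is safer than best-effort parsing.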
## User Manager (Built-in RADIUS)

RouterOS includes a built-in RADIUS server called User Manager. It handles HotSpot authentication without requiring an external server and supports usage-based billing (time and data quotas).

```routeros
# Enable User Manager
/tool user-manager set enabled=yes

# Point HotSpot RADIUS client at localhost
/radius add address=127.0.0.1 \
    service=hotspot \
    secret=um-local-secret \
    authentication-port=1812 \
    accounting-port=1813

# Enable RADIUS in HotSpot profile
/ip hotspot profile set [find name=hsprof1] use-radius=yes radius-accounting=yes
```

User Manager profiles can define:

- Time-based validity (e.g. 30-day vouchers)
- Uptime limits (e.g. 10 hours total)
- Transfer limits (e.g. 5 GB)
## FreeRADIUS Configuration Example

For FreeRADIUS 3.x, add the MikroTik dictionary and configure clients and users:

```
# clients.conf
client routeros {
    ipaddr   = 192.0.2.1        # Router IP
    secret   = strong-radius-secret
    nas_type = other
}
```

```
# users (authorize) file

# Basic user with rate limit and session cap
guest Cleartext-Password := "guest123"
    Mikrotik-Rate-Limit := "5M/5M",
    Session-Timeout := 3600,
    Reply-Message := "Welcome to guest WiFi"

# Premium user via group (profile must exist in HotSpot)
premium_user Cleartext-Password := "prempass"
    Mikrotik-Group := "premium",
    Reply-Message := "Premium access granted"
```

Ensure the MikroTik dictionary is loaded:

```
# Check /etc/freeradius/3.0/dictionary includes:
$INCLUDE /usr/share/freeradius/dictionary.mikrotik
```

## Verifying RADIUS Operation

```routeros
# Check RADIUS server entries
/radius print detail

# Monitor RADIUS statistics (requests, accepts, rejects, timeouts)
/radius monitor 0

# Watch active HotSpot sessions (should show RADIUS-authenticated users)
/ip hotspot active print

# View HotSpot log messages including RADIUS exchange results
/log print where topics~"hotspot"

# View system log for RADIUS errors
/log print where topics~"radius"
```

## Troubleshooting
### Access-Reject for valid credentials

- Confirm the shared secret matches on both sides
- Check `radius-default-domain`; if set, the username sent is `user@domain`, so ensure the RADIUS server expects this format
- Test with `/tool ping address=<radius-server>` to confirm reachability
- Check RADIUS server logs for the specific reject reason

### MAC authentication silently failing

- Confirm `radius-mac-authentication=yes` in the HotSpot profile
- Verify `login-by` includes `mac` (e.g. `login-by=mac,http-chap`)
- Check that `radius-mac-format` matches the format your RADIUS server stores (delimiter and case)
- Check the RADIUS `authorize` file or database for the MAC entry

### Accounting packets not reaching RADIUS

- Ensure `radius-accounting=yes` and check `/radius monitor` for accounting counters
- Verify UDP 1813 is not blocked between the router and the RADIUS server
- Confirm the RADIUS server is configured to accept accounting (some minimal configs disable it)

### Session not disconnected at data limit

- The router enforces byte limits at the next accounting cycle; use a short `radius-interim-update` interval (e.g. `1m`) for near-real-time enforcement
- Ensure the RADIUS server sends `Session-Timeout` or `Acct-Interim-Interval` reply attributes if centralised cutoff is needed
## Related Documentation

- HotSpot Overview — Full setup guide including DHCP, NAT, and certificates
- User Profiles — Session timeouts, rate limits, and data quotas applied locally
- Walled Garden — Pre-authentication access to specific hosts
- User Management: AAA, Groups, and RADIUS — Router login (SSH/WinBox) via RADIUS