Local authentication is done by consulting the User Database and the Profile Database. The configuration is collected from the respective item in the User Database (determined by the username), from the item in the Profile Database that is associated with this item, and from the item in the Profile Database that is set as default for the service the user is authenticating to. Settings received from the default profile for the service are overridden by the respective settings from the user's profile, and the resulting settings are overridden by the respective settings taken from the User Database (the only exception is that concrete IP addresses take precedence over IP pools in the local-address and remote-address settings, as described later on).
RADIUS authentication gives the ISP or network administrator the ability to manage P2P user access and accounting from one server throughout a large network. MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
Traffic is accounted locally with Cisco IP pairs, and a snapshot image can be gathered using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server that is default for that service.
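The three-layer precedence described above, with the local-address/remote-address exception, as an added worked example (constructed here, not RouterOS code). Treating 0.0.0.0 or an empty value as "not set" is an assumption taken from the way unset addresses print in the console output on this page.

```python
from ipaddress import ip_address

# Settings to which the pool-versus-address exception applies.
ADDRESS_KEYS = ("local-address", "remote-address")
# Assumption: an unset address prints as 0.0.0.0 in the console output, so
# 0.0.0.0 (or an empty value) is treated as "nothing set at this layer".
UNSET = ("", "0.0.0.0", None)


def is_concrete_address(value):
    """True for a literal IP address, False for an IP pool name such as "ex"."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def effective_settings(service_default_profile, user_profile, user_entry):
    """Merge the layers in increasing order of precedence:
    default profile for the service < profile referenced by the user's entry
    < the user's own User Database entry.  For local-address/remote-address a
    concrete IP address in a lower layer is kept over a pool name in a higher one.
    """
    result = {}
    for layer in (service_default_profile, user_profile, user_entry):
        for key, value in layer.items():
            if value in UNSET:
                continue  # inherit whatever the lower layers gave
            current = result.get(key)
            if (key in ADDRESS_KEYS and current is not None
                    and is_concrete_address(current)
                    and not is_concrete_address(value)):
                continue  # concrete IP address beats an IP pool
            result[key] = value
    return result


# Constructed sample mirroring the "ex" profile and secret shown later on this page.
DEFAULT_PROFILE = {"local-address": "0.0.0.0", "remote-address": "0.0.0.0",
                   "use-encryption": "yes", "only-one": "no"}
PROFILE_EX = {"local-address": "10.0.0.1", "remote-address": "ex",
              "use-encryption": "no"}
SECRET_EX = {"local-address": "0.0.0.0", "remote-address": "0.0.0.0"}

if __name__ == "__main__":
    print(effective_settings(DEFAULT_PROFILE, PROFILE_EX, SECRET_EX))
```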
[admin@MikroTik] user group> print
  0 ;;; users with read only permission
    name="read" policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
  1 ;;; users with write permission
    name="write" policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
  2 ;;; users with complete access
    name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
[admin@MikroTik] user group>

An exclamation sign (!) just before a policy name means NOT.
[admin@MikroTik] user group> add name=reboot policy=telnet,reboot,read
[admin@MikroTik] user group> print
  0 ;;; users with read only permission
    name="read" policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
  1 ;;; users with write permission
    name="write" policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
  2 ;;; users with complete access
    name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
  3 name="reboot" policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test,!web
[admin@MikroTik] user group>
[admin@MikroTik] user> print
Flags: X - disabled
  #   NAME                GROUP      ADDRESS
  0   ;;; system default user
      admin               full       0.0.0.0/0
[admin@MikroTik] user>

When the user has logged in, he can change his password using the /password command. The user is required to enter his/her current password before entering the new password. When the user logs out and logs in the next time, the new password must be entered.
[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
  0 ;;; system default user
    name="admin" group=full address=0.0.0.0/0
  1 name="joe" group=write address=0.0.0.0/0
[admin@MikroTik] user>
when (date) - log-in time
name (name) - user name
address (IP address) - IP address from which the user is accessing the router
[admin@MikroTik] user> active print
Flags: R - radius
  #   WHEN                  NAME       ADDRESS          VIA
  0   feb/21/2003 17:48:21  admin      0.0.0.0          console
  1   feb/24/2003 22:14:48  admin      10.0.0.144       ssh
  2   mar/02/2003 23:36:34  admin      10.0.0.144       web
[admin@MikroTik] user>
[admin@MikroTik] user aaa> print
        use-radius: no
        accounting: yes
    interim-update: 0s
     default-group: read
[admin@MikroTik] user aaa>
[admin@MikroTik] user aaa> set use-radius=yes
[admin@MikroTik] user aaa> print
        use-radius: yes
        accounting: yes
    interim-update: 0s
     default-group: read
[admin@MikroTik] user aaa>
[admin@MikroTik] ppp profile> print
Flags: * - default
  0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
      session-timeout=0s idle-timeout=0s use-compression=no
      use-vj-compression=no use-encryption=yes require-encryption=no
      only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
      outgoing-filter="" wins-server=""
[admin@MikroTik] ppp profile>

Use VJ compression only if you have to, because it may slow down communication on bad or congested channels.
tx-bit-rate and rx-bit-rate are used for PPPoE connections only.
[admin@MikroTik] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex
[admin@MikroTik] ppp profile> print
Flags: * - default
  0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
      session-timeout=0s idle-timeout=0s use-compression=no
      use-vj-compression=no use-encryption=yes require-encryption=no
      only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
      outgoing-filter="" wins-server=""
  1   name="ex" local-address=10.0.0.1 remote-address=ex
      session-timeout=0s idle-timeout=0s use-compression=no
      use-vj-compression=no use-encryption=no require-encryption=no
      only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
      outgoing-filter="" wins-server=""
[admin@MikroTik] ppp profile>
[admin@MikroTik] ppp secret> add name=ex password=lkjrht service=pptp profile=ex
[admin@MikroTik] ppp secret> print
Flags: X - disabled
  #   NAME      SERVICE   CALLER-ID   PASSWORD   PROFILE
  0   ex        pptp                  lkjrht     ex
[admin@MikroTik] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=pptp caller-id="" password="lkjrht" profile=ex
      local-address=0.0.0.0 remote-address=0.0.0.0 routes=""
[admin@MikroTik] ppp secret>
name (name) - user name
service (async | isdn | l2tp | pppoe | pptp) - what service the user is using
caller-id (string) - unique client identifier
address (IP address) - the IP address the client got from the server
uptime (time) - uptime
encoding (string) - encryption and encoding (if asymmetric, separated with '/') being used in this connection
[admin@MikroTik] ppp profile> .. active print
Flags: R - radius
  #   NAME   SERVICE   CALLER-ID    ADDRESS      UPTIME     ENCODING
  0   ex     pptp      10.0.0.148   10.1.0.148   1d15h...   MPPE12...
[admin@MikroTik] ppp profile> .. active print detail
Flags: R - radius
  0   name="ex" service=pptp caller-id="10.0.0.148" address=10.1.0.148
      uptime=1d15h4m41s encoding="MPPE128 stateless"
[admin@MikroTik] ppp profile>
[admin@MikroTik] ppp aaa> print
        use-radius: no
        accounting: yes
    interim-update: 0s
[admin@MikroTik] ppp aaa>
[admin@MikroTik] ppp aaa> set use-radius=yes
[admin@MikroTik] ppp aaa> print
        use-radius: yes
        accounting: yes
    interim-update: 0s
[admin@MikroTik] ppp aaa>
[admin@MikroTik] ip accounting> print
      enabled: no
    threshold: 256
[admin@MikroTik] ip accounting>
If no matching IP or user pair exists, a new entry to the table will be created.
Note that for bidirectional connections two entries will be created.
Only packets that enter and leave the router are accounted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted either, such as packets used for administration connections (i.e. web and telnet connections to the router). Packets that are NATted on the router are accounted with the actual IP addresses on each side. Packets that pass through bridged interfaces (i.e. inside the bridge interface) are also accounted correctly.
When the threshold limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted in the accounting table will then be added to the uncounted counter. To see if the limit on pairs has been reached, check the uncounted counter:
[admin@MikroTik] ip accounting uncounted> print
    packets: 0
      bytes: 0
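The accounting table behaviour described above (one entry per IP pair, two entries for a bidirectional conversation, router-originated and dropped packets skipped, and the uncounted counter once the threshold is hit) as an added model in Python. This is a constructed example, not RouterOS code; the sample packets are made up and `demo()` uses a threshold of 2 only so that the limit is reached quickly.

```python
class IpAccounting:
    """Model of the local Cisco-IP-pairs accounting described in the text."""

    def __init__(self, threshold=256, router_addresses=()):
        self.threshold = threshold
        # Addresses of the router itself: traffic to or from them is not accounted.
        self.router_addresses = set(router_addresses)
        self.pairs = {}          # (src, dst) -> [packets, bytes]; one entry per direction
        self.uncounted = [0, 0]  # [packets, bytes] not fitting into the table

    def forward(self, src, dst, length, dropped=False):
        """Account one packet seen by the router."""
        if dropped:
            return  # packets dropped in the router are not counted
        if src in self.router_addresses or dst in self.router_addresses:
            return  # e.g. a web or telnet administration connection to the router
        entry = self.pairs.get((src, dst))
        if entry is None:
            if len(self.pairs) >= self.threshold:
                # Threshold reached: no new pair is added, the packet goes to uncounted.
                self.uncounted[0] += 1
                self.uncounted[1] += length
                return
            entry = self.pairs[(src, dst)] = [0, 0]
        entry[0] += 1
        entry[1] += length

    def limit_reached(self):
        """The check the text recommends: a non-zero uncounted counter."""
        return self.uncounted[0] > 0

    def rows(self):
        """Table rows in the order `snapshot print` would list them (sorted here)."""
        return [(s, d, p, b) for (s, d), (p, b) in sorted(self.pairs.items())]


def demo():
    acct = IpAccounting(threshold=2, router_addresses={"10.0.0.1"})
    # Constructed traffic: one bidirectional flow, one admin session, one extra pair.
    for src, dst, size in [("10.5.8.8", "10.0.0.4", 78), ("10.0.0.4", "10.5.8.8", 78),
                           ("10.0.0.144", "10.0.0.1", 60),     # telnet to the router
                           ("10.0.0.144", "10.5.8.23", 1500)]:  # third pair: over threshold
        acct.forward(src, dst, size)
    acct.forward("10.0.0.4", "10.5.8.8", 40, dropped=True)       # filtered packet
    return acct


if __name__ == "__main__":
    a = demo()
    print(a.rows(), a.uncounted, a.limit_reached())
```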
[admin@MikroTik] ip accounting> set enabled=yes
[admin@MikroTik] ip accounting> print
      enabled: yes
    threshold: 256
[admin@MikroTik] ip accounting>
src-address (IP address) - source address
dst-address (IP address) - destination address
packets (integer) - total number of packets matched by this entry
bytes (integer) - total number of bytes matched by this entry
src-user (string) - sender's name (if applicable)
dst-user (string) - recipient's name (if applicable)
Before the first snapshot is taken, the table is empty.
[admin@MikroTik] ip accounting> snapshot take

To view the current snapshot:

[admin@MikroTik] ip accounting> snapshot print
  #   SRC-ADDRESS      DST-ADDRESS      PACKETS   BYTES     SRC-USER   DST-USER
  0   10.5.8.8         10.0.0.4         194       15132
  1   10.0.0.4         10.5.8.8         194       15132
  2   10.0.0.144       10.5.8.23        4960      4097835
  3   10.5.8.23        10.0.0.144       4807      3843113
[admin@MikroTik] ip accounting>
[admin@MikroTik] ip accounting web-access> print
    accessible-via-web: no
               address: 0.0.0.0/0
[admin@MikroTik] ip accounting web-access>
[admin@MikroTik] ip accounting web-access> set accessible-via-web=yes \
\... address=10.0.0.1/32
[admin@MikroTik] ip accounting web-access> print
    accessible-via-web: yes
               address: 10.0.0.1/32
[admin@MikroTik] ip accounting web-access>
Windows clients send their usernames in the form domain\username.
[admin@MikroTik] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex
[admin@MikroTik] radius> print
Flags: X - disabled
  #   SERVICE       CALLED-ID   DOMAIN   ADDRESS      SECRET
  0   ppp,hotspot                        10.0.0.3     ex
[admin@MikroTik] radius>

AAA for the respective services should be enabled too:

[admin@MikroTik] radius> /ppp aaa set use-radius=yes
[admin@MikroTik] radius> /ip hotspot aaa set use-radius=yes

To view some statistics for a client:

[admin@MikroTik] radius> monitor 0
             pending: 0
            requests: 10
             accepts: 4
             rejects: 1
             resends: 15
            timeouts: 5
         bad-replies: 0
    last-request-rtt: 0s
[admin@MikroTik] radius>
FreeRADIUS : http://www.freeradius.org/
XTRadius : http://xtradius.sourceforge.net/ (does not support MS-CHAP)
Steel-Belted Radius : http://www.funk.com/
Note that it may conflict with the default configuration files of the RADIUS server, which have references to Attributes that are absent from this dictionary. Please correct the configuration files, not the dictionary, as no other Attributes are supported by MikroTik RouterOS.
There is also dictionary.mikrotik, which can be included in an existing dictionary to support MikroTik vendor-specific Attributes.
Service-Type - always Framed-User (only for P2P)
Framed-Protocol - always PPP (only for P2P)
NAS-Identifier - router identity
NAS-IP-Address - router IP address
NAS-Port-Type - Async (for async PPP); Virtual (for PPTP and L2TP); Ethernet (for PPPoE and HotSpot); ISDN Sync (for ISDN)
Calling-Station-Id - client MSN (for ISDN); client public IP address (for PPTP and L2TP); client MAC address (with CAPITAL letters) (for PPPoE); client MAC address (with CAPITAL letters) (for HotSpot)
Called-Station-Id - service name (for PPPoE); server IP address (for PPTP and L2TP); interface MSN (for ISDN); HotSpot server MAC address (for HotSpot)
NAS-Port - interface ID that may be used by an SNMP client to retrieve statistics information (only for P2P); a unique session ID (for HotSpot)
NAS-Port-Id - serial port name (for async PPP); name of the ethernet interface the server is running on (for PPPoE and HotSpot)
User-Name - client login name
MS-CHAP-Domain - authentication domain if the username is in "domain\username" form (if the Windows client has set the "include domain name" parameter) (only for P2P)

Depending on the authentication method (always CHAP for HotSpot):

User-Password - encrypted password (used with PAP auth.)
CHAP-Password, CHAP-Challenge - encrypted password and challenge (used with CHAP auth.)
MS-CHAP-Response, MS-CHAP-Challenge - encrypted password and challenge (used with MS-CHAPv1 auth.)
MS-CHAP2-Response, MS-CHAP2-Challenge - encrypted password and challenge (used with MS-CHAPv2 auth.)
Framed-IP-Address - IP address given to the client. NOTE for P2P: if the address belongs to the networks 127.0.0.0/8, 224.0.0.0/4 or 240.0.0.0/4, the IP pool from the default profile is used to allocate the client IP address. NOTE for HotSpot: if the address is 255.255.255.254, the IP pool from the hotspot settings is used. If Framed-IP-Address is specified, Framed-Pool is ignored
Framed-IP-Netmask - client netmask. For P2P: if specified, a route will be created to the network Framed-IP-Address belongs to via the Framed-IP-Address gateway. For HotSpot: Framed-IP-Address netmask for the DHCP-pool login method
Framed-Pool - IP pool name (on the router) from which to get the IP address for the client. If specified, overrides Framed-IP-Address
Idle-Timeout - idle-timeout parameter
Session-Timeout - session-timeout parameter
Class - cookie, will be included in Accounting-Request unchanged
Framed-Route - routes to add on the server. The format is specified in RFC2865 (Ch. 5.22); can be specified as many times as needed
Filter-Id - firewall filter chain name. It is used to make a dynamic firewall rule that will jump to the specified chain if a packet comes to or from the client. The firewall chain name can have the suffix .in or .out, which will install the rule only for incoming or outgoing traffic. Multiple Filter-Id attributes can be provided, but only the last ones for incoming and outgoing are used
Acct-Interim-Interval - interim-update for the RADIUS client; if 0, the one specified in the RADIUS client is used
MS-MPPE-Encryption-Policy - require-encryption parameter (only for P2P)
MS-MPPE-Encryption-Type - use-encryption parameter. A non-zero value means use encryption (only for P2P)
Ascend-Data-Rate - tx/rx data rate limitation (for PPPoE and HotSpot). If multiple attributes are provided, the first limits the tx data rate, the second the rx data rate. 0 if unlimited
Ascend-Xmit-Rate - tx data rate limitation (for PPPoE and HotSpot only). It may be used to specify the tx limit only, instead of sending two sequential Ascend-Data-Rate attributes. 0 if unlimited
Ascend-Client-Gateway - client gateway for the DHCP-pool HotSpot login method (only for HotSpot)
Mikrotik-Recv-Limit - total receive limit in bytes for the client (only for HotSpot)
Mikrotik-Xmit-Limit - total transmit limit in bytes for the client (only for HotSpot)
MS-CHAP2-Success - auth. response if MS-CHAPv2 was used (only for P2P)
MS-MPPE-Send-Key and MS-MPPE-Recv-Key - encryption keys for encrypted PPP, PPTP, L2TP and PPPoE, provided by the RADIUS server only if MS-CHAP (either v1 or v2) was used for authentication (for PPP, PPTP, L2TP, PPPoE only)

Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from the RADIUS server, the default one is used.
Acct-Status-Type - Start, Stop, or Interim-Update
Acct-Session-Id - accounting session ID
Service-Type - same as in request (only for P2P)
Framed-Protocol - same as in request (only for P2P)
NAS-Identifier - same as in request
NAS-IP-Address - same as in request
User-Name - same as in request
MS-CHAP-Domain - same as in request (only for P2P)
NAS-Port-Type - same as in request
NAS-Port - same as in request (only for P2P)
NAS-Port-Id - same as in request
Calling-Station-Id - same as in request
Called-Station-Id - same as in request
Acct-Authentic - whether the user was authenticated by the RADIUS or the Local authority (only for P2P)
Framed-IP-Address - IP address given to the user
Framed-IP-Netmask - same as in request (only for P2P)
Class - RADIUS server cookie
Acct-Delay-Time - how long the router has been trying to send this Accounting-Request packet

RADIUS attributes additionally included in Stop and Interim-Update Accounting-Request packets:

Acct-Session-Time - connection uptime in seconds
Acct-Input-Octets - bytes received from the client
Acct-Input-Packets - packets received from the client
Acct-Output-Octets - bytes sent to the client
Acct-Output-Packets - packets sent to the client

Stop Accounting-Request packets can additionally have:

Acct-Terminate-Cause - session termination cause (described in RFC2866 Ch. 5.10)
| Name | VendorID | Value | RFC where it is defined |
|---|---|---|---|
| Acct-Authentic | | 45 | RFC2866 |
| Acct-Delay-Time | | 41 | RFC2866 |
| Acct-Input-Octets | | 42 | RFC2866 |
| Acct-Input-Packets | | 47 | RFC2866 |
| Acct-Interim-Interval | | 85 | RFC2869 |
| Acct-Output-Octets | | 43 | RFC2866 |
| Acct-Output-Packets | | 48 | RFC2866 |
| Acct-Session-Id | | 44 | RFC2866 |
| Acct-Session-Time | | 46 | RFC2866 |
| Acct-Status-Type | | 40 | RFC2866 |
| Acct-Terminate-Cause | | 49 | RFC2866 |
| Ascend-Client-Gateway | 529 | 132 | |
| Ascend-Data-Rate | 529 | 197 | |
| Ascend-Xmit-Rate | 529 | 255 | |
| Called-Station-Id | | 30 | RFC2865 |
| Calling-Station-Id | | 31 | RFC2865 |
| CHAP-Challenge | | 60 | RFC2866 |
| CHAP-Password | | 3 | RFC2865 |
| Class | | 25 | RFC2865 |
| Filter-Id | | 11 | RFC2865 |
| Framed-IP-Address | | 8 | RFC2865 |
| Framed-IP-Netmask | | 9 | RFC2865 |
| Framed-Pool | | 88 | RFC2869 |
| Framed-Protocol | | 7 | RFC2865 |
| Framed-Route | | 22 | RFC2865 |
| Idle-Timeout | | 28 | RFC2865 |
| MS-CHAP-Challenge | 311 | 11 | RFC2548 |
| MS-CHAP-Domain | 311 | 10 | RFC2548 |
| MS-CHAP-Response | 311 | 1 | RFC2548 |
| MS-CHAP2-Response | 311 | 25 | RFC2548 |
| MS-CHAP2-Success | 311 | 26 | RFC2548 |
| MS-MPPE-Encryption-Policy | 311 | 7 | RFC2548 |
| MS-MPPE-Encryption-Type | 311 | 8 | RFC2548 |
| MS-MPPE-Recv-Key | 311 | 17 | RFC2548 |
| MS-MPPE-Send-Key | 311 | 16 | RFC2548 |
| Mikrotik-Recv-Limit | 14988 | 1 | |
| Mikrotik-Xmit-Limit | 14988 | 2 | |
| NAS-Identifier | | 32 | RFC2865 |
| NAS-IP-Address | | 4 | RFC2865 |
| NAS-Port | | 5 | RFC2865 |
| NAS-Port-Id | | 87 | RFC2869 |
| NAS-Port-Type | | 61 | RFC2865 |
| Service-Type | | 6 | RFC2865 |
| Session-Timeout | | 27 | RFC2865 |
| User-Name | | 1 | RFC2865 |
| User-Password | | 2 | RFC2865 |
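How the standard and vendor-specific attributes in the table above are laid out on the wire, together with the P2P Framed-IP-Address pool rule from the received-attributes list, as an added Python example (constructed here; not RouterOS or FreeRADIUS code). The encoder/decoder follows RFC 2865 (type, length, value; Vendor-Specific type 26 carrying Vendor-Id plus vendor type/length), and only a subset of the names from the table is included.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26
# (vendor id, type) -> name, a subset of the table above; vendor 0 marks a
# standard attribute.  311 = Microsoft, 529 = Ascend, 14988 = MikroTik.
ATTR_NAMES = {
    (0, 1): "User-Name", (0, 8): "Framed-IP-Address", (0, 27): "Session-Timeout",
    (0, 88): "Framed-Pool", (311, 8): "MS-MPPE-Encryption-Type",
    (529, 197): "Ascend-Data-Rate",
    (14988, 1): "Mikrotik-Recv-Limit", (14988, 2): "Mikrotik-Xmit-Limit",
}
# Framed-IP-Address values that mean "allocate from the default profile's pool" (P2P note).
POOL_MARKERS = [IPv4Network(n) for n in ("127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]


def encode_attr(attr_type, value, vendor_id=0):
    """Encode one TLV; a non-zero vendor_id wraps it in a Vendor-Specific (26) TLV."""
    tlv = struct.pack("!BB", attr_type, 2 + len(value)) + value
    if vendor_id == 0:
        return tlv
    body = struct.pack("!I", vendor_id) + tlv  # Vendor-Id, then vendor type/length/value
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attrs(payload):
    """Parse a RADIUS attribute section into (name, raw value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + length]
        if t == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed vendor-specific attribute")
            vendor_id, vtype = struct.unpack("!I", value[:4])[0], value[4]
            out.append((ATTR_NAMES.get((vendor_id, vtype), "Vendor-%d-%d" % (vendor_id, vtype)), value[6:]))
        else:
            out.append((ATTR_NAMES.get((0, t), "Attribute-%d" % t), value))
        i += length
    return out


def p2p_address_source(attrs):
    """Framed-IP-Address note above: an address in a reserved range means 'use the pool'."""
    for name, value in attrs:
        if name == "Framed-IP-Address":
            addr = IPv4Address(value)
            return "pool" if any(addr in n for n in POOL_MARKERS) else str(addr)
    return "default-profile"  # nothing received: the default profile's setting applies
```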