Authentication, Authorization and Accounting

Document revision 1.14 (06-Oct-2003)
This document applies to MikroTik RouterOS v2.7

Table of Contents

Summary

The Authentication, Authorization and Accounting feature provides local and/or remote (RADIUS server based) management of Point-to-Point and HotSpot users, as well as traffic accounting (all IP traffic passing through the router is accounted).

Specifications

Packages required : system
License required : Any
Home menu level : /user, /ppp, /ip accounting, /radius
Protocols utilized : RADIUS (RFC2865)
Hardware usage: local traffic accounting requires some memory

Related Documents

Software Package Installation and Upgrading
IP Addresses and Address Resolution Protocol (ARP)
HotSpot Gateway

Description

The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.

Local authentication is done by consulting the User Database and the Profile Database. The configuration is collected from the respective item in the User Database (determined by the username), from the item in the Profile Database that is associated with this item, and from the item in the Profile Database that is set as default for the service the user is authenticating to. Settings received from the default profile for the service are overridden by the respective settings from the user's profile, and the resulting settings are overridden by the respective settings taken from the User Database (the only exception is that concrete IP addresses take precedence over IP pools in the local-address and remote-address settings, as described later on).

RADIUS authentication gives the ISP or network administrator the ability to manage P2P user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received, they are taken from the respective default profile.

Traffic is accounted locally in Cisco IP pairs, and a snapshot image can be gathered using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server that is the default for that service.

Router User AAA

Description

A router user can manage the router from the local console, via serial terminal, telnet, SSH or Winbox. Router user permissions are determined by the group the user belongs to.

Router User Groups

Submenu level : /user group

Property Description

name (name) - group name
policy (multiple choice: local | telnet | ssh | ftp | reboot | read | write | policy | test | web) - group rights:
  • local - User can log on locally via console
  • telnet - User can log on remotely via telnet
  • ssh - User can log on remotely via secure shell
  • ftp - User can log on remotely via ftp and send and retrieve files from the router
  • reboot - User can reboot the router
  • read - User can retrieve the configuration
  • write - User can retrieve and change the configuration
  • policy - User can manage user policies, add and remove users
  • test - User can run ping, traceroute, bandwidth test
  • web - User can log on remotely via Winbox

    Notes

    There are three system groups which cannot be deleted:
    [admin@MikroTik] user group> print
      0 ;;; users with read only permission
        name="read"
        policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
    
      1 ;;; users with write permission
        name="write"
        policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
    
      2 ;;; users with complete access
        name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
    
    [admin@MikroTik] user group>
    
    An exclamation mark (!) just before a policy name means NOT.

    Example

    To add a reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration:

    [admin@MikroTik] user group> add name=reboot policy=telnet,reboot,read
    [admin@MikroTik] user group> print
      0 ;;; users with read only permission
        name="read"
        policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
    
      1 ;;; users with write permission
        name="write"
        policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
    
      2 ;;; users with complete access
        name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
    
      3 name="reboot"
        policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test,!web
    
    [admin@MikroTik] user group>
    

    Router Users

    Submenu level : /user

    Property Description

    name (name) - user name. Must start with an alphanumeric character and may contain alphanumeric characters, "*", "_", ".", "@"
    group (name) - name of the group the user belongs to
    password (string; default: "") - user password. If not specified, it is left blank (hit 'Enter' when logging in). It conforms to standard Unix characteristics of passwords. Can contain letters, digits, "*" and "_"
    address (IP address/mask; default: 0.0.0.0/0) - IP address from which the user is allowed to log in
    netmask (IP address) - network mask of addresses assigned to the user

    Notes

    There is one predefined user that cannot be deleted:
    [admin@MikroTik] user> print
    Flags: X - disabled
      #   NAME                                             GROUP ADDRESS
      0   ;;; system default user
          admin                                            full  0.0.0.0/0
    
    [admin@MikroTik] user>
    
    When the user has logged in he can change his password using the /password command. The user is required to enter his/her current password before entering the new password. When the user logs out and logs in for the next time, the new password must be entered.

    Example

    To add the user joe with the password j1o2e3, belonging to the write group:
    [admin@MikroTik] user> add name=joe password=j1o2e3 group=write
    [admin@MikroTik] user> print
    Flags: X - disabled
      0   ;;; system default user
          name="admin" group=full address=0.0.0.0/0
    
      1   name="joe" group=write address=0.0.0.0/0
    
    
    [admin@MikroTik] user>
    

    Monitoring Active Router Users

    Command name : /user active print

    Property Description

    Statistics:

    when (date) - log-in time
    name (name) - user name
    address (IP address) - IP address from which the user is accessing the router

  • 0.0.0.0 - if the user is logged in locally
    via (console | telnet | ssh | web) - access method

    Example

    [admin@MikroTik] user> active print
    Flags: R - radius
      #   WHEN                 NAME                         ADDRESS         VIA
      0   feb/21/2003 17:48:21 admin                        0.0.0.0         console
      1   feb/24/2003 22:14:48 admin                        10.0.0.144      ssh
      2   mar/02/2003 23:36:34 admin                        10.0.0.144      web
    
    [admin@MikroTik] user>
    

    Router User Remote AAA

    Submenu level : /user aaa
    [admin@MikroTik] user aaa> print
            use-radius: no
            accounting: yes
        interim-update: 0s
         default-group: read
    [admin@MikroTik] user aaa>
    

    Property Description

    use-radius (yes | no, default: no) - whether the user database on a RADIUS server should be consulted
    accounting (yes | no, default: yes) - whether RADIUS accounting is used
    interim-update (time, default: 0s) - Interim-Update time interval
    default-group (name; default: read) - group used by default for users authenticated via RADIUS server

    Notes

    The RADIUS user database is consulted only if the required username is not found in the local user database.

    Example

    To enable RADIUS AAA:
    [admin@MikroTik] user aaa> set use-radius=yes
    [admin@MikroTik] user aaa> print
            use-radius: yes
            accounting: yes
        interim-update: 0s
         default-group: read
    [admin@MikroTik] user aaa>
    

    Local Point-to-Point AAA

    Local P2P User Profiles

    Submenu level : /ppp profile

    Description

    P2P profiles are used to define default values for users managed in the /ppp secret submenu. Settings in /ppp secret override the corresponding /ppp profile settings, except when local-address or remote-address is configured in both /ppp secret and /ppp profile and one of them refers to an IP pool: a concrete IP address always takes precedence over a pool.
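    The precedence rules in this paragraph and in the Description at the top of this document, carried through as an added Python example that is not part of the RouterOS manual. The profile and secret records are constructed from the print output on this page; the service's default profile is assumed to be the one named default, and the service and caller-id checks of a /ppp secret are applied before the settings are resolved.

```python
import hmac
from ipaddress import ip_address

UNSET = "0.0.0.0"                  # RouterOS prints 0.0.0.0 for "not configured"
ADDRESS_KEYS = ("local-address", "remote-address")
SECRET_ONLY = {"name", "service", "caller-id", "password", "profile", "routes"}

# Profile and secret records, constructed from the "print" output on this page.
PROFILES = {
    "default": {"local-address": UNSET, "remote-address": UNSET, "session-timeout": "0s",
                "idle-timeout": "0s", "use-compression": "no", "use-vj-compression": "no",
                "use-encryption": "yes", "require-encryption": "no", "only-one": "no",
                "tx-bit-rate": 0, "rx-bit-rate": 0, "incoming-filter": "",
                "outgoing-filter": "", "wins-server": ""},
    "ex": {"local-address": "10.0.0.1", "remote-address": "ex", "session-timeout": "0s",
           "idle-timeout": "0s", "use-compression": "no", "use-vj-compression": "no",
           "use-encryption": "no", "require-encryption": "no", "only-one": "no",
           "tx-bit-rate": 0, "rx-bit-rate": 0, "incoming-filter": "",
           "outgoing-filter": "", "wins-server": ""},
}
SECRETS = [
    {"name": "ex", "service": "pptp", "caller-id": "", "password": "lkjrht",
     "profile": "ex", "local-address": UNSET, "remote-address": UNSET, "routes": ""},
]


def is_concrete_ip(value):
    """A literal IPv4 address; any other configured value is an IP pool name."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def resolve_settings(service_default, user_profile, secret):
    """Merge in the documented order: the default profile for the service is
    overridden by the user's profile, which is overridden by the /ppp secret item.
    For local-/remote-address a concrete IP anywhere in the chain beats a pool."""
    chain = [service_default, user_profile, secret]
    result = {}
    for layer in chain:
        for key, value in layer.items():
            if key not in ADDRESS_KEYS and key not in SECRET_ONLY:
                result[key] = value                 # plain "later layer wins"
    for key in ADDRESS_KEYS:
        configured = [layer[key] for layer in chain if layer.get(key, UNSET) != UNSET]
        concrete = [v for v in configured if is_concrete_ip(v)]
        if concrete:
            result[key] = concrete[-1]              # concrete address beats any pool
        else:
            result[key] = configured[-1] if configured else UNSET
    return result


def authenticate(username, password, service, caller_id, secrets, profiles,
                 service_default="default"):
    """Local P2P login: find the secret, enforce its service and caller-id
    restrictions, check the password, then build the effective settings.
    Returns the settings dict, or None when the login must be rejected."""
    for secret in secrets:
        if secret["name"] != username:
            continue
        if secret.get("service", "any") not in ("any", service):
            continue                                # this secret is for another service
        if secret.get("caller-id") and secret["caller-id"] != caller_id:
            return None                             # wrong IP / MAC / MSN for this user
        if not hmac.compare_digest(secret["password"].encode(), password.encode()):
            return None
        user_profile = profiles.get(secret.get("profile", "default"), {})
        return resolve_settings(profiles[service_default], user_profile, secret)
    return None


if __name__ == "__main__":
    print(authenticate("ex", "lkjrht", "pptp", "10.0.0.148", SECRETS, PROFILES))
```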

    Property Description

    name (name) - profile name
    local-address (IP address | name; default: 0.0.0.0) - either address or pool of the P2P server
    remote-address (IP address | name; default: 0.0.0.0) - either address or pool of the P2P client
    session-timeout (time; default: 0s) - the maximum time the connection can stay up
  • 0s - no timeout
    idle-timeout (time; default: 0s) - the link will be terminated if there is no activity within the time set
  • 0s - no timeout
    use-compression (yes | no, default: no) - whether to compress traffic
    use-vj-compression (yes | no, default: no) - whether to use Van Jacobson header compression
    use-encryption (yes | no, default: no) - whether to encrypt traffic
    require-encryption (yes | no, default: no) - whether to require encryption from the client or simply prefer it
    only-one (yes | no, default: no) - allow only one connection at a time
    tx-bit-rate (integer, default: 0) - Transmit bitrate in bits/s
    rx-bit-rate (integer, default: 0) - Receive bitrate in bits/s
    incoming-filter (name; default: "") - firewall chain name for incoming packets. If not empty, this firewall chain will get control over each packet coming from the client
    outgoing-filter (name; default: "") - firewall chain name for outgoing packets. If not empty, this firewall chain will get control over each packet going to the client
    wins-server (string; default: "") - the Windows DHCP client will use this as the default WINS server. Two comma-separated WINS servers can be specified to be used by P2P user as primary and secondary WINS servers

    Notes

    One default profile is created:
    [admin@MikroTik] ppp profile> print
    Flags: * - default
      0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
          session-timeout=0s idle-timeout=0s use-compression=no
          use-vj-compression=no use-encryption=yes require-encryption=no
          only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
          outgoing-filter="" wins-server=""
    
    [admin@MikroTik] ppp profile>
    
    Use VJ compression only if you have to, because it may slow down communications on bad or congested channels.

    tx-bit-rate and rx-bit-rate are used for PPPoE connections only.

    Example

    To add the profile ex that will assign the router itself the 10.0.0.1 address, and the addresses from the ex pool to the clients:
    [admin@MikroTik] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex
    [admin@MikroTik] ppp profile> print
    Flags: * - default
      0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
          session-timeout=0s idle-timeout=0s use-compression=no
          use-vj-compression=no use-encryption=yes require-encryption=no
          only-one=no tx-bit-rate=0 rx-bit-rate=0 incoming-filter=""
          outgoing-filter="" wins-server=""
    
      1   name="ex" local-address=10.0.0.1 remote-address=ex session-timeout=0s
          idle-timeout=0s use-compression=no use-vj-compression=no
          use-encryption=no require-encryption=no only-one=no tx-bit-rate=0
          rx-bit-rate=0 incoming-filter="" outgoing-filter="" wins-server=""
    
    
    
    [admin@MikroTik] ppp profile>
    

    Local P2P User Database

    Submenu level : /ppp secret

    Description

    P2P User Database stores P2P users and defines owner and profile for each of them.

    Property Description

    name (name) - user name
    service (any | async | isdn | l2tp | pppoe | pptp; default: any) - specifies which service may use this user
    caller-id (string; default: "") :
  • PPTP and L2TP - the IP address which a client must connect from
  • PPPoE - the MAC address (written in CAPITAL letters) which the client must connect from
  • ISDN - the caller's number (which may or may not be provided by the operator) that the client may dial in from
  • if not set - there are no restrictions on where clients may connect from
    password (string; default: "") - user password
    profile (name; default: default) - profile name for the user
    local-address (IP address | name; default: 0.0.0.0) - either address or pool of the P2P server
    remote-address (IP address | name; default: 0.0.0.0) - either address or pool of the P2P client
    routes - routes that appear on the server when the client is connected. The route format is: "dst-address gateway metric" (for example, "10.1.0.0/24 10.0.0.1 1"). Several routes may be specified, separated with commas

    Example

    To add the user ex with the password lkjrht, for the PPTP service only and with the ex profile:
    [admin@MikroTik] ppp secret> add name=ex password=lkjrht service=pptp profile=ex
    [admin@MikroTik] ppp secret> print
    Flags: X - disabled
      #   NAME              SERVICE CALLER-ID       PASSWORD        PROFILE
      0   ex                pptp                    lkjrht          ex
    [admin@MikroTik] ppp secret> print detail
    Flags: X - disabled
      0   name="ex" service=pptp caller-id="" password="lkjrht" profile=ex
          local-address=0.0.0.0 remote-address=0.0.0.0 routes=""
    
    
    [admin@MikroTik] ppp secret>
    

    Monitoring Active P2P Users

    Command name : /ppp active print

    Property Description

    Statistics:

    name (name) - user name
    service (async | isdn | l2tp | pppoe | pptp) - what service the user is using
    caller-id (string) - unique client identifier
    address (IP address) - the IP address the client got from the server
    uptime (time) - uptime
    encoding (string) - encryption and encoding (if asymmetric, separated with '/') being used in this connection

    Example

    [admin@MikroTik] ppp profile> .. active print
    Flags: R - radius
      #   NAME         SERVICE CALLER-ID         ADDRESS         UPTIME   ENCODING
      0   ex           pptp    10.0.0.148        10.1.0.148      1d15h... MPPE12...
    
    [admin@MikroTik] ppp profile> .. active print detail
    Flags: R - radius
      0   name="ex" service=pptp caller-id="10.0.0.148" address=10.1.0.148
          uptime=1d15h4m41s encoding="MPPE128 stateless"
    
    [admin@MikroTik] ppp profile>
    

    P2P User Remote AAA

    Submenu level : /ppp aaa
    [admin@MikroTik] ppp aaa> print
            use-radius: no
            accounting: yes
        interim-update: 0s
    [admin@MikroTik] ppp aaa>
    

    Property Description

    use-radius (yes | no, default: no) - whether the user database on a RADIUS server should be consulted
    accounting (yes | no, default: yes) - whether RADIUS accounting is used
    interim-update (time, default: 0s) - Interim-Update time interval

    Notes

    The RADIUS user database is consulted only if the required username is not found in the local user database.

    Example

    To enable RADIUS AAA:
    [admin@MikroTik] ppp aaa> set use-radius=yes
    [admin@MikroTik] ppp aaa> print
            use-radius: yes
            accounting: yes
        interim-update: 0s
    [admin@MikroTik] ppp aaa>
    

    Local IP Traffic Accounting

    Local IP Traffic Accounting Setup

    Submenu level : /ip accounting
    [admin@MikroTik] ip accounting> print
          enabled: no
        threshold: 256
    [admin@MikroTik] ip accounting>
    

    Description

    As each packet passes through the router, the packet source and destination addresses are matched to an IP pair in the accounting table and the traffic for that pair is increased. The source and destination users for PPP, PPTP, PPPoE, ISDN and HotSpot client traffic are accounted too. Both the number of packets and the number of bytes are accounted.

    If no matching IP or user pair exists, a new entry is added to the table.

    Note that for bidirectional connections two entries will be created.

    Only packets that enter and leave the router are accounted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted either, such as packets used for administrative connections (i.e. web and telnet connections to the router). Packets that are NATted on the router are accounted with the actual IP addresses on each side. Packets that pass through bridged interfaces (i.e. inside the bridge interface) are also accounted correctly.

    Property Description

    enabled (yes | no; default: no) - whether local IP traffic accounting is enabled
    threshold (integer; default: 256) - maximum number of IP pairs in the accounting table (maximal value is 8192)

    Notes

    Each IP pair uses approximately 100 bytes.

    When the threshold limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted in the accounting table will then be added to the uncounted counter. To see if the limit on pairs has been reached, check the uncounted counter:

    [admin@MikroTik] ip accounting uncounted> print
        packets: 0
          bytes: 0
    

    Example

    To enable traffic accounting:
    [admin@MikroTik] ip accounting> set enabled=yes
    [admin@MikroTik] ip accounting> print
          enabled: yes
        threshold: 256
    [admin@MikroTik] ip accounting>
    

    Local IP Traffic Accounting Table

    Submenu level : /ip accounting snapshot

    Description

    When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likely it is that the IP pairs threshold limit will be reached.
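    The table behaviour described here and in the Setup section above, as an added Python model that is not part of the manual: one row per IP pair, the threshold with its uncounted counter, the estimate of about 100 bytes per pair, and the clearing effect of a snapshot. Keying rows by the usernames as well as the addresses is an assumption of this model, and the traffic fed in is constructed (194 packets of 78 bytes give the 15132-byte rows shown in the snapshot below).

```python
from dataclasses import dataclass

MAX_THRESHOLD = 8192          # maximal value for /ip accounting threshold
BYTES_PER_PAIR = 100          # the manual's estimate of memory per IP pair


@dataclass
class Entry:
    src_address: str
    dst_address: str
    src_user: str = ""        # set only for P2P-tunnel or HotSpot-authenticated hosts
    dst_user: str = ""
    packets: int = 0
    bytes: int = 0


class AccountingTable:
    """Model of the /ip accounting table: one row per pair, a fixed threshold on
    the number of rows, and an uncounted counter for what overflows it."""

    def __init__(self, threshold=256):
        if not 1 <= threshold <= MAX_THRESHOLD:
            raise ValueError("threshold must be between 1 and %d" % MAX_THRESHOLD)
        self.threshold = threshold
        self.pairs = {}                              # (src, dst, src_user, dst_user) -> Entry
        self.uncounted = {"packets": 0, "bytes": 0}

    def account(self, src, dst, length, src_user="", dst_user=""):
        """Account one forwarded packet. Only packets that enter and leave the router
        reach this point: dropped and router-originated packets are never seen here.
        Returns False when the pair threshold is reached and the packet goes uncounted."""
        key = (src, dst, src_user, dst_user)        # assumption: user names are part of the key
        entry = self.pairs.get(key)
        if entry is None:
            if len(self.pairs) >= self.threshold:
                self.uncounted["packets"] += 1
                self.uncounted["bytes"] += length
                return False
            entry = self.pairs[key] = Entry(src, dst, src_user, dst_user)
        entry.packets += 1
        entry.bytes += length
        return True

    def memory_estimate(self):
        """Approximate memory held by the table, at ~100 bytes per pair."""
        return len(self.pairs) * BYTES_PER_PAIR

    def threshold_reached(self):
        """The check the manual suggests: a non-zero uncounted counter means rows were lost."""
        return self.uncounted["packets"] > 0

    def snapshot(self):
        """Take a snapshot: hand back the current rows and clear the table, so pairs
        start accumulating afresh (what 'ip accounting snapshot take' does)."""
        rows = list(self.pairs.values())
        self.pairs = {}
        return rows


def format_snapshot(rows):
    """Render rows in the layout of 'ip accounting snapshot print'."""
    lines = ["  # SRC-ADDRESS     DST-ADDRESS     PACKETS    BYTES      SRC-USER   DST-USER"]
    for i, r in enumerate(rows):
        lines.append("%3d %-15s %-15s %-10d %-10d %-10s %s" % (
            i, r.src_address, r.dst_address, r.packets, r.bytes, r.src_user, r.dst_user))
    return "\n".join(lines)


if __name__ == "__main__":
    table = AccountingTable(threshold=2)
    # Constructed traffic: a bidirectional flow creates two rows, a third pair overflows.
    for _ in range(194):
        table.account("10.5.8.8", "10.0.0.4", 78)
        table.account("10.0.0.4", "10.5.8.8", 78)
    table.account("10.0.0.144", "10.5.8.23", 1500, src_user="ex")
    print(format_snapshot(table.snapshot()))
    print("uncounted:", table.uncounted)
```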

    Property Description

    Statistics:

    src-address (IP address) - source address
    dst-address (IP address) - destination address
    packets (integer) - total number of packets matched by this entry
    bytes (integer) - total number of bytes matched by this entry
    src-user (string) - sender's name (if applicable)
    dst-user (string) - recipient's name (if applicable)

    Notes

    Usernames are shown only if the users are connected to the router via a P2P tunnel or are authenticated by HotSpot.

    Before the first snapshot is taken, the table is empty.

    Example

    To take a new snapshot:
    [admin@MikroTik] ip accounting> snapshot take
    
    To view the current snapshot:
    [admin@MikroTik] ip accounting> snapshot print
      # SRC-ADDRESS     DST-ADDRESS     PACKETS    BYTES      SRC-USER   DST-USER
      0 10.5.8.8        10.0.0.4        194        15132
      1 10.0.0.4        10.5.8.8        194        15132
      2 10.0.0.144      10.5.8.23       4960       4097835
      3 10.5.8.23       10.0.0.144      4807       3843113
    [admin@MikroTik] ip accounting> snapshot print
    

    Web Access to the Local IP Traffic Accounting Table

    Submenu level : /ip accounting web-access
    [admin@MikroTik] ip accounting web-access> print
        accessible-via-web: no
                   address: 0.0.0.0/0
    [admin@MikroTik] ip accounting web-access>
    

    Description

    The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file, or to use the MikroTik shareware Traffic Counter to display the table. If the web report is enabled and the web page is viewed, the snapshot is made when the connection to the web page is initiated, and the snapshot is then displayed on the web page. The TCP protocol used by HTTP connections with the wget tool guarantees that none of the traffic data will be lost. The snapshot image is made when the connection from wget is initiated. Web browsers or wget should connect to the URL http://routerIP/accounting/ip.cgi

    Property Description

    accessible-via-web (yes | no; default: no) - whether the snapshot is available via web
    address (IP address/mask; default: 0.0.0.0/0) - IP address range that is allowed to access the snapshot

    Example

    To enable web access from the 10.0.0.1 server only:
    [admin@MikroTik] ip accounting web-access> set accessible-via-web=yes \
    \... address=10.0.0.1/32
    [admin@MikroTik] ip accounting web-access> print
        accessible-via-web: yes
                   address: 10.0.0.1/32
    [admin@MikroTik] ip accounting web-access>
    

    RADIUS Client Setup

    Submenu level : /radius

    Description

    This table sets the RADIUS servers the router is using to authenticate users.

    Property Description

    service (multiple choice: hotspot | login | ppp | telephony | wireless; default: "") - services that use this RADIUS server:
  • hotspot - HotSpot authentication
  • login - local user authentication
  • ppp - P2P client authentication
  • telephony - accounting for IP telephony
  • wireless - wireless client authentication (client's MAC address is sent as User-Name)
    called-id (string; default: "") - depending on P2P protocol:
  • ISDN - phone number dialed (MSN)
  • PPPoE - service name
  • PPTP and L2TP - server IP address
    domain (string; default: "") - Windows client's domain
    address (IP address; default: 0.0.0.0) - IP address of the RADIUS server
    secret - shared secret to access the server
    authentication-port (integer; default: 1812) - server's port for authentication
    accounting-port (integer; default: 1813) - server's port for accounting
    timeout (time; default: 100ms) - timeout, after which the request should be resent

    Notes

    The order of the items is important.

    Windows clients send their usernames in form: domain\username

    Example

    To set the RADIUS server that the HotSpot and PPP services will use, with the IP address 10.0.0.3 and the shared secret ex:
    [admin@MikroTik] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex
    [admin@MikroTik] radius> print
    Flags: X - disabled
      #   SERVICE         CALLED-ID     DOMAIN        ADDRESS         SECRET
      0   ppp,hotspot                                 10.0.0.3        ex
    
    [admin@MikroTik] radius>
    
    AAA for the respective services should be enabled too:
    [admin@MikroTik] radius> /ppp aaa set use-radius=yes
    [admin@MikroTik] radius> /ip hotspot aaa set use-radius=yes
    
    To view some statistics for a client:
    [admin@MikroTik] radius> monitor 0
                 pending: 0
                requests: 10
                 accepts: 4
                 rejects: 1
                 resends: 15
                timeouts: 5
             bad-replies: 0
        last-request-rtt: 0s
    
    [admin@MikroTik] radius>
    

    RADIUS Servers Suggested

    The MikroTik RouterOS RADIUS client should work well with all RFC-compliant servers. It has been tested with:

    FreeRADIUS : http://www.freeradius.org/
    XTRadius : http://xtradius.sourceforge.net/ (does not support MS-CHAP)
    Steel-Belted Radius : http://www.funk.com/

    RADIUS Attributes Utilized

    Here you can download the MikroTik reference dictionary, which incorporates all the needed RADIUS attributes. This is the minimal dictionary that is enough to support all features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many other UNIX RADIUS servers (e.g. XTRadius).

    Note that it may conflict with the default configuration files of the RADIUS server, which have references to Attributes absent from this dictionary. Please correct the configuration files, not the dictionary, as no other Attributes are supported by MikroTik RouterOS.

    There is also a dictionary.mikrotik that can be included in an existing dictionary to support the MikroTik vendor-specific Attributes.

    Authentication data sent to server (Access-Request)

    Service-Type		always is Framed-User (only for P2P)
    
    Framed-Protocol		always is PPP (only for P2P)
    
    NAS-Identifier		router identity
    
    NAS-IP-Address          router IP address
    
    NAS-Port-Type		Async (for async PPP)
    			Virtual	(for PPTP and L2TP)
    			Ethernet (for PPPoE and HotSpot)
    			ISDN Sync (for ISDN)
    
    Calling-Station-Id	client MSN (for ISDN)
                            client public IP address (for PPTP and L2TP)
                            client MAC address (with CAPITAL letters) (for PPPoE)
                            client MAC address (with CAPITAL letters) (for HotSpot)
    
    Called-Station-Id	service name (for PPPoE)
    			server IP address (for PPTP and L2TP)
    			interface MSN (for ISDN)
    			HotSpot server MAC address (for HotSpot)
    
    NAS-Port                interface ID that may be used by SNMP client to retrieve
                            statistics information (only for P2P)
                            a unique session ID (for HotSpot)
    
    NAS-Port-Id		serial port name (for async PPP)
    			ethernet interface name server is running on (for PPPoE
                            and HotSpot)
    
    User-Name		client login name
    
    MS-CHAP-Domain          authentication domain if the username is in "domain\username"
                            form (i.e. the Windows client has set the "include domain
                            name" parameter) (only for P2P)
    
    Depending on authentication methods (always CHAP for HotSpot):
    User-Password		encrypted password (used with PAP auth.)
    
    CHAP-Password,
    CHAP-Challenge          encrypted password and challenge (used with CHAP auth.)
    
    MS-CHAP-Response,
    MS-CHAP-Challenge	encrypted password and challenge (used with MS-CHAPv1 auth.)
    
    MS-CHAP2-Response,
    MS-CHAP2-Challenge	encrypted password and challenge (used with MS-CHAPv2 auth.)
    

    Data received from server (Access-Accept)

    Framed-IP-Address	IP address given to the client
    
                            NOTE for P2P: If address belongs to networks 127.0.0.0/8,
                            224.0.0.0/4, 240.0.0.0/4, IP pool is used from the
                            default profile to allocate client IP address
    
                            NOTE for HotSpot: If address is 255.255.255.254,
                            IP pool is used from hotspot settings. If
                            Framed-IP-Address is specified, Framed-Pool is ignored
    
    Framed-IP-Netmask       client netmask
    
                            For P2P: If specified, the route will be created
                            to the network Framed-IP-Address belongs to via the
                            Framed-IP-Address gateway.
    
                            For HotSpot: Framed-IP-Address netmask for DHCP-pool
                            login method.
    
    Framed-Pool		IP pool name (on the router) from which to get IP address
                            for the client. If specified, overrides Framed-IP-Address
    
    Idle-Timeout		idle-timeout parameter
    
    Session-Timeout		session-timeout parameter
    
    Class			cookie, will be included in Accounting-Request unchanged
    
    Framed-Route		routes to add on the server. Format is specified in
                            RFC2865 (Ch. 5.22), can be specified as many times as 
                            needed
    
    Filter-Id               firewall filter chain name. It is used to make a dynamic
                            firewall rule that jumps to the specified chain if a
                            packet comes to or from the client. The firewall chain
                            name can have the suffix .in or .out, which installs the
                            rule only for incoming or outgoing traffic. Multiple
                            Filter-Id attributes can be provided, but only the last
                            ones for incoming and outgoing are used
    
    Acct-Interim-Interval	interim-update for RADIUS client, if 0 uses the one
                            specified in RADIUS client
    
    MS-MPPE-Encryption-Policy  require-encryption parameter (only for P2P)
    MS-MPPE-Encryption-Type    use-encryption parameter. Non 0 value means use
                               encryption (only for P2P)
    
    Ascend-Data-Rate	tx/rx data rate limitation (for PPPoE and HotSpot). If
                            multiple attributes are provided, first limits tx data
                            rate, second - rx data rate. 0 if unlimited
    
    Ascend-Xmit-Rate        tx data rate limitation (for PPPoE and HotSpot only). It
                            may be used to specify the tx limit only, instead of sending
                            two sequential Ascend-Data-Rate attributes. 0 if unlimited
    
    Ascend-Client-Gateway   Client gateway for DHCP-pool HotSpot login method
                            (only for HotSpot)
    
    Mikrotik-Recv-Limit	total receive limit in bytes for the client (only for 
                            HotSpot)
    
    Mikrotik-Xmit-Limit	total transmit limit in bytes for the client (only for 
                            HotSpot)
    
    MS-CHAP2-Success	auth. response if MS-CHAPv2 was used (only for P2P)
    
    MS-MPPE-Send-Key
      and MS-MPPE-Recv-Key  encryption keys for encrypted PPP, PPTP, L2TP and PPPoE,
    			provided by RADIUS server only if MS-CHAP (both v1 and
                            v2) was used for authentication (for PPP, PPTP, L2TP, 
                            PPPoE only)
    

    Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from the RADIUS server, the default one is used.

    Accounting information sent to server (Accounting-Request)

    Acct-Status-Type	Start, Stop, or Interim-Update
    Acct-Session-Id		accounting session ID
    Service-Type		same as in request (only for P2P)
    Framed-Protocol		same as in request (only for P2P)
    NAS-Identifier		same as in request
    NAS-IP-Address          same as in request
    User-Name		same as in request
    MS-CHAP-Domain          same as in request (only for P2P)
    NAS-Port-Type		same as in request
    NAS-Port                same as in request (only for P2P)
    NAS-Port-Id		same as in request
    Calling-Station-Id	same as in request
    Called-Station-Id	same as in request
    Acct-Authentic		either authenticated by the RADIUS or Local authority
                            (only for P2P)
    Framed-IP-Address	IP address given to the user
    Framed-IP-Netmask       same as in request (only for P2P)
    Class			RADIUS server cookie
    Acct-Delay-Time         how long the router has been trying to send this
                            Accounting-Request packet
    
    RADIUS attributes additionally included in Stop and Interim-Update Accounting-Request packets:
    Acct-Session-Time	connection uptime in seconds
    Acct-Input-Octets	bytes received from the client
    Acct-Input-Packets	packets received from the client
    Acct-Output-Octets	bytes sent to the client
    Acct-Output-Packets	packets sent to the client
    
    Stop Accounting-Request packets can additionally have:
    Acct-Terminate-Cause	session termination cause (described in RFC2866 Ch. 5.10)
    

    RADIUS Attribute Numeric Values

    Name                       VendorID  Value  RFC where it is defined
    Acct-Authentic                       45     RFC2866
    Acct-Delay-Time                      41     RFC2866
    Acct-Input-Octets                    42     RFC2866
    Acct-Input-Packets                   47     RFC2866
    Acct-Interim-Interval                85     RFC2869
    Acct-Output-Octets                   43     RFC2866
    Acct-Output-Packets                  48     RFC2866
    Acct-Session-Id                      44     RFC2866
    Acct-Session-Time                    46     RFC2866
    Acct-Status-Type                     40     RFC2866
    Acct-Terminate-Cause                 49     RFC2866
    Ascend-Client-Gateway      529       132
    Ascend-Data-Rate           529       197
    Ascend-Xmit-Rate           529       255
    Called-Station-Id                    30     RFC2865
    Calling-Station-Id                   31     RFC2865
    CHAP-Challenge                       60     RFC2866
    CHAP-Password                        3      RFC2865
    Class                                25     RFC2865
    Filter-Id                            11     RFC2865
    Framed-IP-Address                    8      RFC2865
    Framed-IP-Netmask                    9      RFC2865
    Framed-Pool                          88     RFC2869
    Framed-Protocol                      7      RFC2865
    Framed-Route                         22     RFC2865
    Idle-Timeout                         28     RFC2865
    MS-CHAP-Challenge          311       11     RFC2548
    MS-CHAP-Domain             311       10     RFC2548
    MS-CHAP-Response           311       1      RFC2548
    MS-CHAP2-Response          311       25     RFC2548
    MS-CHAP2-Success           311       26     RFC2548
    MS-MPPE-Encryption-Policy  311       7      RFC2548
    MS-MPPE-Encryption-Type    311       8      RFC2548
    MS-MPPE-Recv-Key           311       17     RFC2548
    MS-MPPE-Send-Key           311       16     RFC2548
    Mikrotik-Recv-Limit        14988     1
    Mikrotik-Xmit-Limit        14988     2
    NAS-Identifier                       32     RFC2865
    NAS-IP-Address                       4      RFC2865
    NAS-Port                             5      RFC2865
    NAS-Port-Id                          87     RFC2869
    NAS-Port-Type                        61     RFC2865
    Service-Type                         6      RFC2865
    Session-Timeout                      27     RFC2865
    User-Name                            1      RFC2865
    User-Password                        2      RFC2865
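    An added Python example (not MikroTik code) that uses the attribute numbers from this table to encode the Access-Request described above and an Access-Accept reply: it shows how User-Password is hidden with the shared secret (RFC2865 5.2), how a vendor-specific attribute such as Mikrotik-Recv-Limit is nested inside attribute 26, and how the client verifies the Response Authenticator before trusting a reply. The user ex, password lkjrht, secret ex and the client address 10.0.0.148 come from the examples on this page; the NAS address 10.0.0.1, the identity MikroTik and the Framed-IP-Address 10.1.0.148 in the demo are constructed values.

```python
import hashlib
import hmac
import os
import socket
import struct

# Attribute and value numbers from the table above (RFC2865) plus the MikroTik VSA.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_IDENTIFIER = 8, 26, 31, 32
NAS_PORT_TYPE = 61
FRAMED_USER, PPP, VIRTUAL = 2, 1, 5       # Service-Type, Framed-Protocol, NAS-Port-Type values
VENDOR_MIKROTIK, MIKROTIK_RECV_LIMIT = 14988, 1
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH")            # Code, Identifier, Length; 16-byte Authenticator follows

def hide_password(password, secret, authenticator):
    """RFC2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, prev, out = password.ljust(size, b"\x00"), authenticator, b""
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); the NUL padding is stripped."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    """Type-Length-Value; Length counts the two header bytes, so values are 1..253 bytes."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def vsa(vendor, vtype, value):
    """Vendor-Specific (26): Vendor-Id followed by a nested vendor type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value)

def parse_packet(packet):
    """Return (code, identifier, attributes). VSAs come back as
    (26, vendor_id, vendor_type, value); everything else as (type, value)."""
    code, ident, length = HEADER.unpack_from(packet)
    if length < 20 or length != len(packet):
        raise ValueError("Length field does not match the packet")
    pos, attrs = 20, []
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, ident, attrs

def build_access_request(secret, username, password, nas_ip, identity, client_ip,
                         ident=1, authenticator=None):
    """The router's PPTP/L2TP login with PAP: Service-Type Framed-User, Framed-Protocol
    PPP, NAS-Port-Type Virtual and Calling-Station-Id = the client's public IP address."""
    authenticator = authenticator or os.urandom(16)    # fresh random bytes per request
    body = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attr(SERVICE_TYPE, struct.pack("!I", FRAMED_USER)),
        attr(FRAMED_PROTOCOL, struct.pack("!I", PPP)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(NAS_IDENTIFIER, identity.encode()),
        attr(NAS_PORT_TYPE, struct.pack("!I", VIRTUAL)),
        attr(CALLING_STATION_ID, client_ip.encode()),
    ])
    return authenticator, HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def build_access_accept(secret, request_authenticator, ident, framed_ip, recv_limit):
    """Server reply with Framed-IP-Address and the Mikrotik-Recv-Limit VSA; the Response
    Authenticator is MD5(header + Request Authenticator + attributes + secret)."""
    body = attr(FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)) + \
        vsa(VENDOR_MIKROTIK, MIKROTIK_RECV_LIMIT, struct.pack("!I", recv_limit))
    header = HEADER.pack(ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body

def verify_response(packet, secret, request_authenticator):
    """Client check that the reply comes from a server holding the shared secret and
    answers this very request; a reply that fails this check must be discarded."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```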

    © Copyright 1999-2003, MikroTik