RADIUS client

Document revision:1.6 (February 14, 2007, 12:00 GMT)
Applies to: V2.9

General Information


This document provides information about RouterOS built-in RADIUS client configuration, supported RADIUS attributes and recommendations on RADIUS server selection.


Packages required: system
License required: Level1
Submenu level: /radius
Standards and Technologies: RADIUS

Related Documents


RADIUS, short for Remote Authentication Dial-In User Service, is a remote server that provides authentication and accounting facilities to various network apliances. RADIUS authentication and accounting gives the ISP or network administrator ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate for HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.

The RADIUS server database is consulted only if no matching user acces record is found in router's local database.

Traffic is accounted locally with MikroTik Traffic Flow and Cisco IP pairs and snapshot image can be gathered using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server default for that service.

RADIUS Client Setup

Submenu level: /radius


This facility allows you to set RADIUS servers the router will use to authenticate users.

Property Description

accounting-backup (yes | no; default: no) - this entry is a backup RADIUS accounting server

accounting-port (integer; default: 1813) - RADIUS server port used for accounting

address (IP address; default: - IP address of the RADIUS server

authentication-port (integer; default: 1812) - RADIUS server port used for authentication

called-id (text; default: "") - value depends on Point-to-Point protocol:
ISDN - phone number dialled (MSN)
PPPoE - service name
PPTP - server's IP address
L2TP - server's IP address

domain (text; default: "") - Microsoft Windows domain of client passed to RADIUS servers that require domain validation

realm (text) - explicitly stated realm (user domain), so the users do not have to provide proper ISP domain name in user name

secret (text; default: "") - shared secret used to access the RADIUS server

service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router services that will use this RADIUS server
hotspot - HotSpot authentication service
login - router's local user authentication
ppp - Point-to-Point clients authentication
telephony - IP telephony accounting
wireless - wireless client authentication (client's MAC address is sent as User-Name)
dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)

timeout (time; default: 100ms) - timeout after which the request should be resend


The order of the items in this list is significant.

Microsoft Windows clients send their usernames in form domain\username

When RADIUS server is authenticating user with CHAP, MS-CHAPv1, MS-CHAPv2, it is not using shared secret, secret is used only in authentication reply, and router is verifying it. So if you have wrong shared secret, RADIUS server will accept request, but router won't accept reply. You can see that with /radius monitor command, "bad-replies" number should increase whenever somebody tries to connect.


To set a RADIUS server for HotSpot and PPP services that has IP address and ex shared secret, you need to do the following:

[admin@MikroTik] radius> add service=hotspot,ppp address= secret=ex
[admin@MikroTik] radius> print
Flags: X - disabled
  #   SERVICE         CALLED-ID     DOMAIN        ADDRESS         SECRET
  0   ppp,hotspot                               ex
[admin@MikroTik] radius>
AAA for the respective services should be enabled too:
[admin@MikroTik] radius> /ppp aaa set use-radius=yes
[admin@MikroTik] radius> /ip hotspot profile set default use-radius=yes
To view some statistics for a client:
[admin@MikroTik] radius> monitor 0
             pending: 0
            requests: 10
             accepts: 4
             rejects: 1
             resends: 15
            timeouts: 5
         bad-replies: 0
    last-request-rtt: 0s
[admin@MikroTik] radius>

Connection Terminating from RADIUS

Submenu level: /radius incoming


This facility supports unsolicited messages sent from RADIUS server. Unsolicited messages extend RADIUS protocol commands, that allow to terminate a session which has already been connected from RADIUS server. For this purpose DM (Disconnect-Messages) are used. Disconnect messages cause a user session to be terminated immediately

Property Description

accept (yes | no; default: no) - Whether to accept the unsolicited messages

port (integer; default: 1700) - The port number to listen for the requests on


RouterOS doesn't support POD (Packet of Disconnect) the other RADIUS access request packet that performs a similar function as Disconnect Messages

Suggested RADIUS Servers


MikroTik RouterOS RADIUS Client should work well with all RFC compliant servers. It has been tested with:

Supported RADIUS Attributes


MikroTik RADIUS Dictionaries

Here you can download MikroTik reference dictionary, which incorporates all the needed RADIUS attributes. This dictionary is the minimal dictionary, which is enough to support all features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many other UNIX RADIUS servers (eg. XTRadius).

Note that it may conflict with the default configuration files of RADIUS server, which have references to the Attributes, absent in this dictionary. Please correct the configuration files, not the dictionary, as no other Attributes are supported by MikroTik RouterOS.

There is also dictionary.mikrotik that can be included in an existing dictionary to support MikroTik vendor-specific Attributes.


Depending on authentication methods (NOTE: HotSpot uses CHAP by default and may use also PAP if unencrypted passwords are enabled, it can not use MSCHAP):


NOTE: if Framed-IP-Address or Framed-Pool is specified it overrides remote-address in default configuration

Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from RADIUS server, the default one is to be used.

Rate-Limit takes precedence over all other ways to specify data rate for the client. Ascend data rate attributes are considered second; and WISPr attributes takes the last precedence.

Here are some Rate-Limit examples:


The accounting request carries the same attributes as Access Request, plus these ones:

Stop and Interim-Update Accounting-Request

Additionally to the accounting start request, the following messages will contain the following attributes:

Stop Accounting-Request

These packets will, additionally to the Interim Update packets, have:

Change of Authorization

RADIUS disconnect and Change of Authorization (according to RFC3576) are supported as well. These attributes may be changed by a CoA request from the RADIUS server:

Note that it is not possible to change IP address, pool or routes that way - for such changes a user must be disconnected first.

Attribute Numeric Values
Name VendorID Value RFC where it is defined
Acct-Authentic 45 RFC2866
Acct-Delay-Time 41 RFC2866
Acct-Input-Gigawords 52 RFC2869
Acct-Input-Octets 42 RFC2866
Acct-Input-Packets 47 RFC2866
Acct-Interim-Interval 85 RFC2869
Acct-Output-Gigawords 53 RFC2869
Acct-Output-Octets 43 RFC2866
Acct-Output-Packets 48 RFC2866
Acct-Session-Id 44 RFC2866
Acct-Session-Time 46 RFC2866
Acct-Status-Type 40 RFC2866
Acct-Terminate-Cause 49 RFC2866
Ascend-Client-Gateway 529 132
Ascend-Data-Rate 529 197
Ascend-Xmit-Rate 529 255
Called-Station-Id 30 RFC2865
Calling-Station-Id 31 RFC2865
CHAP-Challenge 60 RFC2866
CHAP-Password 3 RFC2865
Class 25 RFC2865
Filter-Id 11 RFC2865
Framed-IP-Address 8 RFC2865
Framed-IP-Netmask 9 RFC2865
Framed-Pool 88 RFC2869
Framed-Protocol 7 RFC2865
Framed-Route 22 RFC2865
Idle-Timeout 28 RFC2865
Mikrotik-Advertise-Interval 14988 13
Mikrotik-Advertise-URL 14988 12
Mikrotik-Group 14988 3
Mikrotik-Host-IP 14988 10
Mikrotik-Mark-Id 14988 11
Mikrotik-Rate-Limit 14988 8
Mikrotik-Realm 14988 9
Mikrotik-Recv-Limit 14988 1
Mikrotik-Recv-Limit-Gigawords 14988 14
Mikrotik-Wireless-Enc-Algo 14988 6
Mikrotik-Wireless-Enc-Key 14988 7
Mikrotik-Wireless-Forward 14988 4
Mikrotik-Wireless-Skip-Dot1x 14988 5
Mikrotik-Xmit-Limit 14988 2
Mikrotik-Xmit-Limit-Gigawords 14988 15
MS-CHAP-Challenge 311 11 RFC2548
MS-CHAP-Domain 311 10 RFC2548
MS-CHAP-Response 311 1 RFC2548
MS-CHAP2-Response 311 25 RFC2548
MS-CHAP2-Success 311 26 RFC2548
MS-MPPE-Encryption-Policy 311 7 RFC2548
MS-MPPE-Encryption-Types 311 8 RFC2548
MS-MPPE-Recv-Key 311 17 RFC2548
MS-MPPE-Send-Key 311 16 RFC2548
NAS-Identifier 32 RFC2865
NAS-Port 5 RFC2865
NAS-IP-Address 4 RFC2865
NAS-Port-Id 87 RFC2869
NAS-Port-Type 61 RFC2865
Port-Limit 62 RFC2865
Service-Type 6 RFC2865
Session-Timeout 27 RFC2865
User-Name 1 RFC2865
User-Password 2 RFC2865
WISPr-Bandwidth-Max-Down 14122 8 wi-fi.org
WISPr-Bandwidth-Max-Up 14122 7 wi-fi.org
WISPr-Bandwidth-Min-Down 14122 6 wi-fi.org
WISPr-Bandwidth-Min-Up 14122 5 wi-fi.org
WISPr-Location-Id 14122 1 wi-fi.org
WISPr-Location-Name 14122 2 wi-fi.org
WISPr-Logoff-URL 14122 3 wi-fi.org
WISPr-Redirection-URL 14122 4 wi-fi.org
WISPr-Session-Terminate-Time 14122 9 wi-fi.org