In the Radius Client is a checkbox for wireless authentication.
I would have thought that from reading the manual the wireless registration would make a radius request
to authenticate the client radio (NOT MAC hotspot user authentication).

I would like to register the MACS on the user manager instead of the wireless ACL and have default authenticate turned off.

I have tryed this and it does not work.
Is this something that can be implimented in the future?

Or could I be doing something wrong?

Bump....

Anyone?

I made this kind of setup some times ago, but with FreeRadius on a Linux machine, and it goes very well.
I think it's the same thing with User Manager, which is a local radius on RouterOS.
Use MAC address as username.

Enable MAC radius authentication, default authenticate to OFF, create e new entry on radius section pointing on localhost, configure user manager and give your user entries as:

Thanks mipland.

I did figure it out.
In the wireless security profile, under the radius tab.
mac authenticate setting must be checked, and of course under radius it must be configured to talk to the user-manager enabled router.

Works Great!

When I receive new radios I configure the radio macs in user manager, then when I deploy to the customer, it does not matter which AP I setup the Radio, I simply have to Create the User in the user-manager.

This way all Authentication is centralized, which will be a great thing when I start playing with the Roaming and WDS etc.

Way Kewl !!!

I like this setup, however is there a way to implement a way to disallow a client radio from user manager, after that client radio has already authenticated. I would like it to be an easy place for my technicians to turn off customers who are past-due. If I disable the user, then I still have to go to the AP to remove someones connection. Then they are not able to re-auth. Anyone have an idea on how to streamline this from the user manager. I want to be able to turn off a customer directly from User-man.

You can always turn off the ethernet port on the client's radio, assuming you are using a RouterBoard solution for CPE's. Just make sure you don't have the IP address on the ethernet interface you disable, or you'll have to roll a truck anyways.

Lol, been doing that for customers we have on the motorola canopy cpe, disabling the client in the Access list for the mikrotik, also if u happen to accidently have the ip on the ethernet port and disable that, then mac-telnet can become a thing of beauty. I was thinking there might be someway to have at least the mtk AP's check the user-mgr on regular intervals to see if the authenticated cpe's still have authentication.

I don't know if the wireless registration table supports DM: http://wiki.mikrotik.com/wiki/Manual:RA ... rom_RADIUS

Might be worth a try. Also don't know if UM supports sending DMs. Other RADIUS servers do.