emils
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

New User Manager in RouterOS v7

Wed Dec 11, 2019 8:34 am

As some of you have already seen, we have released a brand new User Manager for RouterOS version 7. It is included in the v7.0beta4 extra packages zip file on our downloads page. The package is available for all current architectures excluding SMIPS. Mainly EAP authentication method support and custom RADIUS attribute sending are key features that are not available in the User Manager in RouterOS version 6. A new freshly designed customer portal is also developed specially for the new User Manager.

User Manager is a RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better tracking of system users and customers. It supports many different authentication methods including PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP-TLS, EAP-TTLS and EAP-PEAP. In RouterOS, DHCP, Dot1x, Hotspot, IPsec, PPP, Wireless are features that benefit from User Manager the most. Each user can see their account statistics and manage available profiles using the web interface. Additionally, users are able to buy their own data plans (profiles) using the most popular payment gateway - PayPal, making it a great system for service providers. Customized reports can be generated to ease processing by the billing department. User Manager works according to the RADIUS standard defined in RFC2865 and RFC3579.

Currently there is no documentation available for the new User Manager so it is up to you to explore the new package. All User Manager related CLI commands are available under "/user-manager" menu. Winbox support will come a little bit later and there won't be a separate administrators portal as in the old User Manager. The customer portal is available at http://x.x.x.x/um

If you have any feedback, feature requests or questions, please leave them below.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 11:03 am

Feature request: mirroring of the user database to a secondary server on another router, to be used as fallback in case the primary one crashes, is rebooting, etc.
 
rextended
Forum Guru
Posts: 12438
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 1:14 pm

feature request: administrators portal as in the old User Manager
 
normis
MikroTik Support
Posts: 26815
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 1:41 pm

See first post.
 
feris
just joined
Posts: 12
Joined: Tue May 16, 2017 3:58 pm

Re: New User Manager in RouterOS v7

Wed Dec 11, 2019 9:38 pm

feature request: user password encryption via hash function with salt
feature request: option to allow users to change their own passwords via user portal
 
rangoy
just joined
Posts: 2
Joined: Thu Mar 30, 2017 5:30 pm

Re: New User Manager in RouterOS v7

Thu Dec 12, 2019 8:18 pm

Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, I miss the nice possibility to generate and print vouchers from the web interface.
 
krisjanisj
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm

Re: New User Manager in RouterOS v7

Fri Dec 13, 2019 9:52 am

> Hi,
>
> Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?
>
> Right now, I miss the nice possibility to generate and print vouchers from the web interface.

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command You're looking for is:
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
to generate for specific users, or
/user-manager/user/generate-voucher [f] voucher-template=printable_vouchers.html
to generate for all users.
This will create a file gen_printable_vouchers.html.
To access it You either have to download the file to Your device and print that way, or You can access it via the link: <IP>/um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
(Note: For the link to work You first need to set username and password: /user-manager/advanced/set web-private-username=<USER> web-private-password=<PASSWORD>)
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Dec 13, 2019 3:11 pm

Is there any way to have more logging or debugging? I only have "rejects" out of this user manager setup.
What is wrong in this setup? Is there a possible short example for 802.1x to start from?
Is it the limit, the profile, the authentication method? Should be PEAP and MSCHAP2 for 802.1x, no?

This is a lab setup, no real user environment. hAP ac2 (ROS 7.0beta4) as user manager (192.168.2.23) and wAP ac (ROS 6.46) as wifi AP (192.168.2.25)

user manager configuration

[admin@MikroTik hAPac2] /user-manager> export verbose
# dec/13/2019 13:21:29 by RouterOS 7.0beta4
# software id = B8YC-C4XL
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxxxxxxxxxx
/user-manager limitation
add download-limit=0B name=tst rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=0s
add download-limit=0B name=test rate-limit-burst-rx=0B rate-limit-burst-threshold-rx=0B rate-limit-burst-threshold-tx=0B rate-limit-burst-time-rx=0s \
rate-limit-burst-time-tx=0s rate-limit-burst-tx=0B rate-limit-min-rx=0B rate-limit-min-tx=0B rate-limit-priority=0 rate-limit-rx=0B rate-limit-tx=0B \
reset-counters-interval=disabled reset-counters-start-time="jan/01/1970 00:00:00" transfer-limit=0B upload-limit=0B uptime-limit=16m40s
/user-manager profile
add name=userprof name-for-users=userprof override-shared-users=off price=0 starts-when=assigned validity=unlimited
/user-manager user group
set [ find default-name=default ] attributes="" inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=default outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
set [ find default-name=default-anonymous ] attributes="" inner-auths="" name=default-anonymous outer-auths=eap-ttls,eap-peap
/user-manager user
add attributes="" disabled=no group=default name=bpwl password=bpwl shared-users=1
/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
/user-manager advanced
set paypal-allow=no paypal-currency=USD paypal-password="" paypal-signature="" paypal-use-sandbox=no paypal-user="" web-private-password="" web-private-username=""
/user-manager profile-limitation
add from-time=0s limitation=test profile=userprof till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
/user-manager router
add address=192.168.2.25 coa-port=3799 disabled=no name=wap shared-secret=mikrotik
/user-manager user-profile
add profile=userprof user=bpwl
[admin@MikroTik hAPac2] /user-manager>



The logging shows: manager,debug <<< tx Access-Reject after 2 request/challenge handshakes.

# Time Buffer Topics Message

169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
179 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:60363, id: 124
180 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:60363, id: 124
181 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49734, id: 125
182 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49734, id: 125
183 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:51911, id: 126
184 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:51911, id: 126
185 Dec/13/2019 00:32:14 memory manager, debug >>> rx Access-Request from [192.168.2.25]:56187, id: 127
186 Dec/13/2019 00:32:14 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:56187, id: 127
187 Dec/13/2019 00:32:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:36744, id: 128
188 Dec/13/2019 00:32:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:36744, id: 128
189 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55070, id: 129
190 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55070, id: 129
191 Dec/13/2019 00:32:45 memory manager, debug >>> rx Access-Request from [192.168.2.25]:54221, id: 130
192 Dec/13/2019 00:32:45 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:54221, id: 130


The requesting wifi seems normal with RADIUS debug logging.



# Time Buffer Topics Message


506 Dec/13/2019 00:30:55 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
507 Dec/13/2019 00:30:55 memory radius, debug, packet debug: received Access-Reject with id 121 from 192.168.2.23:1812
508 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Signature = 0xc74e9aa1891a0423b0680031b52e63a5
509 Dec/13/2019 00:30:55 memory radius, debug, packet debug: EAP-Message = 0x04020004
510 Dec/13/2019 00:30:55 memory radius, debug, packet debug: Message-Authenticator = 0x406d0b9b63b2573f54e206f1139f1ce5
511 Dec/13/2019 00:30:55 memory radius, debug debug: received reply for 58:c3
512 Dec/13/2019 00:30:55 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
513 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64
514 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c4 code=Access-Request service=wireless called-id=test
515 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c4 to 192.168.2.23:1812
516 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 122 to 192.168.2.23:1812
517 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x3dd925fc93baf700562a0cf27abc6fd4
518 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
519 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
520 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
521 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
522 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
523 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
524 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
525 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x02000009016270776c
526 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x7a2e3e7c4a67cf445a4655b18063ad73
527 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
528 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
529 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 122 from 192.168.2.23:1812
530 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xbac9bd4fa4ff68bf517a95ac5ff23afc
531 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x0101001b1a0100001610486eefc353bc
532 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6b2ecdf458c26fbb026120
533 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
534 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xa49772870be90db17f19d97505f1a863
535 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c4
536 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c5 code=Access-Request service=wireless called-id=test
537 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c5 to 192.168.2.23:1812
538 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 123 to 192.168.2.23:1812
539 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x5ff13abc8302675e71b62c41759dc0fe
540 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
541 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
542 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
543 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
544 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
545 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
546 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
547 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
548 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020100060319
549 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x0201fd3d97e48f7cff4bec8a16a18299
550 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
551 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
552 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Challenge with id 123 from 192.168.2.23:1812
553 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x020a7b6a38e9c131011fdadb4d9e49a1
554 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x010200061920
555 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
556 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb7f791633cf57d3ec49c18fd30624470
557 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c5
558 Dec/13/2019 00:31:44 memory radius, debug debug: new request 58:c6 code=Access-Request service=wireless called-id=test
559 Dec/13/2019 00:31:44 memory radius, debug debug: sending 58:c6 to 192.168.2.23:1812
560 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 124 to 192.168.2.23:1812
561 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0xe3ffe217f2d1fff1d891e45c08228605
562 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Service-Type = 2
563 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Framed-MTU = 1400
564 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
565 Dec/13/2019 00:31:44 memory radius, debug, packet debug: State = 0xfd2e0e32cc6a3137c874bf3dd1865924
566 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Id = "wlan5"
567 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Port-Type = 19
568 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
569 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
570 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x020200d01980000000c616030100c101
571 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0000bd0301b3d0d7ae846d0dbac970c9
572 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 81cba0b50c44a2aa4593d99ee9318b59
573 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 6a5eef810d000054c014c00ac022c021
574 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00390038c00fc0050035c012c008c01c
575 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01b00160013c00dc003000ac013c009
576 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c01fc01e00330032c00ec004002fc011
577 Dec/13/2019 00:31:44 memory radius, debug, packet debug: c007c00cc00200050004001500120009
578 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 0014001100080006000300ff01000040
579 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000b000403000102000a00340032000e
580 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 000d0019000b000c00180009000a0016
581 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00170008000600070014001500040005
582 Dec/13/2019 00:31:44 memory radius, debug, packet debug: 00120013000100020003000f00100011
583 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0xb262b821f948349f54d16ca558b4749d
584 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-Identifier = "MktwAPac"
585 Dec/13/2019 00:31:44 memory radius, debug, packet debug: NAS-IP-Address = 192.168.2.25
586 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Reject with id 124 from 192.168.2.23:1812
587 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Signature = 0x11b7cd725a0d5086a68c659a3a2ed706
588 Dec/13/2019 00:31:44 memory radius, debug, packet debug: EAP-Message = 0x04020004
589 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Message-Authenticator = 0x5345932c7690016ac6bd851a1cc54aea
590 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c6
591 Dec/13/2019 00:31:44 memory wireless, info 54:A0:50:96:A9:99@wlan5: disconnected, 802.1x authentication failed
592 Dec/13/2019 00:32:14 memory wireless, info 54:A0:50:96:A9:99@wlan5: connected, signal strength -64

Device is an old Android tablet with PEAP and MSChap2 set for wifi network security, or even my laptop Windows 10. Both cannot connect.

This same AP setup with the wAP works with a Draytek router and Synology-NAS RADIUS server. But there is poor logging in the Draytek never logging the requesting device, and the Synology NAS is overkill.
Last edited by bpwl on Sat Dec 14, 2019 9:32 am, edited 1 time in total.
 
jolly
Trainer
Posts: 39
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 9:11 am


> Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
> As for vouchers - the command You're looking for is:
> /user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
> to generate for specific users, or

Kudos to the mikrotik team for the work done so far on the new user-manager!

Is there a command option to generate vouchers for a specific group of users, sorting either by prefix of the user ID or by profile? Instead of inserting multiple user IDs one by one!!!
 
jolly
Trainer
Posts: 39
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 9:20 am


> Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).

Can't wait for long to have the Winbox/Webfig control for the UserManager admin :D. It should be a top priority!!
Because doing stuff from CLI for not-so-techy user-manager admins who have to generate vouchers from time to time will pose a major challenge.
 
mkx
Forum Guru
Posts: 12568
Joined: Thu Mar 03, 2016 10:23 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 10:39 am

> /user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>

> is there a command option to generate vouchers for specific group of users sorting either by prefix of the user ID or by profile?

I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not running userman), but I guess usual regular expressions work here as well ...
 
jolly
Trainer
Posts: 39
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 11:42 am

> /user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
> is there a command option to generate vouchers for specific group of users sorting either by prefix of the user ID or by profile?
> I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with construct [ find <selection criterion here>]. I don't know how selection criterion would look like (I'm not running userman), but I guess usual regular expressions work here as well ...

That works!! Thanks
 
jolly
Trainer
Posts: 39
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Sat Dec 14, 2019 12:32 pm

feature request: user's ability to change own password from the users portal as in the old User Manager
 
krisjanisj
Member Candidate
Posts: 101
Joined: Wed Feb 20, 2019 2:53 pm

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 9:30 am

@mkx & @jolly - My provided lines were just an example. Standard ROS script functions to find a particular set of data can be used while generating vouchers as @mkx mentioned.
 
strods
MikroTik Support
Posts: 1650
Joined: Wed Jul 16, 2014 7:22 am
Location: Riga, Latvia

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 10:01 am

bpwl - User Manager requires a certificate in order to work with EAP and I see that you do not have a certificate specified under UM settings:

/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes
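
Added example (not part of any post in this thread, and not MikroTik code): a small Python decoder for the EAP-Message values in bpwl's wAP log above, showing that the Access-Reject arrives right after the client opens the PEAP TLS handshake, the step at which the server needs its certificate. The hex strings are copied from that log; the last request is cut to its first logged line, and the function names and `diagnose` labels are this example's own.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}          # methods that carry TLS records after a flags byte
TLS_FLAGS = ((0x80, "length-included"), (0x40, "more-fragments"), (0x20, "start"))
TLS_HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate"}

# EAP-Message values from the wAP log in this thread, in order (RADIUS ids 122-124).
# The ClientHello is cut to its first logged line (16 of the declared 208 bytes).
EXCHANGE = [
    "0x02000009016270776c",
    "0x0101001b1a0100001610486eefc353bc6b2ecdf458c26fbb026120",
    "0x020100060319",
    "0x010200061920",
    "0x020200d01980000000c616030100c101",
    "0x04020004",
]


def decode_eap(hex_value):
    """Decode one EAP packet (RFC 3748 header) from a RADIUS EAP-Message hex string."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, "unknown-%d" % code), "id": ident,
            "length": length, "truncated": len(raw) < length}
    if code in (3, 4) or len(raw) < 5:
        return info                      # Success/Failure carry no type or data
    eap_type, data = raw[4], raw[5:length]
    info["type"] = EAP_TYPES.get(eap_type, "type-%d" % eap_type)
    if eap_type == 1 and code == 2:
        info["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 3:
        # Nak: the peer refuses the offered method and lists what it wants instead
        info["wants"] = [EAP_TYPES.get(t, "type-%d" % t) for t in data]
    elif eap_type in TLS_BASED and data:
        flags = data[0]
        info["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
        # With the length-included flag, a 4-byte TLS message length follows the flags
        body = data[5:] if flags & 0x80 else data[1:]
        if len(body) >= 6 and body[0] == 0x16:       # TLS handshake record
            info["tls"] = TLS_HANDSHAKES.get(body[5], "handshake-%d" % body[5])
    return info


def diagnose(exchange):
    """Name the stage at which an EAP exchange ended (labels are this example's own)."""
    packets = [decode_eap(value) for value in exchange]
    if packets[-1]["code"] != "Failure":
        return "no-failure"
    before = packets[-2] if len(packets) > 1 else {}
    if before.get("tls") == "ClientHello":
        return "server-failed-after-client-hello"
    return "failed-in-" + before.get("type", "unknown")


if __name__ == "__main__":
    for value in EXCHANGE:
        print(decode_eap(value))
    print(diagnose(EXCHANGE))
```

The decoded sequence is Identity, an MS-CHAPv2 offer, a Nak asking for PEAP, PEAP start, ClientHello, Failure: the method negotiation succeeds and the exchange ends before any server TLS message is sent.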
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Dec 16, 2019 11:12 am

@strods

Thanks a lot. The perfect answer I was looking for.

300 Dec/16/2019 09:41:22 memory certificate, info generated CA certificate: CA
301 Dec/16/2019 09:41:37 memory system, info, account user admin logged out from 192.168.2.21 via telnet
302 Dec/16/2019 09:41:59 memory certificate, info generated certificate 7A594AB680019073:AP:BE:TEWEAD:IT:WVL:Roeselare key-size:2048 key-curve:0 usage:8000000d valid:365 for CA CA
303 Dec/16/2019 09:44:09 memory system, info, account user admin logged in from 192.168.2.21 via telnet
304 Dec/16/2019 09:46:16 memory system, info UMS settings changed by admin
305 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55868, id: 140
306 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55868, id: 140
307 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:39222, id: 141
308 Dec/16/2019 09:48:19 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:39222, id: 141
309 Dec/16/2019 09:48:19 memory manager, debug >>> rx Access-Request from [192.168.2.25]:52030, id: 142
310 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:52030, id: 142
311 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:55534, id: 143
312 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:55534, id: 143
313 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:48873, id: 144
314 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:48873, id: 144
315 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:47916, id: 145
316 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:47916, id: 145
317 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:34664, id: 146
318 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:34664, id: 146
319 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:46874, id: 147
320 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:46874, id: 147
321 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:49471, id: 148
322 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:49471, id: 148
323 Dec/16/2019 09:48:20 memory manager, debug >>> rx Access-Request from [192.168.2.25]:50628, id: 149
324 Dec/16/2019 09:48:20 memory manager, debug <<< tx Access-Accept to [192.168.2.25]:50628, id: 149

Now I would like to see in the unit that runs the user-manager what device was logging into wifi with what user name. (Calling ID and user account). Information is in the RADIUS packet and can be seen at the AP with the RADIUS packet debug logging. Or should I check "accounting" somewhere? I need to know for legal logging, who is doing what on the internet connection. Not all my AP's are Mikrotik yet. Using a login portal for internet access is what we had, and has proven to be problematic with 80 visiting users and 10 AP's and many different devices.
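
Added example, not part of the thread and not MikroTik code: one way to get the user/device pairing from the AP-side `radius,debug,packet` log, by matching each Access-Request's User-Name and Calling-Station-Id with the final Access-Accept or Access-Reject for the same RADIUS id. The sample lines are constructed in the format of the wAP log posted earlier in the thread (the Accept for id 149 is constructed; the page shows it only on the User Manager side), and the function name is this example's own.

```python
import re

# Constructed sample in the wAP log format shown earlier in this thread.
SAMPLE_LOG = """\
560 Dec/13/2019 00:31:44 memory radius, debug, packet debug: sending Access-Request with id 124 to 192.168.2.23:1812
564 Dec/13/2019 00:31:44 memory radius, debug, packet debug: User-Name = "bpwl"
568 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
569 Dec/13/2019 00:31:44 memory radius, debug, packet debug: Called-Station-Id = "test"
586 Dec/13/2019 00:31:44 memory radius, debug, packet debug: received Access-Reject with id 124 from 192.168.2.23:1812
590 Dec/13/2019 00:31:44 memory radius, debug debug: received reply for 58:c6
700 Dec/16/2019 09:48:20 memory radius, debug, packet debug: sending Access-Request with id 148 to 192.168.2.23:1812
701 Dec/16/2019 09:48:20 memory radius, debug, packet debug: User-Name = "bpwl"
702 Dec/16/2019 09:48:20 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
703 Dec/16/2019 09:48:20 memory radius, debug, packet debug: received Access-Challenge with id 148 from 192.168.2.23:1812
704 Dec/16/2019 09:48:20 memory radius, debug, packet debug: sending Access-Request with id 149 to 192.168.2.23:1812
705 Dec/16/2019 09:48:20 memory radius, debug, packet debug: User-Name = "bpwl"
706 Dec/16/2019 09:48:20 memory radius, debug, packet debug: Calling-Station-Id = "54-A0-50-96-A9-99"
707 Dec/16/2019 09:48:20 memory radius, debug, packet debug: received Access-Accept with id 149 from 192.168.2.23:1812
"""

# "<n> <date> <time> memory radius, debug, packet debug: <message>"
LINE = re.compile(r"^\s*\d+\s+(\S+\s+\S+)\s+memory\s+radius,\s*debug,\s*packet\s+debug:\s+(.*)$")
SENT = re.compile(r"^sending Access-Request with id (\d+) to (\S+)$")
RECV = re.compile(r"^received (Access-\w+) with id (\d+) from (\S+)$")
ATTR = re.compile(r'^(User-Name|Calling-Station-Id|Called-Station-Id) = "(.*)"$')


def final_outcomes(log_text):
    """Return one record per Access-Accept/Access-Reject, with the request's attributes."""
    pending = {}      # RADIUS id -> attributes of the request still waiting for a reply
    current = None    # request whose attribute lines are currently being read
    results = []
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue                     # other topics (wireless, non-packet radius lines)
        timestamp, message = match.group(1), match.group(2).strip()
        sent = SENT.match(message)
        recv = RECV.match(message)
        attr = ATTR.match(message)
        if sent:
            current = {"id": int(sent.group(1)), "server": sent.group(2)}
            pending[current["id"]] = current
        elif recv:
            current = None               # attributes after this line belong to the reply
            request = pending.pop(int(recv.group(2)), None)
            # Access-Challenge is an intermediate EAP round, not an outcome
            if request and recv.group(1) in ("Access-Accept", "Access-Reject"):
                request.update(time=timestamp, result=recv.group(1))
                results.append(request)
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return results


if __name__ == "__main__":
    for record in final_outcomes(SAMPLE_LOG):
        print(record["time"], record["result"], record.get("User-Name"),
              record.get("Calling-Station-Id"))
```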
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Dec 23, 2019 1:14 am

All fine the tests with wireless 802.1x (WPA2 enterprise) and the user-manager as Radius server, until the client is Windows 10 (1903). Windows 10 clients seem not to accept self-signed certificates, even if the CA certificate is added to the trusted base certificates on the client, and checking the server certificate is disabled. Either a public acquired certificate is needed, or a private certificate authority has to be set up. Not that simple building that private certificate authority if there are no servers in the network (only routers, switches and access points). Using other routers for radius server does work well, but those have a built-in certificate, signed by the CA of the vendor. Is there such a thing with Mikrotik? Acquiring a public certificate is quite a job, as you have to have your own domain name (e.g. noip.com), and a public accessible website to enroll and renew the certificate (e.g. Let's Encrypt).

I followed this https://serverfault.com/questions/98637 ... rtificates and this https://support.microsoft.com/en-us/hel ... th-eap-tls and this https://blogs.msdn.microsoft.com/shreya ... tificates/ and many many other instructions for EAP, certificates and Windows 10 compatibility. But none of them worked. If I use the radius on my Synology NAS storage device then it works fine. (CA is Synology.com). Start wondering if it is the certificate or the TLS 1.2 incompatibility (Windows 10 version 1903?). https://support.microsoft.com/en-us/hel ... nvironment . Can we specify the TLS version of EAP? It did not work from the Windows side.
Last edited by bpwl on Wed Dec 25, 2019 7:28 pm, edited 1 time in total.
 
akska10
just joined
Posts: 3
Joined: Mon May 07, 2018 6:39 pm

Re: New User Manager in RouterOS v7

Tue Dec 24, 2019 4:19 pm

Future request:
Ability to change generation properties ..
Like generate numbers only or letters only, or choose a set of letters/digits/symbols in addition to previous properties
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Wed Dec 25, 2019 7:39 pm

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done :!:
.
v7-eap-test-ws.png
.
v7-eap-test-rad-debug.png
.
v7-eap-test-um-stat.PNG
.
v7-eap-test-um-sess.PNG
.
v7-eap-test-andr.png
.
.
and unlike me, keep your clocks in sync !
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Wed Dec 25, 2019 10:09 pm

@floaty: Super !!!!
Any issues with Windows 10 clients?
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 12:31 am

indeed ... booted up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ...
no accept, no reject ... stuck in challenge
.
so maybe a problem with my server-certificate ...
or:
https://support.microsoft.com/en-ph/hel ... nvironment
.
maybe both
... interesting ...
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 3:49 am

so ... for starters ... it seems the problem is NOT related to the certificates I've generated on the chr-v7-radius-um-machine :!:
I've installed these certificates on another radius-machine ...
.
you may ask: ... what the **ck took him so long ? 
a.) ... tried that on my production-machine ... which has an eval-license ... resources are tight ... dependencies were neglected ... a backup had to do its job
b.) ... provisioned a new VM ... these are minutes too !
c.) ... there's kind of a mini-bar in homeland-labs   :shock:  ... sometimes it spurs ... sometimes it brakes
.
... and they are on duty on this device without flaws (win10, android, linux) !! :?:
.
I'm a little in the dark how to debug "MTIk-v7-UserMan-eap" ... guess the carving of these handles is work in progress ...
.
fac-cert-rad-install.PNG
.
fac-certification-check.PNG
.
tupi-connect.PNG
.
debian-too.png
.
global-view.PNG
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 5:02 am

just had a little read-along ... again
.
169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
.
@bpwl
.
did you check your UserManager-setup without EAP ?? (ntradping or something like that ?)
... it's kinda uncommon to receive an access-reject when the inner tunnel fails to establish ... cross-check couldn't hurt !?
... your user should be able to authenticate without any extensions (plain pap & chap)
.
https://www.novell.com/coolsolutions/tools/14377.html
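
An added triage sketch (not part of any post in this thread, and not MikroTik code) for debug output like the lines quoted above: it pairs each request with its reply and reports whether an exchange ended in Access-Accept, ended in Access-Reject, or never got a final answer. The log shows neither User-Name nor State, so grouping by NAS address and a 10-second idle gap is an assumption that only holds when one client authenticates at a time; the function names are illustrative.

```python
import re
from datetime import datetime, timedelta

# The ten debug lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119
170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119
171 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:42899, id: 120
172 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:42899, id: 120
173 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:41869, id: 121
174 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Reject to [192.168.2.25]:41869, id: 121
175 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:35311, id: 122
176 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:35311, id: 122
177 Dec/13/2019 00:31:44 memory manager, debug >>> rx Access-Request from [192.168.2.25]:57176, id: 123
178 Dec/13/2019 00:31:44 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:57176, id: 123
"""

LINE_RE = re.compile(
    r"(?P<ts>[A-Za-z]{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}).*?"
    r"\b(?P<dir>rx|tx) (?P<code>Access-[A-Za-z]+) (?:from|to) "
    r"\[(?P<nas>[^\]]+)\]:(?P<port>\d+), id: (?P<id>\d+)"
)

# Assumption (not from the thread): a pause longer than this between
# packets from one NAS means a new authentication attempt has started.
IDLE_GAP = timedelta(seconds=10)
TERMINAL = {"Access-Accept", "Access-Reject"}


def parse(log_text):
    """Turn matching log lines into event dicts; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%b/%d/%Y %H:%M:%S"),
                "dir": m["dir"], "code": m["code"], "nas": m["nas"],
                "port": int(m["port"]), "id": int(m["id"]),
            })
    return events


def conversations(events):
    """Group request/reply pairs into per-NAS conversations."""
    all_convs = []   # every conversation, in order of first request
    open_conv = {}   # nas -> conversation still waiting for a final reply
    pending = {}     # (nas, port, id) -> conversation that sent the request
    for ev in events:
        key = (ev["nas"], ev["port"], ev["id"])
        if ev["dir"] == "rx":
            conv = open_conv.get(ev["nas"])
            if conv is None or ev["ts"] - conv["last"] > IDLE_GAP:
                conv = {"nas": ev["nas"], "start": ev["ts"], "last": ev["ts"],
                        "round_trips": 0, "outcome": "incomplete"}
                all_convs.append(conv)
                open_conv[ev["nas"]] = conv
            conv["last"] = ev["ts"]
            pending[key] = conv
        else:
            conv = pending.pop(key, None)
            if conv is None:
                continue  # reply whose request is outside this excerpt
            conv["round_trips"] += 1
            conv["last"] = ev["ts"]
            if ev["code"] in TERMINAL:
                conv["outcome"] = ev["code"]
                if open_conv.get(ev["nas"]) is conv:
                    del open_conv[ev["nas"]]
    return all_convs


def summarize(log_text):
    """Return (nas, start time, round trips, outcome) per conversation."""
    return [(c["nas"], c["start"].strftime("%H:%M:%S"),
             c["round_trips"], c["outcome"])
            for c in conversations(parse(log_text))]


if __name__ == "__main__":
    for nas, start, trips, outcome in summarize(SAMPLE_LOG):
        print(f"{nas} {start} round-trips={trips} outcome={outcome}")
```

On the quoted lines this separates the attempt that was rejected on its third round trip from the later one whose last logged reply is still an Access-Challenge.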
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 9:57 am

@floaty: the setup works fine with Android devices. I didn't see the problem at those initial tests. So user/password is OK, connection to radius server is OK (it's wireless and bridged, can't do a Mikrotik sniffer on this 5 GHz connection). In the beginning I had rejects for Windows 10. But after improving the Mikrotik certificate definitions, now I'm stuck in the handshake like you. The CAPI2 logbook in Windows didn't teach me enough to understand what's going on. There are so many cases of Windows 10 problems in forums ....
(Fortinet was my favorite @work for many years, don't have it @home)
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Dec 26, 2019 10:56 pm

@floaty: interesting tool, that NTradPing test tool. Reveals no errors. Teaches me that the shared secret is not checked for user authentication.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:36 am

yeah ... good tool (and as old as methusalix) ...
.
maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject
.
.
btw. repeated my eap-test with newly generated certificates keysize 4096 instead of 2048 ... and then also the android client fails
will give it a try with externally generated certs ... another day
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:51 am

@floaty: searching everywhere ... the sniffer tool on the Mikrotik (not the interface sniffer tool) does allow me to capture the radius communication. Seen no clue so far. Only Wireshark sees fragmented IP in the UDP packet (with certificate information), with packet size 1514 bytes. Framed MTU is at 1400 bytes. Just raw information for me .... https://community.arubanetworks.com/t5/ ... d-p/498619 . Don't know if this brings something.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Fri Dec 27, 2019 1:09 pm

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle.
We better wait for an "upstream statement" ...
Maybe an old windows7-valiant out there can tell if he's able to connect ...
[ ... also the fortiauthenticator spat out my keysize 4096 certificates ... cipher not supported ]
.
win10ver.PNG
 
hfree
just joined
Posts: 2
Joined: Sat Apr 25, 2015 7:33 pm

Re: New User Manager in RouterOS v7

Sun Dec 29, 2019 5:04 pm

feature request: radius proxy for wifi roaming
 
tomtom800
just joined
Posts: 3
Joined: Sun Jan 05, 2020 1:40 pm

Re: New User Manager in RouterOS v7

Sun Jan 05, 2020 2:02 pm

feature request: central managed ip pools

At the moment we have to split our ip pool with public ipv4 over all routers where the customer can connect. So we lose a lot of addresses because we need some reserve on every router. One central ip pool on the radius would be great.

Maybe one challenge would be that sometimes userman doesn't check that a customer is offline and sessions are sometimes still active.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Jan 07, 2020 8:20 pm

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy)
and until someone put a gracious eye on your feature-request ... you can evaluate here:
https://www.kaplansoft.com/tekradius/
( ... only when you can live with a windows-box)
Should ... or better: it may be possible to proxify the user-authentication to Mikrotik-userman and only use the dhcp-feature to circumvent your pub-IP-shortage.
A customer of mine is running the tek-radius (as freeware) in front of his MS-SQL-userdb for Portal-Authentication ... a happy man ! :shock: ... no complaints
 
millenium7
Long time Member
Long time Member
Posts: 578
Joined: Wed Mar 16, 2016 6:12 am

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 5:16 am

Can this new user manager (or the old one) be used in a centralized way for multiple sites?

We currently use HSNM because it gives us a web UI to setup new sites and generate new voucher codes for any site with an administrative overview. Plus change images etc for the hotspot page
But we could very happily get rid of it and just run this directly on the MikroTik if there is a way to centrally manage all the sites. Each site needs its own images/logos and its own voucher codes with different plan speeds, data usage etc
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 1:16 pm

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.).
Not sure about the logo-customization ...
If you're already using MTik-devices you can download the usermanager package, install it and check yourself if it fits your needs ... no big deal, easily done.
 
millenium7
Long time Member
Long time Member
Posts: 578
Joined: Wed Mar 16, 2016 6:12 am

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 1:43 pm

True but my workday does not consist of sitting around twiddling my thumbs wondering what I could do next :)

I don't mind tinkering with things but time is limited and if it's not viable yet I'm happy to just wait and move onto other things. After all V7 is not production ready just yet anyway, but keen to see where it's headed
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Mon Jan 13, 2020 2:27 pm

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Jan 17, 2020 8:43 pm

Windows 10 build 1903 and 1909 both fail to connect to 802.1x (WPA2 enterprise) with the new Radius server on ROS7beta4.
Also the working "other" Radius servers have just a self signed certificate. So it seems not to be the certificate, and not the Windows 10 build 1909 requirements from Microsoft.
I hope next ROS7 beta release will have Radius debug log ... and a fix to allow Windows 10 clients.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 2:46 am

yay: one+ for a radius-eap-debugging option
.
... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw)
-> ... also windows7 is not able to connect to the MT-CHR7-radius.

Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-certificate in w7.
Odd thing: even while in the wireless-profile "validate server-certificate" was NOT ticked:
no dialogue to accept the radius-server certificate popped up, when I tried to connect ( I could do that ... once ... in the good old time : )
I had to install the server-cert in addition to the CA-cert. ... maybe the W7 subsystem has also been updated.
.
But the v7 Radius got stuck with the Win7-client in the same way.
... maybe an overlain libc in the compiling chain :?: . :shock:
.
no_tupi_nix_w7.PNG
.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 2:53 am

... while reviewing ... and talking odds ...
.
no_tupi_nix_w7_more_odd.png
.
maybe a clock prob I did run into ...
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Jan 18, 2020 3:10 am

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.
 
chittimotunaveen
just joined
Posts: 1
Joined: Thu Jan 23, 2020 5:16 am

Re: New User Manager in RouterOS v7

Thu Jan 23, 2020 5:23 am

Feature request: Enable user to login with OTP (like Indian railway stations) or whatsapp, gmail, hotmail, twitter, instagram.

Userman is nice for small ISPs for commercial purposes! But we need to create every user/voucher and have to share it with customers, and they have to enter username and password manually.

Now small stores, hospitals, clinics, malls, coffee shops will provide a wifi for free to customers, but we need to collect customer information like name, mobile, email, address. So with the help of hotspot and giving free internet access by enabling social media logins.
That data will be usable for brand promotions later. Data is new oil for us :D

There is already an existing solution to do this, found on the mikrotik forum "viewtopic.php?t=102208"
https://shop.codekece.com/downloads/dabsah/

So I hope you guys will also look into this and will integrate social media login in routeros 7
 
User avatar
MForooghii
just joined
Posts: 17
Joined: Thu Mar 01, 2012 6:57 am

Re: New User Manager in RouterOS v7

Mon Jan 27, 2020 12:03 am

feature request:
sync new users from Microsoft Active Directory or other standard LDAP protocols.(can add users with special profile if they belong to a user group in AD)
profiles with invalid profile limitations to change a user attributive after user used the amount of time/Size specified in one day-week or month. and or after profile limitation. we can connect invalid users/profiles with special ip pool and redirect these users to an http page to view and charge their accounts.
it's amazing if we can have same cisco isg feature in mikrotik.
 
User avatar
MForooghii
just joined
Posts: 17
Joined: Thu Mar 01, 2012 6:57 am

Re: New User Manager in RouterOS v7

Mon Jan 27, 2020 1:22 am

feature request:
custom payment method that can config as Hotel Billing gateway or other gateways that simplify written by users. This can authenticate users passports with billing systems. That is useful if they can redirect some information (like username-password- phone number) to gateway even to send him his information using some RTF Language that not supported in mikrotik CLI.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sun Feb 09, 2020 2:08 am

Have been waiting for an update for ROS 7.0beta4 for Usermanager ... ability to use Windows clients

But if those license limits will apply for Radius-EAP, then Usermanager gets out of scope. I can understand these are realistic numbers for VPN dialin users, but for local wifi users ????




Klembord-2.jpg
 
excession
Member Candidate
Member Candidate
Posts: 115
Joined: Mon May 11, 2015 8:16 pm

Re: New User Manager in RouterOS v7

Wed Feb 12, 2020 6:07 pm

Not seeing Mikrotik specific attributes in the docs: https://help.mikrotik.com/docs/display/ ... er+Manager

How do we add Vendor Specific attributes?

I'd like to be able to add:
ATTRIBUTE Mikrotik-Wireless-PSK 16 string

Or preferably have all Mikrotik attributes already defined.

UPDATE:

Looks like this might work:
/user-manager attribute add name=Mikrotik-Wireless-PSK type-id=26 value-type=string
Not sure what the type-id refers to; guessed "26". From the docs:
26 Vendor-Specific Access-Accept, Access-Challenge

Anyone know?

Many thanks.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Feb 14, 2020 2:40 pm

FYI: Just loaded RouterOSv7.0beta5. Still no Windows 802.1x EAP clients according to my little wifi test.
 
User avatar
emils
Forum Veteran
Forum Veteran
Topic Author
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: New User Manager in RouterOS v7

Fri Feb 14, 2020 3:05 pm

Check the "manager" logging topic. It should contain more information in beta5. Have you checked the logs on Windows using Event Viewer?
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Feb 14, 2020 3:33 pm

Hi emils, I book no progress. Log output did not change after ROS 7.0beta5 upgrade.

I'm not able to see the error. Must be something I and others in this forum thread do different from what is expected.


Klembord-3.jpg
Klembord-4.jpg
 
User avatar
mozerd
Forum Veteran
Forum Veteran
Posts: 919
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada
Contact:

Re: New User Manager in RouterOS v7

Fri Feb 14, 2020 5:10 pm

User Manager is RADIUS server implementation in RouterOS which provides centralized user authentication and authorization to a certain service. Having a central user database allows better track of system users and customers.
I have not loaded v7 Bx and will not until v7 RC is out -- but I wanted to THANK YOU for including RADIUS server implementation in RouterOS under user manager. A great addition and will look forward to testing when RC is out.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New User Manager in RouterOS v7

Wed Feb 19, 2020 10:48 pm

Typical hotel practice is to add room number to last name for wifi.
If looking for smart phone applications, perhaps generate a code that a user puts into an MT app on the smart phone to access wifi...........
Could be sent via SMS or email to the persons phone number??

Good idea to lay out the requirements clearly.........................
1. Non MT trained person (any hotel or bar staff, can easily/quickly generate a key or code etc, and easy to get to customer (SMS or email to phone/tablet) and easy for customer to access (perhaps a MT app for wifi access - or another tool in the current MT app).
Least obtrusive but reasonably secure.

Really fancy would be to generate bar codes thingys..... QR codes.


PS I have used zyxel hotspot devices before and I like the direction MT is going on this one. You may wish to have a VIP option, where there is no time limit or reduced or no cost options etc..........
Different groups of users I suppose..........(probably already covered?)
 
ilcergio
just joined
Posts: 1
Joined: Sat Mar 14, 2020 2:42 am

Re: New User Manager in RouterOS v7

Sat Mar 14, 2020 2:45 am

function request an API that allows radio manager to be integrated with third-party applications to manage accounting
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Apr 25, 2020 4:00 am

.
... while v7 is still cooking ... we're stuck with our windows-wlan-clients in the meantime ...
and because corona-boreout and freeradius3.0 forming a perfect couple ... we are setting up an EAP-proxy (almost better than sudoku)
.
       ------            ubnt       bananapi         CHR
   ////      \\\\     +-------+     +-------+     +-------+
  |     SSID     |    |       |     |       |     |       |
 |                |---+  AP   |-----+freerad|-----+ MTik  |
  |    xolotl    |    |       |     |  3.0  |     |  UM   |
   \\\\      ////     |       |     |       |     |       |
       ------         +-------+     +-------+     +-------+
                        .253          .28           .161
    andro-client
  54-25-EA-59-26-EC            192.168.222.0/24

    win10-client        NAS        EAP-Proxy       MSCHAP
  F8-16-54-05-67-F7
.
I've attached a config- and a debug-dump, so if someone feels the need to setup such a thing for him- / herself , it should hopefully be possible to sing along.
.
freerad-setup in short:
.
1. config client (MTik-UM)
2. setup a realm in proxy.conf
3. activate virtual-server "proxy-inner-tunnel" ... the v-server "inner-tunnel" should be activated by default
4. direct your eap-protocols to v-server "proxy-inner-tunnel" in mods-enabled/eap ... in my example only peap ... , ttls is directed to "inner-tunnel" (just to show what's what)
5. file "sites-enabled/inner-tunnel" should be good as it is
6. direct v-server proxy-inner-tunnel in file "sites-enabled/proxy-inner-tunnel" to your realm from proxy.conf
.
more or less that's it, ... it should be possible to connect with EAP/PEAP(MSCHAPv2) to your SSID
.
Freeradius is a beasty thing. To be honest it took me some hours to figure it out, I did some stuff with v2 a couple of years ago :roll: felt not like it helped me much here.
Just saw that v4 is avail :shock: ... also with tons of new features and directives
.
In case you got stuck, have a look in the debug-dump ... it's a good source to see in which order the server(s) work and how the cfg-files are used and interpreted.
Maybe there will be a follow up, how to use attributes from a foreign dictionary ... point I haven't figured out yet.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Apr 25, 2020 4:06 am

 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Sat Apr 25, 2020 5:20 pm

.
just discovered a nice radius testing-tool ... no eap-features ... , but it's possible to save predefined setups, contains coa-requests, server-stress-testing, monitoring ... tidy
for windows, linux, freebsd ... decent
seems ntradping, my convenient good old geezer, is ready for pension :(
.
https://www.iea-software.com/products/r ... login4.cfm
.
test-tool.PNG
.
test-tool#2.PNG
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Mon Apr 27, 2020 6:38 pm

.
just for the completeness of the picture:
proxying a request from freeradius-v4 to MTik-UM-v7b5 seems to be a nogo
.
after setting up a new instance for MTik-UM in new radius_rlm of FRv4; FRv4 tries something like a check or hello or something, before the rlm is fully instantiated ... which fails ... dropped ... unsupported
.
 ######   mods-available/radius   #####
 #
 #  The module adds a Proxy-State attribute to all proxied packets.
 #  This `Proxy-State` contains a 32-bit random number, which is unique
 #  to this module.  This unique number helps to detect proxy loops.
 #
 proxy-hlandtikrad - Status check packet type will be Status-Server
(proxy-hlandtikrad)    Event-Timestamp = "Jan  1 1970 00:00:00 UTC"
(proxy-hlandtikrad)    NAS-Identifier = "status check - are you alive?"
.
.
but I've been warned ... so it is what it is ... anti-corona-boreout-sit-ups :-|
.
 Info  : FreeRADIUS Version 4.0.0
 Info  : Copyright 1999-2019 The FreeRADIUS server project and contributors
 Info  : There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
 Info  : PARTICULAR PURPOSE
.
v4-module-instantiation.png
.
MTik-UMv7-response.png
 
User avatar
SiB
Forum Guru
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: New User Manager in RouterOS v7

Tue Jun 23, 2020 6:09 pm

I have a question which is very important for me, maybe even as a Feature Request.

Does that new User Manager allow me to use it to separate VPN Radius clients into separate users?

Currently the VPN service uses only ONE ppp\profile and Radius users from Micro$oft NPS are as one group which cannot be separated, they exist as one pool.

I have used a workaround for a long time, which I just pasted in the best post I could find about that problem, here is a post PPTP VPN with RADIUS and Fixed IP address for PPTP clients.
I use profile on-up/down scripts which grab IP from pools and manage own Firewall\AccessList, which is my basis for separating one user from another. This is not a perfect method...

Best Regards
Marcin (SiB) Przysowa.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Jun 23, 2020 8:11 pm

.
you should be able to do this by adding the attribute "Mikrotik-Group" to a user
(haven't figured if and when if, ... how to add an attribute-set to a profile or user-profile ... like a group-feature ? ... I would like that too)
.
Mikrotik-Group - Router local user group name (defines in /user group) for local users; HotSpot default profile for HotSpot users; PPP default profile name for PPP users.
.
[admin@chr-7-1] /user-manager/attribute> add name=Mikrotik-Group vendor-id=14988 type-id=3 value-type=string packet-types=access-accept 
[admin@chr-7-1] /user-manager/attribute> 
[admin@chr-7-1] /user-manager/user> print
Flags: X - disabled 
 0   name="v7" password="***" group=default shared-users=unlimited attributes="" 

 1   name="v7w" password="***" group=default shared-users=unlimited attributes="" 
[admin@chr-7-1] /user-manager/user> 

[admin@chr-7-1] /user-manager/user> set 0 attributes=
Mikrotik-Group  :
[admin@chr-7-1] /user-manager/user> set 0 attributes=Mikrotik-Group:Testgroup 
[admin@chr-7-1] /user-manager/user> 
02:47:37 echo: system,info UMS user <v7> changed by admin
[admin@chr-7-1] /user-manager/user> 
.
requ.png
.
ws-dump.png
Last edited by floaty on Tue Jun 23, 2020 9:40 pm, edited 1 time in total.
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Jun 23, 2020 8:27 pm

.
you can also add:
Radius:IETF Framed-Pool
to select the IP-Pool
.
and
Radius:IETF Filter-Id
to define a firewall-chain in MTik-ROS
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Jun 23, 2020 8:55 pm

.
and ... I found the group-feature ... in between ... hard to see : )
.
/user-manager/user/group
.
[admin@chr-7-1] /user-manager/user/group> print
Flags: * - default
0 * name="default" default-name="default" outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 attributes=""

1 * name="default-anonymous" default-name="default-anonymous" outer-auths=eap-ttls,eap-peap inner-auths="" attributes=""

2 name="Mygroup" outer-auths="" inner-auths="" attributes=Mikrotik-Group:Testgroup,Mikrotik-Wireless-PSK:bananas
.

########################################

# jun/24/2020 03:36:09 by RouterOS 7.0beta8
# software id = 
#
/user-manager attribute
add name=Mikrotik-Recv-Limit type-id=1 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Xmit-Limit type-id=2 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Group type-id=3 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Forward type-id=4 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Skip-Dot1x type-id=5 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Enc-Algo type-id=6 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Enc-Key type-id=7 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Rate-Limit type-id=8 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Realm type-id=9 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Mark-Id type-id=11 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Advertise-URL type-id=12 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Advertise-Interval type-id=13 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Recv-Limit-Gigawords type-id=14 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Xmit-Limit-Gigawords type-id=15 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-PSK type-id=16 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Total-Limit type-id=17 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Total-Limit-Gigawords type-id=18 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Address-List type-id=19 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-MPKey type-id=20 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Comment type-id=21 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Delegated-IPv6-Pool type-id=22 value-type=string vendor-id=Mikrotik
add name=Mikrotik-DHCP-Option-Set type-id=23 value-type=string vendor-id=Mikrotik
add name=Mikrotik-DHCP-Option-Param-STR1 type-id=24 value-type=string vendor-id=Mikrotik
add name=Mikortik-DHCP-Option-Param-STR2 type-id=25 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-VLANID type-id=26 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-VLANIDtype type-id=27 value-type=uint32 vendor-id=Mikrotik
add name=Mikrotik-Wireless-Minsignal type-id=28 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Wireless-Maxsignal type-id=29 value-type=string vendor-id=Mikrotik
add name=Mikrotik-Switching-Filter type-id=30 value-type=string vendor-id=Mikrotik
[admin@chr-7-1] /user-manager/attribute> 
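
An added illustration (not part of any post in this thread, and not MikroTik code) of how the `vendor-id` and `type-id` values shown above sit on the wire: RFC 2865 attribute 26 is only the outer Vendor-Specific wrapper, and the vendor ID 14988 plus the vendor type (3 for Mikrotik-Group, 16 for Mikrotik-Wireless-PSK, both taken from the export above) are carried inside it. Function names are illustrative, and the sub-attribute layout is the type/length/value form RFC 2865 recommends.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 attribute type of the outer wrapper
MIKROTIK_VENDOR_ID = 14988  # vendor-id used in the thread
# Vendor types copied from the /user-manager attribute export in the thread.
MIKROTIK_VENDOR_TYPES = {3: "Mikrotik-Group", 16: "Mikrotik-Wireless-PSK"}
MAX_VALUE_LEN = 255 - 2 - 4 - 2  # outer header, vendor id, inner header


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if not 0 <= vendor_type <= 255:
        raise ValueError("vendor type must fit in one octet")
    if len(value) > MAX_VALUE_LEN:
        raise ValueError("value too long for one RADIUS attribute")
    sub = bytes([vendor_type, 2 + len(value)]) + value
    outer_len = 2 + 4 + len(sub)
    return bytes([VENDOR_SPECIFIC, outer_len]) + struct.pack("!I", vendor_id) + sub


def iter_tlvs(buf):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        # The length octet covers the two header octets as well.
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("attribute length out of bounds")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def decode_vsa(value):
    """Split a Vendor-Specific value into vendor id and sub-attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    return vendor_id, list(iter_tlvs(value[4:]))


def describe(attr_bytes):
    """Name every attribute in the attribute section of a RADIUS packet."""
    out = []
    for atype, value in iter_tlvs(attr_bytes):
        if atype != VENDOR_SPECIFIC:
            out.append((f"attr-{atype}", value))
            continue
        vendor_id, subs = decode_vsa(value)
        for vtype, vvalue in subs:
            if vendor_id == MIKROTIK_VENDOR_ID and vtype in MIKROTIK_VENDOR_TYPES:
                name = MIKROTIK_VENDOR_TYPES[vtype]
            else:
                name = f"vendor-{vendor_id}-type-{vtype}"
            out.append((name, vvalue))
    return out


if __name__ == "__main__":
    # Values from the "Mygroup" entry shown in the post above.
    section = (encode_vsa(MIKROTIK_VENDOR_ID, 3, b"Testgroup")
               + encode_vsa(MIKROTIK_VENDOR_ID, 16, b"bananas"))
    print(section.hex())
    for name, value in describe(section):
        print(name, value)
```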
 
Gerlach76
Member Candidate
Member Candidate
Posts: 111
Joined: Fri Nov 03, 2006 3:24 pm

Re: New User Manager in RouterOS v7

Wed Aug 26, 2020 1:23 pm

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX
 
User avatar
Mannsean
just joined
Posts: 6
Joined: Thu Aug 13, 2020 3:32 pm
Location: England London

Re: New User Manager in RouterOS v7

Fri Aug 28, 2020 1:51 am

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX
Don't think it would handle up to 2000
 
User avatar
PeterFreeman
just joined
Posts: 21
Joined: Tue Aug 02, 2011 10:26 pm
Location: United Kingdom
Contact:

Re: New User Manager in RouterOS v7

Fri Aug 28, 2020 11:35 am

Out of interest, can the new User Manager be used to authenticate other routers in a network or is it just for local access?
i.e just as a radius server for other NAS devices to authenticate against.
Thanks
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Aug 28, 2020 11:56 am

Typical for WPA2-Enterprise or WPA2-EAP the radius server is not local. The 802.11x check is local, but the radius server is central. Works well for wifi in RouterOS v7 with User Manager v7, except for Windows clients, that did not work, and there has been no update mentioned in the change logs since. So the Windows problem is supposed to still be there.

I used the radius on the Synology NAS with success for RouterOS, but did not try the reverse, as I need windows client access. And some worry about the number of concurrent users with a L4/L5 ROS license.
 
Gerlach76
Member Candidate
Member Candidate
Posts: 111
Joined: Fri Nov 03, 2006 3:24 pm

Re: New User Manager in RouterOS v7

Sun Dec 06, 2020 2:51 pm

How many Users can the new Manager handle?

100?
500?
1000?
2000?

THX
@normis what do you think? how many?

thx
 
pe1chl
Forum Guru
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Sun Dec 06, 2020 4:38 pm

There could be a fixed limit determined by licensing, and of course there is a "load limit" but that depends more on the number of logon/logoff actions than on the actual number of users.
So it would be more difficult to predict, because it depends on the behavior of your users. And on the type of auth you are using it for.
(i.e. a PPPoE connection would likely be much easier on the user manager than a WPA2-EAP WiFi connection on APs inside a company)
 
anuser
Long time Member
Long time Member
Posts: 601
Joined: Sat Nov 29, 2014 7:27 pm

Re: New User Manager in RouterOS v7

Mon Jan 04, 2021 12:13 pm

feature request:
sync new users from Microsoft Active Directory or other standard LDAP protocols.(can add users with special profile if they belong to a user group in AD)
Is synchronization with Active Directory supported nowadays?
 
niammuddin
just joined
Posts: 7
Joined: Sun Aug 26, 2018 2:03 am

Re: New User Manager in RouterOS v7

Sun Jan 10, 2021 9:48 am

request for: add-batch-users , add feature "Pwd same as login" or username&password same.

now only
caller-id --
disabled --
group --
number-of-users --
password-characters --
password-length --
profile --
shared-users --
username-characters --
username-length --
username-prefix --

thanks
 
User avatar
floaty
Member
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Feb 11, 2021 10:02 pm

.
?[(ROSv7b4 & 802.1x) & (windows-802.1x-client)] -> 'in statu quo res erant ante bellum' [pre-ROSv7b4]
 
pe1chl
Forum Guru
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Mar 25, 2021 11:11 am

Please read the start post of the topic!
Originally user manager was mainly intended to authenticate users on a WiFi network using permanent accounts, temporary tickets, etc.
But now it is made into a versatile RADIUS server. That should also be able to do other things.
 
syadnom
Forum Veteran
Forum Veteran
Posts: 815
Joined: Thu Jan 27, 2011 7:29 am

Re: New User Manager in RouterOS v7

Thu Mar 25, 2021 6:22 pm

WEB UI. I read the original post, but here's my show-stopping issue with it. I need CSRs to be able to actually manage and help customers when they call in and I will not give them winbox or a CLI to do this. It's very important to have a web ui to administer the system.

Is the idea that I use the API to control this and write my own frontend? What's the overall goal here?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Mar 25, 2021 6:47 pm

You should be able to do it via API.
Of course when you want something that is available today (and has been available for years) you can always use freeradius on a Linux box, even a Raspberry Pi.
 
syadnom
Forum Veteran
Forum Veteran
Posts: 815
Joined: Thu Jan 27, 2011 7:29 am

Re: New User Manager in RouterOS v7

Thu Mar 25, 2021 6:54 pm

You should be able to do it via API.
Of course when you want something that is available today (and has been available for years) you can always use freeradius on a Linux box, even a Raspberry Pi.
The big benefit to running this on routeros is that it reduces the number of components in a system. Sure, run a second box and freeradius etc etc, but that's another component likely mounted to a wall somewhere that already has 15 devices haphazardly bolted up there. Another component to fail.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Mar 25, 2021 7:54 pm

Sure, but then you need indefinite patience. Sometimes one just wants something that is available today :-)
 
ASV
just joined
Posts: 1
Joined: Mon Apr 05, 2021 12:52 pm

Re: New User Manager in RouterOS v7

Mon Apr 05, 2021 12:54 pm

feature request: OpenVPN comp-lzo
Last edited by ASV on Mon Apr 05, 2021 12:55 pm, edited 1 time in total.
 
OlofL
Member Candidate
Posts: 114
Joined: Mon Oct 12, 2015 2:37 pm

Re: New User Manager in RouterOS v7

Mon May 10, 2021 1:10 pm

ability to enter a user password in hashed format is a must have in 2021. one must be able to use scripts to push user passwords, and then i cannot have them stored in clear text.
 
nellson
newbie
Posts: 29
Joined: Wed Nov 06, 2019 9:10 am

Re: New User Manager in RouterOS v7

Fri Jun 25, 2021 6:17 pm

Does WPA2-Enterprise work with the new UM and radius for windows 10 WiFi clients in 7.1beta6?

Best regards
@bpwl
@floaty
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sun Jun 27, 2021 1:17 pm

I have stopped testing Usermanager in ROS7 for EAP. With the L4 license of 20 active sessions (or even the L5 license of 50 active sessions), this Radius server is not a practical solution in a network with 30 (L4) AP. Radius is not implemented with one instance per AP, but is central to a user community. And counting on the fact that most members of the community have 3 wifi connected devices ... . Usermanager V7 would be an expensive Radius-EAP implementation! Wifi connection based on WPA2/EAP is just using Radius for being authenticated. Is this counted as an "Active Session", or only if accounting is used ????
 
blackoutfolo
just joined
Posts: 19
Joined: Mon Apr 30, 2018 6:52 am

Re: New User Manager in RouterOS v7

Sun Jun 27, 2021 4:12 pm

Please can you give us step by step or tutorial for Radius server (802.1X) on Routeros7 ?
Last edited by blackoutfolo on Sun Jun 27, 2021 7:12 pm, edited 1 time in total.
 
 
blackoutfolo
just joined
Posts: 19
Joined: Mon Apr 30, 2018 6:52 am

Re: New User Manager in RouterOS v7

Sun Jun 27, 2021 7:51 pm

I'm not talking about user manager. I'm talking about how to use Radius server for EAP
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sun Jun 27, 2021 8:58 pm

RADIUS server side -> Usermanager=Radius server

On the RADIUS client side (=AP) fill in the security profile (WPA2/EAP, Ciphers AES, EAP methods = passthrough, TLS Mode=don't verify, TLS Certificate= none)
Under RADIUS define the connection to the RADIUS server (Tick 'Wireless', Correct 'called ID' from profile or void, IP 'Address' server, 'Secret')

On Android device: for user based wifi WPA2/EAP authentication
EAP-method = PEAP
Phase 2-verification = MSCHAPV2
CA certificate = Not verified
Identity = “RADIUS user username”
Anonymous identity= <unused entry>
Password = “RADIUS user password”
 
blackoutfolo
just joined
Posts: 19
Joined: Mon Apr 30, 2018 6:52 am

Re: New User Manager in RouterOS v7

Mon Jun 28, 2021 8:09 am

Thanks for the reply. May I know what configuration I should do in RADIUS server -> Usermanager side?
What about Radius and dot1X tab? https://ibb.co/tbDC0Mr
On the RADIUS client side (=AP) I use Nanostation M2
https://ibb.co/qgSz3rT

My Mikrotik setup:
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing table
add fib name=""
/user-manager user
add group=default-anonymous name=t22 password=1234
/ipv6 settings
set disable-ipv6=yes
/ip dhcp-client
add disabled=no interface=ether3
/ip hotspot user
add name=test password=test
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-table=\
main suppress-hw-offload=no
/radius
add address=192.168.1.76 protocol=radsec secret=12345678 service=dot1x
/system clock
set time-zone-name=
/system package update
set channel=development
/user-manager
set enabled=yes
/user-manager router
add address=192.168.1.76 name=m2 shared-secret=mysecret
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Jun 28, 2021 11:09 am

From my 18 months old example (I have no free MT at the moment to load ROS7) viewtopic.php?p=864696#p764980 , that misses the certificate to be working. viewtopic.php?p=864696#p765296

With just one user , named bpwl. This is the Usermanager part. (Tabs RADIUS and DOT1X are for the AP (eg your M2 nano) where you authenticate using RADIUS.)
In this ROS7 Usermanager, the IP of the allowed or served AP is added as "user-manager router". The shared secret must be the same as on the AP (in the RADIUS tab for MT)
Usermanager (server), and AP can be the same device. AP settings (RADIUS tab) are already given for MT viewtopic.php?p=864696#p864650

-------------------------- copied from dec 2019 ----------------------------------
This is a lab setup, no real user environment. hAP ac2 (ROS 7.0beta4) as user manager (192.168.2.23) and wAP ac (ROS 6.46) as wifi AP (192.168.2.25)

user manager configuration



/user-manager profile
add name=userprof name-for-users=userprof override-shared-users=off price=0 starts-when=assigned validity=unlimited

/user-manager user group
set [ find default-name=default ] attributes="" inner-auths=ttls-pap,ttls-chap,ttls-mschap1,ttls-mschap2,peap-mschap2 name=default outer-auths=\
pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2
set [ find default-name=default-anonymous ] attributes="" inner-auths="" name=default-anonymous outer-auths=eap-ttls,eap-peap

/user-manager user
add attributes="" disabled=no group=default name=bpwl password=bpwl shared-users=1

/user-manager
set accounting-port=1813 authentication-port=1812 certificate=none enabled=yes

/user-manager profile-limitation
add from-time=0s limitation=test profile=userprof till-time=23h59m59s weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday

/user-manager router
add address=192.168.2.25 coa-port=3799 disabled=no name=wap shared-secret=mikrotik

/user-manager user-profile
add profile=userprof user=bpwl
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New User Manager in RouterOS v7

Fri Jul 16, 2021 5:23 pm

Wow hard to believe BPWL that MT is too cheap to send you samples of new MT equipment to test for WIFI. You are truly an outstanding contributor to these forums!
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Jul 16, 2021 7:06 pm

Txs @anav.

:-) ... we need to be smart with MT ... :-) https://twitter.com/MarcelVervaeck/stat ... 6682123266
 
anav
Forum Guru
Posts: 21226
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New User Manager in RouterOS v7

Fri Jul 16, 2021 7:07 pm

Luv it!
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Tue Aug 03, 2021 12:25 am

Does WPA2-Enterprise work with the new UM and radius for windows 10 WiFi clients in 7.1beta6?

Best regards
@bpwl
@floaty
Maybe maybe ....the Windows 10 problem is related to the special requirements for the certificates, as explained in the openSource FreeRadius
https://wiki.freeradius.org/guide/certi ... patibility

Trying to use a downloaded daloRadius+FreeRADIUS virtual machine right now ... everything works fine, with all clients .... except Windows10 .... .
(Is this yet a new TLS 1.2 problem? https://support.microsoft.com/en-us/top ... a6b80fa955 )

Well in 2021 it's likely to be TLS 1.3 as new challenge.
 
ferilagi
just joined
Posts: 6
Joined: Mon Jun 01, 2020 6:35 am

Re: New User Manager in RouterOS v7

Thu Aug 05, 2021 1:01 pm

request = batch user add
password same as username
 
nevolex
Member Candidate
Posts: 167
Joined: Mon Apr 20, 2020 1:09 pm

Re: New User Manager in RouterOS v7

Tue Aug 24, 2021 2:06 pm

Does WPA2-Enterprise work with the new UM and radius for windows 10 WiFi clients in 7.1beta6?

Best regards
@bpwl
@floaty
Maybe maybe ....the Windows 10 problem is related to the special requirements for the certificates, as explained in the openSource FreeRadius
https://wiki.freeradius.org/guide/certi ... patibility

Trying to use a downloaded daloRadius+FreeRADIUS virtual machine right now ... everything works fine, with all clients .... except Windows10 .... .
(Is this yet a new TLS 1.2 problem? https://support.microsoft.com/en-us/top ... a6b80fa955 )

Well in 2021 it's likely to be TLS 1.3 as new challenge.
@bpwl have you got it tested with ipsec vpn and the new user manager in Ros 7 by any chance, I just cannot get it to work? thank you

viewtopic.php?f=1&t=177802&p=874498#p874498
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Tue Aug 24, 2021 2:41 pm

@bpwl have you got it tested with ipsec vpn and the new user manager in Ros 7 by any chance, I just cannot get it to work? thank you
No, only tested WPA2/Enterprise in wifi.

Learned some things recently:
- Userman (version 6) can be used as backup accounting for wifi Radius (eap/peap/mschapv2) connected users, authenticated via another Radius server (e.g. that has no accounting)
- Now the user limit becomes clear: the simultaneous number of sessions is in the accounting part (19 sessions for License 4), and is not very practical except for just one household only
- FreeRADIUS 2 (OVA image of DALORadius) does not support WIN10 clients with eap/peap/mschapv2
- FreeRADIUS 3 (self installed on a Raspberry Pi, and managed via DALORadius) gives no problems

PS: releasenotes 7.1beta4 says: winbox - updated User Manager, OSPF and BGP menus;
Is there an interface for User Manager in winbox? Didn't see it, not even in 7.1rc1. Looked over it?
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Aug 24, 2021 3:17 pm

it's there, install the npk-file from extra package & use winbox 3.29 .. 802.1x status for windows-clients: unchanged
.
 
freemannnn
Forum Veteran
Posts: 700
Joined: Sun Oct 13, 2013 7:29 pm

Re: New User Manager in RouterOS v7

Tue Aug 24, 2021 3:19 pm

user manager question...
how can i generate multiple vouchers in html?
i have created 10 users and if i select with ctrl+a when i right click and generate only 1 is created.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Tue Aug 24, 2021 3:33 pm

it's there, install the npk-file from extra package & use winbox 3.29 .. 802.1x status for windows-clients: unchanged
OK. Wonderful. Txs.


User Manager V7 with the WinBox gui works very comfortably !!! Works fine as Radius server for wifi EAP/PEAP/MSCHAPv2, for all devices tested, all but Windows clients.

Learned out of FreeRadius docs that the server certificate must have the "TLS Web Server Authentication" option set for Windows clients. However the Certification generation in ROS does not have that X509v3 extension in the list. How to get it in the certificate? It seems to be needed for windows clients.

This should be added in the server cert : (copied from https://github.com/FreeRADIUS/freeradiu ... extensions )

extendedKeyUsage = 1.3.6.1.5.5.7.3.1
crlDistributionPoints = URI:http://www.example.com/example_ca.crl

Can it be done in ROS, or should we use a webserver or OpenSSL code, or just make & take it from etc/FreeRadius/certs ???
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Aug 26, 2021 12:03 am

Well , I did the experiment, and created the certificates with the FreeRadius 3.0 scripts.
Imported them in ROS System Certification, as PEM files and modified the Setting in User Manager session settings to use the server cert.
Same results: Android works, Windows10 fails.

The only key-usage parameter for the server certificate retained after the import is "tls-server". No trace of the "TLS Web Server Authentication" .
TLS-server. Which is actually the one we need ! (seen in the export CRT file)
[admin@MikroTik] > /certificate print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted 
 0 KL A  T name="certCA" digest-algorithm=sha256 key-type=rsa country="BE" state="BE" locality="BE" organization="IT" unit="IT" common-name=""CA certificate"" key-size=2048 
           subject-alt-name=email:x@radius.com days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,key-cert-sign serial-number="6E88885BABE37DA3" 
           fingerprint="af83423ca92d460d497372e98fec3f6f879a3a72efadec1878b11f0728fd3980" akid="" skid=9dec5aa8aed0c5e83c3068d41d87dad820a53819 
           invalid-before=aug/24/2021 16:11:31 invalid-after=aug/22/2031 16:11:31 expires-after=521w1d19h27m15s 

 1 K   I T name="certServer" digest-algorithm=sha256 key-type=rsa country="BE" state="BE" locality="BE" organization="IT" unit="IT" common-name=""Server cert"" 
           key-size=2048 subject-alt-name=email:x@radius.com days-valid=365 trusted=yes key-usage=digital-signature,content-commitment,key-encipherment,tls-server 
           ca=certCA serial-number="6154EA9192EC3FEC" fingerprint="5c2a6ea6b80351c9f048d3ff3ca034bf50019436323d4002cf3d6c447d287123" 
           akid=9dec5aa8aed0c5e83c3068d41d87dad820a53819 skid=ab88601c211543cb13d5a7a166b585f76a8d93ce invalid-before=aug/24/2021 16:13:18 
           invalid-after=aug/24/2022 16:13:18 expires-after=51w6d19h29m2s 

 2  L    T name="freeradius_ca" issuer=C=FR,ST=Radius,L=Somewhere,O=Example Inc.,emailAddress=admin@example.org,CN=Example Certificate Authority digest-algorithm=sha256 
           key-type=rsa country="FR" state="Radius" locality="Somewhere" organization="Example Inc." common-name="Example Certificate Authority" key-size=2048 
           subject-alt-name="" days-valid=60 trusted=yes serial-number="48D506B5C0702BC1AD2928E1FA06BF361D7F2ECB" 
           fingerprint="0c4d10a2799ceb0f7eacaacafa1328649f2ff5794167d9cbd9c43f8d9a528192" akid=dfed13bbebd2e75e01cce11b2853f72d9aa66d16 
           skid=dfed13bbebd2e75e01cce11b2853f72d9aa66d16 invalid-before=aug/25/2021 18:54:58 invalid-after=oct/24/2021 18:54:58 expires-after=8w3d22h10m42s 

 3 KL    T name="freeradius_server" issuer=C=FR,ST=Radius,L=Somewhere,O=Example Inc.,emailAddress=admin@example.org,CN=Example Certificate Authority digest-algorithm=sha256 
           key-type=rsa country="FR" state="Radius" organization="Example Inc." common-name="Example Server Certificate" key-size=2048 subject-alt-name="" days-valid=60 
           trusted=yes key-usage=tls-server serial-number="01" fingerprint="11c03bcf3ed302c9264cb83e79c364acbab82e561b092dd9d0521aa586791172" akid="" skid="" 
           invalid-before=aug/25/2021 18:57:35 invalid-after=oct/24/2021 18:57:35 expires-after=8w3d22h13m19s 
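
A check for the two posts above (Windows clients want the server-authentication EKU 1.3.6.1.5.5.7.3.1, which RouterOS lists as key-usage tls-server), as an added example that is not part of the original posts or of RouterOS. It parses "/certificate print detail" output and lists why a certificate is unsuitable as the User Manager EAP server certificate; the sample output is constructed, and the weak-digest list and the 2048-bit minimum are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the layout of "/certificate print detail" (all values made up).
SAMPLE = '''\
Flags: K - private-key; L - crl; A - authority; I - issued; E - expired; T - trusted
 0 KL A  T name="labCA" digest-algorithm=sha256 key-type=rsa common-name="Lab CA" key-size=2048
           days-valid=3650 trusted=yes key-usage=digital-signature,key-encipherment,key-cert-sign
           invalid-before=aug/24/2021 16:11:31 invalid-after=aug/22/2031 16:11:31
 1 K   I T name="labServer" digest-algorithm=sha256 key-type=rsa common-name="Lab server" key-size=2048
           trusted=yes key-usage=digital-signature,key-encipherment,tls-server ca=labCA
           invalid-before=aug/24/2021 16:13:18 invalid-after=aug/24/2022 16:13:18
 2       T name="oldServer" digest-algorithm=md5 key-type=rsa common-name="Old server" key-size=1024
           trusted=yes key-usage=digital-signature,key-encipherment
           invalid-before=jan/01/2012 00:00:00 invalid-after=jan/01/2021 00:00:00
'''

MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
# A record starts with its index, then the flag letters, then name="..."
REC_START = re.compile(r'^\s*(\d+)\s+([A-Z ]*?)name="')
FIELDS = {
    "name": re.compile(r'(?<![\w-])name="([^"]*)"'),       # not common-name=
    "digest": re.compile(r'digest-algorithm=(\S+)'),
    "key_size": re.compile(r'key-size=(\d+)'),
    "key_usage": re.compile(r'(?<![\w-])key-usage=(\S+)'),
    "invalid_after": re.compile(r'invalid-after=(\w{3}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})'),
}


def parse_ros_time(value):
    """Parse a RouterOS timestamp such as 'aug/24/2022 16:13:18'."""
    date, clock = value.split()
    mon, day, year = date.split("/")
    hour, minute, second = map(int, clock.split(":"))
    return datetime(int(year), MONTHS[mon.lower()], int(day), hour, minute, second)


def parse_records(text):
    """Join each record's wrapped lines, then pull out the fields of interest."""
    records, current = [], None
    for line in text.splitlines():
        m = REC_START.match(line)
        if m:
            current = {"flags": set(m.group(2).replace(" ", "")), "raw": line}
            records.append(current)
        elif current is not None and line.startswith(" "):
            current["raw"] += " " + line.strip()
    for rec in records:
        for key, pattern in FIELDS.items():
            found = pattern.search(rec["raw"])
            rec[key] = found.group(1) if found else None
    return records


def eap_server_findings(rec, now):
    """Reasons why this certificate should not be the RADIUS/EAP server certificate."""
    findings = []
    usages = set((rec["key_usage"] or "").split(","))
    if "K" not in rec["flags"]:
        findings.append("no private key on the router")
    if "tls-server" not in usages:
        findings.append("key-usage lacks tls-server (EKU 1.3.6.1.5.5.7.3.1)")
    if rec["digest"] in ("md5", "sha1"):            # assumption: treated as weak here
        findings.append("weak signature digest " + rec["digest"])
    if rec["key_size"] and int(rec["key_size"]) < 2048:   # assumption: 2048-bit minimum
        findings.append("key smaller than 2048 bits")
    if rec["invalid_after"] and parse_ros_time(rec["invalid_after"]) <= now:
        findings.append("expired")
    return findings


def audit(text, now):
    """Map certificate name -> list of findings (empty list means usable)."""
    return {rec["name"]: eap_server_findings(rec, now) for rec in parse_records(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE, datetime(2021, 9, 1)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```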
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Aug 26, 2021 2:30 am

olympic !!!
... nobody can say that we NOT did our morning sport : )
.
there are MS-extensions which need to be announced in the related server-certificates ( ... and also the client-certs when involved)
... but there also code-extensions needed to involved inside the server-side sources, when you compile the freeradius to interpret these stuff ( and we talk freeradius in ? ... ~94% of ALL the cases !? )
So I guess these MS-extensions are not compiled in yet ... and hence we discuss the topic a while now ... it's not ... "forgotten" !
Next reason comes to mind ... ... licensing ... ... in what ever constellation a shyster could think ¯\_(ツ)_/¯
.
So let's wait ... there's a lot of fluid ... beer ... coffee ... water under the bridge.
( btw: ... 7.1rc is <= 1MBit/s only ¯\_(ツ)_/¯ )
.
Made a little config for an 802.1x-proxy a while ago ... if anybody falls in love with the new MTik-Usermanager and has Bill's stuff involved ... boot up a container !
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Thu Aug 26, 2021 2:46 am

.
would be interesting, if anybody tried the MTik-rad-server stuff with MS-Clients in an IPSec-Dial-In-scenario with eap-authentication ...
... not 100% positive, but that should also require the MS-extension inside the radius-server.
.
Yeah ... ... maybe yesterday grilled someone a fresh Dodo on his lawn too ?!
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: New User Manager in RouterOS v7

Sat Sep 11, 2021 10:42 pm

Is there any workaround to access accept non-existent users into some special group (and this way into specific vlan), rather than access reject them?
I want to move some of my installations to non-mikrotik access points, but save the existing approach of single SSID with mac-based vlan tagging.
And the only problem is with "guest vlan", for which mac-addresses are unknown.
 
zvekyf
just joined
Posts: 21
Joined: Thu Sep 29, 2016 1:29 am

Re: New User Manager in RouterOS v7

Sun Sep 12, 2021 2:49 pm

is there plan to support wireguard authentication?
 
ekarin
Trainer
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm
Contact:

Re: New User Manager in RouterOS v7

Tue Sep 14, 2021 9:11 am

Well , I did the experiment, and created the certificates with the FreeRadius 3.0 scripts.
Imported them in ROS System Certification, as PEM files and modified the Setting in User Manager session settings to use the server cert.
Same results: Android works, Windows10 fails.

The only key-usage parameter for the server certificate retained after the import is "tls-server". No trace of the "TLS Web Server Authentication" .
TLS-server. Which is actually the one we need ! (seen in the export CRT file)

@bpwl I very much appreciate what you have done. I have also tried to connect Windows 10 clients (Wired and Wireless) to User Manager in RouterOS 7 but no luck.
@bpwl Have you made it work already? Did you find some tricks to work around it or did you stop proceeding?
I got the same result as yours. With User Manager acting as RADIUS Server, I can connect EAP WPA2 Wi-Fi via android phones but not with Windows 10 clients in both wired and wireless connections. Hopefully MikroTik support sees this post and is able to tell us what happens in it.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Wed Sep 15, 2021 2:39 am

Well I'm getting impatient, because I need this for the new season May next year. We dropped the Hotspot/Portal login last year , because many APPs did not respond well to this forced portal login, because the pop-up did not always appear and the HTTPS checks detected us as a man-in-the-middle attack with the made-up certificates. (And the new administrative MAC addresses make the MAC cookie even less useful). By using RADIUS authentication at the wifi association we lose the connection between the Radius login and the Portal user login and limits.

Those limits now have to come from RADIUS accounting.
I am still looking for a RADIUS-SSO and an automatic link to the hotspot user. (Fortinet solution). It is not possible AFAIK.

By using this Usermanager RADIUS Accounting setup I have learned that the "user session limit" versus ROS license is a showstopper. There are hundreds of connected devices (sessions) in even a small setup with 15 families. So Userman-7 can be out of reach because of that limit. A ROS license level 6 is expensive for just RADIUS for 20 named users.

So I started with FreeRADIUS and DALORadius
Well that's the path I'm following .... just now learned to load Docker on Raspberry Pi and on Odroid N2+ .... and who knows ... FreeRadius3 might end up as Docker image on ROS7, because I like the many Ethernet ports and ROS accessibility and many features and tools like remote management (MAC server, ROMON, .....) on that hardware.

That EAP/PEAP/MSChapv2 is a rather difficult thing to debug. The client devices are a bunch of different BYOD every week. There is no local support, and they cannot contact me.
Last edited by bpwl on Thu Oct 07, 2021 6:31 pm, edited 2 times in total.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Sep 15, 2021 11:37 am

With User Manager acting as RADIUS Server, I can connect EAP WPA2 Wi-Fi via android phones but not with Windows 10 clients in both wired and wireless connections. Hopefully MikroTik support sees this post and is able to tell us what happens in it.
I advise you to read about this problem outside of the scope of User Manager. E.g. Freeradius can do this and when you read the documentation and forums
you can see that it is a real can of worms and you need to do everything exactly as Windows expects, or else it will not work.
(e.g. the certificate parameters are very important)
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Sep 15, 2021 11:47 am

That EAP/PEAP/MSChapv2 is a rather difficult thing to debug. The client devices are a bunch of different BYOD every week. There is no local support, and they cannot contact me.
We use this on our company WiFi but so far only for WiFi authentication for company-supplied clients, which are mostly Samsung Phones and Windows laptops.
I have no issues with the operation (I use Freeradius 3 with the properly generated certificates from the latest version), but what still bothers me is the difficulty of configuring the phones.
A normal WPA2-PSK WiFi connection can be setup using a QR code, but for WPA2-EAP it is all so complicated. First connect on WPA2-PSK guest network to download the CA certificate, install it on the phone from a menu item deeply hidden in the settings menu, then connect to the WPA2-EAP SSID and enter username, password, select the certificate, enter the domain name, connect. Then remember to "forget" the guest network.
I can't understand why there is no easier way to do this, for which I can e.g. make an intranet page that shows the proper QR code(s) to the logged-in user (on a PC) to provision their device, as we did before when using WPA2-PSK.
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm
Contact:

Re: New User Manager in RouterOS v7

Wed Sep 15, 2021 7:40 pm

Many universities use "CAT - the Configuration Assistant Tool for Enterprise Wi-Fi networks such as eduroam" to deploy wireless profiles (including certificates) for mobile phones to endusers.
see https://github.com/GEANT/CAT
You can provide installers for windows 10 clients and people can choose from several apps on android/ios.
 
SiB
Forum Guru
Posts: 1888
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: New User Manager in RouterOS v7

Thu Sep 16, 2021 12:10 pm

Many universities use "CAT - the Configuration Assistant Tool for Enterprise Wi-Fi networks such as eduroam" to deploy wireless profiles (including certificates) for mobile phones to endusers.
see https://github.com/GEANT/CAT
In general that's not new; MDM (Mobile Device Management) does that stuff. When a company has many SIM cards, even the ISP/MNO gives that app to manage them. We use that to create VPN profiles on users' corporate phones. GPS is always on even if the user thinks it's off, and we can help with lost phones that way. This is a different market and I think MikroTik will not be interested in creating its own VPN client for phones/Mac/Linux etc...
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Sep 16, 2021 3:14 pm

Ok thank you (Buster2) for that info! I have been looking for this in many places but never received an answer as helpful as this!
I will see if we can use that system (enterprise-wifi.net) in our organization.
 
June03
just joined
Posts: 3
Joined: Fri Oct 01, 2021 5:50 pm

Re: New User Manager in RouterOS v7

Sat Oct 02, 2021 8:29 pm

Hi,

I'm new here and still learning.

From what I read this version does not have an admin page? How do we add profiles and users for PPPOE?
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Oct 07, 2021 6:14 pm

Ok thank you (Buster2) for that info! I have been looking for this in many places but never received an answer as helpful as this!
I will see if we can use that system (enterprise-wifi.net) in our organization.
Unfortunately there is no response at all from enterprise-wifi.net admins, apparently a dead project.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Oct 08, 2021 1:35 am

With User Manager acting as RADIUS Server, I can connect EAP WPA2 Wi-Fi via android phones but not with Windows 10 clients in both wired and wireless connections. Hopefully MikroTik support sees this post and is able to tell us what happens in it.
I advise you to read about this problem outside of the scope of User Manager. E.g. Freeradius can do this and when you read the documentation and forums
you can see that it is a real can of worms and you need to do everything exactly as Windows expects, or else it will not work.
(e.g. the certificate parameters are very important)
Yet another overview of EAP certificate requirements: https://wiki.geant.org/display/H2eduroa ... iderations

And I agree with the can of worms ... just found another worm , old Android devices do not function with the newer OpenSSL lib on the server, they answer with what FreeRadius sees as TLSv1.3
The workaround for this is on the net, in "ubuntu-20-04-how-to-set-lower-ssl-security-level". I used that lower SSL security setting in the frauhotelmann/daloradius-docker container.
This again shows that for Usermanager a very extensive logging is necessary for debugging.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Fri Oct 08, 2021 11:59 am

And I agree with the can of worms ... just found another worm , old Android devices do not function with the newer OpenSSL lib on the server, they answer with what FreeRadius sees as TLSv1.3
Today I heard about a new issue (the reverse of that one) where after an update an Android phone will no longer accept a cert with MD5 signature.
We made local certs with very long lifetime back in the days when MD5 was default, but now we will still need to replace them.
(this happens with an OpenVPN service rather than WiFi authentication but it is the same thing and will probably affect both of them)
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Tue Oct 26, 2021 4:48 pm

viewtopic.php?p=887577#p887577

Windows PEAP logon failure has been addressed V7.1rc5 !
Not tested yet ...


EDIT: no success. Tablet OK, Windows PC .... "cannot connect to this network"
 
GabrieleV
just joined
Posts: 13
Joined: Thu Mar 05, 2020 8:03 pm

Re: New User Manager in RouterOS v7

Thu Oct 28, 2021 12:30 pm

Hello,
I've installed and enabled user-manager, in advanced settings I’ve put web-private-password and web-private-username but http://myrouter/um/user/ still complains about “Wrong username and/or password”, is there anything else that should I do?
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Oct 28, 2021 3:28 pm

In previous (ROS 6) user manager we had http://<router>/user for network users, and http://<router>/userman for admin users (owner, customers).
The "owner or customer" username could not be used for the network user login link.

This 'could be' the same setup here. But besides http://<router>/um/user there seems not to be an 'userman' equivalent.
Here with usermanager 7 we have the GUI in Webfig and Winbox.

Don't know what the "private user" is used for.
See also @emils first post: "Winbox support will come a little bit later and there won't be a separate administrators portal as in the old User Manager"
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Oct 28, 2021 4:09 pm

The v7 usermanager cannot be managed via the webpage, it is managed from the router admin interface (cmdline/webfig/winbox).
 
GabrieleV
just joined
Posts: 13
Joined: Thu Mar 05, 2020 8:03 pm

Re: New User Manager in RouterOS v7

Thu Oct 28, 2021 10:48 pm

Uhm I think that there is some misunderstanding about it and missing documentation doesn't help as well..

The first topic says:
A new freshly designed customer portal is also developed specially for the new User Manager.
and
The customer portal is available at http://x.x.x.x/um
So web portal is still available, otherwise why /um replies with a login screen? Or it should be used only by the end user to see his account details (ie remaining traffic, time etc..)?
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Oct 28, 2021 11:00 pm

Yeah, customer portal. But no admin interface, as it was before.
 
FToms
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: New User Manager in RouterOS v7

Fri Oct 29, 2021 5:47 pm

viewtopic.php?p=887577#p887577

Windows PEAP logon failure has been addressed V7.1rc5!
Not tested yet ...


EDIT: no success. Tablet OK, Windows PC .... "cannot connect to this network"

In internal testing, our issues with Windows 10 PEAP clients were resolved. You can gain more insights as to the cause of the connection failure by capturing network traffic to port 1812 on the device running User Manager and then dissecting the EAP messages in Wireshark.

One possible issue is that the default RADIUS client timeout on the Access Point is too short. You may want to increase it if you haven't already.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Oct 29, 2021 6:47 pm

Thanks for the suggestion of using Packet Sniffer and Wireshark.

I have done the test with the Windows PC and an Android Tablet

I see no difference in the packets, as far as I can decode things. (Wireshark does a great job).

Windows 10 just hangs, and then about 1 minute later the time-out is mentioned in the log. (Timeout set at the RADIUS client is 600ms)
145 seconds later in the file: The tablet seems to generate exactly the same packets, and the tablet connects.

Just hanging is described in FreeRadius documentation as a typical Windows problem.
The certificate used is the one from the working FreeRadius implementation (as described before in this thread)

Capture file added.

Still the certificate??? I do not have the possibility to change the client devices, it's all BYOD by non-tech people, so the method used is "passthrough/dont verify certificate"
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Oct 29, 2021 8:14 pm

Just for extending the documentation, I include here the sniffer output when connecting to Freeradius 3 with the same Windows10 and succeeding.
Using frauhotelmann/daloradius-docker container on Raspberry Pi 4.
Sniffer is taken at the wAP ac RADIUS client device.
So far only seen one difference: FreeRadius using TLSv1.2, Usermanager using TLSv1. Related or not?
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sat Oct 30, 2021 3:05 pm

Forcing TLSv1.2 on the PC didn't help.
Made new capture. TlsVersion is now TlsV1.2 as with FreeRadius, still no success.
https://support.microsoft.com/en-us/top ... a6b80fa955
Was the MS mentioned patch applied to all but UserManager?
Actually UserManager is sending an "ACCEPT" packet, similar as to the Tablet, but this packet content seems not to be one Windows is expecting.
Is AVP "User-Name" mandatory for Windows ???
Last edited by bpwl on Sat Oct 30, 2021 3:45 pm, edited 4 times in total.
 
Engitech
Trainer
Posts: 69
Joined: Mon Feb 13, 2012 1:59 pm
Location: Geneva - Switzerland

Re: New User Manager in RouterOS v7

Sat Oct 30, 2021 3:13 pm

Same problem. Windows not ok. Android and MacOS no problem. 7.1rc5 no change.
 
FToms
MikroTik Support
Posts: 90
Joined: Fri Jul 24, 2020 3:28 pm

Re: New User Manager in RouterOS v7

Mon Nov 01, 2021 2:50 pm

Windows 10 just hangs, and then about 1 minute later the time-out is mentioned in the log. (Timeout set at the RADIUS client is 600ms)
145 seconds later in the file: The tablet seems to generate exactly the same packets, and the tablet connects.
Thank you for the packet captures.
In the User Manager <-> Windows example, the difference in packet timestamps between Windows' first Access-Request and User Manager's Access-Accept is 650ms.
Meanwhile for the User Manager <-> Android tablet connection later in the file, the difference in time between first Access-Request and the Access-Accept is 584ms.
This makes me think that the 600ms RADIUS client timeout value is still too low.

In my testing (setup example published here) I used a timeout value of 1s.
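
The two intervals compared in the post above can be measured from any capture. This is an added example, not code from the thread or from MikroTik: it reads a classic pcap (Ethernet/IPv4, not pcapng), pairs each Access-Request with its reply by client address and Identifier, and reports the slowest single round trip next to the time from the first Access-Request to the final reply. It assumes one supplicant authenticating at a time per NAS; the sample capture and all function names are constructed for the example.

```python
import socket
import struct
from collections import namedtuple

ACCESS_REQUEST = 1
FINAL = {2: "Access-Accept", 3: "Access-Reject"}   # 11 (Access-Challenge) is not final
Radius = namedtuple("Radius", "ts_us src dst code ident")

def read_radius(pcap, port=1812):
    """Return RADIUS headers from a classic little-endian pcap (Ethernet/IPv4/UDP)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("need a microsecond little-endian pcap with Ethernet frames")
    packets, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                  # not IPv4 + UDP
        if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
            continue                                  # later IP fragment, no UDP header
        udp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < udp + 12:
            continue
        sport, dport = struct.unpack_from("!HH", frame, udp)
        if port not in (sport, dport):
            continue
        src = (socket.inet_ntoa(frame[26:30]), sport)
        dst = (socket.inet_ntoa(frame[30:34]), dport)
        packets.append(Radius(sec * 1_000_000 + usec, src, dst,
                              frame[udp + 8], frame[udp + 9]))
    return packets

def summarize(packets, timeout_ms):
    """One entry per finished conversation (assumes one supplicant at a time per NAS)."""
    pending, conv, done = {}, {}, []
    for p in packets:
        if p.code == ACCESS_REQUEST:
            pending.setdefault((p.src, p.ident), p.ts_us)   # retransmits keep first time
            conv.setdefault(p.src[0], {"start": p.ts_us, "rtts": []})
            continue
        sent = pending.pop((p.dst, p.ident), None)
        c = conv.get(p.dst[0])
        if sent is None or c is None:
            continue                                        # reply without captured request
        c["rtts"].append((p.ts_us - sent) / 1000)
        if p.code in FINAL:
            done.append({
                "nas": p.dst[0], "result": FINAL[p.code],
                "round_trips": len(c["rtts"]), "max_rtt_ms": max(c["rtts"]),
                "total_ms": (p.ts_us - c["start"]) / 1000,
                "over_timeout": sum(r > timeout_ms for r in c["rtts"]),
            })
            del conv[p.dst[0]]
    return done

def sample_pcap():
    """Constructed capture: three round trips, the last request retransmitted once."""
    nas, srv = ("192.0.2.25", 50000), ("192.0.2.100", 1812)
    events = [  # (offset in microseconds, sender, receiver, RADIUS code, identifier)
        (0, nas, srv, 1, 1), (30_000, srv, nas, 11, 1),
        (50_000, nas, srv, 1, 2), (120_000, srv, nas, 11, 2),
        (150_000, nas, srv, 1, 3), (750_000, nas, srv, 1, 3),
        (800_000, srv, nas, 2, 3),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for usec, a, b, code, ident in events:
        radius = struct.pack("!BBH", code, ident, 20) + bytes(16)
        udp = struct.pack("!HHHH", a[1], b[1], 8 + len(radius), 0) + radius
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(a[0]), socket.inet_aton(b[0]))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 1635500000, usec, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    for row in summarize(read_radius(sample_pcap()), timeout_ms=600):
        print(row)
```

A reply is matched to its request by Identifier, so `max_rtt_ms` and `over_timeout` are the per-request figures, while `total_ms` covers the whole EAP conversation.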
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Nov 01, 2021 10:54 pm

Txs for the advice. However I'm getting further and further away from a working setup.

Gradually increased the timeout up to 4000ms, but nothing helped.
However now I see only 6 handshakes (12 packets) with each attempt, not the usual 10. No idea why the communication now stops there.
Maybe the certificate ? We moved from summer-time to winter-time ???? User profile limits kicking in?? (non existing everything was unlimited), also created new fresh users to test. Nothing helped.
No error messages.

I destroyed my Raspberry Docker environment by some Portainer upgrade or phpAdmin installation. But I have an even more stable Docker installation of Freeradius on my Odroid N2+.

IP addresses in sniffer file: (2.38 Raspberry= broken, 2.42 Daloradius docker on Odroid, 2.25 the wAP ac as Radius client, 2.100 ROS7.1rc5 CHR VM on Synology with Usermanager)
See ZIP file.

Current situation:
With Usermanager: Tablet works, Windows fails
With Freeradius: Tablet and Windows work.

PS: (When swapping RADIUS servers, the Usermanager didn't like to receive accounting information due to the Freeradius authentication, and sent kill commands for that session.)

Also created and selected the certificates as published example, on the server only: no change

Sorry, what blew up the Windows environment? The previously mentioned TLSv1.2 registration editing, that was undone, and never helped?

EDIT: kept digging ... Windows complex logbooks give : "Authentication for the EAP method 25 type failed. The following error occurred: 0x30A."
What is 0x30A? No idea, but smells like certificates.
Revisited the certificate process. Something must have gone wrong with the copy/paste of the full example in 'New Terminal'.
Some things are not familiar to me, like I never used keysize 'secp384r1' before.
Done again, line by line ... and BINGO .... that certificate "userman-cert" does work for Windows 10 , and for the tablet.
The FreeRADIUS copied certificate does not work for Windows 10 with Usermanager v5.

THANK YOU !

Now time to analyze that certificate :-) (My "free-radius" certificate I used had become invalid since 24/oct/2021. Now added the "invalid after" column in Winbox table)
# Generating a Certificate Authority
/certificate
add name=radius-ca common-name="RADIUS CA" key-size=secp384r1 digest-algorithm=sha384 days-valid=1825 key-usage=key-cert-sign,crl-sign
# sign it
sign radius-ca ca-crl-host=radius.mikrotik.test
# Generating a server certificate for User Manager
add name=userman-cert common-name=radius.mikrotik.test subject-alt-name=DNS:radius.mikrotik.test key-size=secp384r1 digest-algorithm=sha384 days-valid=800 key-usage=tls-server
# and sign it
sign userman-cert ca=radius-ca
# to be set in the usermanager settings

 
ekarin
Trainer
Posts: 34
Joined: Fri Jun 01, 2018 9:12 pm

Re: New User Manager in RouterOS v7

Tue Nov 09, 2021 6:38 am

viewtopic.php?p=887577#p887577

Windows PEAP logon failure has been addressed V7.1rc5!
Not tested yet ...


EDIT: no success. Tablet OK, Windows PC .... "cannot connect to this network"

In internal testing, our issues with Windows 10 PEAP clients were resolved. You can gain more insights as to the cause of the connection failure by capturing network traffic to port 1812 on the device running User Manager and then dissecting the EAP messages in Wireshark.

One possible issue is that the default RADIUS client timeout on the Access Point is too short. You may want to increase it if you haven't already.
Thank you. I tried to test it again on my windows 10 laptop (PEAP-MSCHAPv2). It works with the User Manager based on RouterOS v.7!
Also it works with self-signed certificates that were generated by any MikroTik devices and then imported to the device running User Manager. :-)

However I have not found how to set the condition for anonymous identity on User Manager like I set on the Connection Request Policy on NPS (Network Policy Server).
It would be nice that MikroTik supports adding this in the next revision of RouterOS v.7. Thanks.

Additionally (my observation), I tried to use a MikroTik device as a wireless supplicant in Wireless LAN with WPA2 EAP (PEAP). I can set the TLS mode only "dont verify certificate". I know that it means for EAP-TLS but I would like the wireless supplicant verify the CA certificate (root certificate) like it works in Dot1X (client). Unlike the wireless supplicant, the Dot1X-based client with PEAP in wired LAN need the CA certificate (without the CA certificate, it does not work) however the laptop computer with its wired connection has an option to go ahead without the CA certificate.

Thanks again for implementing the User Manager to support IEEE 802.1X. :-)
 
MTK96050
just joined
Posts: 3
Joined: Thu Nov 11, 2021 7:44 am

Re: New User Manager in RouterOS v7

Thu Nov 11, 2021 8:11 am

Hello everyone

Just joined this forum and wanted to share my simple trial with enterprise WiFi EAP success using the new UM:
Nothing special here, just one RB working as AP, Radius Client and UM (RADIUS Server I guess)
Tested on Mobile: iPhone X and Samsung A02
Windows 10 Laptop
MAC Auth and Accounting is also included in this setup

UM:
/user-manager
set certificate="replace this with Cert name" enabled=yes
/user-manager router
add address=127.0.0.1 name=Test-RB
Wireless Sec Prof:
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-eap interim-update=5m mode=dynamic-keys radius-eap-accounting=yes \
    radius-mac-accounting=yes radius-mac-authentication=yes supplicant-identity=""
In this setup, need to add two users in UM for each device, one with username/password and the other is username=MAC without password.
I hope this can help some people utilizing the new UM with enterprise WiFi security.
Please note that I don't have any knowledge about security and my role here is just a normal implementer.
Thanks
Last edited by MTK96050 on Thu Nov 11, 2021 9:23 am, edited 1 time in total.
 
MTK96050
just joined
Posts: 3
Joined: Thu Nov 11, 2021 7:44 am

Re: New User Manager in RouterOS v7

Thu Nov 11, 2021 8:13 am

Hello, does anyone know what the performance limit of the new UM is?
Last edited by MTK96050 on Thu Nov 11, 2021 8:14 am, edited 1 time in total.
 
netvisionip
just joined
Posts: 21
Joined: Sun Aug 03, 2014 8:03 pm

Re: New User Manager in RouterOS v7

Sat Nov 20, 2021 7:26 pm

7.1rc6 Mac Authentication is working fine for me with a ZyXEL XGS1930 Switch however there are no Sessions showing also in the users section I am not showing any Uptime.

Anyone else had any issues?
 
holvoetn
Forum Guru
Posts: 6273
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New User Manager in RouterOS v7

Sat Nov 20, 2021 7:53 pm

7.1rc6 Mac Authentication is working fine for me with a ZyXEL XGS1930 Switch however there are no Sessions showing also in the users section I am not showing any Uptime.

Anyone else had any issues?
Been toying with um on 7.1rc6 and I'm seeing similar issues. No accounting, no data.
Hosts does show uptime but not user.

Makes it a bit difficult to track if it does what it is supposed to do with hotspot (which ultimately is what I'm trying to setup for another environment).
Going to set up a test environment with map and maplite to play a bit more with it.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Sat Nov 20, 2021 8:15 pm

7.1rc6 Mac Authentication is working fine for me with a ZyXEL XGS1930 Switch however there are no Sessions showing also in the users section I am not showing any Uptime.

Anyone else had any issues?
Been toying with um on 7.1rc6 and I'm seeing similar issues. No accounting, no data.
Hosts does show uptime but not user.
Not all connections provide session data. It is possible to have it with Wireless or PPPoE connections, but I don't think it is possible with MAC authentication on switches. The Switch just asks for permission to admit a certain MAC, and that's it.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sat Nov 20, 2021 9:10 pm

Session data mostly comes from Radius accounting, in my experiments.

RouterOS even allows a backup accounting server. (Is what I do today, sending the accounting also to Usermanager, as the MT Radius licence is too limited in # of sessions.)
(And PEAP/EAP not available in ROS 6, and accounting not available on the main (Draytek) router)
 
leeratanak
just joined
Posts: 9
Joined: Thu May 24, 2018 1:35 pm

Re: New User Manager in RouterOS v7

Sat Nov 27, 2021 3:46 am

Hotspot authenticated via userman still shows error "Radius server not responding". Is it a bug or did I miss something?
 
holvoetn
Forum Guru
Posts: 6273
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New User Manager in RouterOS v7

Sat Nov 27, 2021 9:48 am

You enabled it on 2 places ?
Hotspot server radius
And User Manager incoming

Out of the top of my head...
 
holvoetn
Forum Guru
Posts: 6273
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New User Manager in RouterOS v7

Sat Nov 27, 2021 6:36 pm

You enabled it on 2 places ?
Hotspot server radius
And User Manager incoming

Out of the top of my head...
Correction:
User manager settings - set to enabled
Radius - Incoming - set to accept
And Hotspot - Server Profiles - Use Radius

So it's 3 places you need to visit.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sat Nov 27, 2021 8:23 pm

and so many more things to check ...

- is the AP/Hotspot IP address in the User Manager "router" list ?
- RADIUS server IP in the Radius setting? Shared Secret OK ?
- using port UDP/1812? IP path/route OK? Port accessible? (Firewall settings)
- reverse IP route RADIUS->Hotspot OK?

Does RADIUS server respond on NTRadPing or other radius tester?
viewtopic.php?p=887237#p887237
 
MTK96050
just joined
Posts: 3
Joined: Thu Nov 11, 2021 7:44 am

Re: New User Manager in RouterOS v7

Mon Nov 29, 2021 8:26 pm

In UM 6 there was customer to setup timezone, but now I couldn't find customers in any submenu in the new UM, so the time difference issue is here now.
Has anyone solved this issue or should we wait for another upgrade?
 
hkusulja
Frequent Visitor
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 10:02 am

Hello,
I am new to User Manager, I have a new Mikrotik router with RouterOS 7.1 official stable support.
I can not find any documentation regarding the user manager, how to enable it, and start using it.
As far as I understand, it can also be a RADIUS server (for external network devices, like cisco switches, unifi wireless etc)?
I also can not find how to run configuration, since https://wiki.mikrotik.com/wiki/Manual:User_Manager
says it should be under /tool, but it is not.
I have only one package - routeros 7.1 version.
Please advise a link or reference on how to start using it, set it up, and documentation for this great feature.
Thank you
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 11:19 am

Documentation for RouterOS v7 is here: https://help.mikrotik.com/docs/
Specifically for User Manager it is here: https://help.mikrotik.com/docs/display/ ... management
 
holvoetn
Forum Guru
Posts: 6273
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 11:24 am

Documentation for RouterOS v7 is here: https://help.mikrotik.com/docs/
Specifically for User Manager it is here: https://help.mikrotik.com/docs/display/ ... management
Documentation is wrong because correct path using cli is /user-manager.
Not /tool user-manager
[xyz@Map2nD] > /user-manager/
[xyz@Map2nD] /user-manager> /tool user-manager
bad command name user-manager (line 1 column 7)
[xyz@Map2nD] /user-manager>
Same in Winbox.
Direct submenu User Manager. Nothing under tools.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 11:36 am

Documentation is still about the old User Manager.
This one is a better example: https://help.mikrotik.com/docs/display/ ... Manager+v5
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 11:48 am

Documentation is still about the old User Manager.
Ok I have complained about the lack of version-awareness in the help system before :-)
I had found that docs but while I clicked around a bit to find a neat anchor to post here, I apparently wandered off to the old docs again.

The help system really should be organized in such a way that it is clear what is for v6 and what is for v7... v6 will be around for some time, I suppose.
 
holvoetn
Forum Guru
Posts: 6273
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 11:52 am

The help system really should be organized in such a way that it is clear what is for v6 and what is for v7... v6 will be around for some time, I suppose.
Absolutely true !
And there is an even older document system still going around ... https://wiki.mikrotik.com/wiki/Main_Page
Doesn't make it easy to find the required info.
 
videolab
Frequent Visitor
Posts: 59
Joined: Mon Feb 25, 2008 12:41 am

Re: New User Manager in RouterOS v7

Wed Dec 08, 2021 6:33 pm

I get it? At the reception of a hotel, do I have to instruct the employees to use the winbox?
I don't think they will like it. And what good is the user to log into an account ... I also need to explain how to authenticate. Ops...Manual for end user
Sorry
 
selamet
just joined
Posts: 1
Joined: Mon Dec 13, 2021 6:05 am

Re: New User Manager in RouterOS v7

Mon Dec 13, 2021 6:23 am

Hallo
feature request Generate voucher from all the add batch voucher that was just added
sorry for my english
Thanks
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: New User Manager in RouterOS v7

Sun Dec 26, 2021 3:11 pm

My client using hAP-AC3 connected via pppoe to RB4011 (pppoe server), all with v7.1 stable, using RADIUS.
Before upgrading to v7, at ROSv6 usermanager, Limitation Transfer Limit works. I can set a user to disconnect after reaching the Transfer Limitation value and it works fine.
I upgraded my RB4011 and at v7 UserManager I set Limitations 'Transfer Limit', but the client/user does not disconnect with that limitation. I think I set all sections right, since the form to fill in seems familiar, like ROSv6 Usermanager. The only new one I see is 'UserProfiles', which I have filled with the right profile and status 'running active'.
Then I read about Attributes and tried setting it via UserManagers>Users, filling in "Attributes Mikrotik-Total-Limit" with the number of bytes. Now this method can limit my pppoe or hotspot user to exactly the value of Transfer-Limit Limitations.
Is this how usermanager for routeros v7 works now or maybe I miss some setting? For temporary that attributes help but to apply for like hotspot user really something.

Note : I found workaround just to simplify it, by make attributes Transfer-Limit entry at 'UserGroups' then later apply at 'Users', rather than fill in at each users attributes form.
So for now I re-write all limitation and fill the info into UserManager 'UserGroups' setting.
Last edited by rumahnetmks on Mon Dec 27, 2021 5:18 am, edited 3 times in total.
 
tommycwiratama
just joined
Posts: 1
Joined: Wed Aug 04, 2021 12:45 am

Re: New User Manager in RouterOS v7

Tue Dec 28, 2021 10:02 am

feature request :

1. administration web portal http://mikrotk-ip-addr/userman
2. create batch user : user = password
3. create batch user only digit (no alphabetic)

thanks
 
xenuc
just joined
Posts: 3
Joined: Mon Mar 02, 2020 8:28 am

Re: New User Manager in RouterOS v7

Sun Jan 02, 2022 1:45 pm

Hello guys. Can someone please direct me to documentation for migrating my user database to the new manager?
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: New User Manager in RouterOS v7

Mon Jan 03, 2022 3:53 pm

ANOTHER FEATURE REQUEST
can User Manager be used to create DPSK/DPSK based VLAN assignments, so that users can manage their own BYOD devices which are not EAP capable?
So an access list could look like as shown below but PPSKs are managed by the respective user itself.
/caps-man access-list
add action=accept private-passphrase= PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept private-passphrase= PPSK_User1 vlan-id=VLAN_User1 vlan-mode=use-tag comment=User1
add action=accept private-passphrase= PPSK_User2a vlan-id=VLAN_User2a vlan-mode=use-tag comment=User2_trusted_devices
add action=accept private-passphrase= PPSK_User2b vlan-id=VLAN_User2b vlan-mode=use-tag comment=User2_untrusted_devices
 
multiduplikator
just joined
Posts: 12
Joined: Tue Jan 04, 2022 10:07 pm

Re: New User Manager in RouterOS v7

Wed Jan 05, 2022 1:39 am

Hey folks,

just wanted to let you know that I have written up a light howto on setting up EAP-TLS and EAP-PEAP wireless auth via CAPsMAN using RouterOS 6 and RouterOS 7 with UM 5.
https://github.com/multiduplikator/mikrotik_EAP

It is far from perfect, I know, but maybe it will come in handy for someone.

Happy to improve this, if you have comments...

Cheers,
multiduplikator
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Jan 06, 2022 6:19 pm

Thank you @multiduplikator !
 
millenium7
Long time Member
Posts: 578
Joined: Wed Mar 16, 2016 6:12 am

Re: New User Manager in RouterOS v7

Thu Feb 10, 2022 3:35 am

I have a request: please add optional circuit ID and remote ID fields for user accounts, without needing to specify MAC address or any other options
We really need DHCP option 82 functionality to authenticate guests by port/location, not by voucher code which is pointless in our case

Use cases are to activate by entire room/sector, not per device. I.e. guest checks into room 85. Guest doesn't have to do anything except go into room and join the wifi, 'all' devices that are connecting to the wireless access point in that room should immediately be granted internet access and share the assigned user profile (that includes smart TV's, chromecast, etc etc, these devices can't utilize voucher codes anyway)
 
jolly
Trainer
Posts: 39
Joined: Fri Jun 11, 2004 11:41 pm

Re: New User Manager in RouterOS v7

Thu Feb 10, 2022 8:43 pm

https://help.mikrotik.com/docs/display/ ... r-Database

Hello guys. Can someone please direct me to documentation for migrating my user database to the new manager?
 
malobert
just joined
Posts: 5
Joined: Mon Feb 14, 2022 2:30 pm
Location: Westland, the Netherlands

Re: New User Manager in RouterOS v7

Mon Feb 14, 2022 2:36 pm

As a new Mikrotik user with a RB5009 you have no idea how happy I was with your howto :-)
Now migrated from a little freeradius server to user-manager on my RB5009, with EAP-TLS and EAP-PEAP.
Sadly I am still using my "old" Unifi AP's
Keep up the good work! Thank you @multiduplikator

Hey folks,

just wanted to let you know that I have written up a light howto on setting up EAP-TLS and EAP-PEAP wireless auth via CAPsMAN using RouterOS 6 and RouterOS 7 with UM 5.
https://github.com/multiduplikator/mikrotik_EAP

It is far from perfect, I know, but maybe it will come in handy for someone.

Happy to improve this, if you have comments...

Cheers,
multiduplikator
Last edited by malobert on Mon Feb 14, 2022 7:57 pm, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Mon Feb 14, 2022 4:23 pm

Sadly I am still using my "old" Unifi AP's
Old Unifi APs are much better than current MikroTik offerings!
With new Unifi APs I am not sure, I have not studied them in detail but I think they can only operate from a cloud service these days.
(we host our Unifi controller on a local VM)
 
malobert
just joined
Posts: 5
Joined: Mon Feb 14, 2022 2:30 pm
Location: Westland, the Netherlands

Re: New User Manager in RouterOS v7

Tue Feb 15, 2022 9:10 am

I also have a Unifi controller on-prem, quite happy with the AP's, but also bought an Aruba Instant because I was running into some issues when everybody was working at home in Corona lockdown time.
In the near future I will buy an Mikrotik AP, in my work as a EMM IT Designer I work with a lot of different mobile devices, and I want to try out different Wi-Fi security levels across multiple brands.
Sadly I am still using my "old" Unifi AP's
Old Unifi APs are much better than current MikroTik offerings!
With new Unifi APs I am not sure, I have not studied them in detail but I think they can only operate from a cloud service these days.
(we host our Unifi controller on a local VM)
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Tue Feb 15, 2022 11:07 am

The point is that all the competing manufacturers are YEARS ahead of MikroTik w.r.t. enterprise WiFi. Wave2, 802.11k/r/v, etc.
 
syadnom
Forum Veteran
Posts: 815
Joined: Thu Jan 27, 2011 7:29 am

Re: New User Manager in RouterOS v7

Tue Feb 15, 2022 5:45 pm

The point is that all the competing manufacturers are YEARS ahead of MikroTik w.r.t. enterprise WiFi. Wave2, 802.11k/r/v, etc.
it's really hard to be 'years' behind in WiFi considering standards. If you use a hAP ac3 or audience with the wave2 drivers it's great, just as good as any comparably spec'd WiFi5 radio. I think routeros 6's very old kernel was a major hurdle to that and then the 16MB of flash on a lot of wave2 capable hardware keeps us from good wifi performance on today's cAPs and hAP ac2. routeros7's modern kernel sweeps away the 'old' WiFi limitations with modern drivers and kernel.

Crossing fingers that the next newsletter has some new 60Ghz and WiFi6 gear...
 
malobert
just joined
Posts: 5
Joined: Mon Feb 14, 2022 2:30 pm
Location: Westland, the Netherlands

Re: New User Manager in RouterOS v7

Wed Feb 16, 2022 7:06 pm

In this thread but also in other parts of the forum people are asking for disabling old ciphers and/or deprecated or legacy TLS versions, but I can not find an answer.
I am using user-manager as a replacement for my freeradius server, in Freeradius I can enforce a minimal version with tls_min_version = "1.2"
When using user-manager I can use TLSv1.0 and 1.1
Is there a way in user-manager to enforce minimal TLSv1.2 version when using EAP-TLS or PEAP-MSCHAPv2 ?
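
Until the server can enforce a minimum, the version it actually negotiates can be audited from a capture, which also covers the TLSv1 versus TLSv1.2 difference noted earlier in the thread. This is an added example, not code from the thread or from MikroTik: it takes RADIUS UDP payloads, reassembles the EAP-Message attributes of each Access-Challenge, and reads the version from the ServerHello that opens the server's TLS flight. The sample packets and all function names are constructed for the example.

```python
import struct

EAP_MESSAGE = 79                                   # RADIUS attribute type (RFC 3579)
TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def eap_from_radius(radius):
    """Concatenate the values of all EAP-Message attributes in one RADIUS packet."""
    length = min(struct.unpack_from("!H", radius, 2)[0], len(radius))
    off, eap = 20, b""
    while off + 2 <= length:
        atype, alen = radius[off], radius[off + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        if atype == EAP_MESSAGE:
            eap += radius[off + 2:off + alen]
        off += alen
    return eap

def tls_payload(eap):
    """Return (method name, TLS bytes) for a TLS-based EAP packet, else None."""
    if len(eap) < 6 or eap[0] not in (1, 2) or eap[4] not in TLS_METHODS:
        return None
    off = 10 if eap[5] & 0x80 else 6               # L flag: 4-byte TLS length follows
    return TLS_METHODS[eap[4]], eap[off:struct.unpack_from("!H", eap, 2)[0]]

def server_hello_version(tls):
    """Negotiated version if the TLS data starts with a ServerHello, else None."""
    if len(tls) < 11 or tls[0] != 22 or tls[5] != 2:   # handshake record, ServerHello
        return None
    body = tls[9:9 + int.from_bytes(tls[6:9], "big")]
    if len(body) < 35:
        return None
    version = int.from_bytes(body[0:2], "big")
    off = 34 + 1 + body[34] + 3        # version, random, session id, suite, compression
    if off + 2 <= len(body):
        end = off + 2 + int.from_bytes(body[off:off + 2], "big")
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, off)
            if etype == 43 and elen == 2:          # supported_versions (TLS 1.3)
                version = int.from_bytes(body[off + 4:off + 6], "big")
            off += 4 + elen
    return version

def audit(radius_packets, minimum=0x0303):
    """One finding per Access-Challenge whose EAP payload opens with a ServerHello."""
    findings = []
    for pkt in radius_packets:
        if len(pkt) < 20 or pkt[0] != 11:          # 11 = Access-Challenge
            continue
        inner = tls_payload(eap_from_radius(pkt))
        version = server_hello_version(inner[1]) if inner else None
        if version is not None:
            findings.append({"method": inner[0], "ok": version >= minimum,
                             "version": VERSIONS.get(version, hex(version))})
    return findings

def _server_hello(legacy, selected=None):          # constructed sample data
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00\xc0\x2f\x00"
    if selected:
        body += struct.pack("!HHHH", 6, 43, 2, selected)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs

def _challenge(tls, eap_type=25):                  # constructed sample data
    data = tls + bytes(300)                        # stand-in for the rest of the flight
    eap = struct.pack("!BBHBBI", 1, 7, 10 + len(data), eap_type, 0x80, len(data)) + data
    chunks = [eap[i:i + 253] for i in range(0, len(eap), 253)]
    attrs = b"".join(bytes([EAP_MESSAGE, 2 + len(c)]) + c for c in chunks)
    return struct.pack("!BBH", 11, 7, 20 + len(attrs)) + bytes(16) + attrs

def sample_packets():
    return [_challenge(_server_hello(0x0301)),
            struct.pack("!BBH", 1, 8, 20) + bytes(16),         # Access-Request, skipped
            _challenge(_server_hello(0x0303)),
            _challenge(_server_hello(0x0303, 0x0304), eap_type=13)]

if __name__ == "__main__":
    for finding in audit(sample_packets()):
        print(finding)
```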
 
mtz
just joined
Posts: 1
Joined: Mon Mar 14, 2022 7:23 pm

Re: New User Manager in RouterOS v7

Mon Mar 14, 2022 9:01 pm

Has anyone managed to put a time limit on vouchers?
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: New User Manager in RouterOS v7

Sat Mar 19, 2022 4:34 pm

Has anyone managed to put a time limit on vouchers?
Time limit?
"Validity" at User-Manager>Profiles works for me.
But "Session Limit" at User-Manager>Limitation not works.

CMIIW

UPDATE : Session Limit for UserManager>Limitation works since 7.6 (kinda forget exactly at what version). Sorry forget to update this.
Last edited by rumahnetmks on Fri Feb 24, 2023 3:28 am, edited 1 time in total.
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Re: New User Manager in RouterOS v7

Thu Mar 24, 2022 1:41 pm

Is there plans for the new UM to have sign up?
 
benlg
just joined
Posts: 10
Joined: Mon Jan 31, 2022 2:50 pm

Re: New User Manager in RouterOS v7

Fri Apr 01, 2022 12:38 am

Someone knows in which format are the .umb database backups / exports ?
Are they encrypted ? With which key ?

As they contain sensitive information, would be good to know, before exporting them out of the MikroTik device...
@emils ? :)

Many thanks !
 
Benington
just joined
Posts: 1
Joined: Thu Jul 11, 2019 5:02 pm

Re: New User Manager in RouterOS v7

Wed Apr 06, 2022 4:49 pm

Hi, I've just upgraded my router from 6.49.5 to 7.2 and added user-manager. On the previous version I realise I can no longer setup the os7 version using http, as the router now has the additional option for User Manager in Winbox. I've gone through the configuration by comparing the old setup to whats shown inside the new User Manager TAB and have been able to transition the following - Router, Profiles, Limitations, and Profile Limitations. However, I'm unable to see where I can setup the old tabs for - Customer (where I can specify Public ID, Public host, Signup allowed, and Format for GBP); Also for Settings (where I can specify Payment Gateway, Business ID email, secure response, and return URL); Also where I can enter the Signup Body that was under settings on the previous version. Please could you advise where these changes can be applied?

Thanks in advance
 
acriollo
just joined
Posts: 5
Joined: Fri Jan 27, 2012 9:48 pm

Re: New User Manager in RouterOS v7

Fri Apr 15, 2022 12:17 am

Hi Guys, does anyone know how to set up the userman/radius to succeed with the disconnection of the wireless devices when the wireless clients are authenticated by their MAC address? I know that is an old issue, but I can not find any post where the problem was resolved. I'm using ROS 7.2 with capsman. I'm receiving an error code 406 when the system tries to disconnect the wireless device.

Thanks in advance.
 
DoubleDB
newbie
Posts: 29
Joined: Thu Feb 20, 2020 12:53 am

Re: New User Manager in RouterOS v7

Fri Jun 03, 2022 10:21 am

Does anyone have any idea what else can be used within the "printable_vouchers.html" template besides $(username) and $(password) ?
Say, plan/profile name, validity, shared users, etc ?

I can't find anything about this @ the docs..
 
networkbee
just joined
Posts: 2
Joined: Fri Sep 25, 2020 1:25 am

Re: New User Manager in RouterOS v7

Fri Jun 03, 2022 8:27 pm

New UM Question/Problem:
You can click "Add Batch Users" in the UM Users tab and give multiple users a profile.
BUT - If I try and click the + to add one user in the UM, I can't add a profile.
Did Mikrotik forget to add the profile select button?
I'm missing something....

Anyone know a script for changing the profile of my one new user?
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Jul 01, 2022 12:28 am

Some bad news on User Manager v5, and some very good news.

Testing ROS 7.3.1 + User Manager on a 16MB storage device (Omnitik AC in this case) + a USB stick for extra DB and accounting storage, ended up with Netinstall.
viewtopic.php?t=186567#p940143

But maybe it is "ROS 7.3.1 + USB" that makes the problem at reboot, and not the User Manager package.

The very good news is that except for the reboot lockdown the User Manager WPA2-Enterprise: EAP/MSCHAPv2 works very well.
And the "attributes" can be used to add a comment in the "Registration Table", that remains there as long as you stay connected in Wifi.
Other ROS devices can pick up that information, to implement a DIY RSSO (Radius Single Signon).
Less delay than Radius accounting for knowing the signon status.
And without Radius Accounting, the 20 (or 50) session license limit for level 4 (level 5) will not be triggered, no ?
 
andesta
just joined
Posts: 3
Joined: Wed Jan 16, 2008 9:48 am

Re: New User Manager in RouterOS v7

Fri Jul 08, 2022 7:19 pm

Has anyone managed to put a time limit on vouchers?
Time limit?
"Validity" at User-Manager>Profiles works for me.
But "Session Limit" at User-Manager>Limitation does not work.

CMIIW


I tested UM5 and it is working fine; add a certificate in the session settings menu.. limit time for 1 mnt.
 
Saraj
just joined
Posts: 7
Joined: Tue Aug 30, 2022 11:28 am

Re: New User Manager in RouterOS v7

Tue Aug 30, 2022 6:27 pm

@jolly Can you please share the full code on how to sort vouchers based on time created and profiles, to avoid mixing old and new printed vouchers? Every time I generate new vouchers, I can't know which profile the printed vouchers belong to; the printed voucher hard copy only shows user/password.
Hi,

Thanks for the work with the user manager. Is there any reason why the administrators portal is removed? Or will this be part of webfig/winbox?

Right now, i miss the nice possibility to generate and print vouchers from the web interface.

Since UserManager now contains also RADIUS server features it was better in long-term to move UserManager controls into Winbox/Webfig (Still Work In Progress, no ETA available).
As for vouchers - the command You're looking for is:
/user-manager/user/generate-voucher voucher-template=printable_vouchers.html numbers=<insert user IDs here from /user-manager/user/print>
to generate for specific users, or
/user-manager/user/generate-voucher [f] voucher-template=printable_vouchers.html
to generate for all users.
This will create a file gen_printable_vouchers.html.
To access it You either have to download the file to Your device and print that way, or You can access it via the link: <IP>/um/PRIVATE/GENERATED/vouchers/gen_printable_vouchers.html
(Note: For link to work You first need to set username and password : /user-manager/advanced/set web-private-username=<USER> web-private-password=<PASSWORD>)
Last edited by Saraj on Thu Sep 01, 2022 1:22 am, edited 1 time in total.
 
Saraj
just joined
Posts: 7
Joined: Tue Aug 30, 2022 11:28 am

Re: New User Manager in RouterOS v7

Thu Sep 01, 2022 1:20 am

@jolly Can you please provide full script on how to use it with group?


I guess the standard way of selecting some entries should work here as well? In the command above replace <insert user IDs here from /user-manager/user/print> with the construct [ find <selection criterion here>]. I don't know what the selection criterion would look like (I'm not running userman), but I guess the usual regular expressions work here as well ...
That works!! Thanks
 
niammuddin
just joined
Posts: 7
Joined: Sun Aug 26, 2018 2:03 am

Re: New User Manager in RouterOS v7

Wed Sep 21, 2022 5:45 pm

How do I add private information, like in User Manager on RouterOS v6, in User Manager on RouterOS v7?
 
EMSebi
just joined
Posts: 1
Joined: Tue Jul 08, 2014 7:55 pm

Re: New User Manager in RouterOS v7

Wed Oct 05, 2022 9:16 pm

In my opinion, UserManager version 7 is a failed project from the very beginning.
The simplest structures of the previous version, which were very easy, are defined in the most difficult and complicated state.
I don't want anyone to have access to router settings, only access to UserManager / but there is this problem in version 7.

I offer my condolences for the failed project of version 7, along with many problems in all parts, especially UserManager
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: New User Manager in RouterOS v7

Tue Oct 11, 2022 5:00 pm

I think it's not a failed but actually an unfinished product.
Just be patient. For me, I have been using it since v7.1 and so far it's OK, since I just need simple settings like hotspot and PPPoE management, and all the settings I need work.
And since v7.4 they fixed how a PPPoE user can dial from an OpenWrt router, authorized with ROS7 UserManager (this is no problem for ROS6 UserManager, but was a problem when I switched to ROS7.1) viewtopic.php?p=947498#p947498
This is a great improvement and I believe more features will come.
 
modarresi
just joined
Posts: 11
Joined: Fri Sep 16, 2011 9:58 am

Re: New User Manager in RouterOS v7

Fri Nov 18, 2022 10:10 pm

hello,
I think the new version is very bad and I can't work with the menu like before
Please go back to the previous version and develop it
 
prawira
Member
Posts: 361
Joined: Fri Feb 10, 2006 5:11 am

Re: New User Manager in RouterOS v7

Sat Dec 10, 2022 11:01 am

Hello,

When using UM-v7, I miss the feature of different users for each customer respectively.
This feature is very useful for institutions like hotels where they have FO and BO depts.
Internal users are created by BO and guests are created by FO; each customer cannot 'see' the users created by the other customer.

is it possible to add this kind of feature for UM-v7 ?

thank you

P
 
prawira
Member
Posts: 361
Joined: Fri Feb 10, 2006 5:11 am

Re: New User Manager in RouterOS v7

Tue Jan 03, 2023 7:52 am

Hello,

On UMv7, I found one thing that never happened on the previous versions of UMv6 (v2-v6).

When we set up one profile with share-user=2, then the third user will not be able to log in on UMv6 until one of the existing connections logs out / disconnects.
But on UMv7, the connection of the third user will kick off one of the (older) existing active connections with the same username.
The user who has been kicked will then try to log in again and this login will kick off another existing active connection, and so on.
I did open a ticket for this problem, but according to support this is the new behaviour for UMv7 and will not be changed.

I hope MT will reconsider this new behaviour of UMv7.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Tue Jan 03, 2023 10:54 am

Actually, in many scenarios this is the desired behavior. When sessions are left "hanging" you do not want to get locked out, you want to re-login and clear the old session.
Maybe it should be configurable how it works.
 
flaviojunior
Trainer
Posts: 22
Joined: Thu Nov 17, 2016 6:27 pm
Location: Brazil

Re: New User Manager in RouterOS v7

Wed Jan 18, 2023 4:22 pm

Feature request: Administrator portal or customers menu as in the old one.
We have customers that manage their own hotspot and create vouchers for their clients, so they manage just the users of their hotspots. The new User Manager without the administrator portal can't do it, so I can't create a customer to manage their own hotspot; because of that we can't upgrade to v7, but we would like to.
 
elbob2002
Member Candidate
Posts: 268
Joined: Tue May 15, 2018 8:15 pm
Location: Ireland

Re: New User Manager in RouterOS v7

Mon Jan 23, 2023 6:33 pm

feature request: Administrator portal or customers menu as the old one.
Second last paragraph on the very first post:
there won't be a separate administrators portal as in the old User Manager.
 
jekakm
just joined
Posts: 16
Joined: Fri Mar 15, 2013 4:00 pm

Re: New User Manager in RouterOS v7

Sat Jan 28, 2023 4:57 pm

I think the ability to manage users without giving permission to ROS would be very useful. My use case - I need to set up EAP in a small network, so I won't install a separate server for it. And the new user-manager works fine as far as I see, but managing users will be taken care of by another worker, and he should not have access to the router configuration (especially changing it). So unfortunately the new user-manager is currently useless for me, and I think not only for me.
 
jekakm
just joined
Posts: 16
Joined: Fri Mar 15, 2013 4:00 pm

Re: New User Manager in RouterOS v7

Mon Jan 30, 2023 4:43 pm

Hm, Docker support is coming as well, so I think it's possible to write some small web service that has separate auth credentials, that will communicate with ROS via API, and just run it inside a container on the router. Currently I need only user management; I think I can open-source it if someone needs it.
 
rsalha
just joined
Posts: 3
Joined: Wed Feb 15, 2023 4:04 pm

Re: New User Manager in RouterOS v7

Wed Feb 15, 2023 4:28 pm

Hello MikroTik Support, I have upgraded to v7.7 and right now I am trying the new user-manager. Testing quota (transfer limit), the user keeps downloading even after reaching the quota!!! Also, I need a refresh time to see the download amount, and the option to reset counters manually... hope to hear from you soon. Good day.
 
rumahnetmks
Frequent Visitor
Posts: 56
Joined: Mon Dec 21, 2020 10:00 am

Re: New User Manager in RouterOS v7

Fri Feb 24, 2023 3:33 am

It works either via UserManager>Limitation OR using a UserManager Attribute (Mikrotik-Total-Limit or another attribute as you need).
 
Stiflerakos
newbie
Posts: 35
Joined: Sat Jan 14, 2017 1:28 pm

Re: New User Manager in RouterOS v7

Tue Mar 28, 2023 4:42 pm

I have a problem with UserManager version 7.8
When I create a profile, the limit (transfer limit) is not applied to the user
And an error " Not yet implemented..." is also received in the user's web profile
How can I connect the limit profile to the user profile like it was in User Manager of OS version 6?

Maybe something with attributes?
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: New User Manager in RouterOS v7

Wed Mar 29, 2023 9:54 am

For proper disconnection,

Please make sure that radius incoming is enabled,
/radius incoming
set accept=yes
As well for the fastest accounting update on your device,
set radius-interim-update=1m
for HotSpot profile.
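
A RADIUS server ends a session by sending an RFC 5176 Disconnect-Request to the NAS, which is what `/radius incoming` has to accept. The following added example (not from any post here and not MikroTik code) builds such a request and decodes the reply, checking the Response Authenticator before trusting the Error-Cause; the secret, MAC address and session ID are constructed, and it assumes the "error code 406" reported earlier in the thread is an RFC 5176 Error-Cause value.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and the attribute types used below
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, ACCT_SESSION_ID, ERROR_CAUSE = 1, 44, 101

# Error-Cause values defined by RFC 5176 (subset)
ERROR_CAUSES = {
    401: "Unsupported Attribute",
    402: "Missing Attribute",
    403: "NAS Identification Mismatch",
    404: "Invalid Request",
    405: "Unsupported Service",
    406: "Unsupported Extension",
    501: "Administratively Prohibited",
    503: "Session Context Not Found",
    504: "Session Context Not Removable",
}


def attr(type_id, value):
    """Encode one RADIUS attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", type_id, len(value) + 2) + value


def sign(code, identifier, authenticator_input, attrs, secret):
    """Return a packet whose authenticator is MD5 over the packet with
    authenticator_input in the authenticator field, followed by the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + authenticator_input + attrs + secret).digest()
    return header + digest + attrs


def build_disconnect_request(identifier, attrs, secret):
    # The Request Authenticator is computed over 16 zero octets.
    return sign(DISCONNECT_REQUEST, identifier, bytes(16), attrs, secret)


def parse_attributes(data):
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        type_id, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        out.append((type_id, data[pos + 2:pos + length]))
        pos += length
    return out


def parse_disconnect_reply(reply, request, secret):
    """Validate a Disconnect-ACK/NAK against the request and decode Error-Cause."""
    if len(reply) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        raise ValueError("length or identifier mismatch")
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        raise ValueError("not a Disconnect reply")
    # Response Authenticator covers the reply with the *request* authenticator.
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or spoofed reply)")
    cause = None
    for type_id, value in parse_attributes(reply[20:]):
        if type_id == ERROR_CAUSE and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
    name = "Disconnect-ACK" if code == DISCONNECT_ACK else "Disconnect-NAK"
    return name, cause, ERROR_CAUSES.get(cause)


def constructed_reply(code, request, attrs, secret):
    """Constructed NAS reply for this demo; a real one comes off the wire."""
    return sign(code, request[1], request[4:20], attrs, secret)


# Constructed sample data (not captured traffic)
SECRET = b"constructed-secret"
REQUEST = build_disconnect_request(
    7, attr(USER_NAME, b"aa:bb:cc:dd:ee:ff") + attr(ACCT_SESSION_ID, b"81a00001"), SECRET)
NAK = constructed_reply(
    DISCONNECT_NAK, REQUEST, attr(ERROR_CAUSE, struct.pack("!I", 406)), SECRET)

if __name__ == "__main__":
    print(parse_disconnect_reply(NAK, REQUEST, SECRET))
```

A reply that fails the authenticator check tells you the shared secret differs between the two sides, which is a separate problem from a NAS that answers with a valid NAK.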
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: New User Manager in RouterOS v7

Thu Apr 06, 2023 9:04 pm

Feature request: logs

No, but seriously, the current logs are insufficient for any troubleshooting. Currently I have one user that cannot connect to EAP wifi and the logs contain just this:
radius_logs.jpg
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Thu Apr 06, 2023 9:11 pm

You may want to enable the wireless and radius log as well...
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Thu Apr 06, 2023 9:54 pm

indeed RADIUS log has much more info ...
see above, record nr 8 .... viewtopic.php?t=185562#p764980
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: New User Manager in RouterOS v7

Mon Apr 10, 2023 5:47 am

You may want to enable the wireless and radius log as well...
---
indeed RADIUS log has much more info ... (...)
Not really - it only does when you use MikroTik wireless. Unless something is broken on v7.8 I'm not getting any extra messages with "radius" nor "wireless" channels. I'm using different APs and I see that it tries to authenticate with RADIUS on MT with username "X" and reports that RADIUS responded with reject.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Mon Apr 10, 2023 1:03 pm

When you use different APs you should use the debugging method for THOSE APs (w.r.t. authentication, radius etc) instead of in RouterOS.
 
trinidad
just joined
Posts: 2
Joined: Mon Apr 10, 2023 1:40 pm
Location: India

Re: New User Manager in RouterOS v7

Mon Apr 10, 2023 2:07 pm

For proper disconnection,

Please make sure that radius incoming is enabled.
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: New User Manager in RouterOS v7

Wed Apr 19, 2023 4:04 am

When you use different APs you should use the debugging method for THOSE APs (w.r.t. authentication, radius etc) instead of in RouterOS.
Yes and no - if I don't see an obvious problem on the AP I look at the server and see why it returns Access-Reject. Currently MT is the missing link here.

---

Also, I'm not sure if MT UM supports "MS-MPPE-Recv-Key" + PMK combo for WPA2/3 DPSK. The RADIUS Client seems to support it, but UM? No documentation on that.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Wed Apr 19, 2023 11:58 am

I did add PPSK (access list data) on an SSID with WPA/PSK and WPA2/PSK, and this works great. (Including setting the device specific VLAN #)
A PPSK access list entry did not work on an SSID with Enterprise setting: WPA/EAP, WPA2/EAP.
The reason for PPSK was combining on the same SSID: WPA2/EAP for interactive users, and WPA2/PPSK for devices like TV, IoT, recorder, Tesla car, ... without allowing user interactive devices to connect with just a shared PSK.
Had to make 2 SSIDs.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Wed Apr 19, 2023 12:22 pm

In theory it is possible with 1 SSID and running 2 authentication algorithms on that SSID, in practice it does not work because there are far too many clients that do not understand that.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Apr 24, 2023 10:25 pm

Feature request: logs

No, but seriously, the current logs are insufficient for any troubleshooting. Currently I have one user that cannot connect to EAP wifi and the logs contain just this:
radius_logs.jpg
Current logs indeed are minimal ... just lost 30 minutes in starting a simple User Manager in ROS7.8 for wifi PEAP authentication with a nearby ROS6 wAP , setting WPA2/EAP , and failing failing failing.
Reason for no answer seen from User Manager was ... just 2 IP addresses in the bridge of the ROS7 router.
(Why 2 IP addresses? MT DHCP cannot give a specific IP address when set as static lease, if that interface has already that same IP address as static)
(I want static, and static also via DHCP, so the bridge has 2 different static IP addresses)
Problem is, then the User Manager response for RADIUS is not received or accepted by the AP doing PEAP. The log claims it was sent. Remove one IP address and all is OK.
Also the NTRadPing test failed on User Manager, when there were 2 IP addresses.
 
recombinator
just joined
Posts: 3
Joined: Wed Apr 19, 2023 1:59 pm

Re: New User Manager in RouterOS v7

Wed Apr 26, 2023 12:54 pm

Is it possible in User Manager to add a MAB entry, the same as in FreeRADIUS??
Next to the configured users you can add a default entry which would accept all MAC addresses and then drop those in a (guest) VLAN

DEFAULT Cleartext-Password := "%{User-Name}"

Do variables like "%{User-Name}" work the same in User Manager??
 
onyegbadocu
newbie
Posts: 25
Joined: Wed Nov 22, 2017 12:49 pm

Re: New User Manager in RouterOS v7

Sat Jun 10, 2023 2:44 pm

how to add private information like in usermanager routerOS v6 at usermanager routeros v7?
I downloaded version 7.92 yesterday but I can't see private information such as first name and surname, unlike in the old version. Private information is very necessary so the admin can know who is doing what. For now, I will make use of the comment feature to display the name.
Also there should be an option in the user's port for the user to change his password.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Sun Jun 11, 2023 12:07 am

The user manager in v7 is more towards a plain RADIUS server (with some more capabilities in that regard) and less of a fancy thing with web interface etc. That is apparently the direction they decided.
You can put anything you like in the comment field for the record, but it is no longer accessible for the user. The admin can use it.
 
osxroot
just joined
Posts: 2
Joined: Mon Jul 03, 2023 4:33 pm

Re: New User Manager in RouterOS v7

Mon Jul 03, 2023 5:03 pm

Hi people
I’m testing “user manager” on v7.10.1 and it seems reset counters doesn’t work OK on Limitations: the user's status keeps uptime and other status values. I tried with different schedules “hour, day” but it doesn’t work, and it is not possible to execute this command manually from either the console or the UI …

My example is configured to use a user with a Limitation of 8h per day and a profile validity of 8h. As I said before, when I set “reset counters” the user keeps the uptime record and can’t log in again, even using hour or day …

Thanks
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Fri Aug 04, 2023 2:59 pm

Well it is a mystery. I think we have no access to those counters.

Experience:
- user is denied access (wifi PEAP/Enterprise logon) when the limit is exceeded (kicked off) and cannot reconnect until the counter is reset.
- that counter is not visible AFAIK, and therefore it is not under control, as the overall counter for that user is far over that limit
- that counter is not shown to user, when going to the Usermanager web portal

Where is that counter !?
Klembord-2.jpg
Without information, this is not very helpful ...
.... as this comes as a surprise .... "manager: EAP rejected for user: <test> Download limit reached"
No warning, no information, no error, just denied access.
Klembord-3.jpg
 
kvee
newbie
Posts: 38
Joined: Mon Feb 13, 2023 7:59 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 10:47 am

I have a problem with active sessions.

In hotspot > user profiles > default. The shared users is set to 2.
In user manager > each user. The shared users is set to 2.
And user manager > user profiles > one profile for that user. The override shared users is set to 2.

This is what happened.
Device 1 login. User manager showing that user active session is 1 and sessions list is displaying correctly.
Device 2 login. User manager showing that user active session is now 2 and sessions list is displaying correctly.
Device 3 login but failed. And tried again but failed, and tried again and again. User manager showing that user active session is now 1 and the sessions list displays that the first device was kicked off, but it actually is still able to use the internet. However device 3 still can't log in.

Beside that, in IP > hotspot > active. This part show correctly active devices (2).
Queue list > simple queue also show active list correctly.
Only user manager showing wrong active sessions.

I want to limit the active sessions but the active sessions that is showing in user manager is wrong!
Last edited by kvee on Mon Sep 04, 2023 11:46 am, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 11:43 am

When you do not want to limit the number of logins, instead of setting it to 2 just remove the value (click the triangle alongside it).
 
kvee
newbie
Posts: 38
Joined: Mon Feb 13, 2023 7:59 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 11:45 am

I do want to limit the number but this is incorrect result on new version that never happens on RouterOS 6.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 2:09 pm

In my experience, it is not possible to limit the number of logins for WiFi. It will be OK for other connection types, like PPPoE.
When you limit the number of logins, users are incorrectly rejected.
 
kvee
newbie
Posts: 38
Joined: Mon Feb 13, 2023 7:59 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 2:26 pm

It's possible because I'm currently using it in RouterOS v6 and it is working very well. I'm currently testing in v7 (on a new device) but it is just strange behavior in user manager.

I'm not sure that we are talking about the same thing, because I see that a Wi-Fi hotspot user (with captive portal) can be limited in the number of devices per account in many places.
When the user tries to log in more than the limit, they will get rejected with an understandable message like simultaneous session limit reached.
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 2:50 pm

Of course I am only talking about RouterOS v7 because that is the subject of this thread.
The problem you will get is that the first connect works OK but when you roam from one AP to another it will fail.
 
kvee
newbie
Posts: 38
Joined: Mon Feb 13, 2023 7:59 pm

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 2:59 pm

Then... that really is not my problem because I don't use that feature.
I provide free Wi-Fi hotspot for tenant who rent a room in the apartment building and they will choose to connect to only one access point near them.
Once login, the session stay for almost one day and they have to login again.

This is normal. They are just enter building, enter their room, leave the room and building. That's all. So, roaming, mesh, or something like that is no need for a place like this. 😀
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Mon Sep 04, 2023 7:25 pm

No problem here. Swapped 2 weeks ago some RADIUS server by ROS7 User Manager as new Radius server for wifi authentication WPA2 Enterprise (PEAP/MSCHAPv2)
The AP's are still on ROS6 , the users have one account but have multiple devices, and are free to connect on any of the AP's.
Multiple uses of the same User id is intended, and the shared limit is set on 20 today.
(I want to allow at least 10 devices per Userid, including when roaming, and when some runaway connections would be counted. Yet User Manager RADIUS accounting is closing them properly.)
User Manager is the authenticator. I use the Mikrotik Comment field in Radius, so I can see the Userid used to connect. Overall view of this usage is in DUDE (RouterOS info/Registrations)
(WAP07 still using the old RADIUS server)
Klembord-2.jpg
 
floaty
Member
Posts: 357
Joined: Sat Oct 20, 2018 1:24 am
Location: 52°08'32.34"N 14°39'05.0"E

Re: New User Manager in RouterOS v7

Tue Nov 07, 2023 5:45 pm

.
How do we add Vendor Specific attributes?
.
.
we do this on the command-line:
.
add name=Fortinet-Group-Name                       packet-types=access-accept   type-id=1    value-type=string  vendor-id=12356
add name=Fortinet-Client-IP-Address                packet-types=access-accept   type-id=2    value-type=string  vendor-id=12356
add name=Fortinet-Vdom-Name                        packet-types=access-accept   type-id=3    value-type=string  vendor-id=12356
add name=Fortinet-Client-IPv6-Address              packet-types=access-accept   type-id=4    value-type=string  vendor-id=12356
add name=Fortinet-Interface-Name                   packet-types=access-accept   type-id=5    value-type=string  vendor-id=12356
add name=Fortinet-Access-Profile                   packet-types=access-accept   type-id=6    value-type=string  vendor-id=12356
add name=Fortinet-SSID                             packet-types=access-accept   type-id=7    value-type=string  vendor-id=12356
add name=Fortinet-AP-Name                          packet-types=access-accept   type-id=8    value-type=string  vendor-id=12356
add name=Fortinet-FAC-Auth-Status                  packet-types=access-accept   type-id=11   value-type=string  vendor-id=12356
add name=Fortinet-FAC-Token-ID                     packet-types=access-accept   type-id=12   value-type=string  vendor-id=12356
add name=Fortinet-FAC-Challenge-Code               packet-types=access-accept   type-id=15   value-type=string  vendor-id=12356
add name=Fortinet-Webfilter-Category-Allow         packet-types=access-accept   type-id=16   value-type=string  vendor-id=12356
add name=Fortinet-Webfilter-Category-Block         packet-types=access-accept   type-id=17   value-type=string  vendor-id=12356
add name=Fortinet-Webfilter-Category-Monitor       packet-types=access-accept   type-id=18   value-type=string  vendor-id=12356
add name=Fortinet-AppCtrl-Category-Allow           packet-types=access-accept   type-id=19   value-type=string  vendor-id=12356
add name=Fortinet-AppCtrl-Category-Block           packet-types=access-accept   type-id=20   value-type=string  vendor-id=12356
add name=Fortinet-AppCtrl-Risk-Allow               packet-types=access-accept   type-id=21   value-type=string  vendor-id=12356
add name=Fortinet-AppCtrl-Risk-Block               packet-types=access-accept   type-id=22   value-type=string  vendor-id=12356
add name=Fortinet-WirelessController-Device-MAC    packet-types=access-accept   type-id=23   value-type=string  vendor-id=12356
add name=Fortinet-WirelessController-WTP-ID        packet-types=access-accept   type-id=24   value-type=string  vendor-id=12356
add name=Fortinet-WirelessController-Assoc-Time    packet-types=access-accept   type-id=25   value-type=string  vendor-id=12356
add name=Fortinet-FortiWAN-AVPair                  packet-types=access-accept   type-id=26   value-type=string  vendor-id=12356
add name=Fortinet-FDD-Access-Profile               packet-types=access-accept   type-id=30   value-type=string  vendor-id=12356
add name=Fortinet-FDD-Trusted-Hosts                packet-types=access-accept   type-id=31   value-type=string  vendor-id=12356
add name=Fortinet-FDD-SPP-Name                     packet-types=access-accept   type-id=32   value-type=string  vendor-id=12356
add name=Fortinet-FDD-Is-System-Admin              packet-types=access-accept   type-id=33   value-type=string  vendor-id=12356
add name=Fortinet-FDD-Is-SPP-Admin                 packet-types=access-accept   type-id=34   value-type=string  vendor-id=12356
add name=Fortinet-FDD-SPP-Policy-Group             packet-types=access-accept   type-id=35   value-type=string  vendor-id=12356
add name=Fortinet-FDD-Allow-API-Access             packet-types=access-accept   type-id=36   value-type=string  vendor-id=12356
add name=Fortinet-Fpc-User-Role                    packet-types=access-accept   type-id=40   value-type=string  vendor-id=12356
add name=Fortinet-Tenant-Identification            packet-types=access-accept   type-id=41   value-type=string  vendor-id=12356
add name=Fortinet-Host-Port-AVPair                 packet-types=access-accept   type-id=42   value-type=string  vendor-id=12356

.
value-type=[octets|ether|date|ipaddr] unsupported, changed to string*
.
*)
Fortinet-Client-IP-Address                    2 ipaddr
Fortinet-Client-IPv6-Address                  4 octets
Fortinet-Webfilter-Category-Allow             16 octets
Fortinet-Webfilter-Category-Block             17 octets
Fortinet-Webfilter-Category-Monitor           18 octets
Fortinet-AppCtrl-Category-Allow               19 octets
Fortinet-AppCtrl-Category-Block               20 octets
Fortinet-AppCtrl-Risk-Allow                   21 octets
Fortinet-AppCtrl-Risk-Block                   22 octets
Fortinet-WirelessController-Device-MAC        23 ether
Fortinet-WirelessController-Assoc-Time        25 date
.
testgroup.PNG
.
test-testgroup.png
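
What the attributes defined in the post above look like on the wire, as an added example (not floaty's code and not MikroTik's): each is carried inside RADIUS attribute 26 per RFC 2865 with vendor-id 12356. It also shows the effect of the ipaddr-to-string substitution, assuming a string-typed value is sent as its raw text bytes; the group name and IP address are constructed.

```python
import ipaddress
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
FORTINET = 12356       # vendor-id used in the post above

# type-id -> (name, dictionary type), taken from the lists in the post above
DICTIONARY = {
    1: ("Fortinet-Group-Name", "string"),
    2: ("Fortinet-Client-IP-Address", "ipaddr"),
    23: ("Fortinet-WirelessController-Device-MAC", "ether"),
}
FIXED_LENGTH = {"ipaddr": 4, "ether": 6}


def encode_value(value_type, text):
    """Turn a textual value into the octets its declared type puts on the wire."""
    if value_type == "string":
        return text.encode("utf-8")
    if value_type == "ipaddr":
        return ipaddress.IPv4Address(text).packed
    if value_type == "ether":
        raw = bytes.fromhex(text.replace(":", ""))
        if len(raw) != 6:
            raise ValueError("MAC address must be 6 octets")
        return raw
    raise ValueError(f"unsupported value type: {value_type}")


def encode_vsa(vendor_id, type_id, payload):
    """Wrap one vendor sub-attribute in a Vendor-Specific (26) attribute."""
    if not 0 < type_id < 256:
        raise ValueError("vendor type must fit in one octet")
    if len(payload) > 247:  # 255 - outer header (2) - vendor-id (4) - sub header (2)
        raise ValueError("payload too long for a single VSA")
    sub = struct.pack("!BB", type_id, len(payload) + 2) + payload
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub


def decode_vsa(data):
    """Return (vendor_id, [(type_id, payload), ...]) with strict length checks."""
    if len(data) < 8 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    subs, pos = [], 6
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated sub-attribute header")
        type_id, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad sub-attribute length")
        subs.append((type_id, data[pos + 2:pos + length]))
        pos += length
    return vendor_id, subs


def type_mismatches(data):
    """List sub-attributes whose size cannot match their dictionary type."""
    vendor_id, subs = decode_vsa(data)
    findings = []
    if vendor_id != FORTINET:
        return findings
    for type_id, payload in subs:
        name, kind = DICTIONARY.get(type_id, ("unknown", "string"))
        want = FIXED_LENGTH.get(kind)
        if want is not None and len(payload) != want:
            findings.append(f"{name}: {kind} expects {want} octets, got {len(payload)}")
    return findings


if __name__ == "__main__":
    group = encode_vsa(FORTINET, 1, encode_value("string", "testgroup"))
    print(group.hex())
    as_text = encode_vsa(FORTINET, 2, encode_value("string", "10.0.0.1"))
    print(type_mismatches(as_text))
```

Under that assumption, a receiver that decodes strictly by its dictionary would see 8 octets where it expects 4 for Fortinet-Client-IP-Address, so the string workaround is only safe for attributes the receiving device treats as text.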
 
victor21
just joined
Posts: 4
Joined: Fri Apr 13, 2018 12:08 am

Re: New User Manager in RouterOS v7

Sat Dec 30, 2023 4:38 am

Hi

I have an OpenWrt wifi access point (using hostapd) connecting to RouterOS 7.13 user manager. I use only EAP-TLS with certificates. Tried 3 clients so far: 2 Android devices and 1 Windows 10 22H2. Windows is connecting every time, the (old) Android 9 device is connecting fine also, but another Android 10 is failing to connect with the message as seen on the screenshot: EAP rejected for user: <user> handshake timed out. Tried another ROM, reset this phone but no changes.

the messages repeating as long as client wifi is on. Any ideas ? maybe a TLS version issue ?
Clipboard01.jpg
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Sat Dec 30, 2023 12:07 pm

I think in newer Android phones it is mandatory to install the root certificate on the phone (assuming you do not use certificates issued by an official certificate authority). In older versions you could just select "don't check" for that.
 
bpwl
Forum Guru
Posts: 3094
Joined: Mon Apr 08, 2019 1:16 am

Re: New User Manager in RouterOS v7

Sat Dec 30, 2023 12:33 pm

Hope that certificate installation is NOT needed. Would be extra work.
Please define "newer" Android. My smartphone is on Android 12. https://en.wikipedia.org/wiki/Android_version_history
No problems with certificates. Used "don't verify" in Android with ROS generated certificate as instructed in Help.
https://help.mikrotik.com/docs/display/ ... Manager+v5
 
pe1chl
Forum Guru
Posts: 10505
Joined: Mon Jun 08, 2015 12:09 pm

Re: New User Manager in RouterOS v7

Sat Dec 30, 2023 1:09 pm

Unfortunately, "hope" does not influence the ridiculous policies around removing options that are "not secure" by equipment and software manufacturers :-(
It seems they think they are the ones that decide how much security is required on each user's network.

Similarly, in new Android versions L2TP/IPsec VPN is no longer supported. Earlier it warned "this is not secure" when creating one, but now you only can do IKEv2. Which has the disadvantage that it does not use a separate virtual interface in MikroTik routers.

Well, maybe I am wrong in indicating that this is "in new Android versions" and should add "on Samsung phones", because that is what we use at work and where I encounter those issues.
Indeed it is extra work to install the certificate. We have to put it on a separate network (different SSID) that uses WPA2-PSK and download it on the phone first.
Another big fail is that there is no QR code format to do all this in one go, as there is for WPA2-PSK wifi.
 
victor21
just joined
Posts: 4
Joined: Fri Apr 13, 2018 12:08 am

Re: New User Manager in RouterOS v7

Sat Dec 30, 2023 1:39 pm

Hi

I have an OpenWrt wifi access point (using hostapd) connecting to RouterOS 7.13 User Manager. I use only EAP-TLS with certificates. Tried 3 clients so far: 2 Android devices and 1 Windows 10 22H2. Windows is connecting every time, and the (old) Android 9 device is also connecting fine, but another Android 10 device is failing to connect with the message as seen on the screenshot: "EAP rejected for user: <user> handshake timed out". Tried another ROM and reset this phone, but no change.

The messages repeat as long as the client wifi is on. Any ideas? Maybe a TLS version issue?

I've just successfully connected another phone with Android 11 using EAP-TLS and certificates on both the phone and RouterOS. So apparently, this is not an issue with the Android version.

Some devices just refuse to connect for an unknown reason, with the message "EAP rejected for user: <user> handshake timed out" in the RouterOS log.

I still have no clue what's going on here. Maybe I'll try installing FreeRADIUS 3 somewhere on the network instead of using MikroTik's User Manager.
 
kiler129
Member
Posts: 354
Joined: Tue Mar 31, 2015 4:32 pm
Location: IL, USA

Re: New User Manager in RouterOS v7

Sun Mar 31, 2024 8:02 am

Almost a year later, we made a decision to completely phase out MT User Manager (ROSv7) from all our networks. While the software is generally stable, when it breaks it lacks any debugging facilities. It's honestly disappointing and bizarre that the only thing UM can log is the completely useless "EAP rejected for user: <name>". The AP indicates that the RADIUS server rejected the attempt.
Am I jaded? A bit.... I was pulled from my holidays and I cannot tell users what's broken from logs, beyond "well, maybe try again?".