# RADIUS Client Configuration

## TL;DR (Quick Start)

For the impatient: add a RADIUS server and enable it for your service.

```
# Add RADIUS server
/radius add address=10.0.0.100 secret=YourSharedSecret service=ppp

# Enable RADIUS for PPP authentication
/ppp aaa set use-radius=yes accounting=yes
```

Verify with:

```
/radius monitor 0
```

Look for `accepts` incrementing when users authenticate.
## Overview

What this does: RADIUS (Remote Authentication Dial-In User Service) client support lets MikroTik RouterOS authenticate users against an external RADIUS server instead of the local user database. This centralizes user management across multiple routers and services.
When to use this:
- ISP environments with many PPPoE/HotSpot subscribers
- Enterprise networks requiring centralized authentication
- Wireless 802.1X/WPA-Enterprise deployments
- Multiple routers needing shared user database
- Integration with existing directory services (AD, LDAP via RADIUS)
Prerequisites:
- A RADIUS server (FreeRADIUS, Microsoft NPS, User Manager, etc.)
- Network connectivity to RADIUS server (UDP 1812/1813)
- Shared secret configured on both router and RADIUS server
- User accounts configured on RADIUS server
## Configuration Steps

### Step 1: Add RADIUS Server

Configure the router to communicate with your RADIUS server:

```
/radius add address=10.0.0.100 secret=YourSharedSecret service=ppp
```

Replace:

- `10.0.0.100` with your RADIUS server IP
- `YourSharedSecret` with the shared secret configured on your RADIUS server
- `ppp` with the service(s) you need: `ppp`, `hotspot`, `wireless`, `login`, `dhcp`, `dot1x`, `ipsec`

### Step 2: Enable RADIUS for Your Service

RADIUS must be explicitly enabled for each service that should use it.

For PPP/PPPoE:

```
/ppp aaa set use-radius=yes accounting=yes
```

For HotSpot:

```
/ip hotspot profile set default use-radius=yes accounting=yes
```

For router login:

```
/user aaa set use-radius=yes
```

For DHCP:

```
/ip dhcp-server set dhcp1 use-radius=yes
```

### Step 3: Verify Configuration

Monitor RADIUS communication:

```
/radius monitor 0
```

Expected output during authentication:

```
pending: 0
requests: 15
accepts: 12
rejects: 3
resends: 0
timeouts: 0
bad-replies: 0
last-request-rtt: 5ms
```

Key indicators:

- `accepts` incrementing = successful authentications
- `rejects` incrementing = authentication denied (check credentials)
- `bad-replies` incrementing = shared secret mismatch
- `timeouts` incrementing = server unreachable
### Step 4: Configure Firewall (If Needed)

If your router has a restrictive firewall, allow RADIUS traffic. Note that the router is the RADIUS client here: it sends to the server's UDP 1812/1813 from an ephemeral port, so the replies arrive with 1812/1813 as the source port, not the destination port. If your input chain already accepts established/related connections, those replies are covered; if you need an explicit rule, match on the source port and the server address:

```
# Accept RADIUS replies from the server (source port 1812/1813, client-side ephemeral destination port)
/ip firewall filter add chain=input protocol=udp src-port=1812-1813 \
    src-address=10.0.0.100 action=accept place-before=0
```

## Common Scenarios
### Scenario: Multiple RADIUS Servers (Failover)

Configure backup servers in priority order:

```
/radius add address=10.0.0.100 secret=Secret1 service=ppp timeout=500ms
/radius add address=10.0.0.101 secret=Secret2 service=ppp timeout=500ms
```

Servers are tried in list order. Reduce `timeout` for faster failover.
### Scenario: RADIUS for Wireless 802.1X

For WPA2/WPA3-Enterprise authentication:

```
# Add RADIUS server for wireless
/radius add address=10.0.0.100 secret=YourSecret service=wireless

# Configure enterprise security profile
/interface wifi security add name=enterprise-security \
    authentication-types=wpa2-eap encryption=ccmp
/interface wifi aaa add name=radius-aaa
/interface wifi configuration add name=enterprise-config \
    ssid=CorpNetwork security=enterprise-security aaa=radius-aaa
```

### Scenario: RADIUS for Wired 802.1X (Dot1X)
For port-based authentication on Ethernet:

```
# Add RADIUS server for dot1x
/radius add address=10.0.0.100 secret=YourSecret service=dot1x

# Enable dot1x on interface
/interface dot1x server add interface=ether2 auth-types=dot1x
```

### Scenario: Accept Disconnect-Messages (CoA)
Allow the RADIUS server to terminate sessions remotely:

```
# Enable incoming Disconnect-Messages
/radius incoming set accept=yes port=1700

# Allow in firewall
/ip firewall filter add chain=input protocol=udp dst-port=1700 \
    src-address=10.0.0.100 action=accept place-before=0
```

### Scenario: RadSec (RADIUS over TLS)
For encrypted RADIUS communication:

```
# Import certificate
/certificate import file-name=radius-client.p12 passphrase=certpass

# Add RadSec server
/radius add address=10.0.0.100 secret=radsec protocol=radsec \
    certificate=radius-client.p12_0 service=ppp,hotspot
```

Note: With RadSec, the shared secret is forced to "radsec" per RFC 6614.
### Scenario: Using MikroTik User Manager as RADIUS Server

If using RouterOS User Manager as your RADIUS server:

```
# On the router acting as RADIUS client
/radius add address=192.168.1.1 secret=testing123 service=hotspot

# Allow loopback if User Manager is on the same router
/ip firewall filter add chain=input src-address=127.0.0.1 action=accept
```

### Scenario: RADIUS with Specific Source Address

When the router has multiple IPs and the RADIUS server filters by source:

```
/radius set 0 src-address=192.168.1.1
```

## Verification
Confirm your RADIUS client configuration is working.

### Check 1: Verify RADIUS Server Entry

```
/radius print
```

Expected: server listed with correct address and service.

### Check 2: Monitor Statistics

```
/radius monitor 0
```

Expected: `accepts` count increases with successful logins.

### Check 3: Check for Errors

```
/radius monitor 0
```

Watch for:

- `bad-replies > 0` = shared secret mismatch
- `timeouts > 0` = server unreachable
- `rejects` = authentication denied

### Check 4: Test Authentication

Attempt a login with a RADIUS user and verify:

```
# For PPP, check active sessions
/ppp active print

# For HotSpot, check active users
/ip hotspot active print
```

## Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| `bad-replies` incrementing | Shared secret mismatch | Verify the secret matches exactly on both router and RADIUS server |
| `timeouts` incrementing | Server unreachable | Check network connectivity and firewall rules for UDP 1812/1813 |
| `rejects` incrementing | Invalid credentials | Verify username/password on the RADIUS server |
| RADIUS not queried at all | Service not enabled | Enable RADIUS for the specific service (`/ppp aaa`, `/ip hotspot profile`, etc.) |
| RADIUS not queried at all | Local user exists | Local users are checked first; remove the local user to use RADIUS |
| SSH works but Winbox fails (or vice versa) | Different auth protocols | SSH uses PAP, Winbox uses CHAP; enable both on the RADIUS server |
| RadSec fails after 7.15 upgrade | Message-Authenticator changes | Set `require-message-auth=no` or downgrade to 7.14.3 |
| "RADIUS server not responding" | Firewall blocking | Add rules for UDP 1812/1813 from the RADIUS server IP |
| CoA/Disconnect not working | Incoming not enabled | Set `/radius incoming set accept=yes` and allow port 1700 |
### Debug: Test RADIUS Server Connectivity

```
# Verify network path
/tool ping 10.0.0.100 count=3

# Check if ports are open (from router perspective)
# Note: RADIUS won't respond to arbitrary packets, but this confirms routing
```

### Debug: Check Bad Replies

```
/radius monitor 0
# If bad-replies keeps incrementing:
# 1. Verify shared secret character-by-character
# 2. Check for trailing spaces or special characters
# 3. For RadSec, ensure server uses "radsec" as shared secret
```

## Common Mistakes
- Don't forget to enable RADIUS per service: adding a RADIUS server isn't enough; each service needs `use-radius=yes`
- Local users take precedence: if a local user exists, RADIUS is never queried for that username
- Shared secrets must match exactly, including case and special characters
- RadSec requires "radsec" as the secret on the server; RouterOS enforces this per RFC 6614
- Firewall rules are needed for User Manager on the same router: allow loopback (127.0.0.1) traffic
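To make the "bad-replies means shared secret mismatch" rule concrete, the following is an added Python model (not RouterOS code and not from MikroTik) of what a RADIUS client does with a reply before it counts as an accept or a reject: it recomputes the RFC 2865 Response Authenticator and, when attribute 80 is present, the RFC 2869 Message-Authenticator under its own copy of the secret, and a reply that fails either check is a bad reply. The function names, the constructed secrets, and the `require_message_auth` flag (modelled on the `require-message-auth` property mentioned in the troubleshooting table) are this example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865 / RFC 2869
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def parse_attrs(body):
    """Return (offset, type, value) per attribute; raise on malformed input."""
    attrs, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[off], body[off + 1]
        if attr_len < 2 or off + attr_len > len(body):
            raise ValueError("bad attribute length")
        attrs.append((off, attr_type, body[off + 2:off + attr_len]))
        off += attr_len
    return attrs


def build_response(code, ident, request_auth, attrs, secret, include_message_auth=True):
    """Build an Access-Accept/Reject the way a server would (constructed test data).

    Message-Authenticator (attribute 80) is HMAC-MD5 over the packet with the
    header Authenticator set to the Request Authenticator and the attribute
    value zeroed (RFC 2869 5.14). The Response Authenticator is then
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 3).
    """
    body = encode_attrs(attrs)
    if include_message_auth:
        body += encode_attrs([(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    if include_message_auth:
        msg_auth = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + msg_auth
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def classify_reply(packet, request_auth, secret, require_message_auth=True):
    """Name the /radius monitor counter this reply would bump on the client:
    'accepts', 'rejects', or 'bad-replies' when an authenticator does not
    verify under our copy of the secret (or the packet is malformed).
    require_message_auth is modelled on the require-message-auth property:
    when set, a reply that carries no attribute 80 is also treated as bad."""
    if len(packet) < HEADER_LEN:
        return "bad-replies"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return "bad-replies"
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "bad-replies"  # secret differs from the server's, or packet was altered
    try:
        attrs = parse_attrs(body)
    except ValueError:
        return "bad-replies"
    seen_msg_auth = False
    for off, attr_type, value in attrs:
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            seen_msg_auth = True
            zeroed = body[:off + 2] + bytes(len(value)) + body[off + 2 + len(value):]
            mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(mac, value):
                return "bad-replies"
    if require_message_auth and not seen_msg_auth:
        return "bad-replies"
    if code == ACCESS_ACCEPT:
        return "accepts"
    if code == ACCESS_REJECT:
        return "rejects"
    return "bad-replies"


def demo():
    """Constructed example: one valid Access-Accept checked with the exact secret,
    with a trailing space appended, and with the case changed."""
    server_secret = b"YourSharedSecret"  # constructed value, not a real deployment secret
    request_auth = os.urandom(16)        # the client picked this for its Access-Request
    reply = build_response(ACCESS_ACCEPT, 7, request_auth,
                           [(ATTR_REPLY_MESSAGE, b"Welcome")], server_secret)
    return (
        classify_reply(reply, request_auth, b"YourSharedSecret"),
        classify_reply(reply, request_auth, b"YourSharedSecret "),
        classify_reply(reply, request_auth, b"yoursharedsecret"),
    )


if __name__ == "__main__":
    print(demo())  # ('accepts', 'bad-replies', 'bad-replies')
```

The same Access-Accept lands in `accepts` with the exact secret and in `bad-replies` with a trailing space or a case change, which is why the secret must match byte for byte and why a moving `bad-replies` counter points at the secret rather than at user credentials. With `require_message_auth` left at its default, a reply that omits attribute 80 is also a bad reply, mirroring the behaviour change the troubleshooting table attributes to 7.15.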
## RADIUS Monitor Fields Reference

| Field | Description |
|---|---|
| `pending` | Active requests awaiting response |
| `requests` | Total requests sent |
| `accepts` | Successful authentications (Access-Accept received) |
| `rejects` | Denied authentications (Access-Reject received) |
| `resends` | Retry attempts after timeout |
| `timeouts` | Requests that never received a response |
| `bad-replies` | Responses whose authenticator fails verification (wrong secret) |
| `last-request-rtt` | Round-trip time of the most recent request |
## Related Topics

### Authentication Use Cases

- L2TP VPN Server - RADIUS for VPN authentication
- PPPoE Server - RADIUS for PPPoE subscriber management
- Hotspot - RADIUS for captive portal authentication
- CAPsMAN - RADIUS for enterprise WiFi (WPA2/WPA3-Enterprise)

### Related Topics

- User Management - local user accounts (alternative to RADIUS)
- 802.1X - port-based network access control with RADIUS
- IP Pool - address pools assigned via RADIUS

### Security

- Firewall Basics - protect RADIUS ports (1812, 1813)

### Reference

- MikroTik RADIUS Documentation
- Version changes:
  - v7.15: Message-Authenticator validation changes
  - v7.0: RadSec support added
## Key Properties Reference

| Property | Type | Default | Description |
|---|---|---|---|
| `address` | IP | 0.0.0.0 | RADIUS server address |
| `secret` | string | "" | Shared secret for authentication |
| `service` | enum | "" | Services: ppp, login, hotspot, wireless, dhcp, ipsec, dot1x |
| `authentication-port` | integer | 1812 | Authentication port |
| `accounting-port` | integer | 1813 | Accounting port |
| `timeout` | time | 1100ms | Request timeout before retry |
| `protocol` | udp/radsec | udp | Communication protocol |
| `certificate` | string | - | Certificate for RadSec |
| `src-address` | IP | 0.0.0.0 | Source IP for RADIUS packets |
| `disabled` | yes/no | no | Enable/disable this entry |
## Service-Specific RADIUS Enablement

| Service | Enable Command |
|---|---|
| PPP/PPPoE | /ppp aaa set use-radius=yes |
| HotSpot | /ip hotspot profile set [find] use-radius=yes |
| Router Login | /user aaa set use-radius=yes |
| DHCP | /ip dhcp-server set [find] use-radius=yes |
| Wireless | Configure WPA-EAP security profile |
| Dot1X | /interface dot1x server add interface=ethX |