User Manager - Mikrotik

User Manager - Mikrotik
PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information.
PDF generated at: Tue, 22 Feb 2011 21:49:06 UTC
Manual:User Manager 1
Manual:User Manager
Introduction
• What is User Manager
• Requirements
• Supported browsers
• Demo
• Differences between version 3 and version 4-test
Getting started
• Download
• Install
• Create first subscriber
• First log on User Manager web
Quick start
• User Manager and HotSpot
• User Manager and PPP servers
• User Manager and DHCP
• User Manager and Wireless
• User Manager and RouterOS user
Concepts explained
Common
• Customers
• Users
• Routers
• Sessions
• Payments
• Reports
• Logs
• Customer permission levels
• Character constants
• Active sessions
• Active users
• Customer public ID
Version 4.x test package specific

• Profiles
• Limitations
• User data templates
• MAC binding
• Languages
• CoA (Radius incoming)
Version 3.x specific

• Subscribers
• Credits
• User prefix
• Time, traffic amount and rate limiting
• Prepaid and unlimited users
• Voucher template
Reference
Web interface
• Search patterns
• Tables:
• Sorting
• Filtering
• Division in pages
• Multiple object selection
• Operations with selected objects
• Minimization
• Links to detail form
• Detail forms
• Page printing
Customer page
• Setup
• How to find it?
• Sections
• Status
• Routers
• Credits
• Users
• Sessions
• Customers
• Reports
• Logs
User page
• Setup
• How to find it?
• Link to user page
• Sections
• Status
• Payments
• Settings
User sign-up
• Setup
• Sign-up steps
• Creating account
• Activating account
• Login
User payments
• Authorize.Net
• PayPal
Questions and answers

• Quick introduction into User Manager setup
• How to separate users among customers?
• How to create a link to user page?
• How to create a link to user sign-up page?
• Visual bugs since upgrade
• Cannot log in User Manager
• Too many active sessions shown
• What does "active sessions" refer to?
• How to make Hotspot and User Manager on the same router?
• How to make MAC authentication in the User Manager?
• How to turn off logging for specific Routers?
• How to create timed Voucher?
• Cannot access User Manager WEB interface
• Incorrect time shown for sessions and credits
• User Manager does not allow to login due to expired uptime
• How to debug PayPal payments
• How to send logs to a remote host, using SysLog
User Manager/Introduction 4
User Manager/Introduction
What is User Manager
User manager is a management system that can be used for:
• HotSpot users;
• PPP (PPtP/PPPoE) users;
• DHCP users;
• Wireless users;
• RouterOS users.
It is a separate package for RouterOS.
User Manager is a RADIUS [1] server application.
In RouterOS version 4 User Manager test package was introduced, having major functionality and interface changes.
Requirements
• You should have the same version for RouterOS and the User Manager package.
• The MikroTik User Manager works on x86, MIPS and PowerPC processor based routers.
• The router should have at least 32MB RAM and 2MB free HDD space.
Supported browsers
All current generation browsers are supported, including:
• Opera [2] (>= 9.0). Probably works fine also on Opera 8.x
• Mozilla Firefox [3] (>= 1.5). Probably works fine also on Mozilla Firefox 1.0.x
• Microsoft Internet Explorer [4] (>= 6.0).
• Safari [5] (>= 2.0)
Demo
[6]
To see what User Manager can do for you, log into the test system: User Manager Online Demo with the login
and password both being "demo"
Note: Demo user has read-only permissions. Download and install User Manager package on your router to
see all the features
Note: This demo uses v3 User Manager

User Manager/Introduction 5
References
[1] http:/ / en. wikipedia. org/ wiki/ RADIUS
[2] http:/ / www. opera. com/ download/
[3] http:/ / www. mozilla. com/ firefox/
[4] http:/ / www. microsoft. com/ windows/ ie/
[5] http:/ / www. apple. com/ safari
[6] http:/ / userman. mt. lv/ userman
User Manager/Getting started

Download
MikroTik User Manager can be downloaded from the MikroTik download page: MikroTik User Manager [1], choose
system and software type and All packages.
Install
Perform the usual router upgrade steps - upload the User Manager package to the router's FTP server and reboot the
router.
Create first subscriber

Note: Starting from version 3.0 a default subscriber with login admin and empty password is created when
User Manager package is installed for the first time. I.e., admin subscriber is created only if the User Manager
package was not installed prior to version 3.0.
If you are using a version prior to 3.0, then the first subscriber must be added using Mikrotik
terminal (console). All the configuration is done under the /tool user-manager menu.
To create a subscriber you should go to /tool user-manager customer menu and execute add command. It will ask
for the username which you will use.
or you can enter this into the command line:
[admin@USER_MAN] tool user-manager customer> add login="admin"

password="PASSWORD" permissions=owner
You can use the following command to change the password for the 'admin' user:
[admin@USER_MAN] tool user-manager customer set admin password=PASSWORD
After that you can use print command to see what you have added.
[admin@USER_MAN] tool user-manager customer> print

Flags: X - disabled
0 subscriber=admin login="admin" password="adminpassword" time-zone= 00:00
permissions=owner parent=admin
User Manager/Getting started 6
Note: Subscriber shown only in version 3
After that you can use the web interface.
Use web interface

To log on customer web interface type the following address in your web browser: http:/ / Router_IP_address/
userman
where "Router_IP_address" must be replaced with IP address of your router.
Use login and password of the subscriber you have created in console.
Note: On RouterOS 4.1, User-manger webinterface is unreachable with an HTTP 404 when attempting to navigate
to http:/ / inside_ip/ userman from behind a Hotspot interface where inside_ip is an non-NAT'd IP address on the
router. Two workarounds: change the 'www' service port from 80 to something other than 80 or 8080, such as port
81. Then use http:/ / inside_ip:81/ userman, or use an IP address hotspot users are NAT'd to (http:/ / outside_ip/
userman) instead.
References
[1] http:/ / www. mikrotik. com/ download. html
User Manager/Hotspot Example

Introduction
To make this setup, you should have running Hotspot server on the router. Let us consider configuration steps for
HotSpot and User Manager routers, in order to use User Manager for HotSpot users.
HotSpot configuration
• Set HotSpot to use User Manager for HotSpot server users,
/ ip hotspot profile set hsprof1 use-radius=yes
• Add radius client to consult User Manager for HotSpot service.
/ radius add service=hotspot address=y.y.y.y secret=123456
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address. By default this is
127.0.0.1. If using a remotely located Router (perhaps via a VPN) then the IP address entered is the IP address of
that remote Router. The router could be a Radius Server, or another ROS with User Manager installed.
• Note, first local HotSpot database is consulted, then User Manager database.
It means that if you have configuration in '/ ip hotspot user print', users will be able to authenticate in HotSpot using
this data.
Delete users configuration from '/ ip hotspot print' to stop using local HotSpot database for authentication. To move
batch of local HotSpot users to the User Manager database use export and import . Use text editor program to create
appropriate file to import local users to the User Manager database.
User Manager/Hotspot Example 7
User Manager configuration

• First, you need to download and install User Manager package [1];
• Create User Manager subscriber (root customer). Note that when using a version 3.0 or newer, a subscriber called
'admin' is created automatically - you can skip the following stage and change 'MikroTik' to 'admin' in subsequent
steps;
/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner
• Add HotSpot router information to router list,

/ tool user-manager router add subscriber=MikroTik ip-address=x.x.x.x shared-secret=123456
'x.x.x.x' is the address of the HotSpot router, 'shared-secret' should match on both User Manager and HotSpot
routers. Adding 'x.x.x.x' as a router allows Radius requests from 'x.x.x.x' to be passed to the Radius Server built into
User Manager. Therefore if you have any remote ROS Hotspots that require access to this Radius Server, then all
their IP addresses must be added to this list.
• Add HotSpot user information, it is equal to 'ip hotspot user' when local HotSpot is used for clients
In version 3:
/ tool user-manager user add name=demo password=demo subscriber=MikroTik
In version 4:
/ tool user-manager user add name=demo password=demo customer=MikroTik
We discuss only basic configuration example, detailed information about 'user' menu configuration.
• You can use User Manager web interface after first subscriber created.
• To make sure, that client is using User Manager for AAA,
/ ip hotspot active print

Flags: R - radius, B - blocked
# USER ADDRESS UPTIME SESSION-TIME-LEFT IDLE-TIMEOUT
0 R 00:01:29:2... 192.168.100.2 1m29s
'R' means that client uses User Manager server for AAA services.
User Manager/PPP Example 8
User Manager/PPP Example

Introduction
User Manager can be used as a remote authentication, authorization and accounting server for PPP clients.
Since 2.9.35 PAP,CHAP, MS-CHAPv1 and MS-CHAPv2 protocols are supported by the User Manager.
Let us consider the following configuration steps for PPP and User Manager routers.
PPP configuration
We consider PPPoE server <-> PPPoE client configuration example, where the PPPoE server uses a remote User
Manager database for PPPoE client authentication, authorization and accounting. Both PPPoE server and PPPoE
client are MikroTik routers, any other PPPoE client might be used instead.
PPP server configuration

• First, add the PPPoE server to the local interface, :
/ interface pppoe-server server add interface=ether1 service-name=MikroTik one-session-per-host=yes disabled=no
• Specify the use of User Manager for PPPoE clients:
/ ppp aaa set use-radius=yes
• Set IP address of the PPPoE server, IP address might not be assigned to the interface of PPPoE server. Moreover
static IP address or DHCP should not be used on the same interfaces as the PPPoE server for security reasons.
/ ppp profile set default local-address=192.168.0.1
• Add radius client to consult User Manager for PPP service.
/ radius add service=ppp address=y.y.y.y secret=123456
'secret' is equal to User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note, first the local PPP database is consulted, then the User Manager database.
PPP client configuration

• Add PPPoE client to the interface
/ interface pppoe-client add interface=ether1 user=MikroTik password=MikroTik service-name=MikroTik disabled=no

steps;
• Add PPP server information to router list,

In version 3:
User Manager/PPP Example 9
In version 4:
/ tool user-manager router add customer=MikroTik ip-address=x.x.x.x shared-secret=123456
'x.x.x.x' is the address of the PPPoE-server router, 'shared-secret' should match on both User Manager and
PPPoE-server routers.
• Add PPPoE client information,
In version 3:
/ tool user-manager user add username=demo password=demo subscriber=MikroTik ip-address=192.168.0.2
In version 4:
/ tool user-manager user add username=demo password=demo customer=MikroTik ip-address=192.168.0.2
• Let us verify, that PPPoE client is connected and using User Manager for authentication, authorization and
accounting. First we monitor if PPPoE client is connected, then we verify that User Manager was used. The first
command is executed on PPPoE client router, second on PPPoE server:
/ interface pppoe-client monitor pppoe-out1

status: "connected"
uptime: 12h2m29s
idle-time: 12h2m17s
service-name: "MikroTik"
ac-name: "MikroTik"
ac-mac: 00:0C:42:05:54:8F
mtu: 1480
mru: 1480
/ ppp active> print

Flags: R - radius
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 R MikroTik pppoe 00:0C:42:05:54:6E 192.168.0.2 12h1m48s

User Manager/DHCP Example 10
User Manager/DHCP Example

Introduction
To make this setup, you should have running DHCP [1] server on the router. Let's consider configuration steps for
DHCP and User Manager routers, in order to use User Manager for DHCP server users.
DHCP router configuration

• Set DHCP to use User Manager for DHCP server leases,
/ ip dhcp-server set dhcp1 use-radius=yes
• Add radius client to consult User Manager for DHCP service.
/ radius add service=dhcp address=y.y.y.y secret=123456
• Note, first local router database is consulted, then User Manager database. User will be unable to obtain DHCP
lease, if DHCP router and User Manager server will not contain any information about user's data.

steps;
• Add DHCP router information to router list,

In version 3:
In version 4:
'x.x.x.x' is the address of the DHCP router, 'shared-secret' should match on both User Manager and DHCP routers.
• Add DHCP user information, that client with MAC address 00:01:29:27:81:95 will always receive 192.168.100.2
address. User will receive dynamic address from the DHCP ip pool, if ip-address is not specified.
In version 3:
/ tool user-manager user add add subscriber=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
In version 4:
/ tool user-manager user add add customer=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
We discuss only basic configuration example, detailed information about user menu configuration.
• To make sure, that user is receiving lease from User Manager,
User Manager/DHCP Example 11
/ ip dhcp-server lease> print

Flags: X - disabled, R - radius, D - dynamic, B - blocked
# ADDRESS MAC-ADDRESS HOST-NAME SERVER RATE-LIMIT STATUS
0 R 192.168.100.2 00:01:29:27:81:95 dhcp1 bound
'R' means that lease has been received from User Manager server.
References
[1] http:/ / www. mikrotik. com/ testdocs/ ros/ 2. 9/ ip/ dhcp. php
User Manager/Wireless Example

Introduction
We consider the scenario for wireless network, when only clients from User Manager database are able to establish
communications with 'Access Point' router. To make this setup, you must have running Access Point [1]. Let us
consider configuration steps for Access Point and User Manager routers.
Access Point configuration

• Set Access Point to use User Manager for wireless client authentication,
/ interface wireless security-profiles set default radius-mac-authentication=yes
• Add radius client to consult User Manager for wireless service.
/ radius add service=wireless address=y.y.y.y secret=123456
• Note, first local router database is consulted, then User Manager database. Wireless client will be unable to
connect to Access Point, if Access Points router does not contain any entry in the 'interface wireless access-list'
for the particular configuration and User Manager server will not have any information about user's data.
• Make sure you do not have any entry in the 'interface wireless access-list', remove all hosts from 'access-list' to
ensure wireless client MAC authentication only via User Manager,
/ interface wireless access-list remove [find]

steps;
• Add Access Point router information to router list,

In version 3:
User Manager/Wireless Example 12
In version 4:
'x.x.x.x' is the address of the Access Point router, 'shared-secret' must match on both User Manager and Access Point
routers.
• Add wireless client information, client MAC-address that is allowed to establish connection to the Access Point,
In version 3:
/ tool user-manager user add subscriber=MikroTik username="00:01:29:27:81:95"
In version 4: / tool user-manager user add customer=MikroTik username="00:01:29:27:81:95"
References
[1] http:/ / www. mikrotik. com/ testdocs/ ros/ 2. 9/ interface/ wireless. php
User Manager/RouterOS user Example

Introduction
User Manager server might be used as remote storage of RouterOS login and password information. MikroTik router
will consult User Manager for login and password, when you are accessing RouterOS via Winbox or console
session. Let us consider configuration steps.
RouterOS configuration
• Set RouterOS to use User Manager server for checking login and password information,
/ user aaa set use-radius=yes
• '/user aaa' has 'default-group' option, that define type of the default group. Default is read permissions, if you need
to allow full permissions for users stored in User Manager database
/ user aaa set default-group=full
• Add radius client to consult User Manager for login service.
/ radius add service=login address=y.y.y.y secret=123456
• Note, first local router database is consulted, then User Manager database.
User Manager/RouterOS user Example 13

steps;
• Add RouterOS router information to router list,

In version 3:
In version 4:
'x.x.x.x' is the address of the RouterOS router, 'shared-secret' must match on both User Manager and RouterOS
routers.
• Add login/password information, that account will be able to access RouterOS. login is MikroTik, password is
MikroTik.
In version 3:
/ tool user-manager user add subscriber=MikroTik username=MikroTik password=MikroTik
In version 4: / tool user-manager user add customer=MikroTik username=MikroTik password=MikroTik
User Manager/Customers
• Customers are service providers. They use web interface to manage users, credits, routers;
• Customers are hierarchically ordered in a tree structure [1] - each can have zero or more sub-customers and
exactly one parent-customer;
• Each customer can have same or weaker permission level than it's parent;
• Each customer has exactly one owner-subscriber.
• Customer with owner permissions is called subscriber. Subscriber's parent is himself;
• Customer data contains:
• Login and password. Used for web interface;
• Parent. Enumerator over customers. Used to keep the hierarchy of customers;
• Permissions. Specifies permission level;
• Public ID. It's an ID used to identify customer. When a user wants to log on the user page or to sign up he/she
needs to specify, which customer to use (because user login names are allowed to be equal among several
subscribers). To keep customer login names in secret (for security reasons) this field is used to identify
customers (subscribers);
• Public host. Only for subscribers. IP address or DNS name [2] specifying public address of this User Manager
router. Payment gateways use this address to send transaction status response. This field has sense only if users
access User Manager site through local IP address (for, example, http://192.168.0.250/user) and another
address is used for public access (for example, http://userman.mt.lv/user).
• Company, city, country. Informational;
• Email address. Used to send emails (for ex., sign up information) to users;
User Manager/Customers 14
• User prefix. Used to separate users between customers of one subscriber;

• Sign-up allowed. When checked, this customer allows users to use sign-up;
• Sign-up email subject. When a user completes signs up successfully, he/she receives an email with
authorization information, called sign-up email. Subject of this email is configurable.
• Sign-up email body. Text template of sign-up email. Must contain several specific string constants:
• %login% - will be replaced with login name of newly created account;
• %password% - will be replaced with password of newly created account.
• %link% - will be replaced with link to User page. This field can be omitted;
• Authorize.Net fields (only for subscribers and only when using https):
• Allow payments. When checked, users are allowed to use Authorize.Net as payment method for this
subscriber;
• Login ID, Transaction Key, MD5 Value. Authorize.Net merchant attributes. Must match those specified in
Authorize.Net Merchant gateway security settings;
• Title. The name of this payment method shown to users. For example, if one changes title to "Credit Card",
users will see "Pay with Credit Card" instead of "Pay with Authorize.Net". This field can be very useful if
users don't know what Authorize.Net means and get confused;
• Return URL: address to which user is redirected when pressing "Return to User Manager" button after
successful payment. Can be used to redirect user to HotSpot login page;
• Use Test Gateway. When true, payment info will be sent to Authorize.Net test gateway. Can be used for
testing payments without actual money charge;
• PayPal fields (only for subscribers):
• Allow payments. When checked, users are allowed to use PayPal as payment method for this subscriber;
• Business ID (login/email). Business ID of the PayPal account where the money will be sent;
• Secure Response: whether to use https (when true) or http (when false) to receive payment feedback from
PayPal. Additional security mechanism is used to check validity of this feedback information so using http
is not mandatory;
• Accept pending: when true, payments with status "Pending" are accepted as valid. This may be used for
multi-currency payments where manual approvals must be made;
• Return URL: address to which user is redirected when pressing "Return to merchant" button after successful
payment. Can be used to redirect user to HotSpot login page;
• Date format. Used on web pages for data representation. Only allowed formats (listed in drop-down) can be
used. When the value doesn't match any of allowed (it's possible to enter any value from console) formats,
default is used. See date character constants:
• Currency. Used for payments and money-related data representation on the web page;
• Time zone. Specific for each customer. By default equals to 00:00. Session and credit info is stored as GMT
regardless of ROS time zone on the User Manager router. This value specifies the way data is displayed on the
User Manager web pages.
References
[1] http:/ / en. wikipedia. org/ wiki/ Tree_structure
[2] http:/ / en. wikipedia. org/ wiki/ Domain_name
User Manager/Users 15
User Manager/Users
• Users are people who use services provided by customers;
• Each user can have time, traffic and speed limitations;
• Users belong to specific subscriber, not to customer. Customers can create, modify and delete users but the owner
is the subscriber who is also owner of these customers;
• To separate users among customers of one subscriber, user prefix is used.
• User data contains:
• Username and password - used to identify user. Different subscribers can have users with the same username;
• First name, last name, phone, location. Informational;
• Email. Used to send notifications to user (for ex., sign-up email);
• IP address. If not blank, user will get this IP address on successful authorization;
• Pool name. If not blank, user will get IP address from this IP pool on successful authorization;
• Group. Sent to Radius client as Mikrotik-Group attribute. Indicates group (/user group) for RouterOS users and
profile for HotSpot users. See Radius client documentation [1] for further details, search for "Mikrotik-Group".
• Address list. Sent to Radius client as Mikrotik-Address-List attribute. Used only for PPP (not hotspot) -
indicates to which "ip firewall address-list" should the remote address be added.
•
Download limit. Limit of download traffic, in bytes;
•
Upload limit. Limit of upload traffic, in bytes;
•
Transfer limit. Limit of total traffic (download + upload), in bytes;
•
Uptime limit. Limit of total time the user can use services. When left blank, user is limited in time only by
credits. Note that this value only takes effect when a user is logged on. When they log off the clock is stopped.
If you want to limit the time whether or not the user is logged in, you have to use credits.
• Rate limits. Has several parts. For more detailed description see HotSpot User AAA [2], search for "rate-limit".
• User also have read-only counters:
• Uptime used;
• Download used;
• Upload used.
Note: RouterOS users have nothing to do with User Manager user. If you have RouterOS user admin, it doesn't mean
it will also be a customer/subscriber in User Manager.
References
[1] http:/ / www. mikrotik. com/ testdocs/ ros/ 2. 9/ guide/ aaa_radius. php
[2] http:/ / www. mikrotik. com/ testdocs/ ros/ 2. 9/ guide/ aaa_hotspot. php
User Manager/Routers 16
User Manager/Routers
User Manager must know with which routers (IP addresses) to communicate. User Manager is like a judge - it
receives questions and must give answers. For example:
HotSpot: "Is user 'nick' allowed to use hotspot?"
User Manager: "Yes, but only 2 hours. And give him IP 192.168.0.40".
If an unknown router asks something, User Manager ignores it.
Router table contains information about known routers which are allowed to ask User Manager questions.
Router data contains:
• Name. Name of the router. Informational, must be unique per subscriber;
• IP address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
User Manager/Sessions
The term session refers to a period when a user is using customer's services (HotSpot). It has nothing to do with User
Manager web-page sessions.
Fields:
• Username. Session owner;
• NAS Port. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• NAS Port Type. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Calling Station ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Status. Session status, composition of several facts;
• User IP. User's IP address;
• Host IP. Router's IP address;
• NAS Port ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• From Time. Session start time;
• Till Time. Session end time;
• Terminate Cause. Session termination reason;
• Uptime. = EndTime - StartTime;
• Download. Downloaded traffic amount;
• Upload. Uploaded traffic amount.
User Manager/Payments 17
User Manager/Payments
Users can buy credits using payment methods allowed by the subscriber. Subscribers can define accessible payment
methods on the customer page.
Payments hold history of user's transactions.
Attributes:
• Created. Transaction start-time;
• Finished. Transaction end-time;
• Price. Transaction amount (credit price);
• Credit time. Credit prepaid-time bought;
• Status. Current status of transaction. Can be one of the following:
• Started - transaction is in progress;
• Approved - transaction completed successfully;
• Error - transaction failed;
• Timeout - transaction failed (not finished in required time);
• Status description - message describing transaction status;
User Manager/Logs
Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received.
It is configurable per router which logs must be written (See: HOWTO).
Log data contains:
• Username. Can differ from those registered in user table;
• User IP;
• Host IP. Router's IP;
• Status;
• Time;
• Description;
• NAS Port;
• NAS Port type;
• NAS Post ID;
• ACCT Session ID;
• Calling station ID.
User Manager/Logs 18
[1]
More information on what these fields mean can be found in Mikrotik RouterOS Radius client documentation ,
Supported RADIUS Attributes.
Sending logs to Syslog

Starting from version 3.24, support for sending logs to SysLog is added. To enable it:
1) Configure per router, which requests to log: accounting/authorization failure/success (See: HOWTO);
2) On the router configure log writing:
/system logging add topics=manager,account action=remote

/system logging action set remote target=remote remote=1.2.3.4:514
, where 1.2.3.4 and 514 is IP address and UDP port of the remote host, which will receive the logs.
3) Configure your remote host to listen on port 514 (any other port can be used, but it MUSt be UDP port and MUST
match the one entered in router's system logging action);
4) Test, if logs are successfully received at the remote host:
4.1) Generate some logs by logging in and out using HotSpot/PPP users;
4.2) Check the Log page. The logs must appear here. Logs are sent to syslog only if they are logged in the User
Manager database;
4.3) Check, if logs are received remotely. If you are running Linux, nc [2] can be used:
nc -l -u -p 514
, where 514 is the UDP port used. Could be, that root permissions are required to run listening on a UDP port.
Another alternative is Wireshark [3] - a multi platform tool for network packet "sniffing". Start a new session and
enter
udp port 514
in the filter field. You should see incoming logs appearing.

User Manager/Logs 19
Syslog message format

The logs are in the following format:
<user-ip>,<username>,<log-type>,<message>
, where:
• user-ip - IP of user (NOT the routers IP!): four number in the range 0-255, separated by commas. 0.0.0.0 means
"empty address";
• username - username of the user or MAC address, when MAC-authentication used;
• log type: string describing type of the log. Takes one of the following values: "auth ok", "auth fail", "acct ok",
"acct fail". Fail means - the user was not successful to authorize or the accounting log was malicious. To track
user session activity, only logs having "auth ok" and "acct ok" must be taken in account.
• message - contains message, describing error, in case of failure. can be empty. SysLog messages are limited in
size, therefore it could happend, that the end of the message has been cut off.
References
[1] http:/ / www. mikrotik. com/ docs/ ros/ 2. 9/ guide/ aaa_radius
[2] http:/ / netcat. sourceforge. net/
[3] http:/ / www. wireshark. org/
User Manager/Permissions
This table lists customer permissions:
Read-only Read-write Full Owner
View
Routers + + + +
Credits + + + +
Users + + + +
Sessions + + + +
Customers + +
Reports + + + +
Logs + + + +
Add
Routers + + +
Credits + + +
Users + + +
Customers +
Edit
Routers + + +
Credits + +
Users + + +
Customers +
User Manager/Permissions 20
Remove
Routers + +
Credits + +
Users + +
Customers +
Sessions + +
Logs + +
Specific actions
Reset user counters + +
Reset router counters + + +
Remove last user credit + + +
Close active sessions + + +
User Manager/Character constants

Time constants
Time constants can be divided in parts. Each part consists of integer followed by one of the following characters:
• w - week (equals 7 days)
• d - day (equals 24 hours)
• h - hour (equals 60 minutes)
• m - minute (equals 60 seconds)
• s - second
Examples:
• 4w2d - 30 days (4 weeks and 2 days).
• 30d - 30 days. Equals 4w2d
• 3h - 3 hours
• 2d2h - 50 hours (2 days and 2 hours). Equals 50h
• 2w30m - 2 weeks and 30 minutes. Equals 20190m.
Date constants
In date constant following characters will be replaced with proper values:
• %Y - four digit year representation
• %b - verbal (short) month representation
• %m - two digit month representation
• %d - two digit day-of-the-month representation
Examples (representing October 5, 2006):
• %d/%m/%Y - 05/10/2006
• %Y-%b-%d - 2006-Oct-05
User Manager/Character constants 21
Voucher template constants

The following constants of voucher template will be replaced with actual user attribute values:
• %u_username% - Username (login);
• %u_password% - Password;
• %u_fname% - First name;
• %u_lname% - Last name;
• %u_phone% - Phone number;
• %u_locat% - Location;
• %u_email% - Email address;
• %u_ip% - IP address;
• %u_pool% - Pool name;
• %u_group% - Group;
• %u_limit_download_f% - Nicely formatted download limit (introduced in v3.1);
• %u_limit_upload_f% - Nicely formatted upload limit (introduced in v3.1);
• %u_limit_transfer_f% - Nicely formatted transfer limit (introduced in v3.1);
• %u_limit_download% - Download limit (in bytes);
• %u_limit_upload% - Upload limit (in bytes);
• %u_limit_uptime% - Uptime limit (in bytes);
• %u_used_download% - Used download;
• %u_used_upload% - Used upload;
• %u_used_uptime% - Used uptime;
• %u_prep_time% - Prepaid time - time constant or the word unlimited;
• %u_tot_price% - Total price, including currency
User Manager/Active sessions 22
User Manager/Active sessions

When a session is started it's state is set to active. It can become inactive in one of the following ways:
• User Manager receives accounting-stop message;
• Customer closes session manually in the web interface. The option "Close" is available for the active-session
table, on the status page;
• An active session is closed when the same router asks to start a new session with the same accounting-session-id.
If the router hasn't sent accounting-stop message the session may remain active even if it should have closed much
sooner. Such sessions can be closed manually.
User Manager/Public ID
Each subscriber already has an unique field - login. But for security reasons another field - Public ID is used. Note:
In earlier versions (until version 2.9.31) login is used to identify subscriber.
Each customer has a Public ID. It can be configured in the customer section. But there is no need to specify public
ID for each customer. Because the subscriber search procedure occurs as follows:
• Search for a customer with specified public ID. If no customer found, the default (first) subscriber is used.
Otherwise proceed to the next step;
• Search for a subscriber (owner) of the customer just found. Every customer has its subscriber, so this procedure
always finds the result.
So only one customer per subscriber must have a public ID defined. Usually the subscriber itself has a public ID and
all the other customers can live without it.
Public ID for customers is significant in user sign-up process to use different user prefix and sign-up-credit for
different customers.
Only subscribers have permissions to edit customers. That means, subscriber must configure public IDs for all
sub-customers.
User Manager/MAC binding 23
User Manager/MAC binding

Applies to RouterOS: v4.x test package
Description
MAC binding is a feature, when users MAC address is not specified beforehand, but is fixed (bound) when the user
connects for the first time. Further the user is allowed to use only this MAC address.
In User Manager MAC address can be re-bound also for users with previously fixed one. In this case MAC address
is re-fixed at next user logon.
Binding MAC address in the Web interface

To bind MAC address, check the box "Bind on first use" for Caller ID field from the Constraints group in User
Detail form:
To specify a particular MAC address, un-check this box and type in the MAC address manually.
Binding MAC address in console

To bind MAC address in console, just change users caller-id to "bind":
/tool user-manager add customer=admin name=user1 caller-id=bind
how to make your mac faster [1]
References
[1] http:/ / www. mac-how. net
User Manager/Languages 24
User Manager/Languages
In RouterOS v4, User Manager supports multiple languages.
Create your own translations

1. Download language file template [1], containing English translations
2. Open it with poEdit. Language files are plain-text and can also be edited with any text editor if poEdit [2] is not
available. Please, use UTF-8 encoding for non-standard characters.
3. Translate the file
4. Set the language: in poEdit [2]: Catalog > Settings > Language, in text editor, change the line containing
"X-Poedit-Language: English\n"
5. Save it as .lng file. File name is not important (.lng extension is required), but it is recommended to contain
translation language information, for example de_DE.lng for German translation)
6. Upload the file to router, using ftp
7. If you are logged in to User Manager web, log out and log in again.
8. In the web page there will be language select box on the menu. Select desired language.
Multiple languages can be stored on router at the same time, desired language is chosen in customer web page.
Every customer can choose its own language to use.
User translations
Currently no ready-to-use translations are available here. But, if you made one, please post it here: choose "Upload
file" from menu on the left side of this wiki, upload the file and then post a direct link to it here.
Spanish translation http:/ / wiki. mikrotik. com/ images/ b/ be/ Sp_SP_def. txt author: Jose Salazar, Spain. Change
txt extension for lng and upload it via FTP to Router.
Portuguese-BR translation http:/ / wiki. mikrotik. com/ images/ 2/ 2c/ Pt_BR. lng. txt author: Antonio Junior, Brazil.
Change extension for lng and upload it via FTP to Router.
Italian translation http:/ / wiki. mikrotik. com/ images/ 2/ 23/ It_IT_def. txt author: Renato Bernardi, Italy. Change
txt extension for lng and upload it via FTP to Router.
References
[1] http:/ / wiki. mikrotik. com/ images/ 5/ 59/ En_EN_def. txt
[2] http:/ / www. poedit. net/
User Manager/Search patterns 25
User Manager/Search patterns

Tables can be searched (filtered) by one field. This field is specific for each kind of table. For example, users are
filtered by username, routers - by name.
Filter pattern:
• is case-insensitive [1].
• matches a part of the value. (abc matches abc, abcde, 123abc, 123abcde). Pattern "abc" is actually used as
"%abc%" (See below for explanation of character %);
• Special characters can be used:
• % - matches any sequence of zero or more characters;
• _ - matches any single character;
• \ - escape character. Use it before '%', '_' and '\' literals to match them as regular characters.
Examples
• "spot" matches hotspot, hotSpot, HotSpot, HotSpots, HOTSPOT, ...
• "r%m" matches rm, arm, armor, ram, rome, aroma, Mikrotik manager ...
References
[1] http:/ / en. wikipedia. org/ wiki/ Case_insensitive
User Manager/Tables
Tables are used to display a list of objects: users, routers, credits, sessions, customers or logs.
In one table are displayed only objects of one type. Each type of objects has specific fields to display.
If the object contains many parameters, not all of them are displayed in the table. To see all parameters the object
detail form can be used.
Tables have several options:
• Sorting;
• Filtering (Search);
• Division in pages;
• Multiple object selection;
• Operations with selected objects;
• Minimization;
• Links to detail form.
User Manager/Tables 26
Sorting
Sorting can be done by almost all fields. But there are some "non-sortable" fields, mostly because they are calculated
fields.
Sorting can be ascending (1, 2, 3, ...) or descending (5, 4, 3, ...).
There are triangular sort buttons for each column - on sides of column's title (at the top). Ascending sort - on the left,
descending - on the right:
Sorting decreases data reading performance - sorted data reads take more time than non-sorted reads. However
sorting affects only reads in the current table, tables are independent to each other.
Filtering
Each table can be filtered only by one field:
• Users, sessions, logs: by username;
• Routers, credits: by name;
• Customers: by login.
Some tables cannot be filtered (for example, specific user's sessions).
Enter pattern in the search form at the bottom of the table and press search. To cancel filtering, clear value of the
search form and press search:
Division in pages
A table can contain plenty of records. It could be a very long operation to display them all. Therefor records are
divided in pages and only one page, called active page, at a time is displayed.
Record count per page is changeable on the top-right corner:
The active page can be changed using the link on the upper-left corner:
• Links with numbers go to respective page.

• Links with arrows go to previous and next page.
• There are also links to first and last page, but they are only displayed when needed (when it is possible to go to
the last/first page with number-links, first/last page links will not be displayed).
A total number of records (not pages) is displayed in parenthesis right after page-links:
Multiple object selection

Tables have checkboxes for each object on the right side of row:
Each object can be selected and actions can be performed on selected objects.
On the top of all checkboxes is the select-all checbox which toggles selection of all objects in the current page:
A title displaying selected object count is located at the bottom of a table:
The total count of selected objects and selected objects in the active page is displayed.
There is also a button which unchecks all selected objects in other (inactive) pages (affects only this table). This
button is very useful if you select some objects and then change sorting criteria for the table - selected objects get
scattered between many pages but you can still uncheck them all by one click.
Operations with selected objects

Different operations can be performed on selected objects.
Web-interface users can have different allowed operations depending on their permissions.
Operations are performed only with users in the active page. The reason is security. It is very easy to select some
objects, then change the page and forget the selected objects in other pages. Some operations (like remove) are very
dangerous in such situations. That's why all operations work only with selected objects in the active page.
All allowed operations (except adding, which is available in main menu on the left) can be found at the bottom of a
table in a form of popout toolbar. Each table can have different allowed operations:
Minimization
Tables can be minimized with a click on the minimize button on the top-right corner:
Minimized tables are not shown in printable page.

Links to detail form

Almost every table has links to object detail form, because not all the information can be displayed in the table.
Some tables have even links to two different detail forms, for example, session table has links to user and session
detail forms.
Detail form Links are displayed as usual html-links, underlined:
User Manager/Customer page 31
User Manager/Customer page

Setup
There are no special setup actions for web interface. The only requirement - at least one subscriber must be defined.
See first subscriber setup guide.
How to find?
Type the following address in your web browser: http://Router_IP_address/userman
where "Router_IP_address" must be replaced with IP address of your router.
Sections
Here are described customer page sections. Use menu on the left side to navigate:
Status
This page has several components:
• User search;
• Active user listing;
• Active session listing;
• User batch-add form.
User search
Type in the search pattern and press the button "Search". Results will be displayed in a new table.
Active users
Active user count displayed here. To see a full list of active users, click on "Show":
Active sessions
Active sessions count displayed here. To see a full list of active sessions, click on "Show":
User batch-add form

Batch of users can be added here:
Fields:
• Number of users. How many users to add;
• Login starts with. Displays user prefix;
• Rate limits. hidden by default. Check the box on the right to show rate limit field group;
• Uptime limit;
• Prepaid. Credit that will be assigned to users. Unlimited users can also be created by selecting unlimited as a
value.
• Generate CSV [1] file. When checked a CSV-file [1] will be generated containing just created user data;
• Generate vouchers. When checked printable vouchers for just created users will be generated.
Routers
View routers
Table displaying routers:
All router's attributes are shown here.

Click on name opens router detail/edit form.
Add router
Opens router add form. The same form is used to edit routers:
Fields:
• Name. Router's name. Must be unique per subscriber;
• IP Address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
Credits
View credits
Table displaying credits:
All credit's attributes are shown here.

Click on name opens credit detail/edit form.
Add credit
Opens credit add form. The same form is used to edit credits:
Fields:
• Name. Credit's name. Must be unique per subscriber;
• Time. How long this credit is valid when started;
• Full price. The price of this as the first credit for a user. When the checkbox at the right is empty, full price is
unavailable - this credit can not be used as a base credit;
• Extended price. The price of this as extended credit for a user (user already has credits before this on). When the
checkbox at the right is empty, extended price is unavailable - this credit can not be used as an extended credit;
Users
View users
Table displaying users:
Only part of user's attributes are shown here. To see all details of specific user, open user detail form by clicking on
username in the table.
User detail form

Detail form with user data:
Contains all user fields.

There are groups of fields (for example, private information, rate limits). These fields are hidden by default and are
accessible by checking the box on the right:
If the user has credits assigned the total prepaid time is shown at the bottom. To see credit details click on the plus
sign ("+") under Prepaid time:
New credits can also be assigned (if permitted) to user. At the bottom is a select-box called "Extend" (called "Add
time" when user has no credits yet). The price depends on what kind of credit this is for a user - first or extended.
Price is shown in braces:
.
To assign credit to the user, choose the desired credit and click Save.
Options (buttons at the bottom):
• Save - saves edited information, assigns credit, if one selected;
• View report - opens single user report.
• Remove last credit - removes last credit that's not started yet;
• Show sessions - opens window with all sessions this user has;
Add user
Detail form for filling in information about the new user. Very similar to user detail form. This form does not have
read-only counters and other user statistics:
Add batch of users

The User batch-add form will be opened.
Sessions
View sessions
Table displaying sessions:
Only part of session's attributes are shown here. To see all details of specific session, open session detail form by
clicking on ID in the table.
To see details of session user click on the username in the table.
Session detail form

Detail form with session data:
Contains all session fields.
Customers
View customers
Table displaying customers:
Only part of customer's attributes are shown here. To see all details of specific customer, open customer detail form
by clicking on login in the table.
Customer detail form

Detail form with customer data:
Contains all customer fields.

There are groups of fields (for example, private information, user options). These fields are hidden by default and are
accessible by checking the box on the right:
There are fields which are accessible only for subscribers: Public Host and Authorize.Net fields. These fields are not
shown for customers who are not subscribers:
There are sensitive-data fields (Authorize.Net) which are visible only when using secure connection (https):
There are sensitive-data fields (Authorize.Net) whose values are not shown. Whether the field has value specified or
not is visible by the title standing before it: if the title says "Set ...", this field has no value set; the title saying
"Change ..." means that this field has some value:
In the example above Login ID and Transaction Key fields have values (titles are "Change ...") while MD5 Value
field has no value specified (title is "Set ...").
Add customer
Detail form for filling in information about the new customer. Very similar to customer detail form. This form does
not have subscriber fields since subscribers cannot be added here:
Reports
This section refers to user time and traffic reports.
Reports generated here can be printed directly.
Configurable options:
• Users - which users to show: prepaid, unlimited or all;
• Type - time (contains prepaid time, extend time and price) or amount (contains upload and download amount)
report;
• Period - total (whole history) or with specific time boundaries;
See user time and traffic reports for further detail.
Sample report:
Logs
View logs
Table displaying logs:
Only part of log's attributes are shown here. To see all details of specific log, open log detail form by clicking on ID
in the table.
Log detail form

Detail form with log data:
Contains all log fields.
References
[1] http:/ / en. wikipedia. org/ wiki/ Comma-separated_values
User Manager/User page 44
User Manager/User page

How to find?
User page can be found at address: http://Router_IP_address/user?subs=publicID , where
• "Router_IP_address" must be replaced with IP address of your router where the User Manager is running (don't
mix it with the HotSpot router, if User Manager and HotSpot are running on different routers);
• publicID must be replaced with public ID of the subscriber who is the owner of this user;
• If there is only one subscriber on this router the part "?subs=..." can be skipped, i.e., then the address http://
Router_IP_address/user can be used.
What is Public ID and how to change it?

See: Subscriber public ID.
Link to user page

Links and buttons to user page can be used in other web pages. There are several things configurable:
• router IP address;
• subscriber's public ID;
• caption on the link/button.
Textual link
To get a textual link to user page, replace this template with your own values:
<a href="http://%hostname%/user?subs=%subid%">%caption%</a>
• %hostname% - router's hostname or IP address;

• %subid% - subscriber's public ID;
• %caption% - caption of the link that will be show to user.
Example: To get a link to userman.mt.lv router's demo subscriber user page, use the following link:
<a href="http://userman.mt.lv/user?subs=demo">This is an example link to Mikrotik User Manager demo User page</a>
And it looks like this: This is an example link to Mikrotik User Manager demo User page [1]
Link button
To get a button, which leads to user page, replace this template with your own values:
<button onclick="document.location='http://%hostname%/user?subs=%subid%'">%caption%</button>
Example: To get a button-link to userman.mt.lv router's demo subscriber user page, use the following link:
<button onclick="document.location='http://userman.mt.lv/user?subs=demo'">Check</button>
The visual representation cannot be shown here because of the wiki security so you have to pretend how it looks like.
The same button-link is used in HotSpot page templates. By default it looks like this:


<button onclick="document.location='http://$(hostname)/user?subs='">status</button>
$(hostname) here is replaced with the hostname of the HotSpot router (so the default link works only if HotSpot and
User Manager are running on the same router). And "subs=" means that first subscriber will be used (works fine
when there's only one subscriber on the router). Hostname and subscriber id can be replaced with desired values.
Sections
This par of a document describes sections available in user page. For navigation use the menu on the left side:
Status
Here the user can see account's status:
• Summary;
• Credits;
• Sessions.
Sample screenshot:
This information is also formatted for printing. See print preview in the browser (Usually under File > Print preview
in the browser's toolbar). Credits and sessions are formed in tables. These tables can be "minimized" - the button on
the upper right corner of the table. A minimized table will not be printed (see print preview).
Summary
Here the user can see:
• Prepaid time - duration of all the credits bought (See: time constants). Or the word unlimited (See prepaid and
unlimited users);
• Total price - how much all the credits cost;
• Uptime limit - the maximum allowed duration of user's sessions;
• Uptime used - current duration of user's sessions;
• Download used
• Upload used
Credits
Table with all credits this user has bought. No data for unlimited users.
Sample screenshot:
If there are credits that are not started yet (see: credits), start-time and end-time fields contain values "awaiting
login".
Sessions
Table with all user's sessions.
Sample screenshot:
Payments
Here the user can view payment history and buy a new credit. This section is only available if the subscriber has
allowed any payments.
View payments
Table with all user salles de poker [2] payments.
Sample screenshot:
To see all details of specific payment, open payment detail form by clicking on ID in the table.
Payment detail form

Detail form with payment data:
Contains all payment fields.
Buy credit
A new credit can be bought here using payment methods which are allowed by the subscriber.
There are a number of restrictions for this sub-section to be accessible:
• Secure connection (https [3]) must be used to access the site. Otherwise a notification with a link to secure page
will be shown;
• At least one payment method must be allowed by the subscriber;
• Subscriber must have configured all required payment attributes;
Sample screenshot:
Here user can see his/her current balance and choose a credit to buy. After click on the "Buy" button user will be
redirected to payment gateway where he/she will have to enter required data to process payment.
Important - payment data (such as credit card number and expiry date) is sent directly from user's computer to
payment gateway and is not captured by User Manager. User Manager processes only response about the payment
result from the payment gateway. This response does not contain any sensitive user's data.
When the payment is successful, the selected credit is added to user's account.
Settings
In this section user can configure his/her parameters:
• Private information (informational, not used by User Manager):
• First name;
• Last name;
• Phone;
• Location.
• Email - used to send emails to user. Must be unique.
If values provided in "New password" and "Retype new password" fields, the password will be changed.
Sample screenshot:
References
[1] http:/ / userman. mt. lv/ user?subs=demo
[2] http:/ / www. pokerenfrancais. eu/ salles-de-poker
[3] http:/ / en. wikipedia. org/ wiki/ Https
User Manager/User sign up 50
User Manager/User sign up

Usually user accounts are created by customers. But users can also sign-up by filling in the sign-up form. This
feature is available since version 2.9.31.
Setup
User sign-up can be enabled per customer. I.e., some customers can allow it while others don't.
Sign-up is disabled by default. To enable it several requirements must be met:
• Note: All the attributes mentioned above can be configured in customer section of the customer web-page;
• Customer, who wants to allow sign-up, must have public ID. Since Only subscribers have permissions to edit
customers, this public ID must be assigned by the subscriber. In other words - subscriber must configure public
IDs for its customers.
• Subscriber must have at least one credit with full price specified;
• In the case when users access sign-up page from a local address which is not accessible from outside (global
Internet) subscriber must have public host address configured. This address is needed by PayPal, payment
response will be sent to this it;
• The customer has to enable sign-up by checking the "Signup allowed" box in Signup options section;
• The subscriber must have at least one payment method enabled and configured;
• The customer should have email address specified. Email will be send to users who sign up (if the user specifies
his/her email address) using this as the from-address;
• SMTP-server should be specified. It can be done via console, under tool email, command "set
server=xxx.xxx.xxx.xxx". This SMTP server will be used to send email reminding user's account data. Users can
however log on to the HotSpot after a successful payment without receiving this email;
• Signup email subject and body can be personalized. There are defaults defined, but one can customize them.
However there are constant strings (will be replaced by actual values) that must be present within the message
body. See sign-up email body field definition.
Sign-up steps
User sign-up can divided in following steps:
• Subscriber configures required parameters (described above);
• User creates an account:
• User opens sign-up page URL in the browser;
• User fills in the sign-up form;
• User chooses credit;
• User chooses payment method;
• An inactive account is created for the user;
• User activates the account (executes payment):
• User is redirected to Payment Gateway;
• The payment is being processed;
• Payment gateway sends response (was the payment successful or not) to User Manager router;
• The account gets activated (if the payment was successful);
• User can start using services. Status check and setting change can be done in the user web-page.
May seem a little confusing, but all these steps are simple and can be done in several minutes.
Creating account
User opens http:/ / routerIP/ user?signup=publicID, where routerIP must be replaced with the IP address of the User
Manager router and publicID must be replaced with subscribers public id.
Sign-up form will be shown:
Input fields:
• email. Email address for user account. must be unique per subscriber. Account data will be sent to this address if
one specified;
• login. Desired username. If user prefix is defined, it is shown at the left and cannot be changed. So the prefix is
already predefined (may be empty), the remaining part of username can be chosen. IT must be at least 3
characters long. Example: if the prefix is "cu" (shown on the left) and "test" is entered as the remaining part, the
username will be "cutest";
• password. Self explanatory;
• confirm password. Password once again to reduce possibility to mistype it;
• time. The initial credit for the user account;
• pay with. Payment method selector.
After the "sign up" button is pressed, authorization data is show to the user. He/She must remember this data as it
will be required to log in later:
If the "Cancel" button is pressed, user is returned to sign-up form.

If the "Pay with ..." button is pressed, an inactive account is being created and the user is redirected to payment
gateway.
Activating account
On a successful payment, the account is activated and the user is returned to User Manager/User page where he/she
can check the status of the account.
If the email address was specified in sign-up form, an email with authorization information is sent to it. The text is
customizable in customer web-page. By default it looks like this:
Your authorization data:
login: userLogin
password: userPassword
To check your status and buy extented time go to address http://userman.mt.lv/user?subs=demo.
here:
• userLogin is the username (login);
• userPassword is the password.
• http://userman.mt.lv/'' is the hostname of the User Manager router;
Login
After successful account activation user is able to start using services (Hotspot). Status and settings are available in
user web-page.
User Manager/User payments

Supported payment methods
[1] [2]
Authorize.Net (since version 2.9.40 or 3.0beta5) and PayPal (since version 2.9.41 or 3.0beta6) payments are
supported.
Authorize.Net
Authorize.Net requirements
To allow Authorize.Net payments for users the following requirements must be met:
• User Manager v3.0 (or v2.9.x, >= 2.9.40) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant account in Authorize.Net [3] gateway;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Authorize.net webpage,
/ ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept
where x.x.x.x is address of User-Manager server,

/ ip hotspot walled-garden add dst-host=:^secure\\.authorize\\.net dst-port=443 action=allow
These entry is used to allow access to Authorize.net

User Manager/User payments 53
Authorize.Net setup
Authorize.Net merchant account configuration
Relay URL
Relay URL list must either be empty or contain URL to the User Manager router. For example, if you are using
userman.mt.lv as User Manager router, then Relay URL list must contain URL https:/ / userman. mt. lv/ (works with
and without trailing slash). Relay URL list can be configured in Authorize.Net [3] merchant gateway under Account
> Settings > Response/Receipt URLs
API Login ID
[3]
API Login ID is shown in Authorize.Net merchant gateway under Account > Settings > API Login ID and
Transaction Key.
Transaction Key
Transaction Key can be obtained in Authorize.Net [3] merchant gateway under Account > Settings > API Login ID
and Transaction Key > Create New Transaction Key.
MD5-Hash value
MD5-Hash value can be set in Authorize.Net [3] merchant gateway under Account > Settings > MD5-Hash.
WARNING!: Standard MD5 hash values are 32 characters long, however, the Authorize.net MD5-Hash input fields
only allow 20 characters. Best chance of success if you paste your md5sum into the Authorize.net input field, then
copy it back out to paste into User Manager configuration. By re-copying from the Authorize.net input field, you are
selecting only the 20 characters that the field length allows.
Payment Form
Payment Form configuration can be found in Authorize.Net [3] merchant gateway under Account > Settings >
Payment Form. The look of this form is customizable here. While the only required fields for processing transaction
are credit card number and expiration date, another fields are allowed to be shown in the form. Form customization
is up to merchant.
Authorize.Net subscriber configuration

Subscriber attribute values can be edited using customer detail form in customer page.
Subscriber Authorize.Net attributes

Subscribers have a set of specific Authorize.Net attributes which must be configured properly to allow Authorize.Net
payments:
• Only subscribers have Authorize.Net attributes, other customers don't;
• Attribute values can be changed only in customer web page, not in console. There is only possibility to change
values, not to see them. As these attributes contain sensitive data, their values are encrypted on the router;
• Customer web page must be opened using secure SSL connection (https) to change attribute values;
All the attributes can be found in Authorize.Net attribute group:
1. "Allow Payments" must be checked to allow this payment method;

2. Login ID, Transaction Key and MD5 Value must have same values as set in Authorize.Net merchant gateway.
3. Title is optional. It specifies the text shown to users as the name of this payment method. Default title is
"Authorize.Net", but it can be changed to something more used to users, for example "Credit Card". The value of
this field does not affect the payment process it is only user interface element.
4. Return URL (optional, added in version 3.24): address to which user is redirected when pressing "Return to User
Manager" button after successful payment. Can be used to redirect user to HotSpot login page;
5. Use Test Gateway (optional): when checked, payment information is sent to test gateway of Authorize.Net and
no real money is charged. This mode can be used to test Authorize.Net payments before User Manager
deployment.
Other subscriber requirements

• Subscriber must have at least one credit with price other than zero. Credit price will be used as transaction amount
for the payment;
• Correct currency must be specified for subscriber. If USD is accepted by Authorize.Net merchant, currency
attribute can be left unchanged for subscriber:
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as Relay URL for Authorize.Net gateway
(See: Authorize.Net Merchant account configuration). Domain name or IP address can be used. Only the address
must be specified, not URL (for example, userman.mt.lv, not https://userman.mt.lv/and not https://userman.
mt.lv/userman):
Authorize.Net usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of http://
router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• In this form user chooses credit he/she wishes to buy;
• Current balance is also shown:

• User chooses Authorize.Net as payment method:
• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to Authorize.Net gateway payment form, which should look similar to following:
• The actual look of this form can be configured in Authorize.Net merchant gateway
• User fills in credit card number and expiry date. Other fields are optional:
• User submits the form::
• The data is transmitted directly to Authorize.Net gateway via secure connection. Neither credit card number nor
expiry date is submitted to User Manager router.
• Authorize.Net gateway processes the data and sends response to specified User Manager router. This response
contains only data required to identify payment in User Manager and detect result status of transaction - was it
successful or not. It does not contain any information about the user - credit card number, expiry date or other
sensitive data.
• User Manager processes the response and updates payment record status;
• If the transaction was successful requested credit is added to user's account;
• A message describing payment result is shown to user:
• Click on the button redirects the user back to User Manager page:
• User is returned to payment section displaying table with payment history:

PayPal
PayPal requirements
To allow PayPal payments for users the following requirements must be met:
• User Manager v3.0 (>= 3.0beta6) or v2.9.x (>= 2.9.41) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant PayPal [4] account;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Paypal webpage,
/ ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept
where x.x.x.x is address of User-Manager server;

• version v2.9
/ ip hotspot walled-garden add dst-host=:^www\\.paypal\\.com\$ dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=:^content\\.paypalobjects\\.com\$ dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=*.akamaiedge.net action=allow
/ ip hotspot walled-garden add dst-host=paypal.112.2O7.net action=allow
• version v3
/ ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=":^content\\.paypalobjects\\.com\$" dst-port=443 action=allow
/ ip hotspot walled-garden add dst-host=*.akamaiedge.net action=allow
/ ip hotspot walled-garden add dst-host=paypal.112.2O7.net
These four entries are required to allow reliable access to the Paypal system.
PayPal setup
PayPal merchant account configuration

Basically there is no specific PayPal account configuration that must be done. The only requirement is to have
PayPal account which is allowed to receive money.
Warning! User Manager accepts payment as successful only when it receives status "Completed" from PayPal
gateway. If the status is "Pending" and some manual operations must be done by merchant (or the merchant has not
verified the account) to accept payment, the credit will be transfered to User Manager user account only when the
payment will be accepted.
Note: Since version 2.9.45 and 3.0beta11 it is possible to also accept payments with "Pending" status, except for
those with pending reason "unilateral".
PayPal subscriber configuration

Subscriber attribute values can be edited using customer detail form in customer page.
Subscriber PayPal attributes

The only PayPal attribute subscribers have is business login. It is the login (usually an email address) merchants use
to log on their account. Only subscribers have this business login, other customers don't;
Since versions 2.9.45 and 3.0beta11 there are also options that refer to PayPal payment processing: "Secure
Response" and "Accept Pending".
Field "Return URL" added in version 3.11.
All the attributes can be found in PayPal attribute group:
1. "Allow Payments" must be checked to allow this payment method;

2. Login (email) must be the PayPal merchant account login.
3. Secure response. When checked, PayPal will send response via HTTPS. Otherwise response will be send via
HTTP;
4. Accept pending. When checked, User Manager will also add credit to user if the payment status is "Pending",
except for payments with pending reason "unilateral".
Other subscriber requirements

• Subscriber must have at least one credit with price other than zero. Credit price will be used as transaction amount
for the payment;
• Correct currency must be specified for subscriber. If USD is accepted by PayPal merchant, currency attribute can
be left unchanged for subscriber:
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as response URL for PayPal gateway
(PayPal will send payment result to this address). Domain name or IP address can be used. Only the address must
be specified, not complete URL (for example, userman.mt.lv, not https://userman.mt.lv/and not https://
userman.mt.lv/userman):
PayPal usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of http://
router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• In this form user chooses credit he/she wishes to buy;

• Current balance is also shown:
• User chooses PayPal as payment method:

• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to PayPal gateway payment form, which should look similar to following (PayPal web site can
change, these screen shots may differ from actual page):
• User logs on to the account. Payment is now displayed with the Pay button:
• When user presses Pay button, PayPal starts to process data. On successful payment result page is displayed:
• This page contains button "Return to merchant" pressing which returns user to User Manager payment history
page:
• User Manager receives data from PayPal indicating Payment status.

• On a successful payment the appropriate credit is added to user.
PayPal chargeback
When a payment changes status from "Approved" to "Aborted" (For example, "Reversed") User Manager tries to
remove credit bought for this money. This is however possible only if the two following requirements are met:
• The credit is not started yet;
• The credit is last for current user, i.e., no other credit is bought after this one.
PayPal payment process description

• The payment data is transmitted directly to PayPal gateway. All operation with money and accounts is processed
by PayPal. User Manager knows nothing about it.
• PayPal gateway processes the data and after that sends response to specified User Manager router. It may take
time, usually not more than one minute. That means that payment may have status "Started" for a few seconds,
the status is updated only when PayPal sends response to User Manager;
• If the option "Secure response" is enabled, secure connection (https) is established between PayPal and User
Manager;
• When experiencing problems with HTTPS response from PayPal, "Secure response" may be disabled. Then no
certificate will be needed on User Manager router to receive PayPal response;
• Again - PayPal response contains only data required to identify payment in User Manager and detect result status
of transaction - was it successful or not. It does not contain any information about the user - credit card number,
expiry date or other sensitive data;
• User Manager sends request to PayPal to verify that this payment response comes from PayPal and not from a
hacker. Because of this verification it is not necessary to receive response from PayPal via https - if a
Man-In-The-Middle [5] catches data and sends wrong response to User Manager, the verification fails;
• Response verification requires SSL certificate of root certification authority [6] who has signed PayPal certificate.
This root CA certificate is imported automatically and can bee seen in certificate section on the router (console or
Winbox);
• User Manager processes the response and updates payment record status;
• If the transaction was successful requested credit is added to user's account;
The payment processing is shown in the following picture:
Related activities
HTTPS connection enabling
Creating certificate
Trusted SSL Certificate can be bought from trusted authorities, for example, VeriSign [7]. An unsigned certificate
can be generated by hand, using OpenSSL on a Linux box. To do it issue following commands in the shell:
openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Two important things:

1. Enter the same pass phrase always when asked for "Enter pass phrase for server.key" (Should be 4 times);
2. Enter your server's domain name, when asked for "Common Name (eg, YOUR name) []". This is important,
because otherwise some browsers may refuse your certificate. For example, if the User Manager server's address
is http://userman.mt.lv/userman, then "userman.mt.lv" must be specified as Common Name for the certificate.
After doing this three files will be created:
1. server.crt - Certificate, must be uploaded to router;
2. server.key - Private key, must be uploaded to router;
3. server.csr - Signature request, can/should be deleted;
Upload server.crt and server.key to the router and import them, using the same pass phrase again when asked.
server.crt must be imported before server.key.
Importing certificate
Certificate file can be then uploaded to the router and imported with command
/certificate import file-name=...
The command should return
certificates-imported: 1
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
If it doesn't, could happen that the file contains private key and certificate sections in incorrect order. In this situation
the output should be
files-imported: 1
Just repeat the same command
/certificate import file-name=...
once again and the output should be this time
files-imported: 1
Now certificate is imported correctly and ready for use;
Enabling WWW SSL

SSL connections for WWW server can be enabled with command
/ip service set www-ssl disabled=no certificate=cert1
where cert1 must be replaced by a correct certificate name (from /certificate section)
Troubleshooting
1. Authorize.net requires that time time on the server be within 15 minutes of UTC or you will get a failed
transaction, use NTP client.
2. Your user manager must be accessible from the internet on port 443, make sure you have DNS setup properly or
use the IP address for all of your references. Don't forget to open your firewall for port 443 and use NAT to get to
your user manager if behind a firewall.
3. You must put the URL of your UserManager instance in your Authorize.net control panel. For example: Response
Reason Code: 14
Response Reason Text: The Referrer or Relay Response URL is invalid.
Notes: Applicable only to SIM and WebLink APIs. The Relay Response or Referrer URL does not match the
merchant?s configured value(s) or is absent.
To add a valid Response/Receipt URL, please follow these steps:

1: Login to your Merchant Interface at https://account.authorize.net.
2: Click Settings in the main left side menu.
3: Click Response/Receipt URLs.
4: Click Add URL.
5: Enter your Response URL.
6: Click Submit.
4. When inputting the above URL, use only the base URL, not /userman or it won't work.
References
[1] http:/ / authorize. net/
[2] https:/ / www. paypal. com/
[3] https:/ / authorize. net
[4] https:/ / www. paypal. com
[5] http:/ / en. wikipedia. org/ wiki/ Man_in_the_middle
[6] http:/ / en. wikipedia. org/ wiki/ Certification_authority
[7] http:/ / www. verisign. com
Centralized Authentication for Hotspot user

Generally we are using external Radius servers for user authentication as MikroTik is not Radius server. But here in
this example we use the MikroTik User Manager which works as a Radius server and does authentication and
control of your Hotspot users.
Requirements
Central location: MikroTik OS with User Manager (suggested License is L6 [1]).
Hotspot: Mikrotik Routerboard with at least a L4 License
Network 192.168.1.0/24
Centralized Authentication for Hotspot user 69
R1-Hotspot Master
WAN IP- <Connected to Internet>
LAN IP – 192.168.1.1/24
R2-Hotspot IT Dept
WAN IP – 192.168.1.2/24
LAN IP – 10.10.10.1/24
R3-Hotspot Account Dept.

WAN IP – 192.168.1.3/24
LAN IP – 20.20.20.1/24
R4- Hotspot Purchase Dept

WAN IP – 192.168.1.4/24
LAN IP – 30.30.30.1/24
R5- Hotspot Sales Dept.

WAN IP – 192.168.1.5/24
LAN IP – 40.40.40.1/24
We assume that all the setup is ready and the hotspot is configured on R2, R3, R4, and R5 with local authentication.
First, we will configure R2, R3, R4 & R5 to use MikroTik user manager as a Radius server.
/ip hotspot profile

use-radius=yes
Centralized Authentication for Hotspot user 70
/radius add
service=hotspot address=192.168.1.1 secret=123456
This configuration will apply to all the Hotspot router.
Now, we will configure R1-Hotspot Master.
/tool user-manager customer add

subscriber=mikrotik login="mikrotik" password="ashish" time-zone=+05:30
permissions=owner parent=mikrotik
/tool user-manager router add

subscriber=mikrotik name="R2" ip-address=192.168.1.2 shared-secret="123456"
and finally add the user on R1
/tool user-manager user add

username=ashish password=ashishpatel subscriber=mikrotik
The user name and password will work for all the remote hotspot router…a user can login from any department of
the company with same ID and password and we can have all the user data centrally.
Now you can log into the User Manager web interface on the address http:/ / 192. 168. 1. 1/ userman and start setting
up your user accounts.
NEED the Solution..??? - Pl Contact.
ASHISH PATEL - anpatel@eitl.elecon.com - +91 2692 227275 - +91 99098 90908.
More information in the User Manager section.
References
[1] http:/ / www. mikrotik. com/ pricelist. php?sect=1#product10
User Manager/QA/How to make MAC authentication 71
User Manager/QA/How to make MAC

authentication
Let's consider configuration scenario, when we need HotSpot users MAC authentication trough User Manager.
HotSpot MAC authentication method allows to authenticate clients as soon as they appear in the hosts list, using
client's MAC address as username. We assume that User Manager already provides AAA for HotSpot router.
Configuration required on HotSpot server router:
/ip hotspot profile set hsprof1 login-by=mac use-radius=yes
Command enables MAC authentication for the particular profile and forces to use RADIUS for AAA. Note, first
local HotSpot database is consulted, then User Manager database.
User Manager configuration (for each mac-address):
/too user-manager user add username=XX:XX:XX:XX:XX:XX subscriber=MikroTik
We add user information belonging to the particular subscriber, it allows HotSpot user with MAC-address
XX:XX:XX:XX:XX:XX to authenticate in HotSpot without prompting login/password.
User Manager/QA/How to turn off logging for

specific Routers
In the customer web-page, router section choose the router you want to edit. Open it's detail form by clicking on
router's name in the table. Here you can check which events of the router must be logged:
User Manager/QA/How to create timed Voucher 72
User Manager/QA/How to create timed Voucher

Applies to RouterOS: v3.x
1. Create credit;
2. Create users accounts with desired credits;
3. Open user table in customer web-page;
4. Check users for which you want to print vouchers;
5. Chose action Generate > print page (at the bottom of the table);
6. Formatted information will be shown on the page. It is ready for printing.
7. Choose File > Print in your web-browser.
Steps 2-5 can be replaced by:

1. Open User-batch-add form (Users > batch add, or form in status page) in customer web-page;
2. configure, how many users to create, which credits to use;
3. checkbox show printpage must be checked;
4. csv file can also be generated with newly created user data, but it is optional;
5. generate users;
Article Sources and Contributors 73
Article Sources and Contributors

Manual:User Manager Source: http://wiki.mikrotik.com/index.php?oldid=19155 Contributors: Akangage, Bhhenry, Binhtanngo2003, Cmit, Comnetisp, Eep, Girts, Hellbound, Janisk,
Levipatick, Marisb, Nest, Normis, Polokus, Rtkrh10, SergejsB, Uldis
User Manager/Introduction Source: http://wiki.mikrotik.com/index.php?oldid=15583 Contributors: EotThj, Girts, Jandrade28, Janisk, Ni3ls, Normis, SergejsB, WcjZrv
User Manager/Getting started Source: http://wiki.mikrotik.com/index.php?oldid=15586 Contributors: Ctech4285, Fewi, Girts, HarvSki, Janisk, MwdNx0, Normis, Vitell, Xhimimavraj,
Xm0Vlj
User Manager/Hotspot Example Source: http://wiki.mikrotik.com/index.php?oldid=17669 Contributors: Girts, Nest, Normis, SergejsB, Vitell
User Manager/PPP Example Source: http://wiki.mikrotik.com/index.php?oldid=15590 Contributors: Bney, Cmit, Girts, SergejsB
User Manager/DHCP Example Source: http://wiki.mikrotik.com/index.php?oldid=15592 Contributors: Girts, SergejsB
User Manager/Wireless Example Source: http://wiki.mikrotik.com/index.php?oldid=15595 Contributors: Girts, MarkSorensen, SergejsB
User Manager/RouterOS user Example Source: http://wiki.mikrotik.com/index.php?oldid=15596 Contributors: Girts, SergejsB
User Manager/Customers Source: http://wiki.mikrotik.com/index.php?oldid=12156 Contributors: Girts, Mw0Jme, Normis
User Manager/Users Source: http://wiki.mikrotik.com/index.php?oldid=10912 Contributors: Girts, Vitell
User Manager/Routers Source: http://wiki.mikrotik.com/index.php?oldid=3511 Contributors: Girts, SergejsB
User Manager/Sessions Source: http://wiki.mikrotik.com/index.php?oldid=3875 Contributors: Girts
User Manager/Payments Source: http://wiki.mikrotik.com/index.php?oldid=3857 Contributors: Girts
User Manager/Logs Source: http://wiki.mikrotik.com/index.php?oldid=12383 Contributors: Girts
User Manager/Permissions Source: http://wiki.mikrotik.com/index.php?oldid=3837 Contributors: Girts
User Manager/Character constants Source: http://wiki.mikrotik.com/index.php?oldid=12153 Contributors: Girts, Linkwave
User Manager/Active sessions Source: http://wiki.mikrotik.com/index.php?oldid=17499 Contributors: Girts, Nest
User Manager/Public ID Source: http://wiki.mikrotik.com/index.php?oldid=5237 Contributors: Girts, Normis, NzvKqo, Vw3Bfw, Yo8Zyo
User Manager/MAC binding Source: http://wiki.mikrotik.com/index.php?oldid=19530 Contributors: Girts, Myrrhman
User Manager/Languages Source: http://wiki.mikrotik.com/index.php?oldid=20409 Contributors: Anjunior, Girts, Josemari, Medianet, Normis, SergejsB
User Manager/Search patterns Source: http://wiki.mikrotik.com/index.php?oldid=15556 Contributors: Girts
User Manager/Tables Source: http://wiki.mikrotik.com/index.php?oldid=5254 Contributors: Girts, Lv0Egm, Normis
User Manager/Customer page Source: http://wiki.mikrotik.com/index.php?oldid=12984 Contributors: Girts, Infoservi, Normis, WpyOj4, Xhimimavraj
User Manager/User page Source: http://wiki.mikrotik.com/index.php?oldid=20401 Contributors: Ahmed allam, Girts, Mala, MollyRodriguez, Prence iraq, SergejsB
User Manager/User sign up Source: http://wiki.mikrotik.com/index.php?oldid=4567 Contributors: Girts, SergejsB
User Manager/User payments Source: http://wiki.mikrotik.com/index.php?oldid=14296 Contributors: Girts, Nest, Normis, Sdischer, SergejsB, Stutteringp0et, WruAqo
Centralized Authentication for Hotspot user Source: http://wiki.mikrotik.com/index.php?oldid=10129 Contributors: Ashish, Normis
User Manager/QA/How to make MAC authentication Source: http://wiki.mikrotik.com/index.php?oldid=5229 Contributors: Girts, LvsJl6, Normis, RurA4z, SergejsB, ZmzGwx
User Manager/QA/How to turn off logging for specific Routers Source: http://wiki.mikrotik.com/index.php?oldid=3473 Contributors: Girts
User Manager/QA/How to create timed Voucher Source: http://wiki.mikrotik.com/index.php?oldid=15632 Contributors: Girts, Normis
Image Sources, Licenses and Contributors 74
Image Sources, Licenses and Contributors

Image:Icon-note.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-note.png License: unknown Contributors: Marisb, Route
Image: UserManLogDetails.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManLogDetails.png License: unknown Contributors: Girts
Image:Version.png Source: http://wiki.mikrotik.com/index.php?title=File:Version.png License: unknown Contributors: Normis
Image:UserMan4MACBind.png Source: http://wiki.mikrotik.com/index.php?title=File:UserMan4MACBind.png License: unknown Contributors: Girts
Image:UserManSorting.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSorting.png License: unknown Contributors: Girts
Image:UserManSearch.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSearch.png License: unknown Contributors: Girts
Image:UserManPerPage.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPerPage.png License: unknown Contributors: Girts
Image:UserManPageSel.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPageSel.png License: unknown Contributors: Girts
Image:UserManTotal.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManTotal.png License: unknown Contributors: Girts
Image:UserManCheckboxes.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCheckboxes.png License: unknown Contributors: Girts
Image:UserManSelectAll.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSelectAll.png License: unknown Contributors: Girts
Image:UserManSelCount.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSelCount.png License: unknown Contributors: Girts
Image:UserManOptions.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManOptions.png License: unknown Contributors: Girts
Image:UserManTableMinimize.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManTableMinimize.png License: unknown Contributors: Girts
Image:UserManTableLinks.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManTableLinks.png License: unknown Contributors: Girts
Image:UserManTableMultiLinks.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManTableMultiLinks.png License: unknown Contributors: Girts
Image:UserManCustMenu.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustMenu.png License: unknown Contributors: Binhtanngo2003, Girts
Image:UserManSearchUsers.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSearchUsers.png License: unknown Contributors: Girts
Image: UserManActiveUsers.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManActiveUsers.png License: unknown Contributors: Girts
Image: UserManActiveSessions.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManActiveSessions.png License: unknown Contributors: Girts
Image: UserManBatchAdd.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManBatchAdd.png License: unknown Contributors: Girts
Image: UserManRouters.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManRouters.png License: unknown Contributors: Girts
Image: UserManRouterAdd.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManRouterAdd.png License: unknown Contributors: Girts
Image: UserManCredits.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCredits.png License: unknown Contributors: Girts
Image: UserManCreditAdd.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCreditAdd.png License: unknown Contributors: Girts
Image: UserManUsers.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUsers.png License: unknown Contributors: Girts
Image: UserManEditUser.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManEditUser.png License: unknown Contributors: Girts
Image: UserManUserPrivInfo.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserPrivInfo.png License: unknown Contributors: Girts
Image: UserManUserCredDet.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserCredDet.png License: unknown Contributors: Girts
Image: UserManUserExtend.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserExtend.png License: unknown Contributors: Girts
Image: UserManUserAdd.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserAdd.png License: unknown Contributors: Girts
Image: UserManSessions.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSessions.png License: unknown Contributors: Girts
Image: UserManEditSession.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManEditSession.png License: unknown Contributors: Girts
Image: UserManCustomers.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustomers.png License: unknown Contributors: Girts
Image: UserManEditCustomer.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManEditCustomer.png License: unknown Contributors: Girts
Image: UserManCustPrivInfo.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustPrivInfo.png License: unknown Contributors: Girts
Image: UserManCustSubsFields.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustSubsFields.png License: unknown Contributors: Girts
Image: UserManCustUseHttps.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustUseHttps.png License: unknown Contributors: Girts
Image: UserManCustSensitiveFieldTitles.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustSensitiveFieldTitles.png License: unknown Contributors: Girts
Image: UserManCustomerAdd.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustomerAdd.png License: unknown Contributors: Girts
Image: UserManReport.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManReport.png License: unknown Contributors: Girts
Image: UserManLogs.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManLogs.png License: unknown Contributors: Girts
Image:UserManUserMenu.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserMenu.png License: unknown Contributors: Girts
Image:UserManUserStatus.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserStatus.png License: unknown Contributors: Girts
Image:UserManUserCredits.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserCredits.png License: unknown Contributors: Girts
Image:UserManUserSessions.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserSessions.png License: unknown Contributors: Girts
Image:UserManUserPayments.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserPayments.png License: unknown Contributors: Girts
Image:UserManPaymentDetail.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPaymentDetail.png License: unknown Contributors: Girts
Image:UserManBuyCredit.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManBuyCredit.png License: unknown Contributors: Girts
Image:UserManUserSettings.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserSettings.png License: unknown Contributors: Girts
Image:UserManSignupForm.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSignupForm.png License: unknown Contributors: Girts
Image: UserManSignupConfirm.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManSignupConfirm.png License: unknown Contributors: Girts
Image: UserManCustAuthNet.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustAuthNet.png License: unknown Contributors: Girts
Image: UserManCustCurrency.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustCurrency.png License: unknown Contributors: Girts
Image: UserManCustPublicHost.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustPublicHost.png License: unknown Contributors: Girts
Image: UserManUserBuyCredit.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCredit.png License: unknown Contributors: Girts
Image: UserManHttpsWarning.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManHttpsWarning.png License: unknown Contributors: Girts
Image: UserManUserBuyCreditCredit.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditCredit.png License: unknown Contributors: Girts
Image: UserManUserBuyCreditBalance.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditBalance.png License: unknown Contributors: Girts
Image: UserManUserBuyCreditMethodAuthnet.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditMethodAuthnet.png License: unknown Contributors:
Girts
Image: UserManUserBuyCreditButton.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditButton.png License: unknown Contributors: Girts
Image: UserManAuthNetPaymentForm.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManAuthNetPaymentForm.png License: unknown Contributors: Girts
Image: UserManAuthNetFormFilled.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManAuthNetFormFilled.png License: unknown Contributors: Girts
Image: UserManAuthNetFormSubmit.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManAuthNetFormSubmit.png License: unknown Contributors: Girts
Image: UserManPaymentSuccess.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPaymentSuccess.png License: unknown Contributors: Girts
Image: UserManPaymentReturnButton.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPaymentReturnButton.png License: unknown Contributors: Girts
Image: UserManUserPayments.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserPayments.png License: unknown Contributors: Girts
Image: UserManCustPayPal.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManCustPayPal.png License: unknown Contributors: Girts
Image Sources, Licenses and Contributors 75
Image: UserManUserBuyCreditMethodPayPal.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditMethodPayPal.png License: unknown Contributors: Girts

Image: UserManUserBuyCreditButtonPP.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManUserBuyCreditButtonPP.png License: unknown Contributors: Girts
Image: UserManPayPalPaymentForm.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPayPalPaymentForm.png License: unknown Contributors: Girts
Image: UserManPayPalFormLogged.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPayPalFormLogged.png License: unknown Contributors: Girts
Image: UserManPayPalSuccess.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPayPalSuccess.png License: unknown Contributors: Girts
Image: UserManPayPalPaymentProcess.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManPayPalPaymentProcess.png License: unknown Contributors: Girts
Image:usermanager.jpg Source: http://wiki.mikrotik.com/index.php?title=File:Usermanager.jpg License: unknown Contributors: Ashish
Image: UserManLogsOff.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManLogsOff.png License: unknown Contributors: Girts
Image: UserManGenPrintPage.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManGenPrintPage.png License: unknown Contributors: Girts
Image: UserManBatchAddUsers.png Source: http://wiki.mikrotik.com/index.php?title=File:UserManBatchAddUsers.png License: unknown Contributors: Girts

User Manager - Mikrotik

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

User Manager - Mikrotik

Transféré par

Droits d'auteur :

Formats disponibles

User Manager - Mikrotik

Version 4.x test package specific

Version 3.x specific

Questions and answers

Note: This demo uses v3 User Manager

User Manager/Getting started

Create first subscriber

[admin@USER_MAN] tool user-manager customer> add login="admin"

[admin@USER_MAN] tool user-manager customer set admin password=PASSWORD

[admin@USER_MAN] tool user-manager customer> print

Note: Subscriber shown only in version 3

After that you can use the web interface.

Use web interface

User Manager/Hotspot Example

/ ip hotspot profile set hsprof1 use-radius=yes

• Add radius client to consult User Manager for HotSpot service.

/ radius add service=hotspot address=y.y.y.y secret=123456

User Manager configuration

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

• Add HotSpot router information to router list,

/ tool user-manager user add name=demo password=demo subscriber=MikroTik

/ tool user-manager user add name=demo password=demo customer=MikroTik

/ ip hotspot active print

User Manager/PPP Example

PPP server configuration

• Specify the use of User Manager for PPPoE clients:

/ ppp aaa set use-radius=yes

/ ppp profile set default local-address=192.168.0.1

• Add radius client to consult User Manager for PPP service.

/ radius add service=ppp address=y.y.y.y secret=123456

PPP client configuration

User Manager configuration

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

• Add PPP server information to router list,

/ tool user-manager router add customer=MikroTik ip-address=x.x.x.x shared-secret=123456

/ interface pppoe-client monitor pppoe-out1

/ ppp active> print

0 R MikroTik pppoe 00:0C:42:05:54:6E 192.168.0.2 12h1m48s

User Manager/DHCP Example

DHCP router configuration

/ ip dhcp-server set dhcp1 use-radius=yes

• Add radius client to consult User Manager for DHCP service.

/ radius add service=dhcp address=y.y.y.y secret=123456

User Manager configuration

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

• Add DHCP router information to router list,

/ tool user-manager router add customer=MikroTik ip-address=x.x.x.x shared-secret=123456

/ ip dhcp-server lease> print

User Manager/Wireless Example

Access Point configuration

/ interface wireless security-profiles set default radius-mac-authentication=yes

• Add radius client to consult User Manager for wireless service.

/ radius add service=wireless address=y.y.y.y secret=123456

/ interface wireless access-list remove [find]

User Manager configuration

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

• Add Access Point router information to router list,

/ tool user-manager router add customer=MikroTik ip-address=x.x.x.x shared-secret=123456

/ tool user-manager user add subscriber=MikroTik username="00:01:29:27:81:95"

In version 4: / tool user-manager user add customer=MikroTik username="00:01:29:27:81:95"

User Manager/RouterOS user Example

/ user aaa set use-radius=yes

/ user aaa set default-group=full