PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information.
PDF generated at: Tue, 22 Feb 2011 21:49:06 UTC
Manual:User Manager
Introduction
• What is User Manager
• Requirements
• Supported browsers
• Demo
• Differences between version 3 and version 4-test
Getting started
• Download
• Install
• Create first subscriber
• First log on User Manager web
Quick start
• User Manager and HotSpot
• User Manager and PPP servers
• User Manager and DHCP
• User Manager and Wireless
• User Manager and RouterOS user
Concepts explained
Common
• Customers
• Users
• Routers
• Sessions
• Payments
• Reports
• Logs
• Customer permission levels
• Character constants
• Active sessions
• Active users
• Customer public ID
Reference
Web interface
• Search patterns
• Tables:
• Sorting
• Filtering
• Division in pages
• Multiple object selection
• Operations with selected objects
• Minimization
• Links to detail form
• Detail forms
• Page printing
Customer page
• Setup
• How to find it?
• Sections
• Status
• Routers
• Credits
• Users
• Sessions
• Customers
• Reports
• Logs
User page
• Setup
• How to find it?
• Link to user page
• Sections
• Status
• Payments
• Settings
User sign-up
• Setup
• Sign-up steps
• Creating account
• Activating account
• Login
User payments
• Authorize.Net
• PayPal
User Manager/Introduction
What is User Manager
User Manager is a management system that can be used for:
• HotSpot users;
• PPP (PPtP/PPPoE) users;
• DHCP users;
• Wireless users;
• RouterOS users.
It is a separate package for RouterOS.
User Manager is a RADIUS [1] server application.
In RouterOS version 4, a User Manager test package was introduced with major functionality and interface changes.
Requirements
• You should have the same version for RouterOS and the User Manager package.
• The MikroTik User Manager works on x86, MIPS and PowerPC processor based routers.
• The router should have at least 32MB RAM and 2MB free HDD space.
Supported browsers
All current generation browsers are supported, including:
• Opera [2] (>= 9.0). Probably works fine also on Opera 8.x
• Mozilla Firefox [3] (>= 1.5). Probably works fine also on Mozilla Firefox 1.0.x
• Microsoft Internet Explorer [4] (>= 6.0).
• Safari [5] (>= 2.0)
Demo
To see what User Manager can do for you, log into the test system, User Manager Online Demo [6], with the login and password both being "demo".
Note: The demo user has read-only permissions. Download and install the User Manager package on your router to see all the features.
References
[1] http://en.wikipedia.org/wiki/RADIUS
[2] http://www.opera.com/download/
[3] http://www.mozilla.com/firefox/
[4] http://www.microsoft.com/windows/ie/
[5] http://www.apple.com/safari
[6] http://userman.mt.lv/userman
Install
Perform the usual router upgrade steps - upload the User Manager package to the router's FTP server and reboot the
router.
If you are using a version prior to 3.0, then the first subscriber must be added using the MikroTik terminal (console). All the configuration is done under the /tool user-manager menu.
To create a subscriber, go to the /tool user-manager customer menu and execute the add command. It will ask for the username which you will use.
Or you can enter this into the command line:
You can use the following command to change the password for the 'admin' user:
After that you can use the print command to see what you have added.
HotSpot configuration
• Set HotSpot to use User Manager for HotSpot server users,
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address. By default this is 127.0.0.1. If using a remotely located router (perhaps via a VPN), then the IP address entered is the IP address of that remote router. The router could be a RADIUS server, or another ROS with User Manager installed.
• Note: the local HotSpot database is consulted first, then the User Manager database.
This means that if you have configuration in '/ip hotspot user print', users will be able to authenticate in HotSpot using this data.
Delete the users configuration from '/ip hotspot print' to stop using the local HotSpot database for authentication. To move a batch of local HotSpot users to the User Manager database, use export and import. Use a text editor to create an appropriate file for importing the local users into the User Manager database.
User Manager/Hotspot Example 7
'x.x.x.x' is the address of the HotSpot router; 'shared-secret' should match on both the User Manager and HotSpot routers. Adding 'x.x.x.x' as a router allows RADIUS requests from 'x.x.x.x' to be passed to the RADIUS server built into User Manager. Therefore, if you have any remote ROS HotSpots that require access to this RADIUS server, all their IP addresses must be added to this list.
• Add HotSpot user information; it is equal to 'ip hotspot user' when the local HotSpot is used for clients.
In version 3:
In version 4:
Only a basic configuration example is discussed here; see the detailed information about 'user' menu configuration.
• You can use the User Manager web interface after the first subscriber has been created.
• To make sure that the client is using User Manager for AAA,
'R' means that the client uses the User Manager server for AAA services.
User Manager/PPP Example 8
PPP configuration
We consider a PPPoE server <-> PPPoE client configuration example, where the PPPoE server uses a remote User Manager database for PPPoE client authentication, authorization and accounting. Both the PPPoE server and the PPPoE client are MikroTik routers; any other PPPoE client might be used instead.
• Set the IP address of the PPPoE server. The IP address might not be assigned to the interface of the PPPoE server. Moreover, a static IP address or DHCP should not be used on the same interfaces as the PPPoE server, for security reasons.
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note: the local PPP database is consulted first, then the User Manager database.
In version 4:
'x.x.x.x' is the address of the PPPoE-server router; 'shared-secret' should match on both the User Manager and PPPoE-server routers.
• Add PPPoE client information,
In version 3:
/tool user-manager user add username=demo password=demo subscriber=MikroTik ip-address=192.168.0.2
In version 4:
/tool user-manager user add username=demo password=demo customer=MikroTik ip-address=192.168.0.2
• Let us verify that the PPPoE client is connected and is using User Manager for authentication, authorization and accounting. First we monitor whether the PPPoE client is connected, then we verify that User Manager was used. The first command is executed on the PPPoE client router, the second on the PPPoE server:
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note: the local router database is consulted first, then the User Manager database. A user will be unable to obtain a DHCP lease if neither the DHCP router nor the User Manager server contains any information about the user's data.
In version 4:
'x.x.x.x' is the address of the DHCP router; 'shared-secret' should match on both the User Manager and DHCP routers.
• Add DHCP user information so that the client with MAC address 00:01:29:27:81:95 will always receive the address 192.168.100.2. The user will receive a dynamic address from the DHCP IP pool if ip-address is not specified.
In version 3:
/tool user-manager user add subscriber=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
In version 4:
/tool user-manager user add customer=MikroTik username="00:01:29:27:81:95" ip-address=192.168.100.2
Only a basic configuration example is discussed here; see the detailed information about user menu configuration.
• To make sure that the user is receiving the lease from User Manager,
User Manager/DHCP Example 11
'R' means that lease has been received from User Manager server.
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note: the local router database is consulted first, then the User Manager database. A wireless client will be unable to connect to the Access Point if the Access Point router does not contain any entry in the 'interface wireless access-list' for the particular configuration and the User Manager server does not have any information about the user's data.
• Make sure you do not have any entry in the 'interface wireless access-list'; remove all hosts from 'access-list' to ensure that wireless client MAC authentication happens only via User Manager,
In version 4:
'x.x.x.x' is the address of the Access Point router; 'shared-secret' must match on both the User Manager and Access Point routers.
• Add wireless client information: the client MAC address that is allowed to establish a connection to the Access Point,
In version 3:
RouterOS configuration
• Set RouterOS to use the User Manager server for checking login and password information,
• '/user aaa' has a 'default-group' option that defines the type of the default group. The default is read permissions, if you need to allow full permissions for users stored in the User Manager database
'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address.
• Note: the local router database is consulted first, then the User Manager database.
User Manager/RouterOS user Example 13
In version 4:
'x.x.x.x' is the address of the RouterOS router; 'shared-secret' must match on both the User Manager and RouterOS routers.
• Add login/password information for the account that will be able to access RouterOS. The login is MikroTik, the password is MikroTik.
In version 3:
User Manager/Customers
• Customers are service providers. They use web interface to manage users, credits, routers;
• Customers are hierarchically ordered in a tree structure [1] - each can have zero or more sub-customers and
exactly one parent-customer;
• Each customer can have the same or a weaker permission level than its parent;
• Each customer has exactly one owner-subscriber.
• A customer with owner permissions is called a subscriber. A subscriber's parent is the subscriber itself;
• Customer data contains:
• Login and password. Used for the web interface;
• Parent. Enumerator over customers. Used to keep the hierarchy of customers;
• Permissions. Specifies the permission level;
• Public ID. An ID used to identify the customer. When a user wants to log on to the user page or to sign up, he/she needs to specify which customer to use (because user login names are allowed to be equal among several subscribers). To keep customer login names secret (for security reasons), this field is used to identify customers (subscribers);
• Public host. Only for subscribers. IP address or DNS name [2] specifying the public address of this User Manager router. Payment gateways use this address to send the transaction status response. This field makes sense only if users access the User Manager site through a local IP address (for example, http://192.168.0.250/user) and another address is used for public access (for example, http://userman.mt.lv/user).
• Company, city, country. Informational;
• Email address. Used to send emails (e.g., sign-up information) to users;
References
[1] http://en.wikipedia.org/wiki/Tree_structure
[2] http://en.wikipedia.org/wiki/Domain_name
User Manager/Users
• Users are people who use services provided by customers;
• Each user can have time, traffic and speed limitations;
• Users belong to a specific subscriber, not to a customer. Customers can create, modify and delete users, but the owner is the subscriber who is also the owner of these customers;
• To separate users among the customers of one subscriber, a user prefix is used.
• User data contains:
• Username and password - used to identify the user. Different subscribers can have users with the same username;
• First name, last name, phone, location. Informational;
• Email. Used to send notifications to the user (e.g., sign-up email);
• IP address. If not blank, the user will get this IP address on successful authorization;
• Pool name. If not blank, the user will get an IP address from this IP pool on successful authorization;
• Group. Sent to the RADIUS client as the Mikrotik-Group attribute. Indicates the group (/user group) for RouterOS users and the profile for HotSpot users. See the RADIUS client documentation [1] for further details, search for "Mikrotik-Group".
• Address list. Sent to the RADIUS client as the Mikrotik-Address-List attribute. Used only for PPP (not HotSpot) - indicates to which "ip firewall address-list" the remote address should be added.
• Download limit. Limit of download traffic, in bytes;
• Upload limit. Limit of upload traffic, in bytes;
• Transfer limit. Limit of total traffic (download + upload), in bytes;
• Uptime limit. Limit of the total time the user can use services. When left blank, the user is limited in time only by credits. Note that this value only takes effect while a user is logged on. When they log off, the clock is stopped. If you want to limit the time whether or not the user is logged in, you have to use credits.
• Rate limits. Has several parts. For a more detailed description see HotSpot User AAA [2], search for "rate-limit".
• Users also have read-only counters:
• Uptime used;
• Download used;
• Upload used.
Note: RouterOS users have nothing to do with User Manager users. If you have a RouterOS user admin, it doesn't mean it will also be a customer/subscriber in User Manager.
References
[1] http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_radius.php
[2] http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_hotspot.php
User Manager/Routers
User Manager must know with which routers (IP addresses) to communicate. User Manager is like a judge - it
receives questions and must give answers. For example:
HotSpot: "Is user 'nick' allowed to use hotspot?"
User Manager: "Yes, but only 2 hours. And give him IP 192.168.0.40".
If an unknown router asks something, User Manager ignores it.
Router table contains information about known routers which are allowed to ask User Manager questions.
Router data contains:
• Name. Name of the router. Informational, must be unique per subscriber;
• IP address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
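The router table check described above, as an added example (not User Manager's own code): a packet is ignored unless its source address is a known router and, for accounting requests, its Request Authenticator verifies under that router's shared secret as RFC 2866 defines it. The router address, secret and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)

# Constructed router table: source IP -> shared secret (hypothetical values).
ROUTERS = {"192.168.0.1": b"shared-secret"}


def _authenticator(code, ident, attrs, secret):
    """RFC 2866: MD5(Code + ID + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_accounting_request(ident, attrs, secret):
    """What a router (NAS) would send; used here only to make sample packets."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = _authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    return header + auth + attrs


def check_accounting_request(src_ip, packet, routers=ROUTERS):
    """Return 'accepted' or the reason the packet is silently ignored."""
    secret = routers.get(src_ip)
    if secret is None:
        return "ignored: unknown router"
    if len(packet) < 20:
        return "ignored: malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return "ignored: malformed"
    packet = packet[:length]  # octets beyond Length are padding
    expected = _authenticator(code, ident, packet[20:], secret)
    # Constant-time comparison so timing does not reveal matching bytes.
    if not hmac.compare_digest(expected, packet[4:20]):
        return "ignored: bad authenticator"
    return "accepted"


# Constructed sample: User-Name (1) 'nick', Acct-Status-Type (40) = Start.
SAMPLE_ATTRS = attr(1, b"nick") + attr(40, struct.pack("!I", 1))
GOOD = build_accounting_request(7, SAMPLE_ATTRS, b"shared-secret")
WRONG_SECRET = build_accounting_request(7, SAMPLE_ATTRS, b"guess")

if __name__ == "__main__":
    print(check_accounting_request("192.168.0.1", GOOD))
    print(check_accounting_request("10.9.9.9", GOOD))
    print(check_accounting_request("192.168.0.1", WRONG_SECRET))
```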
User Manager/Sessions
The term session refers to a period when a user is using customer's services (HotSpot). It has nothing to do with User
Manager web-page sessions.
Fields:
• Username. Session owner;
• NAS Port. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• NAS Port Type. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Calling Station ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• Status. Session status, composition of several facts;
• User IP. User's IP address;
• Host IP. Router's IP address;
• NAS Port ID. See: RADIUS Client documentation [1] (Supported Radius Attributes);
• From Time. Session start time;
• Till Time. Session end time;
• Terminate Cause. Session termination reason;
• Uptime. = EndTime - StartTime;
• Download. Downloaded traffic amount;
• Upload. Uploaded traffic amount.
User Manager/Payments
Users can buy credits using payment methods allowed by the subscriber. Subscribers can define accessible payment
methods on the customer page.
Payments hold history of user's transactions.
Attributes:
• Created. Transaction start-time;
• Finished. Transaction end-time;
• Price. Transaction amount (credit price);
• Credit time. Credit prepaid-time bought;
• Status. Current status of transaction. Can be one of the following:
• Started - transaction is in progress;
• Approved - transaction completed successfully;
• Error - transaction failed;
• Timeout - transaction failed (not finished in required time);
• Status description - message describing transaction status;
User Manager/Logs
Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received.
It is configurable per router which logs must be written (See: HOWTO).
Log data contains:
• Username. Can differ from those registered in user table;
• User IP;
• Host IP. Router's IP;
• Status;
• Time;
• Description;
• NAS Port;
• NAS Port type;
• NAS Port ID;
• ACCT Session ID;
• Calling station ID.
More information on what these fields mean can be found in the MikroTik RouterOS RADIUS client documentation [1], Supported RADIUS Attributes.
, where 1.2.3.4 and 514 are the IP address and UDP port of the remote host which will receive the logs.
3) Configure your remote host to listen on port 514 (any other port can be used, but it MUST be a UDP port and MUST match the one entered in the router's system logging action);
4) Test whether logs are successfully received at the remote host:
4.1) Generate some logs by logging in and out using HotSpot/PPP users;
4.2) Check the Log page. The logs must appear here. Logs are sent to syslog only if they are logged in the User Manager database;
4.3) Check whether logs are received remotely. If you are running Linux, nc [2] can be used:
nc -l -u -p 514
, where 514 is the UDP port used. Root permissions may be required to listen on a UDP port.
Another alternative is Wireshark [3] - a multi-platform tool for network packet "sniffing". Start a new session and enter
<user-ip>,<username>,<log-type>,<message>
, where:
• user-ip - IP of the user (NOT the router's IP!): four numbers in the range 0-255, separated by commas. 0.0.0.0 means "empty address";
• username - username of the user, or the MAC address when MAC authentication is used;
• log type - string describing the type of the log. Takes one of the following values: "auth ok", "auth fail", "acct ok", "acct fail". Fail means that the user failed to authorize or the accounting log was malicious. To track user session activity, only logs having "auth ok" and "acct ok" must be taken into account.
• message - contains a message describing the error in case of failure. Can be empty. SysLog messages are limited in size, therefore it could happen that the end of the message has been cut off.
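A parser for the log payload format above, as an added example (not part of the original manual): it keeps only "ok" events for session tracking and counts failures per username so repeated authentication failures stand out. The sample lines and their message texts are constructed; because the text says the address octets are comma-separated while its own 0.0.0.0 example uses dots, the parser accepts either form, and it assumes the syslog header has already been stripped.

```python
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

# <user-ip>,<username>,<log-type>,<message>; the message may contain commas
# and may be cut short, so everything after the log type is taken as-is.
_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:[.,]\d{1,3}){3}),"
    r"(?P<user>.*?),"
    r"(?P<type>auth ok|auth fail|acct ok|acct fail)"
    r"(?:,(?P<msg>.*))?$"
)


class UmLog(NamedTuple):
    user_ip: Optional[ipaddress.IPv4Address]  # None for 0.0.0.0 ("empty address")
    username: str
    log_type: str
    message: str


def parse_um_log(payload: str) -> UmLog:
    """Parse one payload; raise ValueError if it does not fit the format."""
    m = _LINE.match(payload.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a User Manager log payload: %r" % payload)
    # IPv4Address raises a ValueError subclass for octets above 255.
    ip = ipaddress.IPv4Address(m["ip"].replace(",", "."))
    empty = ip == ipaddress.IPv4Address("0.0.0.0")
    return UmLog(None if empty else ip, m["user"], m["type"], m["msg"] or "")


def summarize(payloads):
    """Return (ok events per user, failures per user, unparsed line count)."""
    ok, failed, unparsed = Counter(), Counter(), 0
    for payload in payloads:
        try:
            rec = parse_um_log(payload)
        except ValueError:
            unparsed += 1
            continue
        (ok if rec.log_type.endswith(" ok") else failed)[rec.username] += 1
    return ok, failed, unparsed


def repeated_failures(failed, threshold=3):
    """Usernames (or MAC addresses) with at least `threshold` failures."""
    return sorted(user for user, n in failed.items() if n >= threshold)


# Constructed sample payloads.
SAMPLE = [
    "192.168.0.40,nick,auth ok,",
    "192.168.0.40,nick,acct ok,",
    "0.0.0.0,00:01:29:27:81:95,auth fail,user not found",
    "0.0.0.0,00:01:29:27:81:95,auth fail,user not found",
    "0,0,0,0,00:01:29:27:81:95,auth fail,user not fo",  # comma form, cut off
    "192.168.0.41,demo,acct fail,bad request, ignored",
    "not a user manager line",
    "999.1.1.1,x,auth ok,",  # octet out of range
]

if __name__ == "__main__":
    ok, failed, unparsed = summarize(SAMPLE)
    print(dict(ok), dict(failed), unparsed, repeated_failures(failed))
```

The username field is supplied by the client, so a username that itself contains ",auth ok" can still shift the fields; treat parsed values as untrusted input.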
References
[1] http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius
[2] http://netcat.sourceforge.net/
[3] http://www.wireshark.org/
User Manager/Permissions
This table lists customer permissions:
View
Routers + + + +
Credits + + + +
Users + + + +
Sessions + + + +
Customers + +
Reports + + + +
Logs + + + +
Add
Routers + + +
Credits + + +
Users + + +
Customers +
Edit
Routers + + +
Credits + +
Users + + +
Customers +
Remove
Routers + +
Credits + +
Users + +
Customers +
Sessions + +
Logs + +
Specific actions
Date constants
In a date constant, the following characters are replaced with the proper values:
• %Y - four digit year representation
• %b - verbal (short) month representation
• %m - two digit month representation
• %d - two digit day-of-the-month representation
Examples (representing October 5, 2006):
• %d/%m/%Y - 05/10/2006
• %Y-%b-%d - 2006-Oct-05
User Manager/Character constants 21
User Manager/Public ID
Each subscriber already has a unique field: login. But for security reasons another field, Public ID, is used. Note: in earlier versions (until version 2.9.31) the login is used to identify the subscriber.
Each customer has a Public ID. It can be configured in the customer section. However, there is no need to specify a public ID for each customer, because the subscriber search procedure works as follows:
• Search for a customer with the specified public ID. If no customer is found, the default (first) subscriber is used. Otherwise proceed to the next step;
• Search for the subscriber (owner) of the customer just found. Every customer has its subscriber, so this procedure always finds a result.
So only one customer per subscriber must have a public ID defined. Usually the subscriber itself has a public ID and all the other customers can live without it.
A public ID for customers is significant in the user sign-up process, to use a different user prefix and sign-up credit for different customers.
Only subscribers have permissions to edit customers. That means the subscriber must configure the public IDs for all sub-customers.
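The subscriber search procedure above, together with the parent links from the Customers section, as an added example (not User Manager's own code). The customer records are constructed, finding the owner by walking parent links up to the customer that is its own parent is an assumption, and `ambiguous_public_ids` is a hypothetical audit helper.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Customer:
    login: str
    parent: str  # login of the parent; a subscriber is its own parent
    public_id: Optional[str] = None


def owner_subscriber(table: Dict[str, Customer], login: str) -> Customer:
    """Follow parent links until the subscriber (its own parent) is reached."""
    seen = set()
    cur = table[login]
    while cur.parent != cur.login:
        if cur.login in seen:
            raise ValueError("parent loop at %r" % cur.login)
        seen.add(cur.login)
        cur = table[cur.parent]
    return cur


def resolve_subscriber(table: Dict[str, Customer], public_id: Optional[str]) -> Customer:
    """Step 1: find a customer by public ID; step 2: return its owner.

    An unknown or empty public ID falls back to the default (first)
    subscriber instead of failing, exactly as the text describes.
    """
    if public_id:
        for cust in table.values():
            if cust.public_id == public_id:
                return owner_subscriber(table, cust.login)
    for cust in table.values():  # dicts keep insertion order
        if cust.parent == cust.login:
            return cust
    raise LookupError("no subscriber defined")


def ambiguous_public_ids(table: Dict[str, Customer]):
    """Public IDs that map to more than one subscriber (lookup would be order-dependent)."""
    owners = {}
    for cust in table.values():
        if cust.public_id:
            sub = owner_subscriber(table, cust.login).login
            owners.setdefault(cust.public_id, set()).add(sub)
    return sorted(pid for pid, subs in owners.items() if len(subs) > 1)


# Constructed sample: two subscribers, each with sub-customers.
TABLE = {c.login: c for c in [
    Customer("isp-a", "isp-a", public_id="alpha"),
    Customer("reseller1", "isp-a"),
    Customer("shop", "reseller1", public_id="shop-signup"),
    Customer("isp-b", "isp-b"),
    Customer("branch", "isp-b", public_id="beta"),
]}

if __name__ == "__main__":
    for pid in ("alpha", "shop-signup", "beta", "no-such-id", ""):
        print(repr(pid), "->", resolve_subscriber(TABLE, pid).login)
```

The last two lookups land on "isp-a": a mistyped public ID is served by the first subscriber rather than rejected, which is worth knowing when several subscribers share one router.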
User Manager/MAC binding 23
Description
MAC binding is a feature where the user's MAC address is not specified beforehand, but is fixed (bound) when the user connects for the first time. From then on the user is allowed to use only this MAC address.
In User Manager the MAC address can also be re-bound for users with a previously fixed one. In this case the MAC address is re-fixed at the next user logon.
To specify a particular MAC address, un-check this box and type in the MAC address manually.
User Manager/Languages
In RouterOS v4, User Manager supports multiple languages.
User translations
Currently no ready-to-use translations are available here. But, if you made one, please post it here: choose "Upload
file" from menu on the left side of this wiki, upload the file and then post a direct link to it here.
Spanish translation http://wiki.mikrotik.com/images/b/be/Sp_SP_def.txt author: Jose Salazar, Spain. Change txt extension for lng and upload it via FTP to Router.
Portuguese-BR translation http://wiki.mikrotik.com/images/2/2c/Pt_BR.lng.txt author: Antonio Junior, Brazil. Change extension for lng and upload it via FTP to Router.
Italian translation http://wiki.mikrotik.com/images/2/23/It_IT_def.txt author: Renato Bernardi, Italy. Change txt extension for lng and upload it via FTP to Router.
User Manager/Search patterns 25
Examples
• "spot" matches hotspot, hotSpot, HotSpot, HotSpots, HOTSPOT, ...
• "r%m" matches rm, arm, armor, ram, rome, aroma, Mikrotik manager ...
User Manager/Tables
Tables are used to display a list of objects: users, routers, credits, sessions, customers or logs.
A table displays objects of only one type. Each type of object has specific fields to display.
If the object contains many parameters, not all of them are displayed in the table. To see all parameters, the object detail form can be used.
Tables have several options:
• Sorting;
• Filtering (Search);
• Division in pages;
• Multiple object selection;
• Operations with selected objects;
• Minimization;
• Links to detail form.
Sorting
Sorting can be done by almost all fields. But there are some "non-sortable" fields, mostly because they are calculated
fields.
Sorting can be ascending (1, 2, 3, ...) or descending (5, 4, 3, ...).
There are triangular sort buttons for each column - on sides of column's title (at the top). Ascending sort - on the left,
descending - on the right:
Sorting decreases data reading performance - sorted data reads take more time than non-sorted reads. However, sorting affects only reads in the current table; tables are independent of each other.
Filtering
Each table can be filtered only by one field:
• Users, sessions, logs: by username;
• Routers, credits: by name;
• Customers: by login.
Some tables cannot be filtered (for example, specific user's sessions).
Enter a pattern in the search form at the bottom of the table and press search. To cancel filtering, clear the value of the search form and press search:
Division in pages
A table can contain plenty of records. It could be a very long operation to display them all. Therefore records are divided into pages and only one page, called the active page, is displayed at a time.
Record count per page is changeable on the top-right corner:
The active page can be changed using the link on the upper-left corner:
Each object can be selected and actions can be performed on selected objects.
On top of all checkboxes is the select-all checkbox, which toggles selection of all objects in the current page:
The total count of selected objects and selected objects in the active page is displayed.
There is also a button which unchecks all selected objects in other (inactive) pages (affects only this table). This
button is very useful if you select some objects and then change sorting criteria for the table - selected objects get
scattered between many pages but you can still uncheck them all by one click.
Minimization
Tables can be minimized with a click on the minimize button on the top-right corner:
How to find?
Type the following address in your web browser: http://Router_IP_address/userman
where "Router_IP_address" must be replaced with IP address of your router.
Sections
The customer page sections are described here. Use the menu on the left side to navigate:
Status
This page has several components:
• User search;
• Active user listing;
• Active session listing;
• User batch-add form.
User search
Type in the search pattern and press the button "Search". Results will be displayed in a new table.
Active users
The active user count is displayed here. To see a full list of active users, click on "Show":
User Manager/Customer page 32
Active sessions
The active sessions count is displayed here. To see a full list of active sessions, click on "Show":
Fields:
• Number of users. How many users to add;
• Login starts with. Displays user prefix;
• Rate limits. Hidden by default. Check the box on the right to show the rate limit field group;
• Uptime limit;
• Prepaid. Credit that will be assigned to users. Unlimited users can also be created by selecting unlimited as a
value.
• Generate CSV [1] file. When checked a CSV-file [1] will be generated containing just created user data;
• Generate vouchers. When checked printable vouchers for just created users will be generated.
Routers
View routers
Table displaying routers:
Add router
Opens router add form. The same form is used to edit routers:
Fields:
• Name. Router's name. Must be unique per subscriber;
• IP Address. Address of the router;
• Shared secret. Password used for authentication;
• Log events. Specifies which events must be written to log.
Credits
View credits
Table displaying credits:
Add credit
Opens credit add form. The same form is used to edit credits:
Fields:
• Name. Credit's name. Must be unique per subscriber;
• Time. How long this credit is valid when started;
• Full price. The price of this as the first credit for a user. When the checkbox at the right is empty, full price is unavailable - this credit cannot be used as a base credit;
• Extended price. The price of this as an extended credit for a user (the user already has credits before this one). When the checkbox at the right is empty, extended price is unavailable - this credit cannot be used as an extended credit;
Users
View users
Table displaying users:
Only part of user's attributes are shown here. To see all details of specific user, open user detail form by clicking on
username in the table.
If the user has credits assigned the total prepaid time is shown at the bottom. To see credit details click on the plus
sign ("+") under Prepaid time:
New credits can also be assigned (if permitted) to user. At the bottom is a select-box called "Extend" (called "Add
time" when user has no credits yet). The price depends on what kind of credit this is for a user - first or extended.
Price is shown in braces:
To assign credit to the user, choose the desired credit and click Save.
Options (buttons at the bottom):
• Save - saves edited information, assigns credit, if one selected;
• View report - opens single user report.
• Remove last credit - removes last credit that's not started yet;
• Show sessions - opens window with all sessions this user has;
Add user
Detail form for filling in information about the new user. Very similar to user detail form. This form does not have
read-only counters and other user statistics:
Sessions
View sessions
Table displaying sessions:
Only part of session's attributes are shown here. To see all details of specific session, open session detail form by
clicking on ID in the table.
To see details of session user click on the username in the table.
Customers
View customers
Table displaying customers:
Only part of customer's attributes are shown here. To see all details of specific customer, open customer detail form
by clicking on login in the table.
There are fields which are accessible only for subscribers: Public Host and Authorize.Net fields. These fields are not
shown for customers who are not subscribers:
There are sensitive-data fields (Authorize.Net) which are visible only when using secure connection (https):
There are sensitive-data fields (Authorize.Net) whose values are not shown. Whether the field has value specified or
not is visible by the title standing before it: if the title says "Set ...", this field has no value set; the title saying
"Change ..." means that this field has some value:
In the example above Login ID and Transaction Key fields have values (titles are "Change ...") while MD5 Value
field has no value specified (title is "Set ...").
Add customer
Detail form for filling in information about the new customer. Very similar to customer detail form. This form does
not have subscriber fields since subscribers cannot be added here:
Reports
This section refers to user time and traffic reports.
Reports generated here can be printed directly.
Configurable options:
• Users - which users to show: prepaid, unlimited or all;
• Type - time (contains prepaid time, extend time and price) or amount (contains upload and download amount)
report;
• Period - total (whole history) or with specific time boundaries;
See user time and traffic reports for further detail.
Sample report:
Logs
View logs
Table displaying logs:
Only part of log's attributes are shown here. To see all details of specific log, open log detail form by clicking on ID
in the table.
References
[1] http://en.wikipedia.org/wiki/Comma-separated_values
User Manager/User page 44
Textual link
To get a textual link to user page, replace this template with your own values:
<a href="http://%hostname%/user?subs=%subid%">%caption%</a>
And it looks like this: This is an example link to Mikrotik User Manager demo User page [1]
Link button
To get a button, which leads to user page, replace this template with your own values:
<button onclick="document.location='http://%hostname%/user?subs=%subid%'">%caption%</button>
Example: To get a button-link to userman.mt.lv router's demo subscriber user page, use the following link:
<button onclick="document.location='http://userman.mt.lv/user?subs=demo'">Check</button>
The visual representation cannot be shown here because of the wiki security, so you have to imagine what it looks like.
The same button-link is used in HotSpot page templates. By default it looks like this:
$(hostname) here is replaced with the hostname of the HotSpot router (so the default link works only if HotSpot and
User Manager are running on the same router). And "subs=" means that first subscriber will be used (works fine
when there's only one subscriber on the router). Hostname and subscriber id can be replaced with desired values.
Sections
This part of the document describes the sections available in the user page. For navigation use the menu on the left side:
Status
Here the user can see account's status:
• Summary;
• Credits;
• Sessions.
Sample screenshot:
This information is also formatted for printing. See print preview in the browser (usually under File > Print preview
in the browser's toolbar). Credits and sessions are presented in tables. These tables can be "minimized" with the
button in the upper right corner of the table. A minimized table will not be printed (see print preview).
Summary
Here the user can see:
• Prepaid time - duration of all the credits bought (See: time constants). Or the word unlimited (See prepaid and
unlimited users);
• Total price - how much all the credits cost;
• Uptime limit - the maximum allowed duration of user's sessions;
• Uptime used - current duration of user's sessions;
• Download used
• Upload used
Credits
Table with all credits this user has bought. No data for unlimited users.
Sample screenshot:
If there are credits that are not started yet (see: credits), start-time and end-time fields contain values "awaiting
login".
Sessions
Table with all user's sessions.
Sample screenshot:
Payments
Here the user can view payment history and buy a new credit. This section is only available if the subscriber has
allowed any payments.
View payments
Table with all user payments.
Sample screenshot:
To see all details of specific payment, open payment detail form by clicking on ID in the table.
Buy credit
A new credit can be bought here using payment methods which are allowed by the subscriber.
There are a number of restrictions for this sub-section to be accessible:
• Secure connection (https [3]) must be used to access the site. Otherwise a notification with a link to secure page
will be shown;
• At least one payment method must be allowed by the subscriber;
• Subscriber must have configured all required payment attributes;
Sample screenshot:
Here the user can see his/her current balance and choose a credit to buy. After clicking the "Buy" button, the user
is redirected to the payment gateway, where he/she has to enter the data required to process the payment.
Important - payment data (such as credit card number and expiry date) is sent directly from the user's computer to
the payment gateway and is not captured by User Manager. User Manager processes only the response about the payment
result from the payment gateway. This response does not contain any sensitive user data.
When the payment is successful, the selected credit is added to user's account.
Settings
In this section user can configure his/her parameters:
• Private information (informational, not used by User Manager):
  • First name;
  • Last name;
  • Phone;
  • Location.
• Email - used to send emails to user. Must be unique.
If values are provided in the "New password" and "Retype new password" fields, the password will be changed.
Sample screenshot:
References
[1] http://userman.mt.lv/user?subs=demo
[3] http://en.wikipedia.org/wiki/Https
User Manager/User sign up 50
Setup
User sign-up can be enabled per customer. I.e., some customers can allow it while others don't.
Sign-up is disabled by default. To enable it, several requirements must be met:
• Note: All the attributes mentioned here can be configured in the customer section of the customer web-page;
• A customer who wants to allow sign-up must have a public ID. Since only subscribers have permission to edit
customers, this public ID must be assigned by the subscriber. In other words, the subscriber must configure public
IDs for its customers.
• Subscriber must have at least one credit with full price specified;
• When users access the sign-up page from a local address which is not accessible from outside (global
Internet), the subscriber must have a public host address configured. This address is needed by PayPal; the payment
response will be sent to it;
• The customer has to enable sign-up by checking the "Signup allowed" box in Signup options section;
• The subscriber must have at least one payment method enabled and configured;
• The customer should have an email address specified. Email will be sent to users who sign up (if the user specifies
his/her email address) using this as the from-address;
• SMTP-server should be specified. It can be done via console, under tool email, command "set
server=xxx.xxx.xxx.xxx". This SMTP server will be used to send the email reminding the user of the account data.
Users can, however, log on to the HotSpot after a successful payment without receiving this email;
• Signup email subject and body can be personalized. There are defaults defined, but one can customize them.
However, there are constant strings (which will be replaced by actual values) that must be present within the message
body. See sign-up email body field definition.
Sign-up steps
User sign-up can be divided into the following steps:
• Subscriber configures required parameters (described above);
• User creates an account:
  • User opens sign-up page URL in the browser;
  • User fills in the sign-up form;
  • User chooses credit;
  • User chooses payment method;
  • An inactive account is created for the user;
• User activates the account (executes payment):
  • User is redirected to Payment Gateway;
  • The payment is being processed;
  • Payment gateway sends response (was the payment successful or not) to User Manager router;
  • The account gets activated (if the payment was successful);
• User can start using services. Status check and setting change can be done in the user web-page.
This may seem a little confusing, but all these steps are simple and can be done in several minutes.
Creating account
User opens http://routerIP/user?signup=publicID, where routerIP must be replaced with the IP address of the User
Manager router and publicID must be replaced with the subscriber's public ID.
Sign-up form will be shown:
Input fields:
• email. Email address for the user account. Must be unique per subscriber. Account data will be sent to this address
if one is specified;
• login. Desired username. If a user prefix is defined, it is shown at the left and cannot be changed. So the prefix is
already predefined (may be empty), and the remaining part of the username can be chosen. It must be at least 3
characters long. Example: if the prefix is "cu" (shown on the left) and "test" is entered as the remaining part, the
username will be "cutest";
• password. Self explanatory;
• confirm password. Password once again, to reduce the possibility of mistyping it;
• time. The initial credit for the user account;
• pay with. Payment method selector.
After the "sign up" button is pressed, authorization data is shown to the user. He/She must remember this data as it
will be required to log in later:
Activating account
On a successful payment, the account is activated and the user is returned to User Manager/User page where he/she
can check the status of the account.
If the email address was specified in sign-up form, an email with authorization information is sent to it. The text is
customizable in customer web-page. By default it looks like this:
Your authorization data:
login: userLogin
password: userPassword
where:
• userLogin is the username (login);
• userPassword is the password;
• http://userman.mt.lv/ is the hostname of the User Manager router.
Login
After successful account activation user is able to start using services (Hotspot). Status and settings are available in
user web-page.
Authorize.Net
Authorize.Net requirements
To allow Authorize.Net payments for users the following requirements must be met:
• User Manager v3.0 (or v2.9.x, >= 2.9.40) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant account in Authorize.Net [3] gateway;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Authorize.net webpage,
Authorize.Net setup
Relay URL
Relay URL list must either be empty or contain URL to the User Manager router. For example, if you are using
userman.mt.lv as User Manager router, then Relay URL list must contain URL https://userman.mt.lv/ (works with
and without trailing slash). Relay URL list can be configured in Authorize.Net [3] merchant gateway under Account
> Settings > Response/Receipt URLs
API Login ID
API Login ID is shown in Authorize.Net [3] merchant gateway under Account > Settings > API Login ID and
Transaction Key.
Transaction Key
Transaction Key can be obtained in Authorize.Net [3] merchant gateway under Account > Settings > API Login ID
and Transaction Key > Create New Transaction Key.
MD5-Hash value
MD5-Hash value can be set in Authorize.Net [3] merchant gateway under Account > Settings > MD5-Hash.
WARNING!: Standard MD5 hash values are 32 characters long; however, the Authorize.net MD5-Hash input fields
only allow 20 characters. You have the best chance of success if you paste your md5sum into the Authorize.net input
field, then copy it back out and paste it into the User Manager configuration. By re-copying from the Authorize.net
input field, you select only the 20 characters that the field length allows.
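Why the two sides must hold the same 20 characters, as an added example that is not User Manager's or Authorize.Net's code: it assumes the legacy relay response scheme in which the gateway sends x_MD5_Hash = MD5(hash value + API Login ID + transaction ID + amount) and the router recomputes it. The login ID, transaction ID, amount and md5sum are constructed.

```python
import hashlib
import hmac

GATEWAY_FIELD_MAX = 20  # input length the page reports for the gateway's MD5-Hash field
API_LOGIN_ID = "EXAMPLElogin1"  # constructed placeholder, not a real API Login ID
# Constructed 32-character md5sum an operator wants to use as the MD5-Hash value.
FULL_MD5SUM = hashlib.md5(b"constructed example seed").hexdigest()


def relay_response_hash(hash_value, api_login_id, trans_id, amount):
    """Assumed legacy scheme: MD5(hash value + API Login ID + transaction ID + amount)."""
    material = (hash_value + api_login_id + trans_id + amount).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper()


def gateway_reply(pasted_value, trans_id, amount):
    """Simulate the gateway: it only stored what fitted into its input field."""
    stored = pasted_value[:GATEWAY_FIELD_MAX]
    return {
        "x_trans_id": trans_id,
        "x_amount": amount,
        "x_MD5_Hash": relay_response_hash(stored, API_LOGIN_ID, trans_id, amount),
    }


def verify_relay_response(fields, configured_value):
    """Router side: recompute the hash and compare it in constant time."""
    try:
        expected = relay_response_hash(
            configured_value, API_LOGIN_ID, fields["x_trans_id"], fields["x_amount"]
        )
        received = fields["x_MD5_Hash"].upper()
    except KeyError:
        return False  # a response without the hash fields is never accepted
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    reply = gateway_reply(FULL_MD5SUM, "1000000001", "5.00")
    print("router holds all 32 chars :", verify_relay_response(reply, FULL_MD5SUM))
    print("router holds first 20 only:", verify_relay_response(reply, FULL_MD5SUM[:20]))
    tampered = dict(reply, x_amount="50.00")
    print("amount changed in transit :", verify_relay_response(tampered, FULL_MD5SUM[:20]))
```

A router configured with the full 32-character value rejects every genuine response, which shows up as payments that succeed at the gateway but never add credit.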
Payment Form
Payment Form configuration can be found in Authorize.Net [3] merchant gateway under Account > Settings >
Payment Form. The look of this form is customizable here. While the only required fields for processing a transaction
are credit card number and expiration date, other fields are allowed to be shown in the form. Form customization
is up to the merchant.
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as Relay URL for Authorize.Net gateway
(See: Authorize.Net Merchant account configuration). Domain name or IP address can be used. Only the address
must be specified, not URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not
https://userman.mt.lv/userman):
User Manager/User payments 55
Authorize.Net usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of
http://router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to Authorize.Net gateway payment form, which should look similar to following:
• The actual look of this form can be configured in Authorize.Net merchant gateway
• User fills in credit card number and expiry date. Other fields are optional:
• The data is transmitted directly to Authorize.Net gateway via secure connection. Neither credit card number nor
expiry date is submitted to User Manager router.
• Authorize.Net gateway processes the data and sends response to specified User Manager router. This response
contains only data required to identify payment in User Manager and detect result status of transaction - was it
successful or not. It does not contain any information about the user - credit card number, expiry date or other
sensitive data.
• User Manager processes the response and updates payment record status;
• If the transaction was successful requested credit is added to user's account;
• A message describing payment result is shown to user:
• Click on the button redirects the user back to User Manager page:
PayPal
PayPal requirements
To allow PayPal payments for users the following requirements must be met:
• User Manager v3.0 (>= 3.0beta6) or v2.9.x (>= 2.9.41) package installed on the router. See: Getting started;
• User Manager subscriber created (See: Getting started);
• Subscriber must have merchant PayPal [4] account;
• Web server on the router must be configured to support secure SSL connections (See HTTPS connection
enabling);
• HotSpot router should contain entries in 'walled-garden to User Manager router and Paypal webpage,
• version v3
/ ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow
These four entries are required to allow reliable access to the Paypal system.
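What the anchors and escaped dots in the entry above buy you, as an added example that is not part of the original manual: it decodes the console-escaped dst-host value and compares it with a constructed loose variant. It assumes that \\ and \$ are console escapes for \ and $, that a leading colon marks the value as a regular expression, and that Python's re behaves like the router's matcher for patterns this simple; the hostnames are constructed.

```python
import re

# Entry as printed on the page, and a constructed loose variant for comparison.
PAGE_ENTRY = r'/ ip hotspot walled-garden add dst-host=":^www\\.paypal\\.com\$" dst-port=443 action=allow'
LOOSE_ENTRY = r'/ ip hotspot walled-garden add dst-host=":www.paypal.com" dst-port=443 action=allow'

# Constructed hostnames: the gateway host plus two look-alikes.
HOSTS = ["www.paypal.com", "www.paypal.com.example.net", "wwwxpaypalxcom.example.net"]

DST_HOST = re.compile(r'dst-host="((?:[^"\\]|\\.)*)"')


def console_unescape(text):
    """Undo console escaping: a backslash makes the next character literal (assumption)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def dst_host_regex(command):
    """Return the regex in a walled-garden entry, or None if dst-host is not a regex."""
    match = DST_HOST.search(command)
    if not match:
        return None
    value = console_unescape(match.group(1))
    return value[1:] if value.startswith(":") else None


def audit(pattern):
    """List the ways a dst-host regex can match more hosts than intended."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("no ^ anchor")
    if not re.search(r"(?<!\\)\$$", pattern):
        findings.append("no $ anchor")
    if re.search(r"(?<!\\)\.", pattern):
        findings.append("unescaped dot")
    return findings


def allowed_hosts(pattern, hosts):
    """Hosts the entry would let unauthenticated HotSpot clients reach."""
    return [host for host in hosts if re.search(pattern, host)]


if __name__ == "__main__":
    for entry in (PAGE_ENTRY, LOOSE_ENTRY):
        pattern = dst_host_regex(entry)
        print(pattern, audit(pattern) or "ok", allowed_hosts(pattern, HOSTS))
```

Running the same audit over an exported walled-garden list is a quick way to find entries that open more than the payment gateway to clients that have not logged in.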
PayPal setup
• If users access User Manager page through a local IP address, public host attribute must be specified. It must
contain a public address of User Manager router which is acceptable as response URL for PayPal gateway
(PayPal will send payment result to this address). Domain name or IP address can be used. Only the address must
be specified, not complete URL (for example, userman.mt.lv, not https://userman.mt.lv/ and not
https://userman.mt.lv/userman):
PayPal usage
• User can buy credits in User Manager page. First he/she has to log on the page. See: User page.
• Secure connection must be used for web page, so user has to use https://router_IP/user instead of
http://router_IP/user (https instead of http).
• Payment section is available on main menu only if subscriber has allowed any payment method.
• To buy credit user chooses "Buy credit" from "Payments" section:
• If https connection is not used for web session, a message with error and link to https site will be opened:
• When the credit is chosen, "Buy" button must be pressed to start payment transaction:
• User is redirected to PayPal gateway payment form, which should look similar to following (PayPal web site can
change, these screen shots may differ from actual page):
• User logs on to the account. Payment is now displayed with the Pay button:
• When user presses Pay button, PayPal starts to process data. On successful payment result page is displayed:
• This page contains a "Return to merchant" button; pressing it returns the user to the User Manager payment
history page:
PayPal chargeback
When a payment changes status from "Approved" to "Aborted" (for example, "Reversed"), User Manager tries to
remove the credit bought with this money. This is, however, possible only if the two following requirements are met:
• The credit is not started yet;
• The credit is the last one for the current user, i.e., no other credit was bought after this one.
Related activities
HTTPS connection enabling
Creating certificate
Trusted SSL Certificate can be bought from trusted authorities, for example, VeriSign [7]. An unsigned certificate
can be generated by hand, using OpenSSL on a Linux box. To do it issue following commands in the shell:
Importing certificate
Certificate file can be then uploaded to the router and imported with command
certificates-imported: 1
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
If it doesn't, it may be that the file contains the private key and certificate sections in the incorrect order. In this
situation the output should be
certificates-imported: 1
private-keys-imported: 0
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 1
certificates-imported: 0
private-keys-imported: 1
files-imported: 1
decryption-failures: 0
keys-with-no-certificate: 0
where cert1 must be replaced by a correct certificate name (from /certificate section)
Troubleshooting
1. Authorize.net requires that the time on the server be within 15 minutes of UTC or you will get a failed
transaction; use an NTP client.
2. Your user manager must be accessible from the internet on port 443, make sure you have DNS setup properly or
use the IP address for all of your references. Don't forget to open your firewall for port 443 and use NAT to get to
your user manager if behind a firewall.
3. You must put the URL of your UserManager instance in your Authorize.net control panel. For example:
Response Reason Code: 14
Response Reason Text: The Referrer or Relay Response URL is invalid.
Notes: Applicable only to SIM and WebLink APIs. The Relay Response or Referrer URL does not match the
merchant's configured value(s) or is absent.
4. When inputting the above URL, use only the base URL, not /userman or it won't work.
References
[1] http://authorize.net/
[2] https://www.paypal.com/
[3] https://authorize.net
[4] https://www.paypal.com
[5] http://en.wikipedia.org/wiki/Man_in_the_middle
[6] http://en.wikipedia.org/wiki/Certification_authority
[7] http://www.verisign.com
Requirements
Central location: MikroTik OS with User Manager (suggested License is L6 [1]).
Hotspot: Mikrotik Routerboard with at least a L4 License
Network 192.168.1.0/24
Centralized Authentication for Hotspot user 69
R1-Hotspot Master
WAN IP- <Connected to Internet>
LAN IP – 192.168.1.1/24
R2-Hotspot IT Dept
WAN IP – 192.168.1.2/24
LAN IP – 10.10.10.1/24
We assume that all the setup is ready and the hotspot is configured on R2, R3, R4, and R5 with local authentication.
First, we will configure R2, R3, R4 & R5 to use MikroTik user manager as a Radius server.
/radius add service=hotspot address=192.168.1.1 secret=123456
The user name and password will work for all the remote hotspot routers: a user can log in from any department of
the company with the same ID and password, and we can have all the user data centrally.
Now you can log into the User Manager web interface at the address http://192.168.1.1/userman and start setting
up your user accounts.
More information in the User Manager section.
References
[1] http://www.mikrotik.com/pricelist.php?sect=1#product10
User Manager/QA/How to make MAC authentication 71
Command enables MAC authentication for the particular profile and forces to use RADIUS for AAA. Note, first
local HotSpot database is consulted, then User Manager database.
User Manager configuration (for each mac-address):
We add user information belonging to the particular subscriber, it allows HotSpot user with MAC-address
XX:XX:XX:XX:XX:XX to authenticate in HotSpot without prompting login/password.
1. Create credit;
2. Create users accounts with desired credits;
3. Open user table in customer web-page;
4. Check users for which you want to print vouchers;
5. Choose action Generate > print page (at the bottom of the table);
6. Formatted information will be shown on the page. It is ready for printing.
7. Choose File > Print in your web-browser.
User Manager/Introduction Source: http://wiki.mikrotik.com/index.php?oldid=15583 Contributors: EotThj, Girts, Jandrade28, Janisk, Ni3ls, Normis, SergejsB, WcjZrv
User Manager/Getting started Source: http://wiki.mikrotik.com/index.php?oldid=15586 Contributors: Ctech4285, Fewi, Girts, HarvSki, Janisk, MwdNx0, Normis, Vitell, Xhimimavraj,
Xm0Vlj
User Manager/Hotspot Example Source: http://wiki.mikrotik.com/index.php?oldid=17669 Contributors: Girts, Nest, Normis, SergejsB, Vitell
User Manager/PPP Example Source: http://wiki.mikrotik.com/index.php?oldid=15590 Contributors: Bney, Cmit, Girts, SergejsB
User Manager/Public ID Source: http://wiki.mikrotik.com/index.php?oldid=5237 Contributors: Girts, Normis, NzvKqo, Vw3Bfw, Yo8Zyo
User Manager/Languages Source: http://wiki.mikrotik.com/index.php?oldid=20409 Contributors: Anjunior, Girts, Josemari, Medianet, Normis, SergejsB
User Manager/Customer page Source: http://wiki.mikrotik.com/index.php?oldid=12984 Contributors: Girts, Infoservi, Normis, WpyOj4, Xhimimavraj
User Manager/User page Source: http://wiki.mikrotik.com/index.php?oldid=20401 Contributors: Ahmed allam, Girts, Mala, MollyRodriguez, Prence iraq, SergejsB
User Manager/User payments Source: http://wiki.mikrotik.com/index.php?oldid=14296 Contributors: Girts, Nest, Normis, Sdischer, SergejsB, Stutteringp0et, WruAqo
Centralized Authentication for Hotspot user Source: http://wiki.mikrotik.com/index.php?oldid=10129 Contributors: Ashish, Normis
User Manager/QA/How to make MAC authentication Source: http://wiki.mikrotik.com/index.php?oldid=5229 Contributors: Girts, LvsJl6, Normis, RurA4z, SergejsB, ZmzGwx
User Manager/QA/How to turn off logging for specific Routers Source: http://wiki.mikrotik.com/index.php?oldid=3473 Contributors: Girts
User Manager/QA/How to create timed Voucher Source: http://wiki.mikrotik.com/index.php?oldid=15632 Contributors: Girts, Normis
Image Sources, Licenses and Contributors 74