How to Authenticate with Radius Server on Mikrotik Router

This setup uses a Mikrotik RB941-2nD running RouterOS 6.46.2, with the RADIUS server installed on Windows Server 2008.

In the first step, after installing the RADIUS server on Windows Server 2008, we will configure it so that the users in the technical section can access the devices. Now let’s click Add Roles under Roles in Server Manager on the Windows server.

Server_Manager

A setup wizard opens. Click Next in the first step.

Add_Roles_wizard

In the server roles step, after selecting Network Policy and Access Services, we click Next.

Add_Roles_wizard

We move on to the next window, the Introduction to Network Policy and Access Services section. We don’t need to make any settings here, so we click Next directly.

Add_Roles_wizard

In the next step, a window opens with more detailed information about the Network Policy Server. Here, in the Role Services step, make the necessary checks and then click Next.

Add_Roles_wizard

The installation window now appears.

Add_Roles_wizard

Since the installation has completed successfully, we can now close the window.

Add_Roles_wizard

From Windows Server, open Network Policy Server from the Start menu.

Server_Manager

Expand RADIUS Clients and Servers, right-click RADIUS Clients, and then select New RADIUS Client.

Network_Policy_Server

In the newly opened window, enter the device name you want, the IP address of the device we want to access, and its shared secret.

New Radius Client

In this window, open Policies, right-click Network Policies, and then click New.

Network_Policy_Server

First, give the policy a name and click the Next button.

New_Network_Policy

In the Specify Conditions window, click Add, select the Windows Groups option, and then add the group whose users can access the devices.

Specify_Conditions

According to this rule, only users in the Tech group can access our devices.

In the next step, we check the Access permission option and click Next.

New_Network_Policy

In the Authentication Methods step, we leave the EAP Types list blank and click Next.

New_Network_Policy

In the next two steps, Configure Restrictions and Settings, we leave everything at the defaults. Click Next through them and click Finish in the summary step.

We will continue with the remaining settings on the Mikrotik router. Go to System > Users and click the AAA button.

User_List

Check the Use RADIUS option and set the Default Group to full.

Login_Authentication_Accounting

In the next step, we click RADIUS in the Winbox menu and click the plus sign to add a new RADIUS server.

Mikrotik_Radius

Check the login option in the new window, enter the RADIUS server address, and enter the same secret that was set for the RADIUS client on the server. We leave everything else at default.

New Radius Server

After that, you can log into your devices using your user credentials.

It is important to keep login credentials you know as a backup option for when RADIUS is off.

Unlike Cisco, Mikrotik doesn’t have this option, but a workaround is possible.

RouterOS has no option to disable the administrator user if it is the only user with full permissions, so we will create an additional user with full permissions and set a strong password on the system default user.

Next, we will create a script and set it to run every 10 seconds, for example. The script pings the RADIUS server and, if the ping is successful, the additional username will be enabled if it is disabled.

First, create the additional user.

User_List

We set a strong password on the system default user “admin”. Next comes the second part, the script.

Mikrotik Script

Then we create a schedule that runs it every 10 seconds.

Mikrotik Schedule
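The fallback script and schedule described above, written out as an added example (not the script from the original article). It assumes the backup account is meant for when RADIUS is off, so it enables the account when the ping fails and disables it again when the ping succeeds; the address 192.0.2.10, the user name backup-admin and the script name radius-fallback are placeholders.

```routeros
# Added example: body of a script saved under System > Scripts as
# "radius-fallback" (name is an assumption).
# Constructed placeholder values: set your RADIUS server IP and backup user.
:local radiusServer 192.0.2.10
:local backupUser "backup-admin"

# /ping returns the number of replies received. A reply only shows that the
# host is up, not that the RADIUS service itself is answering.
:local replies [/ping $radiusServer count=3]
:local id [/user find name=$backupUser]

:if ([:len $id] = 0) do={
    :log error "radius-fallback: user $backupUser not found"
} else={
    :local isDisabled [/user get $id disabled]
    :if ($replies = 0) do={
        # RADIUS host unreachable: make sure the local backup login works.
        :if ($isDisabled) do={
            /user enable $id
            :log warning "radius-fallback: RADIUS unreachable, enabled $backupUser"
        }
    } else={
        # RADIUS host reachable: keep the local backup login closed.
        :if (!$isDisabled) do={
            /user disable $id
            :log info "radius-fallback: RADIUS reachable, disabled $backupUser"
        }
    }
}

# Schedule it (run once from the terminal):
# /system scheduler add name=radius-fallback interval=10s on-event=radius-fallback
```

Because the backup account opens whenever the ping fails, give it a strong password just like the default admin user, and watch the log for the warning entry.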

That is all.

I hope it has been a useful article.