UserManager PlayBook (Nordic MUM 2016) by Lorenzo Busatti
UserManager: a free radius server for Wireless,
Hotspot, PPP, users and DHCP. (UserManager PlayBook)
by Lorenzo Busatti
1 MUM Copenhagen 2016 © Lorenzo Busatti, http://routing.wireless.academy
About me
Lorenzo Busatti
• Founder of Grifonline S.r.l. [ISP] (1997)
• Founder of Linkwave [WISP] (2006)
• MikroTik Trainer [NA,RE,WE,TCE,INE,UME] (2010)
• Member of RIPE, AMS-IX, MIX-IT
• Worldwide Trainer and Consultant, previous experiences in:
• Italy, USA, United Arab Emirates, Brazil, Slovenia, Poland, Croatia, Czech Republic, etc.
I'm a MikroTik enthusiast
I'm a MikroTik evangelist
About me
• Founder (2016) of the Non Profit Organization for High Quality Training Partners
Dedicated to Max
The UserManager
• Additional “package” for RouterOS;
• A powerful RADIUS server that can be used for managing authentication in:
  • Hotspot
  • PPP
  • RouterOS Users
  • Wireless
  • DHCP server
And it's free.
Why this presentation?
During trainings, students often ask about RADIUS servers.
The UserManager is not well known.
Are there reasons not to use a RADIUS server that is included in RouterOS for free?
It is also not well known which RouterOS services can ask a RADIUS server for authentication:
• Most used: Hotspot, PPP
• Not well known: RouterOS Users, Wireless (and in the CAPsMAN), DHCP server
And now the question:
How many are using the UserManager?
My style
1. I don’t have “hours” in the time slot
2. I don’t like “boring” presentations
So:
• I’ll not show you ALL the things about the UserManager (it would not be possible);
• You can use the wiki.mikrotik.com
• You can take the MTCUME training class
RADIUS server
The UserManager is a RADIUS server. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA or Triple A), using UDP packets.
It allows you to manage centralized authentication.
RADIUS client
• RouterOS has a RADIUS client, included in the system;
• It doesn’t require optional packages or special licenses;
• It can request authentication from ANY standard RADIUS server.
• It’s free
The rule of thumb is:
• RouterOS will use the LOCAL users database FIRST;
• THEN it will ask a RADIUS server (if set)
Where is the UserManager?
You have to manually install this optional package:
Requirements
You can install the UserManager on any RouterBoard with at least 32MB RAM and 2MB free space. It will also work on x86 or CHR.
Comparing the mAP
Real sizes:
Unique features
Licensing
The UserManager is free, but has different limitations depending on your RouterOS license level.
Max active sessions:
• L3 (CPE): 10
• L4 (WISP): 20
• L5 (WISP): 50
• L6 (Controller): Unlimited
The web interface
The CLI interface
/tool user-manager>
customer database history
log payment profile router
session user export
The User Guide
http://wiki.mikrotik.com/wiki/Manual:User_Manager
Tips
Don’t forget:
• To change the UserManager default password
• That all the users/customers of the UserManager are not shared with RouterOS
• To add routers to be managed
• To create PROFILES (and limitations) BEFORE adding Users
Don’t mix up Users and Customers:
• Users: the users the Userman will authenticate
• Customers: the Userman administrators
PPP Services
When the RADIUS client is enabled for PPP, it is used by ALL the PPP services: PPPoE, PPTP, L2TP, OVPN, SSTP.
You can easily manage VPN authentication via one RADIUS server.
Centralized Management of VPN Servers.
Tips
RADIUS attributes (sent in the reply to the client) will override the settings in the RouterOS Profiles.
PPP Profile’s limitations
Group name:
• “/user group” for RouterOS users
• “/user profile” for HotSpot users
HotSpot Services
With RADIUS you can easily manage tons of hotspots with just one user DB. Centralized Management of HotSpot Servers.
RouterOS Users
One of my favourite RADIUS client apps. A question for you: do you think it is possible to disconnect a RouterOS user from Winbox or the CLI?
No! Once connected you can’t disconnect them.
RADIUS client - incoming
DHCP Server
It is possible to use RADIUS for managing the DHCP leases handed out by DHCP servers. Centralized Management of DNS Servers.
Wireless Clients
It is possible to use RADIUS for managing Wireless Clients connecting to an AP. It will work “against” the Access List. Centralized Management of Wireless Clients (and it will be possible to disconnect them via RADIUS).
CAPsMAN Wireless Clients
It is possible to use RADIUS for managing Wireless Clients connecting to an AP managed by a CAPsMAN (and it will be possible to disconnect them via RADIUS).
In this case the RADIUS server will be queried by a CAPs Access List rule:
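The RADIUS client and UserManager settings covered in the preceding slides, collected as an added example in RouterOS v6 CLI syntax (not taken from the original slides). All addresses, object names and secrets are placeholders chosen for illustration.

```routeros
# Added example: 192.0.2.x addresses, names (nas1, hsprof1, dhcp1) and
# secrets are assumed placeholders, not values from the presentation.

# --- On the router running the UserManager package ---
# Change the default password of the "admin" customer (UserManager administrator).
/tool user-manager customer set [find login=admin] password="CHANGE-ME-customer-password"
# Add each router to be managed; use a separate shared secret per router.
/tool user-manager router add name=nas1 customer=admin ip-address=192.0.2.1 \
    shared-secret="CHANGE-ME-long-random-secret"

# --- On each RouterOS device acting as RADIUS client ---
# One server entry can serve several services.
/radius add address=192.0.2.10 secret="CHANGE-ME-long-random-secret" \
    service=ppp,hotspot,login,dhcp,wireless

# Each service has to opt in to RADIUS separately.
# PPP: applies to all PPP services (PPPoE, PPTP, L2TP, OVPN, SSTP).
/ppp aaa set use-radius=yes
# RouterOS users: keep the default group at the least privileged one.
/user aaa set use-radius=yes default-group=read
# HotSpot: enabled per server profile.
/ip hotspot profile set [find name=hsprof1] use-radius=yes
# DHCP server: leases are checked against RADIUS.
/ip dhcp-server set [find name=dhcp1] use-radius=yes
# Wireless clients: MAC authentication through the security profile.
/interface wireless security-profiles set [find name=default] radius-mac-authentication=yes
# CAPsMAN: an access list rule hands the decision to RADIUS.
/caps-man access-list add action=query-radius

# Accept incoming requests from the RADIUS server so that it can
# disconnect sessions.
/radius incoming set accept=yes
```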
The power of RouterOS
• ALL the functions and its POWER in small devices too!
• APs, firewall, traffic shaper, hotspot, OSPF, … and also MPLS, BGP and the UserManager!
• Awesome!
Wrap up
I hope you enjoyed my presentation,
and that from today you’ll start to use the UserManager more than before.
Thank you!
Q & A
http://training.grifonline.it