
Mikrotik - Automatically create unknown user-manager entries

The goal: I wish to use MikroTik's User Manager as the RADIUS server that allocates VLANs for my UniFi network deployment.

The problem: if a MAC address is not pre-entered into User Manager, the client is rejected and cannot connect.

My solution: a MikroTik script that automatically creates the User Manager record at the time the client connects, with a default VLAN and configuration.

Details

Here is the full configuration, in a mostly copy/pasteable form. You will need to modify it for your needs.

Your access points need to be added, each with a shared secret, so they are allowed to talk to the RADIUS server.

You will also need to add a user group for each of your VLANs.

## Default Group - Set VLAN here.
# Tunnel-Private-Group-ID = The default vlan which will be assigned.
/user-manager user group add attributes=Tunnel-Medium-Type:6,Tunnel-Type:13,Tunnel-Private-Group-ID:10 name=V_IOT_Unknown outer-auths=pap

# Example, for another vlan
/user-manager user group add attributes=Tunnel-Medium-Type:6,Tunnel-Type:13,Tunnel-Private-Group-ID:6 name=V_IOT_Generic outer-auths=pap

# You will need to add your access points.
/user-manager router add address=10.1.2.2 name=livingroom-ap shared-secret=YOUR-SHARED-SECRET
/user-manager router add address=10.1.2.3 name=bedroom-ap shared-secret=YOUR-SHARED-SECRET
/user-manager router add address=10.1.2.4 name=gameroom-ap shared-secret=YOUR-SHARED-SECRET


/system script add dont-require-permissions=no name=add-unknown-radius-user owner=admin  policy=ftp,read,write,policy,test source="# \$message = the triggering log  line, passed in by the script-target log action.\
    \n:local debug true\
    \n:local msg [:tostr \$message]\
    \n:if (\$debug) do={ :log info (\"um-dbg: msg=[\" . \$msg . \"]\") }\
    \n:if ([:typeof [:find \$msg \"exist\"]] = \"num\") do={\
    \n    :local mac [:pick \$msg ([:len \$msg] - 17) [:len \$msg]]\
    \n    :if (\$debug) do={ :log info (\"um-dbg: mac=[\" . \$mac . \"] len=\"  . [:len \$mac]) }\
    \n    :if ([:len [/user-manager user find where name=\$mac]] = 0) do={\
    \n        :do {\
    \n            /user-manager user add name=\$mac password=\$mac group=V_IOT_Unknown \\\
    \n                comment=(\"Unknown Device: \" . \$mac)\
    \n            :log info (\"Auto-added unknown client: \" . \$mac)\
    \n        } on-error={\
    \n            :log warning (\"um-dbg: ADD FAILED [\" . \$mac . \"] - is group V_IOT_Unknown present\?\")\
    \n        }\
    \n    } else={\
    \n        :if (\$debug) do={ :log info (\"um-dbg: already present \" . \$mac) }\
    \n    }\
    \n}\
    \n"
/system logging action add comment="Auto-create missing radius users" name=addRadiusUser script=add-unknown-radius-user target=script
/system logging add action=addRadiusUser prefix="rejected for user" regex="rejected for user: \"\" username doesn't exist:.*" topics=manager,debug
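The script above creates a User Manager entry for whatever username was rejected. As an added example (my own code, not the post's script), here is the same auto-add logic with one extra check: the rejected username must actually look like a MAC address before an account is created, so a typed 802.1X username that happens to be unknown, or a log line in an unexpected format, is logged and skipped instead of becoming a RADIUS user. The script name add-unknown-radius-user-checked and the log prefix um-chk are my choices; the group name V_IOT_Unknown, the $message variable and the logging action name addRadiusUser come from the post.

```routeros
# Added example, not the post's original script: the same auto-add logic as
# add-unknown-radius-user, but the rejected username must look like a MAC
# address before a User Manager entry is created. Save this as the body of a
# /system script (the name add-unknown-radius-user-checked is my choice) and
# point the post's logging action at it:
#   /system logging action set addRadiusUser script=add-unknown-radius-user-checked
# $message is the triggering log line, supplied by the script-target log action.

:local debug true
:local defaultGroup "V_IOT_Unknown"
:local msg [:tostr $message]

# Only act on the "username doesn't exist" rejection the logging rule selects,
# and only if the line is long enough to end in a 17-character MAC.
:if ([:len $msg] < 17 || [:typeof [:find $msg "doesn't exist"]] != "num") do={
    :log warning ("um-chk: unexpected log line, not auto-adding: [" . $msg . "]")
} else={
    # UniFi MAC authentication sends the client MAC as the RADIUS username,
    # so the rejected username is the last 17 characters of the line.
    :local mac [:pick $msg ([:len $msg] - 17) [:len $msg]]

    # Accept only aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff. A typed 802.1X
    # username that happens to be unknown fails this check and is skipped
    # instead of silently becoming a RADIUS account. ~ is a POSIX regex match.
    :if ($mac ~ "^([0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}\$") do={
        :if ([:len [/user-manager user find where name=$mac]] = 0) do={
            :do {
                /user-manager user add name=$mac password=$mac group=$defaultGroup \
                    comment=("Unknown Device: " . $mac)
                :log info ("um-chk: auto-added unknown client " . $mac . " into group " . $defaultGroup)
            } on-error={
                :log warning ("um-chk: ADD FAILED for [" . $mac . "] - check that group " . $defaultGroup . " exists")
            }
        } else={
            :if ($debug) do={ :log info ("um-chk: " . $mac . " already present, nothing to do") }
        }
    } else={
        :log warning ("um-chk: rejected username [" . $mac . "] is not a MAC address, not auto-adding")
    }
}
```

Every unknown MAC is still admitted into V_IOT_Unknown, so the VLAN behind that group should carry only the access an unidentified device is meant to have; the check only stops non-MAC usernames from being turned into accounts. A burst of um-chk warnings in the log points at a change in the rejection message format or at requests that are not MAC authentication.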

How does it work?

The user connects to the wifi.

UniFi sends a RADIUS access request to your RADIUS server (MikroTik's User Manager, in this case).

User Manager rejects the request, and the rejection is logged.

The logging action fires on the rejection log line and runs the script, which adds the unknown client.

UniFi retries the request (on a different device?). By this time the unknown client has already been added and is associated with the default VLAN.

The user is now connected to the wifi, on the default VLAN.

Unifi Configuration

In UniFi, under Networks, there is a section for RADIUS servers.

[Image: UniFi RADIUS servers section]

Create a new one. I named mine "Mikrotik: Radius".

You will need to set a shared secret; it must match the one given to the access points in User Manager.

[Image: UniFi RADIUS server configuration with shared secret]

When configuring a WiFi network, specify the RADIUS server.

[Image: Selecting the RADIUS server on a UniFi WiFi network]

Does it work?

Yes. Works perfectly fine. When I have a new IoT client, I enter the default IoT password and it will connect and land in the "Unknown" / "Unassigned" VLAN ID, where I can then go into User Manager and reassign it to the new, intended VLAN.