PPP User Aaa: General Information
PPP User Aaa: General Information
PPP User Aaa: General Information
php
Home > Documentation > V2.9 > PPP User AAA PDF version
General Information
Summary
This documents provides summary, configuration reference and examples on PPP user management. This
includes asynchronous PPP, PPTP, PPPoE and ISDN users.
Specifications
Related Documents
Description
The MikroTik RouterOS provides scalable Authentication, Athorization and Accounting (AAA) functionality.
Local authentication is performed using the User Database and the Profile Database. The actual configuration for
the given user is composed using respective user record from the User Database, associated item from the
Profile Database and the item in the Profile database which is set as default for a given service the user is
authenticating to. Default profile settings from the Profile database have lowest priority while the user access
record settings from the User Database have highest priority with the only exception being particular IP
addresses take precedence over IP pools in the local-address and remote-address settings, which described
later on.
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access
and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which
can authenticate for PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from RADIUS server
override the ones set in the default profile, but if some parameters are not received they are taken from the
respective default profile.
Description
PPP profiles are used to define default values for user access records stored under /ppp secret submenu.
Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP
addresses always take precedence over IP pools when specified as local-address or remote-address
parameters.
Property Description
1 of 5 13/01/2011 23:19
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_ppp_content.php
idle-timeout (time) - specifies the amount of time after which the link will be terminated if there was no
activity present. There is no timeout set by default
0s - no link timeout is set
incoming-filter (name) - firewall chain name for incoming packets. Specified chain gets control for each packet
coming from the client. The ppp chain should be manually added and rules with action=jump
jump-target=ppp should be added to other relevant chains in order for this feature to work. For more
information look at the Examples section
local-address (IP address | name) - IP address or IP address pool name for PPP server
only-one (yes | no | default; default: default) - defines whether a user is allowed to have more then one
connection at a time
yes - a user is not allowed to have more than one connection at a time
no - the user is allowed to have more than one connection at a time
default - derive this value from the interface default profile; same as no if this is the interface default profile
outgoing-filter (name) - firewall chain name for outgoing packets. Specified chain gets control for each packet
going to the client. The ppp chain should be manually added and rules with action=jump jump-target=ppp
should be added to other relevant chains in order for this feature to work. For more information look at the
Examples section
remote-address (IP address | name) - IP address or IP address pool name for PPP clients
session-timeout (time) - maximum time the connection can stay up. By default no time limit is set
0s - no connection timeout
use-compression (yes | no | default; default: default) - specifies whether to use data compression or not
yes - enable data compression
no - disable data compression
default - derive this value from the interface default profile; same as no if this is the interface default profile
use-encryption (yes | no | default; default: default) - specifies whether to use data encryption or not
yes - enable data encryption
no - disable data encryption
default - derive this value from the interface default profile; same as no if this is the interface default profile
use-vj-compression (yes | no | default; default: default) - specifies whether to use Van Jacobson header
compression algorithm
yes - enable Van Jacobson header compression
no - disable Van Jacobson header compression
default - derive this value from the interface default profile; same as no if this is the interface default profile
wins-server (IP address{1,2}) - IP address of the WINS server to supply to Windows clients
Notes
2 of 5 13/01/2011 23:19
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_ppp_content.php
Use Van Jacobson compression only if you have to because it may slow down the communications on bad or
congested channels.
incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target
argument will be equal to incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp
should be manually added before changing these arguments.
If there are more that 10 simultaneous PPP connections planned, it is recommended to turn the change-mss
property off, and use one general MSS changing rule in mangle table instead, to reduce CPU utilization.
Example
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the ex pool to
the clients, filtering traffic coming from clients through mypppclients chain:
Description
PPP User Database stores PPP user access records with PPP user profile assigned to each user.
Property Description
caller-id (text; default: "") - for PPTP and L2TP it is the IP address a client must connect from. For PPPoE it
is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it is the caller's number
(that may or may not be provided by the operator) the client may dial-in from
"" - no restrictions on where clients may connect from
limit-bytes-in (integer; default: 0) - maximal amount a client can upload, in bytes, for a session
limit-bytes-out (integer; default: 0) - maximal amount a client can download, in bytes, for a session
local-address (IP address | name) - IP address or IP address pool name for PPP server
profile (name; default: default) - profile name to use together with this access record for user authentication
remote-address (IP address | name) - IP address or IP address pool name for PPP clients
routes (text) - routes that appear on the server when the client is connected. The route format is: dst-address
gateway metric (for example, 10.1.0.0/ 24 10.0.0.1 1). Several routes may be specified separated with
commas
service (any | async | isdn | l2tp | pppoe | pptp; default: any) - specifies the services available to a particular
user
Example
To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the following
command:
3 of 5 13/01/2011 23:19
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_ppp_content.php
Property Description
address (read-only: IP address) - IP address the client got from the server
bytes (read-only: integer/integer) - amount of bytes transfered through tis connection. First figure represents
amount of transmitted traffic from the router's point of view, while the second one shows amount of received
traffic
caller-id (read-only: text) - for PPTP and L2TP it is the IP address the client connected from. For PPPoE it is
the MAC address the client connected from. For ISDN it is the caller's number the client dialed-in from
"" - no restrictions on where clients may connect from
encoding (read-only: text) - shows encryption and encoding (separated with '/' if asymmetric) being used in
this connection
limit-bytes-in (read-only: integer) - maximal amount of bytes the user is allowed to send to the router
limit-bytes-out (read-only: integer) - maximal amount of bytes the router is allowed to send to the client
packets (read-only: integer/integer) - amount of packets transfered through tis connection. First figure
represents amount of transmitted traffic from the router's point of view, while the second one shows amount of
received traffic
service (read-only: async | isdn | l2tp | pppoe | pptp) - the type of service the user is using
Example
Property Description
use-radius (yes | no; default: no) - enable user authentication via RADIUS
Notes
RADIUS user database is consulted only if the required username is not found in local user database.
4 of 5 13/01/2011 23:19
http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_ppp_content.php
Example
© Copyright 1999-2006, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are
trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are
properties of their respective owners.
5 of 5 13/01/2011 23:19