MikroTik UserManager in a (W)ISP environment · Replace self developed Hotspot feature with MikroTik Hotspot UserManager usable from any hotspot also dial-in locations Additional

Introduction Practice Interaction Contact

MikroTik UserManager

in a (W)ISP environment

Sebastian Inacker · FMS InternetserviceMUM Krakow · 29.02.2008

Sebastian Inacker MikroTik UserManager 1/31


1 Introduction to UserManager

2 From theory into practice

3 Interaction of UserManager with other applications








Reasons for UserManager. . .

Wanted: Central usermanagement (accounting and authentication)

Setup a RADIUS server + user interface

Tested servers: FreeRADIUS, XTRadius, Steel-Belted RadiusIntegrate MikroTik RADIUS Dictionary

Setup MikroTik UserManager



What is UserManager?

Usable as a RADIUS server

Hotspot, ppp (pptp, pppoe), dhcp, wireless users, routerosusers

Central authentication and accounting

Service independed (login, accounting)

Web-Interface

Paypal / Authorize.Net integrationAccount creation by users possible

Can serve di�erent customers



Usermanager



What do I need?

Plattforms: x86, MIPS (big and little endian), PowerPC

Seperate or same MikroTik system for Usermanager andservice(s)

Package included in all_packages

Easy installation

Supported browsers1: Opera, Mozilla Firefox, MicrosoftInternet Explorer, Safari

Documentation:http://wiki.mikrotik.com/wiki/User_Manager

Online Demo (demo/demo):http://userman.mt.lv/userman

1Version information: See WikiSebastian Inacker MikroTik UserManager 7/31

http://wiki.mikrotik.com/wiki/User_Manager

http://userman.mt.lv/userman


Licences

Level 3: 10 active sessions



Level 6: Unlimited active sessions



How can it be used by (W)ISP?

Central accounting and authentication

Sell accounts on your website or by the UserManager page

Create individual user categories (tra�c, online time, . . . )

Rent UserManager service to other ISPs

. . .

Be able to. . .

inform users about used tra�c, uptime, . . .

tell them, how they can check themself

(also with locked account)

Allow users to change their password/contact information



What can be done?

Create user accounts with one or more of:

uptime limit (for example: 5h online time)

Limited tra�c amount: Upload, download, total used tra�c

speed limitations (with burst, priority and min. rate)

Validity for a �xed time after �rst login (credit time)

Credit: Limit accounts to a �xed timeframe for use.



In combination. . .

For example:

5h online time (uptime limit)

within 7 days from �rst login (credit time)

be restricted to 1GB tra�c

be able to buy another 7 days (di�erent price)








Real world example

Customer fr-wlan GmbH:

http://www.fr-wlan.de/

Wireless internet, started Feb/2001 (hotel service)

May/2003: Free of charge internet access

June/2005: vpn accounts

Useing our internet backbone and IP-address-space


http://www.fr-wlan.de/


Real world example

Volume accounts (2 GB tra�c/month)

Flatrate accounts (reduced bandwith after 15 GB tra�c2)

Prepaid accounts

valid for 30 days from �rst login500, 1000 and 2000 MB tra�c limit

Usable almost without scripting in version 3 (see footnote).

2this is planed by MikroTik as far as I know.Sebastian Inacker MikroTik UserManager 14/31


Before UserManager

FreeBSD based vpn-server

Accounting system demanded �xed IP addresses for users. . .

Account creation + accounting was complex

Tra�c information by mail

Fixed user passwords

Prepaid accounts on paper: A lot of work



How to create a new contract customer?

With UserManager: Simply add a new user account.

Volume accounts: 2 GB tra�c/month.

Flatrate accounts: unlimited/month(Script will reduced bandwith after 15 GB of tra�c)



How to create a new contract customer?



How to create new prepaid accounts?

Bulk account creation: Users, add batch. . .

Vouchers can be printed directly from UserManager

Automated username and password generation

Ability to set a pre�x for usernames

De�ne tra�c/bandwith limits (if needed)



Voucher templates for each customer



Customers future plans

Replace self developed Hotspot feature with MikroTik Hotspot

UserManager usable from any hotspot � also dial-in locations

Additional management of free of charge accounts

Free of charge access only from selected locations

Paid service (vpn or paid hotspot accounts) from everywere

Possible with MikroTik UserManager and some other MikroTikRouterOS features








Create users from your own website

Import of external created users

Collect necessary information

Create script �le with MikroTik CLI commands/tool user-manager user add subscriber=FMS

name=johndoe password=foobar [email protected]

first-name=John last-name=Doe

transfer-limit=1073741824

Transfer script3 and import

Why not UserManager user payments integration?

User identity veri�cation not depending on other companies

3by scp or /tool fetch � remember securitySebastian Inacker MikroTik UserManager 22/31


Export of UserManager accounting information

Situation:

Prepaid and monthly paid accounts

Need for a bill for contract customers (tra�c/online time)

Possible, to generate a csv �le on the web interface. But:

Export have to be done each month at midnight. . .

Export and counter reset contemporary

Don't reset prepaid accounts by accident



Export information (fragment)

:local contractusers;

:set contractusers [/tool user-manager user find \

credit-price=0 comment!="reset: $year/$mm"];

/tool user-manager user print from=$contractusers \

file=$filename append;

:foreach user in $contractusers do={

:local uname [/tool user-manager user get $user name];

:local down [/tool user-manager user get $uname download-used];

:local up [/tool user-manager user get $uname upload-used];

:log info ("counter-reset for: " . $uname . " (down: " . \

$down . " up: " . $up . ")");

/tool user-manager user reset-counters $user;

/tool user-manager user set $user comment="reset: $year/$mm"

}



Script execution

Script will be run:

Every �rst day of the month4

At system reboot5

No problem if run twice.

:local date;

:local day;

:set date [/system clock get date];

:set day [:pick $date 4 6];

:if ( [$day] = "01" ) do={

/system script run export-and-reset;

}

4run a script each day at midnight and check the date. . .5create schedule job with start-time=startup



automated communication

ssh-keygen -t dsa -f usermanager-key

scp usermanager-key.pub admin@<ip>:

ssh admin@<ip> "/user ssh-keys import \

file=usermanager-key.pub user=fms-comm"

ssh -i usermanager-key fms-comm@<ip>

scp -i usermanager-key fms-comm@<ip>:file.txt .

User logins should be secured:

Group policies: read, ssh (maybe write)

restricted ssh login



Integration into external billing systems

Export/save information at UserManager

Transfer information

Import data into your billing system backend

Billing by mail is enough?http://wiki.mikrotik.com/wiki/AutomatedBilling


http://wiki.mikrotik.com/wiki/AutomatedBilling


CAO Faktura

Free (german) billing system

MySQL backend

www.cao-faktura.de


www.cao-faktura.de


CAO Faktura and UserManager



Thank you

Thanks for listening

Questions?



Contact

Sebastian InackerFMS InternetserviceGermany

Mail: [email protected]: http://www.fmsweb.de/Onlineshop: http://www.mikrotik-shop.de/


http://www.fmsweb.de/

http://www.mikrotik-shop.de/

Documents

MikroTik UserManager in a (W)ISP environment · Replace self developed Hotspot feature with MikroTik Hotspot UserManager usable from any hotspot also dial-in locations Additional