MikroTik setup guide
RouterOS 7.x
Applies to: RouterOS 7.x. MikroTik is heavily used in EMEA SME and WISP markets. RouterOS handles RADIUS, hotspot, and CAPsMAN (the controller for wireless APs) in one config tree. Examples use the RouterOS 7.x CLI.
Wired — RADIUS server, 802.1X and MAB
MikroTik switches (CRS/CSS lines) support 802.1X via dot1x server config. RouterOS does not implement MAB natively in the same way Cisco does; the equivalent is dot1x-server with reject-vlan-id fallback, or DHCP-snooping-based VLAN assignment.
/radius
add address=10.10.10.10 secret=ARBITER_PSK service=dot1x timeout=2s
add address=10.10.10.11 secret=ARBITER_PSK service=dot1x timeout=2s
# RouterOS 7 configures the 802.1X authenticator per port under
# /interface dot1x server, not under the switch menu.
/interface dot1x server
add interface=ether1 auth-types=dot1x,mac-auth
Wireless — 802.1X SSID
RouterOS wireless (or CAPsMAN-managed CAPs) using WPA2-EAP.
/radius
add address=10.10.10.10 secret=ARBITER_PSK service=wireless timeout=2s
add address=10.10.10.11 secret=ARBITER_PSK service=wireless timeout=2s
/interface wireless security-profiles
add name=corp-1x mode=dynamic-keys authentication-types=wpa2-eap \
eap-methods=passthrough radius-mac-authentication=no
/interface wireless
set wlan1 ssid=Corp security-profile=corp-1x
Guest SSID — open with captive portal redirect
MikroTik Hotspot is the native captive portal. It can either render its own login page or redirect to an external URL; use external for Arbiter.
/ip hotspot profile
add name=arbiter-guest html-directory=hotspot \
http-cookie-lifetime=1d login-by=mac use-radius=yes \
radius-default-domain=guest \
radius-mac-format=XX-XX-XX-XX-XX-XX
/ip hotspot
add name=guest interface=bridge-guest profile=arbiter-guest \
addresses-per-mac=2
/ip hotspot walled-garden
add dst-host=acme-7f3-guest.arbiter.ie action=allow
/ip hotspot walled-garden ip
add dst-host=acme-7f3-guest.arbiter.ie action=accept
DHCP relay to Edge
MikroTik can run a DHCP relay alongside its real DHCP server.
/ip dhcp-relay
add name=relay-vlan10 interface=vlan10 \
dhcp-server=10.0.0.5,10.10.10.10,10.10.10.11 \
local-address=10.0.10.1
AAA dead-server detection
Optional but recommended where supported. RouterOS RADIUS does not expose a formal dead-criteria / deadtime pair: failover is reactive and a per-request timeout is the only knob. Keep it short so the supplicant fails over to the second Edge inside its own retry window rather than stalling on Edge #1.
/radius
set [find service=dot1x] timeout=3s
set [find service=wireless] timeout=3s
# Note: the Portnox-style 30s/4-tries/3-min cadence does not map
# cleanly to RouterOS. Multiple short attempts let the supplicant
# reach Edge #2 within a normal retry window when Edge #1 is down.
CoA listener
Enabled under the 'incoming' submenu of the RADIUS service (/radius incoming).
/radius incoming
set accept=yes port=3799
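One way to limit who can reach the CoA listener, as an added example that is not part of the original guide. It assumes CoA is sent only by the two RADIUS servers configured above (10.10.10.10 and 10.10.10.11); the address-list name arbiter-edge, the log prefix and the rule comments are made up for illustration.

```routeros
# Added example, not from the original guide.
# Assumption: CoA/Disconnect messages originate only from the two RADIUS
# servers configured earlier. The list name "arbiter-edge" is hypothetical.
/ip firewall address-list
add list=arbiter-edge address=10.10.10.10 comment="RADIUS/CoA source 1"
add list=arbiter-edge address=10.10.10.11 comment="RADIUS/CoA source 2"

/ip firewall filter
# Accept CoA (UDP 3799) only from the listed servers...
add chain=input protocol=udp dst-port=3799 src-address-list=arbiter-edge \
    action=accept comment="CoA from arbiter-edge"
# ...and drop (and log) it from every other source.
add chain=input protocol=udp dst-port=3799 action=drop log=yes \
    log-prefix="coa-drop" comment="CoA from anyone else"

# "add" appends to the end of the chain. If the input chain already ends in a
# catch-all drop, move both rules above it (or add them with place-before=).
/ip firewall filter print where chain=input
/radius incoming print
```

Log entries carrying the coa-drop prefix show which other hosts are sending traffic to UDP 3799.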