FreeRADIUS + MikroTik Operations Guide | ITI Internal

FreeRADIUS + MikroTik Admin Login Operations Guide

Centralized administrator authentication for ITI's MikroTik infrastructure. Individual user accounts, centralized management, instant revocation.

On This Page

01 Purpose and Overview 02 Architecture Overview 03 Key Terms 04 Server Information 05 Accessing the Server 06 File Locations 07 Managing User Accounts 08 Employee Offboarding 09 Adding MikroTik Hardware 10 Client Configuration 11 Testing and Verification 12 Troubleshooting 13 Security Best Practices 14 Emergency Access 15 Change Log 16 Future Roadmap

This system centralizes MikroTik router administrator authentication through a FreeRADIUS server. Instead of every router having its own shared admin password that multiple employees know, each person gets their own unique login that works across all enrolled routers.

What This Solves

Individual accountability. Every login is tied to a specific person. No more shared "admin" credentials.
Instant revocation. When someone leaves ITI, their access to every router is disabled from one place in under a minute.
Faster onboarding. New hires get one RADIUS account and immediately have access to all enrolled routers.
Reduced password sprawl. No need to change the local admin password on dozens of routers every time someone departs.
Future-ready. This architecture supports integration with Microsoft Entra (Azure AD) and Active Directory down the road.

System Components

FreeRADIUS Server runs on a DigitalOcean Droplet (Ubuntu Linux). This is the central authentication engine.
MikroTik Routers at customer sites are configured to check with the RADIUS server whenever someone logs in.
Admin Users are defined in a text file on the RADIUS server with individual usernames and passwords.
SSH Access is how authorized admins manage the server itself (add/remove users, troubleshoot, etc.).

Authentication Flow

Admin User
enters credentials

→

MikroTik Router
forwards to RADIUS

→

FreeRADIUS Server
checks credentials

→

Accept / Reject
grants or denies access

The router never stores the user's password. It simply asks the RADIUS server "is this person allowed?" and acts on the answer.

Term	What It Means
RADIUS	A protocol for centralizing login authentication. The router asks a central server whether to let someone in.
FreeRADIUS	The specific open-source RADIUS server software we run. It is the most widely deployed RADIUS server in the world.
DigitalOcean Droplet	A virtual server (cloud VM) hosted by DigitalOcean. Think of it as a Linux computer running in a data center.
Ubuntu	The Linux operating system running on our Droplet. It is the OS that FreeRADIUS is installed on.
SSH	Secure Shell. The encrypted connection method used to remotely manage the Linux server from a terminal.
NAS / RADIUS Client	In RADIUS terminology, the "Network Access Server" is the device asking RADIUS for permission. In our case, each MikroTik router is a NAS.
Shared Secret	A password shared between the MikroTik router and the RADIUS server so they can trust each other. This is not a user password.
AAA	Authentication, Authorization, and Accounting. The three functions RADIUS provides: verifying who you are, what you can do, and logging what you did.
MikroTik RouterOS	The operating system on MikroTik routers. Winbox and the terminal are interfaces for managing RouterOS.
Entra / Active Directory	Microsoft's identity platforms. A future integration could let employees log in to routers using their Microsoft 365 credentials.

The FreeRADIUS server runs on a DigitalOcean Droplet, a cloud-hosted virtual machine. This keeps the authentication infrastructure off-premises and accessible from any ITI-managed site.

Detail	Value
Server IP	`<RADIUS_SERVER_IP>`
Hostname	`<HOSTNAME>`
Provider	DigitalOcean
OS	Ubuntu Linux
Software	FreeRADIUS 3.x
Account Owner	`<ACCOUNT_OWNER>`
Backups	`<ENABLED / PENDING>`

DigitalOcean backups should be enabled for this Droplet. If the server is lost without a backup, all RADIUS user accounts and client configurations must be rebuilt from scratch.

Only authorized administrators should access this server. Access is via SSH using key-based authentication.

Procedure

Open PowerShell (Windows) or Terminal (Mac/Linux).
Connect to the server:

SSH Command

ssh root@<RADIUS_SERVER_IP>

Confirm you see a Linux command prompt (e.g., root@radius:~#).
You are now on the RADIUS server and can manage users and configuration.

SSH private keys must never be shared, emailed, or stored in unsecured locations. If a key is compromised, it must be revoked immediately and a new key pair generated.

File/Path	Purpose
`/etc/freeradius/3.0/users`	User account definitions. This is where you add, modify, or remove employee login credentials.
`/etc/freeradius/3.0/clients.conf`	RADIUS client definitions. This is where MikroTik routers are registered so the server trusts them.
`/etc/freeradius/3.0/sites-enabled/default`	Main site configuration. Controls how authentication requests are processed. Rarely needs editing.
`/var/log/freeradius/`	Log files. Authentication attempts (successes and failures) are recorded here for troubleshooting and auditing.

Day-to-day operations only require editing two files: users (for employee accounts) and clients.conf (for adding new routers).

All user accounts are managed in the users file on the RADIUS server.

Adding a New Employee

SSH into the RADIUS server.
Open the users file:

Edit Users File

sudo nano /etc/freeradius/3.0/users

Add the new user entry at the top of the file:

User Entry Format

<USERNAME>   Cleartext-Password := "<STRONG_PASSWORD>"
             Auth-Type := PAP

Save the file (Ctrl+O, then Ctrl+X in nano).
Restart FreeRADIUS to apply the change:

Restart Service

sudo systemctl restart freeradius

Test the new credentials from a MikroTik router or using radtest.
Record the change in the change log.

Resetting a Password

Edit the users file, find the employee's entry, change the password value, save, and restart FreeRADIUS. Communicate the new password securely (never via email or text).

Disabling an Employee (Temporary)

Comment out their entry by adding a # at the beginning of each line of their user block. Restart FreeRADIUS. This preserves the entry for easy re-enablement.

Removing an Employee (Permanent)

Delete their entry from the users file entirely. Restart FreeRADIUS. Confirm login no longer works. Record the removal in the change log.

Rules for user accounts:
• Never create shared accounts (e.g., "technician" or "admin").
• Never reuse passwords between employees.
• Never leave former employees active. Disable on their last day.
• Always document every change in the change log.

When an employee leaves ITI, their RADIUS account must be disabled immediately. This is one of the primary benefits of centralized authentication: one change revokes access everywhere.

Offboarding Checklist

SSH into the RADIUS server.
Open the users file and locate the employee's entry.
Comment out or delete their user block.
Save the file and restart FreeRADIUS: sudo systemctl restart freeradius
Attempt to log in as the former employee from any enrolled router to confirm the login is rejected.
Record the change in the change log with the date, your name, and the reason.
Review whether the employee had any local MikroTik accounts on individual routers (break-glass accounts). If so, change those passwords.

Offboarding must happen on the employee's last day, not after. A gap in access revocation is a security exposure.

Each MikroTik router must be configured to use RADIUS for administrator logins. Paste these commands into the router's Winbox terminal.

MikroTik RADIUS Setup

/radius add address=<RADIUS_SERVER_IP> secret=<RADIUS_SECRET> service=login
/user aaa set use-radius=yes
/radius set 0 src-address=0.0.0.0
/radius set 0 require-message-auth=no

What Each Command Does

Command	Purpose
`/radius add ...`	Registers the RADIUS server address, shared secret, and tells the router to use it for login authentication.
`/user aaa set use-radius=yes`	Enables RADIUS-based authentication for user logins on this router.
`/radius set 0 src-address=0.0.0.0`	Allows the router to send RADIUS requests from any interface (useful when the WAN IP changes).
`/radius set 0 require-message-auth=no`	Disables message authenticator requirement for compatibility with FreeRADIUS PAP authentication.

Always keep a local "break-glass" admin account on each router in case the RADIUS server is unreachable. This account should have a strong, unique password stored in the company password vault.

FreeRADIUS will only accept authentication requests from routers it trusts. Trust is established in the clients.conf file. There are two approaches:

Option A: Individual Client Entries (More Secure)

Each router is registered by its public IP address. This is the most secure approach because the RADIUS server only accepts requests from known IPs.

Individual Client

client mikrotik-example {
    ipaddr = <ROUTER_PUBLIC_IP>
    secret = <RADIUS_SECRET>
}

Option B: Global Client Entry (More Convenient)

Accepts requests from any IP address. This is easier to manage when deploying many routers, but requires extra vigilance on user account security and logging.

Global Client

client mikrotik-global {
    ipaddr = 0.0.0.0/0
    secret = <RADIUS_SECRET>
}

Using a global client (0.0.0.0/0) means anyone who knows the shared secret can attempt authentication. If you use this approach, use a very strong shared secret and review logs regularly.

After editing clients.conf, restart FreeRADIUS: sudo systemctl restart freeradius

Ping the RADIUS Server from MikroTik

MikroTik Terminal

/ping <RADIUS_SERVER_IP> count=4

Test a Login

Open a new Winbox session to the router and log in with a RADIUS user account. If it works, the user is authenticated via RADIUS.

Check FreeRADIUS Service Status

Linux Terminal

sudo systemctl status freeradius

Run Debug Mode

If something isn't working, stop the service and run FreeRADIUS in debug mode to see authentication attempts in real time:

Debug Mode

sudo systemctl stop freeradius
sudo freeradius -X

Debug mode shows every incoming request, the lookup result, and the accept/reject decision. Press Ctrl+C to stop, then restart the service normally.

Symptom	Likely Cause	Next Steps
Login fails, nothing in FreeRADIUS logs	Router is not sending requests to the RADIUS server. RADIUS may not be configured on the router, or the server IP is wrong.	Verify `/radius print` and `/user aaa print` on the router. Confirm the server IP is correct.
"Unknown client" in debug output	The router's IP is not registered in `clients.conf`.	Add the router's public IP to `clients.conf` and restart FreeRADIUS.
"No Auth-Type found" in debug	The user entry is missing `Auth-Type := PAP` or the line is malformatted.	Check the `users` file for correct formatting. The second line must be indented with spaces or a tab.
MikroTik cannot ping RADIUS server	Firewall on the Droplet, ISP blocking, or wrong IP.	Check DigitalOcean firewall rules. Ensure UDP port 1812 is open. Verify the server IP.
FreeRADIUS will not start	Syntax error in a config file.	Run `freeradius -X` to see the exact error message and line number. Fix the syntax and retry.
User gets rejected despite correct password	Password mismatch, typo in users file, or the wrong Auth-Type.	Run debug mode, attempt the login, and read the rejection reason in the debug output.

Individual accounts only. Every person gets their own username and password. No shared accounts.
Strong, unique passwords. Use the company password vault to generate and store credentials.
Restrict SSH access. Only authorized administrators should have SSH keys for the RADIUS server.
Enable DigitalOcean backups. Weekly automated backups protect against data loss.
Maintain local break-glass accounts. Each router should have one local admin account in case RADIUS is unreachable. Store these passwords in the vault.
Review user accounts quarterly. Audit the users file to confirm every entry is a current, active employee.
Document every change. Use the change log at the bottom of this page for every addition, removal, or modification.
Never send credentials in plaintext. Use phone calls, encrypted messaging, or in-person delivery for new account passwords.

If FreeRADIUS Is Down

When the RADIUS server is unreachable, MikroTik routers will fall back to local authentication. Employees can log in using the local break-glass admin account on each router. This is why maintaining those local accounts in the password vault is critical.

Recovering Server Access

Log into the DigitalOcean control panel.
Access the Droplet via the DigitalOcean web console (if SSH is down).
Check the FreeRADIUS service status and logs.
If the Droplet itself is unresponsive, use DigitalOcean's power cycle or recovery options.

Restoring from Backup

In the DigitalOcean control panel, navigate to the Droplet's Backups section.
Select the most recent backup and restore.
After restoration, verify FreeRADIUS starts and users can authenticate.
Check the users file to confirm it reflects the latest employee roster (backup may be up to a week old).

Consider keeping a local copy of the users and clients.conf files in your password vault or a secure internal location so they can be rebuilt quickly if needed.

Record every user account or configuration change below. This log is the audit trail for RADIUS administration.

Date	Changed By	Change Made	Reason	Verified By
YYYY-MM-DD	Name	Description of change	Reason	Name

The FreeRADIUS system is the foundation for centralized authentication at ITI. Planned enhancements include:

Microsoft Entra Integration. Allow employees to authenticate with their Microsoft 365 credentials instead of separate RADIUS passwords.
Role-Based Access Groups. Define permission levels (full admin, read-only, CSR access) so different staff get different capabilities.
CSR Read-Only Access. Give CSRs visibility into router status for troubleshooting without full admin rights.
Web Management Interface. A simple web panel for adding/removing users without SSH access.
Mass MikroTik Rollout Automation. Scripts to configure RADIUS on many routers at once instead of one at a time.
Multi-Factor Authentication. Add a second factor (TOTP/push notification) for router logins for high-security environments.