MikroTik RouterOS
Set up MikroTik RouterOS devices with IronWifi's RADIUS authentication and external hotspot portal. This guide covers RADIUS server configuration, hotspot profile setup, walled garden configuration, custom login page integration, WPA-Enterprise deployment, and Passpoint (802.11u) configuration for advanced wireless scenarios.
Use the latest long-term or stable RouterOS release for best compatibility.
Prerequisites
In MikroTik RouterOS:
- MikroTik device with wireless capability
- RouterOS 6.x or 7.x
- Admin access via Terminal/SSH or WinBox
- Wireless interface configured (e.g., wlan1)
In IronWifi Console (complete these first):
- Create a Network in IronWifi Console
- Create a Captive Portal with vendor MikroTik
- Note your RADIUS settings (Primary IP, Backup IP, Secret) and Splash Page URL
RouterOS Configuration
Step 1: Configure RADIUS
Via Terminal:
/radius
add address={PRIMARY_IP} secret={SECRET} service=hotspot \
authentication-port=1812 accounting-port=1813
add address={BACKUP_IP} secret={SECRET} service=hotspot \
authentication-port=1812 accounting-port=1813
Via WinBox:
- Navigate to RADIUS
- Click + to add
- Configure server settings
- Check hotspot service
Step 2: Configure Hotspot
/ip hotspot profile
add name=IronWifi hotspot-address=10.5.50.1 \
dns-name=wifi.local \
html-directory=hotspot \
login-by=http-chap,http-pap,https \
radius-accounting=yes \
radius-interim-update=2m
/ip hotspot
add name=hotspot1 interface=wlan1 address-pool=hs-pool \
profile=IronWifi disabled=no
Step 3: Configure Walled Garden
Allow access to IronWifi servers and authentication providers before login:
/ip hotspot walled-garden ip
add dst-host=107.178.250.42 action=accept
add dst-address=107.178.250.42 action=accept
If you're using social login or payment providers, add these entries to your walled garden:
| Provider | Required Entries |
|---|---|
*.google.com, *.googleapis.com, *.gstatic.com, accounts.google.com | |
*.facebook.com, *.fbcdn.net, connect.facebook.net, facebook.com | |
*.linkedin.com, *.licdn.com, linkedin.com | |
| Twitter/X | *.twitter.com, *.twimg.com, twitter.com, *.x.com, x.com |
| Apple | *.apple.com, *.icloud.com, appleid.apple.com |
| Microsoft/Azure AD | *.microsoft.com, *.microsoftonline.com, *.msftauth.net, login.microsoftonline.com |
| Stripe | *.stripe.com, js.stripe.com |
| PayPal | *.paypal.com, *.paypalobjects.com |
| Twilio (SMS) | *.twilio.com |
Example configuration for Google login:
/ip hotspot walled-garden
add dst-host=*.google.com action=accept
add dst-host=*.googleapis.com action=accept
add dst-host=*.gstatic.com action=accept
add dst-host=accounts.google.com action=accept
Step 4: Configure Login Page
Edit hotspot files to redirect to IronWifi:
/file
In /hotspot/login.html, replace content with redirect:
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0; url={SPLASH_PAGE_URL}?$(if chap-id)chap-id=$(chap-id)&chap-challenge=$(chap-challenge)&$(endif)link-login-only=$(link-login-only)&link-orig=$(link-orig)&mac=$(mac)&ip=$(ip)&username=$(username)&link-login=$(link-login)&link-orig-esc=$(link-orig-esc)&error=$(error)">
</head>
<body></body>
</html>
Step 5: Configure IP Pool and DHCP
/ip pool
add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add name=dhcp-hs interface=wlan1 address-pool=hs-pool lease-time=1h
/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
WPA-Enterprise
For 802.1X:
/radius
add address={PRIMARY_IP} secret={SECRET} service=wireless
/interface wireless security-profiles
add name=wpa2-enterprise mode=dynamic-keys \
authentication-types=wpa2-eap \
eap-methods=eap-tls,passthrough
/interface wireless
set wlan1 security-profile=wpa2-enterprise
Passpoint Configuration
For devices supporting 802.11u:
/interface wireless
set wlan1 interworking-profile=IronWifi-Passpoint
/interface wireless interworking-profiles
add name=IronWifi-Passpoint \
access-network-type=chargeable-public-network \
internet=yes \
hessid=auto \
venue-type=business.office
Verification
After completing the configuration, verify everything is working correctly by running these commands:
/ip hotspot active print
/radius monitor 0
/ip hotspot host print
Troubleshooting
If you encounter issues after configuration, use this table to diagnose and resolve common problems:
| Symptom | Cause | Solution |
|---|---|---|
| No redirect to splash page | Walled garden or DNS misconfiguration | Verify walled garden configuration, check hotspot profile settings, ensure DNS is working, test redirect URL manually |
| RADIUS timeout | Network connectivity or incorrect RADIUS settings | Check server connectivity with ping {RADIUS_IP}, verify shared secret, check service type is correct, review RADIUS monitor with /radius monitor 0 |
| Users not authenticated | RADIUS or login page misconfiguration | Check RADIUS configuration, verify login page redirect, test user credentials in IronWifi Console, review hotspot logs |