MikroTik
RouterOS 7.x
Examples assume two Edge appliances at 10.10.10.10 and 10.10.10.11, a tenant PSK shown as ARBITER_PSK and a guest portal URL of https://acme-7f3-guest.arbiter.ie/. Substitute your own values from the Arbiter portal.
For the universal context (architecture, AAA dead-server tuning, DHCP relay intent), see the Network devices overview.
Wired: RADIUS server, 802.1X and MAB
MikroTik switches (CRS/CSS lines) support 802.1X via dot1x server config. RouterOS does not implement MAB natively in the same way Cisco does; the equivalent is dot1x-server with reject-vlan-id fallback, or DHCP-snooping-based VLAN assignment.
/radius
add address=10.10.10.10 secret=ARBITER_PSK service=dot1x timeout=2s
add address=10.10.10.11 secret=ARBITER_PSK service=dot1x timeout=2s
/interface ethernet switch
set dot1x-server-enabled=yes
/interface ethernet switch port
set ether1 dot1x-server-auth-types=dot1x,mac-authWireless: 802.1X SSID
RouterOS wireless (or CAPsMAN-managed CAPs) WPA2-EAP.
/radius
add address=10.10.10.10 secret=ARBITER_PSK service=wireless timeout=2s
add address=10.10.10.11 secret=ARBITER_PSK service=wireless timeout=2s
/interface wireless security-profiles
add name=corp-1x mode=dynamic-keys authentication-types=wpa2-eap \
eap-methods=passthrough radius-mac-authentication=no
/interface wireless
set wlan1 ssid=Corp security-profile=corp-1xGuest SSID: open with captive portal redirect
MikroTik Hotspot is the native captive portal. It can either render its own login page or redirect to an external URL; use external for Arbiter.
/ip hotspot profile
add name=arbiter-guest html-directory=hotspot \
http-cookie-lifetime=1d login-by=mac use-radius=yes \
radius-default-domain=guest \
radius-mac-format=XX-XX-XX-XX-XX-XX
/ip hotspot
add name=guest interface=bridge-guest profile=arbiter-guest \
addresses-per-mac=2
/ip hotspot walled-garden
add dst-host=acme-7f3-guest.arbiter.ie action=allow
/ip hotspot walled-garden ip
add dst-host=acme-7f3-guest.arbiter.ie action=acceptDHCP relay to Edge
MikroTik can run a DHCP relay alongside its real DHCP server.
/ip dhcp-relay
add name=relay-vlan10 interface=vlan10 \
dhcp-server=10.0.0.5,10.10.10.10,10.10.10.11 \
local-address=10.0.10.1AAA dead-server detection
Optional but recommended where supported. RouterOS RADIUS does not expose a formal dead-criteria / deadtime pair: failover is reactive and a per-request timeout is the only knob. The Edge appliances are on your LAN, so keep the timeout short and the supplicant fails over to the second Edge inside its own retry window rather than stalling on Edge #1.
/radius
set [find service=dot1x] timeout=2s
set [find service=wireless] timeout=2s
! RouterOS has no formal dead-criteria / deadtime pair. A short
! per-request timeout lets the supplicant reach Edge #2 within a
! normal retry window when Edge #1 is down.CoA listener
Enabled by 'incoming' on the RADIUS service.
/radius incoming
set accept=yes port=3799Notes
- RouterOS MAB story is weaker than enterprise vendors. For sites with significant IoT, evaluate whether MikroTik is the right NAS for the access layer.
- Hotspot's use-radius=yes means MikroTik authenticates portal logins against Arbiter via standard PAP/CHAP RADIUS, on top of the MAC-based shortcut.
Verify the integration
Once the device is configured, validate against the Arbiter portal rather than the vendor's own RADIUS test tooling. Vendor tools confirm reachability but not policy outcomes. See the validation checklist on the overview page.
Need help?
Onboarding kit not behaving as expected? Email support@arbiter.ie with the device model, firmware version and the syntax you tried. We can usually identify the difference within a working day.