MikroTik RouterOS

Set up MikroTik RouterOS devices with IronWiFi's RADIUS authentication and external hotspot portal. This guide covers RADIUS server configuration, hotspot profile setup, walled garden configuration, custom login page integration, WPA-Enterprise deployment, and Passpoint (802.11u) configuration for advanced wireless scenarios.

tip

Use the latest long-term or stable RouterOS release for best compatibility.

Prerequisites

In MikroTik RouterOS:

MikroTik device with wireless capability
RouterOS 6.x or 7.x
Admin access via Terminal/SSH or WinBox
Wireless interface configured (e.g., wlan1)

In IronWiFi Console (complete these first):

Create a Network in IronWiFi Console
Create a Captive Portal with vendor MikroTik
Note your RADIUS settings (Primary IP, Backup IP, Secret) and Splash Page URL

RouterOS Configuration

Step 1: Configure RADIUS

Via Terminal:

/radius
add address={PRIMARY_IP} secret={SECRET} service=hotspot \
    authentication-port={AUTH_PORT} accounting-port={ACCT_PORT}

add address={BACKUP_IP} secret={SECRET} service=hotspot \
    authentication-port={AUTH_PORT} accounting-port={ACCT_PORT}

Via WinBox:

Navigate to RADIUS
Click + to add
Configure server settings
Check hotspot service

Step 2: Configure Hotspot

/ip hotspot profile
add name=IronWiFi hotspot-address=10.5.50.1 \
    dns-name=wifi.local \
    html-directory=hotspot \
    login-by=http-chap,http-pap,https \
    radius-accounting=yes \
    radius-interim-update=2m

/ip hotspot
add name=hotspot1 interface=wlan1 address-pool=hs-pool \
    profile=IronWiFi disabled=no

Step 3: Configure Walled Garden

warning

MikroTik requires both IP-based and DNS-based walled garden entries. Add

107.178.250.42

/ip hotspot walled-garden ip

for reliable access, since DNS resolution may not be available for all clients before authentication.

Allow access to IronWiFi servers and authentication providers before login:

/ip hotspot walled-garden ip
add dst-host=107.178.250.42 action=accept
add dst-address=107.178.250.42 action=accept

If you're using social login or payment providers, add these entries to your walled garden:

Provider	Required Entries
Google	`.google.com` , `.googleapis.com` , `*.gstatic.com` , `accounts.google.com`
Facebook	`.facebook.com` , `.fbcdn.net` , `connect.facebook.net` , `facebook.com`
LinkedIn	`.linkedin.com` , `.licdn.com` , `linkedin.com`
Twitter/X	`.twitter.com` , `.twimg.com` , `twitter.com` , `*.x.com` , `x.com`
Apple	`.apple.com` , `.icloud.com` , `appleid.apple.com`
Microsoft Entra ID	`.microsoft.com` , `.microsoftonline.com` , `*.msftauth.net` , `login.microsoftonline.com`
Stripe	`*.stripe.com` , `js.stripe.com`
PayPal	`.paypal.com` , `.paypalobjects.com`
Twilio (SMS)	`*.twilio.com`

Example configuration for Google login:

/ip hotspot walled-garden
add dst-host=*.google.com action=accept
add dst-host=*.googleapis.com action=accept
add dst-host=*.gstatic.com action=accept
add dst-host=accounts.google.com action=accept

tip

The login page redirect passes MikroTik session variables (MAC address, IP, CHAP credentials) to IronWiFi. Do not modify the URL parameters in the redirect -- they are required for authentication to work.

Edit hotspot files to redirect to IronWiFi:

/file

/hotspot/login.html

, replace content with redirect:

<!DOCTYPE html>
`<html>`
`<head>`
<meta http-equiv="refresh" content="0; url={SPLASH_PAGE_URL}?$(if chap-id)chap-id=$(chap-id)&chap-challenge=$(chap-challenge)&$(endif)link-login-only=$(link-login-only)&link-orig=$(link-orig)&mac=$(mac)&ip=$(ip)&username=$(username)&link-login=$(link-login)&link-orig-esc=$(link-orig-esc)&error=$(error)">
`</head>`
`<body>`</body>
`</html>`

Step 5: Configure IP Pool and DHCP

/ip pool
add name=hs-pool ranges=10.5.50.2-10.5.50.254

/ip dhcp-server
add name=dhcp-hs interface=wlan1 address-pool=hs-pool lease-time=1h

/ip dhcp-server network
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

WPA-Enterprise

For 802.1X:

/radius
add address={PRIMARY_IP} secret={SECRET} service=wireless

/interface wireless security-profiles
add name=wpa2-enterprise mode=dynamic-keys \
    authentication-types=wpa2-eap \
    eap-methods=eap-tls,passthrough

/interface wireless
set wlan1 security-profile=wpa2-enterprise

Passpoint Configuration

For devices supporting 802.11u:

/interface wireless
set wlan1 interworking-profile=IronWiFi-Passpoint

/interface wireless interworking-profiles
add name=IronWiFi-Passpoint \
    access-network-type=chargeable-public-network \
    internet=yes \
    hessid=auto \
    venue-type=business.office

Verification

After completing the configuration, verify everything is working correctly by running these commands:

/ip hotspot active print
/radius monitor 0
/ip hotspot host print

Troubleshooting

If you encounter issues after configuration, use this table to diagnose and resolve common problems:

Symptom	Cause	Solution
No redirect to splash page	Walled garden or DNS misconfiguration	Verify walled garden configuration, check hotspot profile settings, ensure DNS is working, test redirect URL manually
RADIUS timeout	Network connectivity or incorrect RADIUS settings	Check server connectivity with `ping {RADIUS_IP}` , verify shared secret, check service type is correct, review RADIUS monitor with `/radius monitor 0`
Users not authenticated	RADIUS or login page misconfiguration	Check RADIUS configuration, verify login page redirect, test user credentials in IronWiFi Console, review hotspot logs

For this vendor

Shared configuration

Was this page helpful?

Prerequisites​

In MikroTik RouterOS:​

In IronWiFi Console (complete these first):​

RouterOS Configuration​

Step 1: Configure RADIUS​

Step 2: Configure Hotspot​

Step 3: Configure Walled Garden​

Step 4: Configure Login Page​

Step 5: Configure IP Pool and DHCP​

WPA-Enterprise​

Passpoint Configuration​

Verification​

Troubleshooting​

Related Topics​