MikroTik RouterOS is the most common network operating system for ISPs across South Asia — Bangladesh, Pakistan, Nepal, and Bhutan. Connecting it to FreeRADIUS for automated PPPoE billing eliminates manual session management and lets your billing platform control subscriber access in real time. This guide walks through the complete setup from RADIUS server configuration to MikroTik PPPoE profile and the billing events that trigger automatic disconnect and reconnect.
How MikroTik PPPoE Authentication Works with RADIUS
When a PPPoE client connects to MikroTik, RouterOS sends an Access-Request to your FreeRADIUS server with the subscriber's username and password. FreeRADIUS checks the radcheck table for a Cleartext-Password match. If found and valid, it replies with an Access-Accept that includes rate-limit attributes in the radreply table — specifically Mikrotik-Rate-Limit in the format upload/download (e.g., "5M/20M"). The subscriber gets online at their assigned speed. If the password is wrong or the account is expired, FreeRADIUS returns an Access-Reject and the PPPoE session fails.
Setting Up FreeRADIUS for MikroTik PPPoE
The critical FreeRADIUS configuration files for MikroTik PPPoE billing are:
- /etc/freeradius/3.0/mods-enabled/sql — enable Postgres or MySQL backend
- /etc/freeradius/3.0/sites-enabled/default — enable authorize and accounting sections
- /etc/freeradius/3.0/dictionary.mikrotik — add if Mikrotik-Rate-Limit is unrecognized
The dictionary entry for MikroTik rate limit must be present for FreeRADIUS to send the attribute correctly. Without it, the Access-Accept arrives without the rate limit and MikroTik applies no speed cap. This is the most common misconfiguration in new FreeRADIUS setups for ISPs.
MikroTik RouterOS PPPoE Server Configuration
On the MikroTik side, configure the PPPoE server to point at your FreeRADIUS server:
- PPP > AAA: enable RADIUS authentication and accounting
- RADIUS: add your server IP, port 1812 (auth), 1813 (acct), shared secret
- PPP > Profiles: set the rate-limit source to RADIUS, not the local profile
- PPP > Secrets: leave empty — RADIUS handles credentials, not local secrets
The rate-limit in the PPP Profile should be empty or set to a fallback value only. If you put a rate-limit in the Profile, MikroTik uses that instead of the RADIUS-supplied Mikrotik-Rate-Limit attribute, and all subscribers get the same speed regardless of their package.
RADIUS Accounting and Session Tracking
FreeRADIUS accounting records each PPPoE session start (Accounting-Request Start) and stop (Accounting-Request Stop) in the radacct table. Each record includes the subscriber's username, session duration, bytes sent and received, and the termination cause. iBilling reads this table to track online status, monthly data usage for FUP enforcement, and connection history for billing disputes.
CoA Disconnect for Expired Subscribers
The most important automation in MikroTik PPPoE billing is Change of Authorization (CoA). When a subscriber's account expires, your billing platform must terminate their active PPPoE session immediately — otherwise the subscriber stays online until they disconnect themselves. CoA sends a Disconnect-Request from the billing server to MikroTik's RADIUS client on port 3799. MikroTik terminates the session, and the subscriber's router dials again, this time getting an Access-Reject because their account is now expired in FreeRADIUS.
iBilling sends CoA automatically on every billing event: suspension, expiry, package change, and manual disconnect. The CoA target is the NAS IP stored in the iBilling NAS configuration. Port 3799 is standard — do not use 1700, which some older MikroTik documentation mistakenly references.
Five Common MikroTik PPPoE RADIUS Mistakes to Avoid
ISPs migrating to RADIUS billing from local secret authentication frequently hit these issues:
- Using port 1700 instead of 3799 for CoA — CoA silently fails with no subscriber disconnect
- Forgetting to add the MikroTik dictionary to FreeRADIUS — rate limits are silently ignored
- Setting a rate-limit in the MikroTik PPP Profile — overrides the RADIUS rate limit for all users
- Not enabling RADIUS accounting — billing platform loses session data and FUP enforcement breaks
- Using MD5-Password in radcheck instead of Cleartext-Password — CHAP authentication fails
How iBilling Automates MikroTik PPPoE Billing
iBilling writes directly to the FreeRADIUS database tables on every billing event. When you activate a new subscriber, iBilling inserts their credentials and Mikrotik-Rate-Limit reply into radcheck and radreply. When you renew their package, the rate-limit updates automatically if the package speed changed. When the account expires, iBilling moves the subscriber to an expiry group with a throttled speed (e.g., 4k/4k) and sends CoA to disconnect their active session. When they renew, iBilling moves them back to the normal group and sends CoA again to force reconnect at the new speed. No Winbox, no SSH — the entire subscriber lifecycle runs from the billing dashboard.