You are going to configure a real PPPoE server, point it at a RADIUS instance, create per-user access profiles with enforced time limits, connect your machines as PPPoE clients, and then watch the router log you off. Every step maps back to what Session 06 explained in theory.
Session 06 was all words. This session is all hands. You are going to take a home-router-sized device called a MikroTik hAP, turn it into a PPPoE server the same way a real ISP would, wire it to a RADIUS server, then connect your laptop to it as if your laptop were a customer premises device. Every command has a reason and that reason was explained in Session 06.
Everyone takes the same steps to connect. The difference is what RADIUS tells the router about each of you. Each person has a different Session-Timeout value assigned by the RADIUS profile. That value is the prize. You will not know how much time you have until you are connected and the countdown starts.
When your session expires the router drops the PPPoE link. No warning from the router. Your internet stops. That is the real behaviour of a timed ISP session: the network enforces the policy, not a pop-up.
The diagram below shows every device and every arrow of traffic in this lab. Read it before you touch anything.
The hAP acts as PPPoE server and RADIUS client at the same time. User Manager is the RADIUS server running on the same device. That is fine for a lab. In production the RADIUS server lives on a separate server and the PPPoE server (Juniper MX, Cisco, MikroTik BRAS) is the RADIUS client. The conversation between them is identical.
Connect the trainer laptop to the hAP via Ethernet and open WinBox. You should see the hAP appear in the Neighbors list. Click it to connect. Default credentials after a reset are admin with no password.
PPPoE clients need an IP address assigned when they connect. You create a pool: a range of IPs the router draws from each time a client authenticates.
This gives 29 addresses. More than enough for 4 trainees. Address 10.0.0.1 will be the router's end of every PPPoE link.
A profile defines the IP settings applied to all PPPoE sessions that use it. You can have multiple profiles (different speeds, different pools), but for this lab one is enough.
local-address is the IP on the router's side of the PPPoE tunnel. remote-address points to the pool you just made. The client gets an IP from that pool. use-encryption=no skips MPPE, which simplifies the lab.
The server needs to know which interface to listen on. On the hAP, trainees will connect over Wi-Fi, and the hAP bridges its LAN ports and Wi-Fi into one interface called bridge by default. Run:
By default the router checks users against its own local secrets list under /ppp secret. You need to tell it to ask RADIUS instead.
address=127.0.0.1 means the hAP is asking itself — because User Manager is running on the same device. secret=labsecret is the shared secret that the RADIUS client (this router process) and the RADIUS server (User Manager) both need to know. We will set it on the User Manager side in Part 4.
User Manager is MikroTik's built-in RADIUS server. It ships with RouterOS but requires a package install on some versions. First check whether it is already running.
Once the package is installed you access User Manager through a web browser, not WinBox. The default address is:
The username is admin. The password is the same as your WinBox admin password (blank by default).
User Manager needs to know that this hAP is allowed to ask it for authentication. In User Manager:
This is the key part. You are creating four user accounts. Each account has a different Session-Timeout attribute. That attribute travels from RADIUS to the router inside the Access-Accept packet. The router reads it and enforces the timeout.
In User Manager, go to Profiles → Add. Create one profile per trainee.
| Username | Password | Session-Timeout (seconds) | Human-readable |
|---|---|---|---|
| irene | irene123 | 180 | 3 minutes |
| dennis | dennis123 | 300 | 5 minutes |
| msabi | msabi123 | 600 | 10 minutes |
| ibrahim | ibrahim123 | 900 | 15 minutes |
For each user the steps are:
When Irene authenticates, the RADIUS Access-Accept packet looks like this:
The Session-Timeout: 180 line is the only difference between Irene's session and Ibrahim's. Everything else is the same. The router stores that value, starts a countdown, and at 0 it terminates the session regardless of what Irene is doing.
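The exchange described above can be reproduced in a few lines, as an added example that is not part of the original lab material: it builds an Access-Accept carrying Session-Timeout (attribute 27), then plays the router's role by checking the Response Authenticator against the shared secret before trusting the value. The packet ID, the request authenticator and the function names are constructed for illustration; the secret labsecret and the 180-second value are the lab's own.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS packet code (RFC 2865)
SESSION_TIMEOUT = 27   # attribute type; value is a 4-byte unsigned integer


def build_access_accept(ident, request_auth, attrs, secret):
    """Server side: encode attributes and sign the reply with the shared secret."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    digest = hashlib.md5(header + request_auth + body + secret).digest()
    return header + digest + body


def read_session_timeout(packet, request_auth, secret):
    """Client side: verify the authenticator, then return Session-Timeout or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    pos = 0
    timeout = None
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, alen = body[pos], body[pos + 1]
        if atype == SESSION_TIMEOUT:
            if alen != 6:
                raise ValueError("Session-Timeout must carry 4 bytes")
            timeout = struct.unpack("!I", body[pos + 2:pos + 6])[0]
        pos += alen
    return timeout


# Constructed sample: the request authenticator and packet ID are made up;
# the secret and the 180-second value are the ones used in this lab.
REQUEST_AUTH = bytes(range(16))
SECRET = b"labsecret"
IRENE_ACCEPT = build_access_accept(7, REQUEST_AUTH, [(SESSION_TIMEOUT, struct.pack("!I", 180))], SECRET)

if __name__ == "__main__":
    print(read_session_timeout(IRENE_ACCEPT, REQUEST_AUTH, SECRET))
```

A reply whose timeout bytes were altered in transit, or one signed with a different secret, fails the authenticator check and is rejected before the attribute is read.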
Each trainee follows these steps on their own machine. The interface name varies by OS. The username and password are from the table in Part 5.
After a successful connection, run ipconfig in Command Prompt. You should see a PPP adapter with an IP address from the range 10.0.0.2–10.0.0.30.
While trainees are connected, go back to WinBox on the trainer laptop and look at what the router knows about the active sessions.
Go to PPP → Active Connections. You will see a row for each connected trainee. The columns to read:
| Column | What it means |
|---|---|
| Name | The PPPoE username the trainee authenticated with |
| Service | The service name you gave the server (sprint-lab) |
| Caller ID | The MAC address of the trainee's network interface |
| Address | The IP assigned to this session from the pool |
| Uptime | How long this session has been active |
| Session Timeout | Remaining seconds — counting down from the RADIUS value |
In User Manager, go to Log. You will see Accounting-Start entries when each person connects and Accounting-Stop entries when they disconnect. The Stop entry includes a Terminate-Cause field. When the router times the session out, that field reads Session-Timeout. That confirms the policy was enforced correctly.
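The same confirmation can be automated over exported accounting records. The following is an added example, not part of the original lab material: it pairs Accounting-Start and Accounting-Stop entries and reports any session that outlived the Session-Timeout from the profile table. The record layout, session IDs, the User-Request cause string and the 5-second tolerance are assumptions constructed for illustration.

```python
# Session-Timeout per user, from the lab's profile table.
PROFILE_TIMEOUT = {"irene": 180, "dennis": 300, "msabi": 600, "ibrahim": 900}
GRACE = 5  # seconds of tolerance for timer skew (an assumption of this example)

# Constructed accounting records; "time" is seconds since the lab started.
RECORDS = [
    {"type": "Start", "user": "irene", "session": "s1", "time": 10},
    {"type": "Stop", "user": "irene", "session": "s1", "time": 190,
     "session_time": 180, "terminate_cause": "Session-Timeout"},
    {"type": "Start", "user": "dennis", "session": "s2", "time": 20},
    {"type": "Stop", "user": "dennis", "session": "s2", "time": 140,
     "session_time": 120, "terminate_cause": "User-Request"},
    {"type": "Start", "user": "msabi", "session": "s3", "time": 30},
    {"type": "Stop", "user": "msabi", "session": "s3", "time": 780,
     "session_time": 750, "terminate_cause": "User-Request"},
    {"type": "Start", "user": "irene", "session": "s4", "time": 200},
]


def audit(records, now):
    """Return (user, session, reason) for every session that outlived its limit."""
    findings, open_sessions = [], {}
    for rec in records:
        key = (rec["user"], rec["session"])
        limit = PROFILE_TIMEOUT.get(rec["user"])
        if limit is None:
            findings.append(key + ("no profile for this user",))
        elif rec["type"] == "Start":
            open_sessions[key] = rec["time"]
        elif rec["type"] == "Stop":
            open_sessions.pop(key, None)
            # A clean early logoff is fine; running past the limit is not.
            if rec["session_time"] > limit + GRACE:
                findings.append(key + ("ran %ds past limit, cause %s" % (
                    rec["session_time"] - limit, rec["terminate_cause"]),))
    # Sessions with a Start but no Stop that should already have been cut off.
    for key, started in open_sessions.items():
        if now - started > PROFILE_TIMEOUT[key[0]] + GRACE:
            findings.append(key + ("no Stop record, open past limit",))
    return findings
```

A session flagged here means the router did not apply the RADIUS attribute for that login, which is the condition the troubleshooting scenarios ask you to investigate.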
Once you are connected and authenticated, your instructor will give you a direct link. Open it on your phone before your session expires. The page will show your personal countdown mirroring what the router is doing. When the router ends your session, you will lose connectivity and the page will show that your session terminated.
When your PPPoE session goes down, your machine will try to reconnect automatically (most operating systems do). If you reconnect before the class ends, RADIUS will apply the same Session-Timeout again — the policy does not care how many times you reconnect.
These are the problems that happen in real labs and on real networks. Work through each scenario and identify what the real cause is before checking the answer.
Symptom: The connection status in Windows says "Connected" but ipconfig shows 0.0.0.0 or no PPP adapter.
remote-address field does not point to the correct pool name. Check with /ip pool print and /ppp profile print.
Symptom: Windows error 691: "The remote connection was denied because the username and password combination you provided is not recognised."
Symptom: The session appears in PPP Active for less than 2 seconds then disappears.
Symptom: Connections hang at the authentication stage indefinitely.
/radius print and confirm User Manager is installed and active in /system package print.
Symptom: Irene's session should drop at 3 minutes but she is still connected at 5 minutes.
use-radius=yes set, so the session is being authenticated locally without applying RADIUS attributes. The local /ppp secret list may have shadow credentials that match without a timeout. Check with /ppp profile print detail and remove any matching entries from /ppp secret.
Run through this checklist after the lab finishes. Each item is a link between something you physically experienced today and something Session 06 described.
Every ISP in Tanzania doing PPPoE is building exactly what you built today. The scale is different. The protocol is identical.
| Term | What it is |
|---|---|
| PPPoE server | The device that listens for PADI broadcasts and creates the PPPoE tunnel per client. In this lab: the hAP. |
| PPPoE client | The device that initiates the connection. In this lab: your laptop. |
| RADIUS client | The device that sends authentication requests to RADIUS. In this lab: the hAP (the same device as the PPPoE server). |
| RADIUS server | The service that holds user credentials and policies. In this lab: User Manager running on the hAP. |
| Access-Accept | RADIUS response meaning: credentials valid, here are the session policies. |
| Access-Reject | RADIUS response meaning: credentials invalid or policy denies access. |
| Session-Timeout | RADIUS attribute 27. Maximum seconds before the session is forcibly terminated. |
| Accounting-Start | RADIUS packet sent when a session begins. Records start time, session ID, and assigned IP. |
| Accounting-Stop | RADIUS packet sent when a session ends. Includes duration, bytes in/out, and Terminate-Cause. |
| Shared secret | The pre-shared string that proves a RADIUS client is authorised to use this RADIUS server. Must match on both ends. |
| IP pool | A range of IP addresses the router draws from when assigning a client an address during session creation. |
| CHAP | Challenge Handshake Authentication Protocol. Password never travels in plain text. A hashed response to a server challenge travels instead. |