cnMaestro external hotspot via MikroTik routerOS


I’m working on a setup where I’m using a MikroTik router’s Hotspot feature as a captive portal and user database. I’m facing issues with users successfully authenticating through the portal when connecting to a Cambium AP.

Here’s my configuration:

  • Guest Access on Cambium AP: Configured for external Hotspot.
  • Authentication Options: Tried both click-through and RADIUS, neither fully succeed.
  • MikroTik Router: IP address added to the AP with the correct Hotspot URL. I can connect to the relevant SSID and sometimes see the MikroTik’s captive portal. Login works, but internet access is not granted.
  • Internet Connectivity: Verified as working on the router.
  • HTTPS: I’ve enabled HTTPS for authentication (using a valid SSL certificate)

My Understanding: RouterOS Hotspot functions as a RADIUS client, not a server. I prefer to keep my existing Hotspot user profile scripts and avoid switching to UserManager.

Questions and Troubleshooting:

  1. Authentication Protocol: Can anyone confirm expected authentication protocols between the MikroTik Hotspot and Cambium AP? Are there specific settings I need to verify on the AP side?
  2. RADIUS: If RADIUS is involved, are any additional steps required on the MikroTik besides the basic configuration?
  3. Firewall: Could firewall rules on the MikroTik be interfering with post-authentication traffic?

Thank you in advance for any insights or suggestions!

Hi Brayden,
AP will allow the internet access to the client only after the successful authentication message is received to the AP. Seems like this is failing for you. Please refer to the integration document available at the following link: (Guest Access WLAN-External Hotspot with RADIUS Authentication)


Thank you, I’ve come across this article before but I’m wondering if it’s at all possible to use just Hotspot?

In assuming if you’re sending me this link, hotspot can’t be integrated with the cambium AP as it doesn’t send the required authentication response?

If the redirection configuration is on the AP, AP should learn the authentication status of the client to allow the client to pass traffic. Alternatively, consider configuring redirection outside the AP, such as on the Microtik, and utilize the AP solely for connecting wireless clients and bridging traffic.

(This is Brayden on a different account)

Ok, I’ve decided to try following the guide you gave me. I’ve configured the MikroTik router on the voucher VLAN. The APs are also connected to the router on the management VLAN.

I’m using the internal captive portal on the AP, but when I login from a client device I’m unable to get authenticated. This is the error I get:

I’m unsure why the POST request isn’t getting through

Here is my wireshark capture
RADIUS_test1.pcapng (248.3 KB)

Can you share cambium AP configuration and Microtik configuration.