I just implemented this here in Florida. It's actually not that hard, and it would be trivial to implement OTP or token-based auth if you wanted to get really fancy.

Mikrotik config

    /radius
    add accounting-backup=no accounting-port=1813 address=44.98.252.1 authentication-port=1812 called-id="" \
        disabled=no domain="" realm="" secret=RADIUS-PW service=login timeout=300ms
    /user aaa
    set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=yes

Freeradius

Set it up to listen on a given ipv4/v6 interface in radiusd.conf

clients.conf:

    client 44.98.248.0/23 {
        secret = RADIUS-PW
        shortname = HamWAN
    }

users:

    bobdole Cleartext-Password := "PASSWORD!"
        Mikrotik-Group = "full", # only if you want root!
        Service-Type = Login-User,
        Juniper-Local-User-Name := "super-users" # only if you want root!

Juniper:

    groups {
        global {
            system {
                authentication-order [ radius password ];
                radius-server {
                    44.98.252.1 {
                        port 1812;
                        accounting-port 1813;
                        secret "nope.jpg"; ## SECRET-DATA
                    }
                }
                login {
                    user full {
                        class super-user;
                    }
                }
            }
        }
    }

    system {
        host-name TAMPA-CORE-EX;
        authentication-order [ radius password ];
        root-authentication {
            encrypted-password "nope.jpg"; ##
        }
        radius-server {
            44.98.254.1 {
                secret "nope.jpg"; ## SECRET-DATA
                source-address 44.98.249.1;
            }
        }
        login {
            user super-users {
                uid 2003;
                class super-user;
            }
        }
    }

--
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net
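Added example, not part of the original post: a Python sketch of the Access-Accept that the users entry above would produce, checked the way a RADIUS client checks it (RFC 2865 Response Authenticator) before the privilege attributes are trusted. The function names and the request authenticator are constructed for illustration; the vendor numbers (14988 Mikrotik, 2636 Juniper) are taken from the stock FreeRADIUS dictionaries.

```python
import hashlib
import hmac
import struct

# (vendor id, sub-attribute) pairs as in the stock FreeRADIUS dictionaries (assumption).
VSA_NAMES = {(14988, 3): "Mikrotik-Group", (2636, 1): "Juniper-Local-User-Name"}

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def vsa(vendor, vtype, text):
    return attr(26, struct.pack("!I", vendor) + attr(vtype, text.encode()))

def response_auth(code, ident, req_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_accept(ident, req_auth, attrs, secret):
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + response_auth(2, ident, req_auth, attrs, secret) + attrs

def parse_reply(packet, req_auth, secret):
    code, ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if length != len(packet) or length < 20:
        raise ValueError("bad length")
    attrs = packet[20:]
    want = response_auth(code, ident, req_auth, attrs, secret)
    if not hmac.compare_digest(packet[4:20], want):
        raise ValueError("bad Response Authenticator (wrong secret or altered reply)")
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        value = attrs[i + 2:i + alen]
        if atype == 6 and len(value) == 4:       # Service-Type, 1 = Login-User
            found["Service-Type"] = struct.unpack("!I", value)[0]
        elif atype == 26 and len(value) >= 6:    # Vendor-Specific
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            name = VSA_NAMES.get((vendor, vtype))
            if name and 2 <= vlen <= len(value) - 4:
                found[name] = value[6:4 + vlen].decode()
        i += alen
    return found

# Constructed sample: reply for bobdole, using the placeholder secret from the post.
REQ_AUTH = bytes(range(16))
REPLY_ATTRS = attr(6, struct.pack("!I", 1)) + vsa(14988, 3, "full") + vsa(2636, 1, "super-users")
SAMPLE = build_accept(7, REQ_AUTH, REPLY_ATTRS, b"RADIUS-PW")
```

The only thing tying the "full" / "super-users" grant to the server is that MD5 over the shared secret, so the secret in clients.conf and on each device should be long and random.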