Manual:Router AAA
Revision as of 10:47, 8 April 2019
Applies to RouterOS: 2.9, v3, v4, v5+
Summary
Sub-menu: /user
The MikroTik RouterOS router user facility manages the users that connect to the router from the local console, via a serial terminal, telnet, SSH or WinBox. Users are authenticated against either the local user database or a designated RADIUS server.
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.
If user authentication is performed with RADIUS, the RADIUS client must be configured first.
User Groups
Sub-menu: /user group
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
Properties
Property | Description |
---|---|
name (string; Default: ) | The name of the user group |
policy (local | telnet | ssh | ftp | reboot | read | write | policy | test | winbox | password | web | sniff | sensitive | api | romon | dude | tikapp; Default: none) | List of allowed policies (see the two lists below the table) |
skin (name; Default: default) | Used skin for WebFig |
Login policies:
* local - policy that grants rights to log in locally via the console
* telnet - policy that grants rights to log in remotely via telnet
* ssh - policy that grants rights to log in remotely via SSH
* ftp - policy that grants rights to log in remotely via FTP and to transfer files to and from the router
* winbox - policy that grants rights to log in remotely via WinBox
* web - policy that grants rights to log in remotely via WebFig
* api - policy that grants rights to log in via the API
* romon - policy that grants rights to log in via RoMON
* dude - policy that grants rights to log in to the Dude server
* tikapp - policy that grants rights to log in via Tik-App
Config policies:
* reboot - policy that grants rights to reboot the router
* read - policy that grants read access to the router's configuration; console commands that do not alter the configuration are allowed
* write - policy that grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well
* policy - policy that grants user management rights. Should be used together with the write policy. Also allows seeing global variables created by other users (requires the 'test' policy as well)
* test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, snooper and other test commands
* password - policy that grants rights to change the user's own password
* sensitive - grants rights to change the "hide sensitive" option; if this policy is disabled, sensitive information is not displayed (see the list below of what is regarded as sensitive)
* sniff - policy that grants rights to use the packet sniffer tool
Sensitive information
Starting with RouterOS v3.27, the following information is regarded as sensitive, and can be hidden from certain user groups with the 'sensitive' policy unchecked.
Also, since RouterOS v4.3, backup files are considered sensitive, and users without this policy will not be able to download them in any way.
system package
  /radius: secret
  /snmp/community: authentication-password, encryption-password
advanced-tools package
  /tool/sms: secret
wireless package
  /interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2, static-key-3, static-sta-private-key
  /interface/wireless/access-list: private-key, private-pre-shared-key
wireless-test package
  /interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2, static-key-3, static-sta-private-key, management-protection-key
  /interface/wireless/access-list: private-key, private-pre-shared-key, management-protection-key
user-manager package
  /tool/user-manager/user: password
  /tool/user-manager/customer: password
hotspot package
  /ip/hotspot/user: password
ppp package
  /ppp/secret: password
security package
  /ip/ipsec/installed-sa: auth-key, enc-key
  /ip/ipsec/manual-sa: ah-key, esp-auth-key, esp-enc-key
  /ip/ipsec/peer: secret
routing package
  /routing/bgp/peer: tcp-md5-key
  /routing/rip/interface: authentication-key
  /routing/ospf/interface: authentication-key
  /routing/ospf/virtual-link: authentication-key
routing-test package
  /routing/bgp/peer: tcp-md5-key
  /routing/rip/interface: authentication-key
  /routing/ospf/interface: authentication-key
  /routing/ospf/virtual-link: authentication-key
Default groups
There are three system groups which cannot be deleted:
[admin@rb13] > /user group print
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
[admin@rb13] >
Please note that even the "read" group includes the sensitive, reboot and other important policies, so it should not be given to untrusted users. For a truly limited group, create a custom group and grant only the specific policies it needs. All groups have access to file operations.
Exclamation sign '!' just before policy item name means NOT.
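The default groups are broader than their names suggest, and the '!' negation makes a long policy string hard to read at a glance. The following audit script is an added example (it is not part of the MikroTik page or of RouterOS): it parses the plain-text `/user group print` output shown above, expands the '!' entries into an explicit set of granted policies, and flags groups that hold policies with impact beyond reading configuration. The sample output is constructed from the page's own listing, and the set of policies treated as risky is the editor's choice, not a RouterOS definition.

```python
"""Audit RouterOS user groups from '/user group print' output.

Added example (not from the MikroTik wiki page): parses the plain-text
listing printed by RouterOS, resolves the '!' negation into an explicit
set of granted policies, and flags groups carrying high-impact policies.
"""
import re

# Constructed sample: the three default groups plus the custom "reboot"
# group from this page, exactly as RouterOS prints them.
SAMPLE = """\
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
 3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=default
"""

# Policies whose misuse goes beyond reading configuration. Assumption:
# this threshold is the editor's choice for the audit, not a RouterOS rule.
RISKY = {
    "sensitive": "can reveal stored secrets and download backups",
    "reboot": "can take the router down",
    "ftp": "has file access, including backup files",
    "write": "can change the configuration",
    "policy": "can manage users and groups (full takeover)",
    "sniff": "can capture traffic with the packet sniffer",
    "telnet": "allows plaintext logins",
}

# One 'print' line: index, quoted group name, comma-separated policy list.
LINE_RE = re.compile(r'^\s*(\d+)\s+name="([^"]*)"\s+policy=(\S+)')


def parse_groups(text):
    """Return {group name: set of granted policies} from 'print' output.

    A '!name' entry means the policy is denied, so it is left out of the
    granted set; everything else in the list is granted.
    """
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        granted = {p for p in m.group(3).split(",") if not p.startswith("!")}
        groups[m.group(2)] = granted
    return groups


def risky_policies(granted):
    """Return the sorted subset of granted policies that are in RISKY."""
    return sorted(p for p in granted if p in RISKY)


def audit(text):
    """Return {group name: [risky policies]} for every group in the output."""
    return {name: risky_policies(pol) for name, pol in parse_groups(text).items()}


if __name__ == "__main__":
    for name, flagged in audit(SAMPLE).items():
        status = "OK" if not flagged else "REVIEW"
        print(f"{status:6} {name:8} {', '.join(flagged) or '-'}")
        for p in flagged:
            print(f"         {p}: {RISKY[p]}")
```

Run against a real router by pasting the output of `/user group print` into the script; any custom group that comes back with an empty list holds only login and read-type policies.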
Example
To add reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration, enter the following command:
[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
 3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=default
[admin@rb13] user group>
Router Users
Sub-menu: /user
The router user database stores the username, password, allowed access addresses and group of each member of the router management personnel.
Properties
Property | Description |
---|---|
address (IP/mask | IPv6 prefix; Default: ) | Host or network address from which the user is allowed to log in |
group (string; Default: ) | Name of the group the user belongs to |
name (string; Default: ) | User name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols. |
password (string; Default: ) | User password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols. |
last-logged-in (time and date; Default: "") | Read-only field. Last time and date when user logged in. |
Notes
There is one predefined user with full access rights:
[admin@MikroTik] user> print
Flags: X - disabled
 #   NAME      GROUP   ADDRESS     LAST-LOGGED-IN
 0   ;;; system default user
     admin     full    0.0.0.0/0   dec/08/2010 16:19:24
[admin@MikroTik] user>
There should always be at least one user with full access rights. If only one such user exists, it cannot be removed.
Monitoring Active Users
Sub-menu: /user active
The /user active print command shows the currently active users along with the respective statistics.
Properties
All properties are read-only.
Property | Description |
---|---|
address (IP/IPv6 address) | Host IP/IPv6 address from which the user is accessing the router. 0.0.0.0 means that user is logged in locally |
group (string) | Group that user belongs to. |
name (string) | User name. |
radius (true | false) | Whether user is authenticated by RADIUS server. |
via (local | telnet | ssh | winbox | api | web | tikapp | ftp) | User's access method |
when (time) | Time and date when user logged in. |
Example
To print currently active users, enter the following command:
[admin@dzeltenais_burkaans] /user active> print detail
Flags: R - radius
 0 when=dec/08/2010 16:19:24 name="admin" address=10.5.8.52 via=winbox group=full
 2 when=dec/09/2010 09:23:04 name="admin" address=10.5.101.38 via=telnet group=full
 3 when=dec/09/2010 09:34:27 name="admin" address=fe80::21a:4dff:fe5d:8e56 via=api group=full
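The listing above is also what an operator reviews when looking for sessions that should not be there. The script below is an added example, not part of the MikroTik page or of RouterOS: it parses the `print detail` records in the format shown, and reports sessions that use a plaintext transport or come from outside a management prefix. The sample records are copied from the listing above; the management prefix is an assumption made for the example.

```python
"""Review '/user active print detail' output for sessions worth a look.

Added example (not from the MikroTik wiki page): parses the key=value
records RouterOS prints and flags sessions arriving over a plaintext
transport or from an address outside the expected management network.
"""
import ipaddress
import re

# Constructed sample in the format printed by RouterOS (see the page).
SAMPLE = """\
Flags: R - radius
 0 when=dec/08/2010 16:19:24 name="admin" address=10.5.8.52 via=winbox group=full
 2 when=dec/09/2010 09:23:04 name="admin" address=10.5.101.38 via=telnet group=full
 3 when=dec/09/2010 09:34:27 name="admin" address=fe80::21a:4dff:fe5d:8e56 via=api group=full
"""

# Assumption for the example: management logins are only expected from here.
MGMT_NETS = [ipaddress.ip_network("10.5.8.0/24")]

# Transports that carry the login and the session in the clear. 'api' and
# 'web' are not listed because the 'via' field does not distinguish the
# TLS variants (api-ssl, www-ssl) from the plain ones.
PLAINTEXT = {"telnet", "ftp"}

# One record: index, 'when' (two tokens: date and time), name, address, via, group.
REC_RE = re.compile(
    r'^\s*(\d+)\s+when=(\S+ \S+)\s+name="([^"]*)"\s+address=(\S+)\s+via=(\S+)\s+group=(\S+)'
)


def parse_active(text):
    """Return a list of session dicts parsed from 'print detail' output."""
    sessions = []
    for line in text.splitlines():
        m = REC_RE.match(line)
        if m:
            sessions.append({
                "id": int(m.group(1)), "when": m.group(2), "name": m.group(3),
                "address": m.group(4), "via": m.group(5), "group": m.group(6),
            })
    return sessions


def from_mgmt_net(addr):
    """True for a local console login (0.0.0.0) or an address inside MGMT_NETS."""
    ip = ipaddress.ip_address(addr)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return True
    # 'in' is False when the address and network are of different IP versions.
    return any(ip in net for net in MGMT_NETS)


def findings(text):
    """Return {session id: [reasons]} for sessions that need review."""
    out = {}
    for s in parse_active(text):
        reasons = []
        if s["via"] in PLAINTEXT:
            reasons.append(f"plaintext transport {s['via']}")
        if not from_mgmt_net(s["address"]):
            reasons.append(f"source {s['address']} outside management nets")
        if reasons:
            out[s["id"]] = reasons
    return out


if __name__ == "__main__":
    for sid, reasons in findings(SAMPLE).items():
        print(f"session {sid}: " + "; ".join(reasons))
```

With the sample, the WinBox session from the management prefix passes, the telnet session is flagged twice (transport and source), and the API session is flagged only for its link-local IPv6 source.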
Remote AAA
Sub-menu: /user aaa
Router user remote AAA enables router user authentication and accounting via a RADIUS server. The RADIUS user database is consulted only if the required username is not found in the local user database.
Properties
Property | Description |
---|---|
accounting (yes | no; Default: yes) | Enable RADIUS accounting for router user sessions |
exclude-groups (list of group names; Default: ) | Groups that must not be used for users authenticated by RADIUS. If the RADIUS server provides a group listed here, default-group is used instead. |
default-group (string; Default: read) | User group used by default for users authenticated via RADIUS server. |
interim-update (time; Default: 0s) | Interval between RADIUS Interim-Update accounting messages; 0s disables them |
use-radius (yes |no; Default: no) | Enable user authentication via RADIUS |
Note: If you are using RADIUS, you need to have CHAP support enabled in the RADIUS server for Winbox to work
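The order in which the local database, the RADIUS reply, exclude-groups and default-group are applied decides what a RADIUS-supplied group is worth. The function below is an added example, not part of the MikroTik page or of RouterOS, that models the rules stated in this section so the outcome can be checked for a given login; the local users and the /user aaa settings it uses are constructed.

```python
"""Model which group a router login ends up in under '/user aaa'.

Added example (not from the MikroTik wiki page). Rules modelled, as stated
on the page: a username present in the local database is handled locally
and RADIUS is not consulted; otherwise, with use-radius=yes, the group
returned by RADIUS applies unless it is listed in exclude-groups, in which
case default-group applies. A RADIUS reply without a group also falls back
to default-group.
"""

# Constructed local database: username -> group (as in '/user print').
LOCAL_USERS = {"admin": "full"}

# Constructed '/user aaa' settings.
AAA = {
    "use-radius": True,
    "default-group": "read",
    "exclude-groups": {"full"},
}


def resolve_group(username, radius_accepted, radius_group,
                  local_users=LOCAL_USERS, aaa=AAA):
    """Return (source, group); source is None when no login is possible.

    radius_accepted / radius_group describe what the RADIUS server would
    answer for this username; they are ignored when the user is local.
    Password checking is out of scope here: a local user whose password
    fails simply fails, since RADIUS is never consulted for that name.
    """
    if username in local_users:
        return ("local", local_users[username])
    if not aaa["use-radius"]:
        return (None, None)
    if not radius_accepted:
        return (None, None)
    group = radius_group
    if group is None or group in aaa["exclude-groups"]:
        group = aaa["default-group"]
    return ("radius", group)


if __name__ == "__main__":
    # A RADIUS server (or an attacker who controls it) asking for 'full'
    # is cut back to default-group because 'full' is excluded.
    print(resolve_group("ops", True, "full"))    # ('radius', 'read')
    print(resolve_group("ops", True, "write"))   # ('radius', 'write')
    print(resolve_group("admin", True, "read"))  # ('local', 'full')
```

The practical consequence: with 'full' in exclude-groups, a compromised or misconfigured RADIUS server cannot hand out user-management rights; any group it names that you have not excluded, such as 'write', is still granted.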
SSH Keys
Sub-menu: /user ssh-keys
This menu is used to import public keys for SSH authentication.
Warning: Once an SSH key has been added for a user, that user can no longer log in via SSH with a password.
Properties:
Property | Description |
---|---|
user (string; Default: ) | username to which ssh key is assigned. |
Read-only properties:
Property | Description |
---|---|
key-owner (string) | Owner string taken from the comment field of the imported public key |
When importing an SSH key with the /user ssh-keys import command, you will be asked for two parameters:
- public-key-file - name of the file in the router's root directory containing the public key
- user - name of the user to which the key will be assigned
Private keys
Sub-menu: /user ssh-keys private
This menu is used to import and list imported private keys. A private key is used by the router itself, acting as an SSH client under the given user, to authenticate to a remote host with a key instead of a password.
Read-only properties:
Property | Description |
---|---|
user (string) | Username to which the private key is assigned |
key-owner (string) | Owner string taken from the comment field of the imported public key |
When importing keys from this sub-menu with the /user ssh-keys private import command, you will be asked for three parameters:
- private-key-file - name of the file in the router's root directory containing the private key
- public-key-file - name of the file in the router's root directory containing the public key
- user - name of the user to which the key will be assigned