Manual:Router AAA: Difference between revisions

From MikroTik Wiki
Revision as of 10:32, 18 June 2020


Applies to RouterOS: 2.9, v3, v4, v5+


Summary

Sub-menu: /user


The MikroTik RouterOS user facility manages the users connecting to the router from the local console, via serial terminal, telnet, SSH or WinBox. Users are authenticated against either the local database or a designated RADIUS server.

Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.

If user authentication is performed using RADIUS, the RADIUS Client must be configured first.


User Groups

Sub-menu: /user group

The router user groups provide a convenient way to assign different permissions and access rights to different user classes.


Properties

Property Description
name (string; Default: ) The name of the user group
policy (local | telnet | ssh | ftp | reboot | read | write | policy | test | winbox | password | web | sniff | sensitive | api | romon | dude | tikapp; Default: none) List of allowed policies:

Login policies:

  • local - policy that grants rights to log in locally via console
  • telnet - policy that grants rights to log in remotely via telnet
  • ssh - policy that grants rights to log in remotely via secure shell protocol
  • web - policy that grants rights to log in remotely via WebFig.
  • winbox - policy that grants rights to log in remotely via WinBox and bandwidth test authentication
  • password - policy that grants rights to change the password
  • api - policy that grants rights to access the router via API.
  • tikapp - policy that grants rights to log in remotely via Tik-App.
  • dude - policy that grants rights to log in to the Dude server.
  • ftp - policy that grants full rights to log in remotely via FTP, to read/write/erase files and to transfer files from/to the router. Should be used together with the read/write policies.
  • romon - policy that grants rights to connect to the RoMon server.

Config Policies:

  • reboot - policy that allows rebooting the router
  • read - policy that grants read access to the router's configuration. All console commands that do not alter the router's configuration are allowed. Does not affect FTP.
  • write - policy that grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well.
  • policy - policy that grants user management rights. Should be used together with the write policy. Also allows seeing global variables created by other users (requires the 'test' policy as well).
  • test - policy that grants rights to run ping, traceroute, bandwidth-test, wireless scan, snooper and other test commands
  • sensitive - policy that grants rights to change the "hide sensitive" option; if this policy is not granted, sensitive information is not displayed. See the list below for what is regarded as sensitive.
  • sniff - policy that grants rights to use the packet sniffer tool.
skin (name; Default: default) Skin used for WebFig

Sensitive information

Starting with RouterOS v3.27, the following information is regarded as sensitive, and it is hidden from user groups for which the 'sensitive' policy is not granted.

Also, since RouterOS v4.3, backup files are considered sensitive, and users without this policy cannot download them in any way.

system package

/radius: secret
/snmp/community: authentication-password, encryption-password

advanced-tools package

/tool/sms: secret

wireless package

/interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2, static-key-3, static-sta-private-key
/interface/wireless/access-list: private-key, private-pre-shared-key

wireless-test package

/interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2, static-key-3, static-sta-private-key, management-protection-key
/interface/wireless/access-list: private-key, private-pre-shared-key, management-protection-key

user-manager package

/tool/user-manager/user: password
/tool/user-manager/customer: password

hotspot package

/ip/hotspot/user: password

ppp package

/ppp/secret: password

security package

/ip/ipsec/installed-sa: auth-key, enc-key
/ip/ipsec/manual-sa: ah-key, esp-auth-key, esp-enc-key
/ip/ipsec/peer: secret

routing package

/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key

routing-test package

/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key 


Default groups

There are three system groups which cannot be deleted:

[admin@rb13] > /user group print
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default 

 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default

 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
[admin@rb13] >

Please note that even the "read" group includes sensitive, reboot and other important policies, so this group should not be given to untrusted users. For truly limited groups, create a custom group that defines only the required policies. All groups have access to file operations.

An exclamation sign '!' immediately before a policy item name means NOT (the policy is not granted).

Example

To add a reboot group that is allowed to reboot the router locally or via telnet, as well as read the router's configuration, enter the following command:

[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default 

 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default

 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default

 3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=default
[admin@rb13] user group>
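Because the policy list uses a fixed layout with '!' marking policies that are not granted, the output of "/user group print" can be audited mechanically against the warning above that even the built-in "read" group carries reboot, sensitive and similar policies. The following Python script is an added example and is not part of the MikroTik documentation or of RouterOS: it parses constructed "/user group print" output in the layout shown above (the three built-in groups plus the custom "reboot" group), resolves which policies each group actually grants, and reports the high-impact ones. The HIGH_IMPACT set is this example's own selection based on the policy descriptions above, and group_add_command only assembles the command text used in the example above.

```python
import re

# Policies this example treats as high-impact: they appear even in the
# built-in "read" group, so a group granting them should not be handed to
# untrusted users. The selection is the example's own choice.
HIGH_IMPACT = {"sensitive", "reboot", "write", "policy", "ftp",
               "sniff", "test", "password"}

# Constructed sample in the layout of "/user group print": the three
# built-in groups plus the custom "reboot" group from the example above.
SAMPLE_PRINT = """\
 0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!write,!policy,!dude skin=default
 1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,tikapp,!ftp,!policy,!dude skin=default
 2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp skin=default
 3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp skin=default
"""

GROUP_RE = re.compile(r'^\s*\d+\s+name="(?P<name>[^"]*)"\s+policy=(?P<policy>\S+)')


def parse_groups(text):
    """Map each group name to the set of policies it grants.

    A '!' prefix on a policy item means NOT, so such items are dropped.
    """
    groups = {}
    for line in text.splitlines():
        match = GROUP_RE.match(line)
        if not match:
            continue
        items = match.group("policy").split(",")
        groups[match.group("name")] = {p for p in items if not p.startswith("!")}
    return groups


def audit_group(granted):
    """Return the sorted list of high-impact policies a group grants."""
    return sorted(granted & HIGH_IMPACT)


def audit(text):
    """Run audit_group over every group in a '/user group print' dump."""
    return {name: audit_group(g) for name, g in parse_groups(text).items()}


def group_add_command(name, policies):
    """Assemble the '/user group add' command for a custom least-privilege group."""
    return f'/user group add name={name} policy={",".join(sorted(policies))}'


if __name__ == "__main__":
    for name, risky in audit(SAMPLE_PRINT).items():
        print(f'{name:8} {", ".join(risky) if risky else "no high-impact policies"}')
    print(group_add_command("reboot", {"telnet", "reboot", "read", "local"}))
```

Run against the sample, the custom "reboot" group is reported with only the reboot policy, while "read" is reported with password, reboot, sensitive, sniff and test, which is exactly the point of the note above.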

Router Users

Sub-menu: /user


The router user database stores information about router management personnel, such as username, password, allowed access addresses and group.


Properties

Property Description
address (IP/mask | IPv6 prefix; Default: ) Host or network address from which the user is allowed to log in
group (string; Default: ) Name of the group the user belongs to
name (string; Default: ) User name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols.
password (string; Default: ) User password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols.
last-logged-in (time and date; Default: "") Read-only field. Last time and date when user logged in.

Notes

There is one predefined user with full access rights:

[admin@MikroTik] user> print
Flags: X - disabled
  #   NAME                                             GROUP ADDRESS    LAST-LOGGED-IN
  0   ;;; system default user
      admin                                            full  0.0.0.0/0  dec/08/2010 16:19:24

[admin@MikroTik] user>

There should always be at least one user with full access rights. If the user with full access rights is the only one, it cannot be removed.

Monitoring Active Users

Sub-menu: /user active

The /user active print command shows the currently active users along with the respective statistics information.


Properties

All properties are read-only.

Property Description
address (IP/IPv6 address) Host IP/IPv6 address from which the user is accessing the router. 0.0.0.0 means that the user is logged in locally.
group (string) Group that the user belongs to.
name (string) User name.
radius (true | false) Whether the user is authenticated by a RADIUS server.
via (local | telnet | ssh | winbox | api | web | tikapp | ftp) User's access method.
when (time) Time and date when the user logged in.

Example

To print currently active users, enter the following command:

[admin@dzeltenais_burkaans] /user active> print detail 
Flags: R - radius 
 0   when=dec/08/2010 16:19:24 name="admin" address=10.5.8.52 via=winbox group=full 

 2   when=dec/09/2010 09:23:04 name="admin" address=10.5.101.38 via=telnet group=full 

 3   when=dec/09/2010 09:34:27 name="admin" address=fe80::21a:4dff:fe5d:8e56 via=api group=full 
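The address field on /user and the address, via and group fields shown by "/user active print detail" can be cross-checked to catch sessions that the current configuration would not permit. The Python below is an added example, not part of the RouterOS documentation: it parses constructed session lines in the layout shown above, flags sessions whose source address lies outside the user's currently allowed address (a sign the restriction was changed after login or never applied), and flags sessions over telnet or FTP, which carry the password unencrypted. The "ops" user and its /24 restriction are constructed; treating 0.0.0.0/0 as matching IPv6 sources follows the admin login from fe80:: shown above, and rejecting any other IPv4/IPv6 mismatch is this example's own assumption.

```python
import ipaddress
import re

# Constructed: the address restriction from each user's /user entry.
# admin is the unrestricted default user; "ops" is confined to a
# management subnet for the purpose of this example.
USER_ADDRESS = {
    "admin": "0.0.0.0/0",
    "ops": "10.5.8.0/24",
}

# Constructed sample in the layout of "/user active print detail".
ACTIVE_PRINT = """\
Flags: R - radius
 0   when=dec/08/2010 16:19:24 name="admin" address=10.5.8.52 via=winbox group=full
 1   when=dec/09/2010 09:10:00 name="ops" address=10.5.8.20 via=ssh group=read
 2   when=dec/09/2010 09:23:04 name="ops" address=10.5.101.38 via=telnet group=read
 3   when=dec/09/2010 09:34:27 name="admin" address=fe80::21a:4dff:fe5d:8e56 via=api group=full
"""

SESSION_RE = re.compile(
    r'when=(?P<when>\S+ \S+)\s+name="(?P<name>[^"]*)"\s+'
    r'address=(?P<address>\S+)\s+via=(?P<via>\S+)\s+group=(?P<group>\S+)')

# Access methods that send the password unencrypted.
CLEARTEXT_VIA = {"telnet", "ftp"}


def parse_sessions(text):
    """Return one dict per session line; the Flags header and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        match = SESSION_RE.search(line)
        if match:
            sessions.append(match.groupdict())
    return sessions


def address_allowed(allowed, source):
    """Does the session source fall inside the user's allowed address?

    0.0.0.0/0 is treated as unrestricted for IPv6 too, matching the admin
    login from fe80:: shown above. Any other IPv4/IPv6 mismatch is treated
    as not allowed; that part is this example's assumption.
    """
    if allowed == "0.0.0.0/0":
        return True
    network = ipaddress.ip_network(allowed, strict=False)
    source_ip = ipaddress.ip_address(source)
    return source_ip.version == network.version and source_ip in network


def audit_sessions(user_address, text):
    """Flag sessions from unknown users, outside the allowed address, or over cleartext protocols."""
    findings = []
    for session in parse_sessions(text):
        issues = []
        allowed = user_address.get(session["name"])
        if allowed is None:
            issues.append("unknown-user")
        elif not address_allowed(allowed, session["address"]):
            issues.append("address")
        if session["via"] in CLEARTEXT_VIA:
            issues.append("cleartext")
        if issues:
            findings.append({**session, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_sessions(USER_ADDRESS, ACTIVE_PRINT):
        print(f'{f["when"]} {f["name"]} from {f["address"]} via {f["via"]}: {", ".join(f["issues"])}')
```

On the sample, only session 2 is reported: "ops" is logged in from 10.5.101.38, outside 10.5.8.0/24, and over telnet.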

Remote AAA

Sub-menu: /user aaa

Router user remote AAA enables router user authentication and accounting via a RADIUS server. The RADIUS user database is consulted only if the required username is not found in the local user database.


Properties

Property Description
accounting (yes | no; Default: yes) Enable RADIUS accounting
exclude-groups (list of group names; Default: ) Groups that must not be used for users authenticated by RADIUS. If the RADIUS server provides a group specified in this list, default-group is used instead. This protects against privilege escalation, where a user without the policy permission could change the RADIUS server list, set up their own RADIUS server and log in as admin.
default-group (string; Default: read) User group used by default for users authenticated via a RADIUS server.
interim-update (time; Default: 0s) Interim-Update time interval
use-radius (yes | no; Default: no) Enable user authentication via RADIUS



Note: If you are using RADIUS, you need to have CHAP support enabled in the RADIUS server for Winbox to work
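The interaction between use-radius, default-group and exclude-groups described above is easy to get wrong, so here is an added Python model of it (example code, not RouterOS's implementation): auth_source applies the rule that the local database is consulted first and RADIUS only for usernames not found locally, and effective_group applies exclude-groups and default-group to the group a RADIUS server returns. The local user database is a constructed sample, and the comma-separated list syntax assembled by aaa_set_command for exclude-groups (modelled on policy=) is an assumption.

```python
from dataclasses import dataclass

# Constructed sample of the local user database consulted before RADIUS.
LOCAL_USERS = {"admin": "full"}


@dataclass(frozen=True)
class AaaSettings:
    """The /user aaa settings this model cares about."""
    use_radius: bool = False
    default_group: str = "read"
    exclude_groups: frozenset = frozenset()


def auth_source(username, aaa, local_users=LOCAL_USERS):
    """Which database authenticates a login attempt.

    The local database is consulted first; RADIUS is asked only when the
    username is unknown locally and use-radius=yes. Otherwise there is no
    source and the login fails.
    """
    if username in local_users:
        return "local"
    if aaa.use_radius:
        return "radius"
    return None


def effective_group(radius_group, aaa):
    """Group a RADIUS-authenticated user ends up in.

    No group from the server -> default-group. A group listed in
    exclude-groups -> default-group as well, which is the privilege
    escalation guard the documentation describes.
    """
    if radius_group is None or radius_group in aaa.exclude_groups:
        return aaa.default_group
    return radius_group


def aaa_set_command(aaa):
    """Assemble the '/user aaa set' command; comma-separated list syntax assumed."""
    parts = [
        f"use-radius={'yes' if aaa.use_radius else 'no'}",
        f"default-group={aaa.default_group}",
    ]
    if aaa.exclude_groups:
        parts.append("exclude-groups=" + ",".join(sorted(aaa.exclude_groups)))
    return "/user aaa set " + " ".join(parts)


# Weak setting: RADIUS enabled with no excluded groups, so whatever group a
# RADIUS server returns is honoured, including "full".
WEAK = AaaSettings(use_radius=True)
# Hardened setting: a server-supplied "full" or "write" falls back to "read".
HARDENED = AaaSettings(use_radius=True, exclude_groups=frozenset({"full", "write"}))

if __name__ == "__main__":
    for label, aaa in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, aaa_set_command(aaa))
        print("  RADIUS returns full ->", effective_group("full", aaa))
        print("  RADIUS returns no group ->", effective_group(None, aaa))
    print("admin ->", auth_source("admin", HARDENED), "| alice ->", auth_source("alice", HARDENED))
```

With the weak settings a RADIUS reply naming "full" yields the full group; with "full" and "write" excluded the same reply yields the default "read", which is the escalation path the exclude-groups description closes.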


SSH Keys

Sub-menu: /user ssh-keys


This menu allows importing public keys used for SSH authentication.


Warning: Once an SSH key is added for a user, that user is no longer allowed to log in via SSH with a password.



Properties:

Property Description
user (string; Default: ) Username to which the SSH key is assigned.


Read-only properties:

Property Description
key-owner (string)


When importing an SSH key with the /user ssh-keys import command you will be asked for two parameters:

  • public-key-file - name of the file in the router's root directory containing the key.
  • user - name of the user to which the key will be assigned


Private keys

Sub-menu: /user ssh-keys private

This menu is used to import and list imported private keys. Private keys are used to verify public keys of remote devices.

Read-only properties:

Property Description
user (string)
key-owner (string)


When importing SSH keys from this sub-menu with the /user ssh-keys private import command you will be asked for three parameters:

  • private-key-file - name of the file in the router's root directory containing the private key.
  • public-key-file - name of the file in the router's root directory containing the public key.
  • user - name of the user to which the key will be assigned

Example

Read full example >>