Difference between revisions of "Manual:Router AAA"

From MikroTik Wiki
Jump to navigation Jump to search
m
 
(41 intermediate revisions by 4 users not shown)
Line 1: Line 1:
{{Versions|2.9, v3, v4}}
The article is moved to our [https://help.mikrotik.com/docs/display/ROS/User new manual!]
 
<div class=manual>
 
<h2>Summary</h2>
<p><b>Sub-menu:</b> <code>/user</code></p>
<br />
<p>
MikroTik RouterOS router user facility manage the users connecting the router from the local console, via serial terminal, telnet, SSH or Winbox. The users are authenticated using either local database or designated RADIUS server.
</p>
<p>
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.
</p>
<p>
In case the user authentication is performed using RADIUS, the [[RADIUS Client]] should be previously configured.
</p>
 
<h2>User Groups</h2>
<p><b>Sub-menu:</b> <code>/user group</code></p>
<p>
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
</p>
 
<h3>Properties</h3>
 
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>The name of the user group</td>
</tr>
<tr>
    <td><var><b>policy</b></var> (<em>local | telnet | ssh | ftp | reboot | read | write | policy | test | web</em>; Default: <b></b>)</td>
    <td>group policy item set
      <ul class="bullets">
          <li><var>local</var> - policy that grants rights to log in locally via console
          <li><var>telnet</var> - policy that grants rights to log in remotely via telnet
          <li><var>ssh</var> - policy that grants rights to log in remotely via secure shell protocol
          <li><var>ftp</var> - policy that grants full rights to log in remotely via FTP and to transfer files from and to the router. Users with this policy can both read, write and erase files, regardless of "read/write" permission, as that deals only with RouterOS configuration.
          <li><var>reboot</var> - policy that allows rebooting the router
          <li><var>read</var> - policy that grants read access to the router's configuration. All console commands that do not alter router's configuration are allowed. Doesn't affect FTP
          <li><var>write</var> - policy that grants write access to the router's configuration, except for user management. This policy does not allow to read the configuration, so make sure to enable read policy as well
          <li><var>policy</var> - policy that grants user management rights. Should be used together with write policy
          <li><var>test</var> - policy that grants rights to run ping, traceroute, bandwidth-test and wireless scan, sniffer and snooper commands
          <li><var>web</var> - policy that grants rights to log in remotely via WebBox
          <li><var>winbox</var> - policy that grants rights to log in remotely via WinBox
          <li><var>password</var> - policy that grants rights to change the password
          <li><var>sensitive</var> - grants rights to see sentitive information in the router, see below list as to what is regarded as sensitive.
      </ul>
    </td>
</tr>
</table>
 
<h3>Sensitive information</h3>
 
Starting with RouterOS v3.27, the following information is regarded as sensitive, and can be hidden from certain user groups with the ''''sensitive'''' policy unchecked.
 
Also, since RouterOS v4.3, [[Configuration_Management#System_Backup|backup files]] are considered sensitive, and users without this policy will not be able to download them in any way.
 
'''system package'''
/radius: secret
/snmp/community: authentication-password, encryption-password
 
'''advanced-tools package'''
/tool/sms: secret
 
'''wireless package'''
 
/interface/wireless/security-profiles: wpa-pre-shared-key,
wpa2-pre-shared-key, static-key-0, static-key-1, static-key-2,
static-key-3, static-sta-private-key
/interface/wireless/access-list: private-key, private-pre-shared-key
 
'''wireless-test package'''
 
/interface/wireless/security-profiles: wpa-pre-shared-key, wpa2-pre-shared-key,
static-key-0, static-key-1, static-key-2, static-key-3, static-sta-private-key, management-protection-key
/interface/wireless/access-list: private-key, private-pre-shared-key, management-protection-key
 
'''user-manager package'''
 
/tool/user-manager/user: password
/tool/user-manager/customer: password
 
'''hotspot package'''
 
/ip/hotspot/user: password
 
'''ppp package'''
 
/ppp/secret: password
 
'''security package'''
/ip/ipsec/installed-sa: auth-key, enc-key
/ip/ipsec/manual-sa: ah-key, esp-auth-key, esp-enc-key
/ip/ipsec/peer: secret
 
'''routing package'''
 
/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key
 
'''routing-test package'''
 
/routing/bgp/peer: tcp-md5-key
/routing/rip/interface: authentication-key
/routing/ospf/interface: authentication-key
/routing/ospf/virtual-link: authentication-key
 
 
<h3>Notes</h3>
 
There are three system groups which cannot be deleted:
<pre>
[admin@rb13] > /user group print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
 
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
 
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
 
3 name="test" policy=ssh,read,policy,!local,!telnet,!ftp,!reboot,!write,!test,!winbox,!password,!web
[admin@rb13] >
</pre>
Exclamation sign '!' just before policy item name means NOT.
 
 
 
<h3>Example</h3>
 
To add reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration, enter the following command:
<pre>
[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
 
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
 
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
 
3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web
[admin@rb13] user group>
</pre>
 
<h2>Router Users</h2>
<p><b>Sub-menu:</b> <code>/user</code></p>
<br />
<p>
Router user database stores the information such as username, password, allowed access addresses and group about router management personnel.
</p>
 
<h3>Properties</h3>
 
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b> address </b></var> (<em>IP/mask</em>; Default: <b>0.0.0.0/0</b>)</td>
    <td>Host or network address from which the user is allowed to log in</td>
</tr>
<tr>
    <td><var><b>group</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>name of the group the user belongs to</td>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>User name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols</td>
</tr>
<tr>
    <td><var><b>password</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>User password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols</td>
</tr>
</table>
 
<h3>Notes</h3>
 
There is one predefined user with full access rights:
<pre>
[admin@MikroTik] user> print
Flags: X - disabled
  #  NAME                                            GROUP ADDRESS
  0  ;;; system default user
      admin                                            full  0.0.0.0/0
 
[admin@MikroTik] user>
</pre>
There always should be at least one user with fulls access rights. If the user with full access rights is the only one, it cannot be removed.
 
<h2>Monitoring Active Users</h2>
 
<p><b>Sub-menu:</b> <code>/user active</code></p>
<p>
<code>/user active print</code> command shows the currently active users along with respective statisics information.
</p>
 
<h3>Properties</h3>
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
 
<tr>
    <td><var><b>address</b></var> (<em>IP</em>)</td>
    <td>Host IP address from which the user is accessing the router. 0.0.0.0 means that user is logged in locally.</td>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>)</td>
    <td>User name</td>
</tr>
<tr>
    <td><var><b>via</b></var> (<em>console | telnet | ssh | winbox</em>)</td>
    <td>user's access method</td>
</tr>
<tr>
    <td><var><b>when</b></var> (<em>time</em>)</td>
    <td>Log in date and time</td>
</tr>
</table>
 
 
<h3>Example</h3>
To print currently active users, enter the following command:
<pre>
[admin@rb13] user> active print
Flags: R - radius
#  WHEN                NAME                                              ADDRESS        VIA
0  feb/27/2004 00:41:41 admin                                              1.1.1.200      ssh
1  feb/27/2004 01:22:34 admin                                              1.1.1.200      winbox
[admin@rb13] user>
</pre>
 
<h2>Remote AAA</h2>
<p><b>Sub-menu:</b> <code>/user aaa</code></p>
<p>
Router user remote AAA enables router user authentication and accounting via RADIUS server. The RADIUS user database is consulted only if the required username is not found in the local user database
</p>
 
 
<h3>Properties</h3>
 
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
 
<tr>
    <td><var><b> accounting </b></var> (<em>yes | no</em>; Default: <b>yes</b>)</td>
    <td>Enable RADIUS accounting</td>
</tr>
<tr>
    <td><var><b>default-group</b></var> (<em>string</em>; Default: <b>read</b>)</td>
    <td>user group used by default for users authenticated via RADIUS server</td>
</tr>
<tr>
    <td><var><b> interim-update </b></var> (<em>time</em>; Default: <b>0s</b>)</td>
    <td>Interim-Update time interval</td>
</tr>
<tr>
    <td><var><b> use-radius </b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Enable user authentication via RADIUS</td>
</tr>
</table>
 
{{Note|If you are using RADIUS, you need to have CHAP support enabled in the RADIUS server for Winbox to work}}
 
[[Category:Manual|A]]
[[Category:AAA|A]]

Latest revision as of 12:05, 21 January 2021

The article is moved to our new manual!