Router User AAA
Document revision: 2.3 (Fri Jul 08 11:58:32 GMT 2005)
Applies to: V2.9
General Information
Summary
This document provides a summary, configuration reference and examples for router user management.
Specifications
Packages required: system
License required: Level1
Submenu level: /user
Hardware usage: Not significant
Related Documents
Description
The MikroTik RouterOS router user facility manages the users connecting to the router from the local console, via serial terminal, telnet, SSH or Winbox. Users are authenticated using either the local database or a designated RADIUS server.
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.
If user authentication is performed using RADIUS, the RADIUS client must be configured beforehand under the /radius submenu.
Router User Groups
Submenu level: /user group
Description
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
Property Description
name (name) - the name of the user group
policy (multiple choice: local | telnet | ssh | ftp | reboot | read | write | policy | test | web; default: !local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!web) - group policy item set
telnet - policy that grants rights to log in remotely via telnet
ssh - policy that grants rights to log in remotely via secure shell protocol
ftp - policy that grants rights to log in remotely via FTP and to transfer files from and to the router
reboot - policy that allows rebooting the router
read - policy that grants read access to the router's configuration. All console commands that do not alter the router's configuration are allowed
write - policy that grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well
policy - policy that grants user management rights. Should be used together with write policy
test - policy that grants rights to run ping, traceroute, bandwidth-test and wireless scan, sniffer and snooper commands
web - policy that grants rights to log in remotely via WebBox
winbox - policy that grants rights to log in remotely via WinBox
password - policy that grants rights to change the password
Notes
There are three system groups which cannot be deleted:
[admin@rb13] > /user group print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
3 name="test" policy=ssh,read,policy,!local,!telnet,!ftp,!reboot,!write,!test,!winbox,!password,!web
[admin@rb13] >
An exclamation sign '!' immediately before a policy item name means NOT: that item is not granted to the group.
Example
To add a reboot group that is allowed to reboot the router locally or using telnet, as well as read the router's configuration, enter the following command:
[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
1 name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
2 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
3 name="reboot" policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web
[admin@rb13] user group>
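The policy strings above are easy to get subtly wrong (write without read, policy without write, or a group that grants no login method at all). The following is an added example, not part of the RouterOS manual or any MikroTik tool: it parses the policy syntax described in this section, including the '!' negation, and audits '/user group print' output for those caveats. The sample output and the "ops" group are constructed for illustration.

```python
import re

# Policy items listed in this page's /user group property reference.
POLICY_ITEMS = {"local", "telnet", "ssh", "ftp", "reboot", "read",
                "write", "policy", "test", "web", "winbox", "password"}
# Items that let a member of the group actually reach the router.
LOGIN_ITEMS = {"local", "telnet", "ssh", "ftp", "web", "winbox"}

def parse_policy(policy):
    """Turn a policy string such as 'local,telnet,read,!ftp,!write' into the
    set of granted items. A leading '!' means NOT, so that item is not granted."""
    granted = set()
    for item in policy.split(","):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("!")
        if name not in POLICY_ITEMS:
            raise ValueError("unknown policy item: %s" % name)
        if not item.startswith("!"):
            granted.add(name)
    return granted

def check_group(name, policy):
    """Return findings for one group, based on the caveats in the reference:
    write does not imply read, policy should go together with write, and a
    group with no login method granted cannot be used to reach the router."""
    granted = parse_policy(policy)
    findings = []
    if "write" in granted and "read" not in granted:
        findings.append("%s: write without read" % name)
    if "policy" in granted and "write" not in granted:
        findings.append("%s: policy without write" % name)
    if not granted & LOGIN_ITEMS:
        findings.append("%s: no login method granted" % name)
    return findings

def audit_group_print(output):
    """Parse '/user group print' output (one 'name="..." policy=...' entry per
    group, even when the entries have been joined on one line) and audit each."""
    findings = []
    for name, policy in re.findall(r'name="([^"]+)"\s+policy=([\w,!]+)', output):
        findings.extend(check_group(name, policy))
    return findings

# Constructed sample: two groups from the example above plus one deliberately
# misconfigured "ops" group (hypothetical, not a RouterOS default).
SAMPLE = ('0 name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy '
          '1 name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web '
          '2 name="ops" policy=write,policy,!local,!telnet,!ssh,!ftp,!reboot,!read,!test,!winbox,!password,!web')
```

Running `audit_group_print(SAMPLE)` reports only the "ops" group; the system groups pass.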
Router Users
Submenu level: /user
Description
The router user database stores information about router management personnel: username, password, allowed access addresses and group.
Property Description
address (IP address/netmask; default: 0.0.0.0/0) - host or network address from which the user is allowed to log in
group (name) - name of the group the user belongs to
name (name) - user name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols
password (text; default: "") - user password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols
Notes
There is one predefined user with full access rights:
[admin@MikroTik] user> print
Flags: X - disabled
# NAME GROUP ADDRESS
0 ;;; system default user
admin full 0.0.0.0/0
[admin@MikroTik] user>
There should always be at least one user with full access rights. If the user with full access rights is the only one, it cannot be removed.
Example
To add user joe with password j1o2e3 belonging to the write group, enter the following command:
[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
1 name="joe" group=write address=0.0.0.0/0
[admin@MikroTik] user>
Monitoring Active Router Users
Command name: /user active print
Description
This command shows the currently active users along with the respective statistics information.
Property Description
address (read-only: IP address) - host IP address from which the user is accessing the router
telnet - user is logged in remotely via telnet
ssh - user is logged in remotely via secure shell protocol
winbox - user is logged in remotely via WinBox tool
Example
To print currently active users, enter the following command:
[admin@rb13] user> active print
Flags: R - radius
# WHEN NAME ADDRESS VIA
0 feb/27/2004 00:41:41 admin 1.1.1.200 ssh
1 feb/27/2004 01:22:34 admin 1.1.1.200 winbox
[admin@rb13] user>
Router User Remote AAA
Submenu level: /user aaa
Description
Router user remote AAA enables router user authentication and accounting via a RADIUS server.
Property Description
accounting (yes | no; default: yes) - specifies whether to use RADIUS accounting
default-group (name; default: read) - user group used by default for users authenticated via RADIUS server
interim-update (time; default: 0s) - RADIUS Interim-Update interval
use-radius (yes | no; default: no) - specifies whether a user database on a RADIUS server should be consulted
Notes
The RADIUS user database is consulted only if the required username is not found in the local user database.
Example
To enable RADIUS AAA, enter the following command:
[admin@MikroTik] user aaa> set use-radius=yes
[admin@MikroTik] user aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
[admin@MikroTik] user aaa>
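To make the lookup order concrete, here is an added model of the login decision described in the Router Users and Remote AAA sections; it is illustrative code, not RouterOS's implementation. It applies the per-user address restriction, consults the local database first, and asks RADIUS only for usernames the local database does not know, assigning default-group when the server returns none. The user databases, passwords and the 10.0.0.0/8 restriction on joe are constructed for the example.

```python
import hmac
import ipaddress

# Constructed local user database modelled on the /user print examples above;
# passwords are placeholders and joe's address restriction is added for illustration.
LOCAL_USERS = {
    "admin": {"password": "Adm1n-placeholder", "group": "full", "address": "0.0.0.0/0"},
    "joe":   {"password": "j1o2e3", "group": "write", "address": "10.0.0.0/8"},
}
# Constructed stand-in for the RADIUS server's user database; a None group
# means the server returned no group, so default-group applies.
RADIUS_USERS = {"alice": {"password": "al1ce-placeholder", "group": None}}
# Mirrors the /user aaa settings shown in the example above.
AAA = {"use-radius": True, "default-group": "read"}

def authenticate(name, password, src_ip, local=LOCAL_USERS,
                 radius=RADIUS_USERS, aaa=AAA):
    """Return (accepted, group, database) for one login attempt.
    The local database decides the outcome whenever it knows the username,
    even on a wrong password or a disallowed source address; RADIUS is asked
    only for names absent locally, and only if use-radius=yes."""
    user = local.get(name)
    if user is not None:
        allowed = ipaddress.ip_network(user["address"], strict=False)
        if ipaddress.ip_address(src_ip) not in allowed:
            return (False, None, "local")
        if not hmac.compare_digest(user["password"], password):
            return (False, None, "local")
        return (True, user["group"], "local")
    if not aaa["use-radius"]:
        return (False, None, "local")
    entry = radius.get(name)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return (False, None, "radius")
    return (True, entry["group"] or aaa["default-group"], "radius")
```

Note that a locally defined user who fails authentication is never retried against RADIUS, so a local account shadows any RADIUS account of the same name.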