general_settings_for_user_authentication_and_accounting.pdf

AAA
Document revision 2.1 (Fri Dec 17 18:28:01 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Router User Groups
Property Description
Notes
Example
Router Users
Property Description
Notes
Example
Monitoring Active Router Users
Property Description
Example
Router User Remote AAA
Property Description
Notes
Example
Local Point-to-Point AAA
Local PPP User Profiles
Description
Property Description
Notes
Example
Local PPP User Database
Description
Property Description
Example
Monitoring Active PPP Users
Property Description
Example
PPP User Remote AAA
Property Description
Notes
Example
Local IP Traffic Accounting
Description
Property Description
Notes
Page 1 of 20
Example
Local IP Traffic Accounting Table
Description
Property Description
Notes
Example
Web Access to the Local IP Traffic Accounting Table
Description
Property Description
Example
RADIUS Client Setup
Description
Property Description
Notes
Example
Suggested RADIUS Servers
Description
Supported RADIUS Attributes
Description
Troubleshooting
Description
General Information
Summary
The Authentication, Authorization and Accounting (AAA) feature provides local and/or remote (on a
RADIUS server) management of Point-to-Point and HotSpot users, together with traffic accounting
(all IP traffic passing through the router is accounted).
Specifications
Packages required: system
License required: level1
Home menu level: /user, /ppp, /ip accounting, /radius
Standards and Technologies: RADIUS
Hardware usage: Local traffic accounting requires additional memory
Related Documents
Package Management
IP Addresses and ARP
HotSpot Gateway
PPP and Asynchronous Interfaces
PPPoE
PPTP
L2TP
ISDN
Description
The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA)
functionality.
Local authentication is performed by consulting the User Database and the Profile Database. The
configuration is collected from three places: the item in the User Database for the username, the
item in the Profile Database that is associated with that user, and the item in the Profile Database
that is set as the default for the service the user is authenticating to. Settings taken from the
default profile for the service are overridden by the respective settings from the user's profile, and
the resulting settings are overridden by the respective settings taken from the User Database (the only
exception is that particular IP addresses take precedence over IP pools in the local-address and
remote-address settings, as described later on).
RADIUS authentication gives the ISP or network administrator the ability to manage PPP user
access and accounting from one server throughout a large network. The MikroTik RouterOS has a
RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The
attributes received from the RADIUS server override the ones set in the default profile; any
parameters that are not received are taken from the respective default profile.
Traffic is accounted locally as Cisco IP pairs, and a snapshot of the accounting table can be gathered
using Syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the
RADIUS server that is the default for that service.
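The two override chains described above (default profile for the service, then the user's profile, then the User Database entry for local authentication; default profile then received attributes for RADIUS) can be written down as a small resolver. This is an added example, not RouterOS code: the setting names (local-address, remote-address, rate-limit) and every sample value are constructed, and whether the particular-IP-over-pool exception also applies to RADIUS attributes is not stated on this page, so the example assumes it does not.

```python
"""Resolve a user's effective settings the way the Description above lays out.

Added example, not RouterOS code.  Setting names and sample values are
constructed for illustration only.
"""
from ipaddress import ip_address

# The two settings where a particular IP address takes precedence over an
# IP pool name, whichever layer each of them comes from (the stated exception).
ADDRESS_KEYS = ("local-address", "remote-address")


def is_ip_address(value):
    """True for a literal IP address, False for anything else (e.g. a pool name)."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def override(lower, higher, address_exception=True):
    """Return `lower` with every setting present in `higher` overriding it.

    A value of None means 'not carried by this layer' and leaves the lower
    value in place.  With address_exception, a literal IP address already in
    `lower` is kept when `higher` only names a pool for the same key.
    """
    result = dict(lower)
    for key, value in higher.items():
        if value is None:
            continue
        if (address_exception and key in ADDRESS_KEYS
                and is_ip_address(result.get(key, ""))
                and not is_ip_address(value)):
            continue  # particular IP address beats an IP pool
        result[key] = value
    return result


def effective_local(service_default_profile, user_profile, user_entry):
    """Local authentication: service default profile < user's profile < User Database entry."""
    settings = override(service_default_profile, user_profile)
    return override(settings, user_entry)


def effective_radius(service_default_profile, radius_attributes):
    """RADIUS authentication: received attributes override the default profile;
    attributes not received fall back to it.  Assumption: the address
    exception is not applied to RADIUS attributes (the page does not say)."""
    return override(service_default_profile, radius_attributes, address_exception=False)


# Constructed sample records (not taken from any real router).
DEFAULT_PROFILE = {"local-address": "10.0.0.1", "remote-address": "dhcp-pool",
                   "rate-limit": "256k/256k"}
USER_PROFILE = {"remote-address": "vip-pool", "rate-limit": "1M/1M"}
USER_ENTRY = {"local-address": "lan-pool", "remote-address": "10.0.0.77"}
RADIUS_ATTRS = {"rate-limit": "512k/512k", "remote-address": None}  # None = not received

if __name__ == "__main__":
    print(effective_local(DEFAULT_PROFILE, USER_PROFILE, USER_ENTRY))
    print(effective_radius(DEFAULT_PROFILE, RADIUS_ATTRS))
```

In the local chain the user's entry names a pool for local-address, but the default profile's literal 10.0.0.1 is kept; for remote-address the user's literal 10.0.0.77 wins over both pools. In the RADIUS case the attribute that was not received is simply taken from the default profile.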
Router User Groups
Home menu level: /user group
Property Description
name ( name ) - the name of the user group
policy ( multiple choice: local | telnet | ssh | ftp | reboot | read | write | policy | test | web ; default:
!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!web ) - group rights set
local - user can log on locally via console
telnet - user can log on remotely via telnet
ssh - user can log on remotely via secure shell
ftp - user can log on remotely via ftp and send and retrieve files from the router
reboot - user can reboot the router
read - user can retrieve the configuration
write - user can retrieve and change the configuration
policy - user can manage user policies and add and remove users
test - user can run ping, traceroute, bandwidth test
web - user can log on remotely via winbox
Notes
There are three system groups which cannot be deleted:
[admin@MikroTik] user group> print
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
[admin@MikroTik] user group>
An exclamation sign '!' just before a policy name means NOT (that right is denied to the group).
Example
To add a reboot group that is allowed to reboot the router locally or using telnet, as well as read the
router's configuration:
[admin@MikroTik] user group> add name=reboot policy=telnet,reboot,read
[admin@MikroTik] user group> print
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
3 name="reboot"
policy=!local,telnet,!ssh,!ftp,reboot,read,!write,!policy,!test,!web
[admin@MikroTik] user group>
Note that the printed policy still shows !local: the add command granted only telnet, reboot and read, so
local must also be listed in the policy if members of the group are to log on from the console.
Router Users
Home menu level: /user
Property Description
address ( IP address/mask ; default: 0.0.0.0/0 ) - IP address from which the user is allowed to log in
group ( name ) - name of the group the user belongs to
name ( name ) - user name. Although it must start with an alphanumeric character, it may contain the
"*", "_", ".", "@" symbols
password ( text ; default: "" ) - user password. If not specified, it is left blank (hit [Enter] when
logging in). It conforms to standard Unix characteristics of passwords and can contain letters, digits,
"*" and "_" symbols
Notes
There is one predefined user that cannot be deleted:
[admin@MikroTik] user> print
Flags: X - disabled
  #   NAME                       GROUP   ADDRESS
  0   ;;; system default user
      admin                      full    0.0.0.0/0
[admin@MikroTik] user>
Once logged in, a user can change his or her password using the /password command. The user
is required to enter the current password before entering the new one. The new password must be
used the next time the user logs out and logs in again.
Example
To add user joe with password j1o2e3 belonging to write group:
[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
1 name="joe" group=write address=0.0.0.0/0
[admin@MikroTik] user>
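The group policy strings explained in Router User Groups and the per-user group and address properties above are what an administrator reviews when checking who can change the router from where. The following is an added example, not RouterOS code: it parses the text shape of the `/user group print` and `/user print` output shown on this page and flags users whose group carries a modifying right (ftp, write or policy, an auditor's choice, not a RouterOS category) while their address is left at the default 0.0.0.0/0, i.e. with no restriction on the login source. The sample output is constructed; it repeats the page's three system groups and adds a user ops restricted to 10.0.0.0/24.

```python
"""Least-privilege audit of RouterOS user groups and users.

Added example, not RouterOS code.  The sample 'print' output is constructed
to match the format shown on this page.
"""
import re
from ipaddress import ip_network

ALL_RIGHTS = ("local", "telnet", "ssh", "ftp", "reboot", "read",
              "write", "policy", "test", "web")
# Rights that let a user alter the router or its accounts (assumption: this
# grouping is the auditor's choice, not a RouterOS setting).
SENSITIVE = frozenset({"ftp", "write", "policy"})

KV_RE = re.compile(r'([A-Za-z][\w-]*)=("([^"]*)"|\S+)')
INDEX_RE = re.compile(r"(\d+)\s*(.*)")


def parse_policy(policy):
    """'local,telnet,!ssh,...' -> set of granted rights ('!' means NOT)."""
    granted = set()
    for item in policy.split(","):
        item = item.strip()
        if not item or item.startswith("!"):
            continue
        if item not in ALL_RIGHTS:
            raise ValueError(f"unknown policy {item!r}")
        granted.add(item)
    return granted


def parse_print(output):
    """Turn 'print' output into a list of dicts, one per numbered item.

    A record starts at a line beginning with its index number; ';;;' comment
    text, the Flags line and the prompt lines are skipped.
    """
    records, current = [], None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Flags:", "[admin@")):
            continue
        m = INDEX_RE.match(stripped)
        if m:
            current = {}
            records.append(current)
            stripped = m.group(2)
        if stripped.startswith(";;;") or current is None:
            continue
        for key, raw, quoted in KV_RE.findall(stripped):
            current[key] = quoted if raw.startswith('"') else raw
    return records


def audit(groups, users):
    """Return (name, group, risky rights) for users holding a sensitive right
    while allowed to log in from any address (address=0.0.0.0/0, the default)."""
    rights_by_group = {g["name"]: parse_policy(g["policy"]) for g in groups}
    findings = []
    for user in users:
        rights = rights_by_group.get(user["group"], set())
        allowed_from = ip_network(user.get("address", "0.0.0.0/0"), strict=False)
        risky = sorted(rights & SENSITIVE)
        if risky and allowed_from.prefixlen == 0:
            findings.append((user["name"], user["group"], risky))
    return findings


# Constructed sample output in the format printed on this page.
GROUP_PRINT = """\
[admin@MikroTik] user group> print
0 ;;; users with read only permission
name="read"
policy=local,telnet,ssh,!ftp,reboot,read,!write,!policy,test,web
1 ;;; users with write permission
name="write"
policy=local,telnet,ssh,!ftp,reboot,read,write,!policy,test,web
2 ;;; users with complete access
name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,web
[admin@MikroTik] user group>
"""

USER_PRINT = """\
[admin@MikroTik] user> print
Flags: X - disabled
0 ;;; system default user
name="admin" group=full address=0.0.0.0/0
1 name="joe" group=write address=0.0.0.0/0
2 name="ops" group=full address=10.0.0.0/24
[admin@MikroTik] user>
"""


def run_audit():
    """Audit the constructed sample; returns the list of findings."""
    return audit(parse_print(GROUP_PRINT), parse_print(USER_PRINT))


if __name__ == "__main__":
    for name, group, risky in run_audit():
        print(f"{name} (group {group}) may use {', '.join(risky)} from any address")
```

On the sample, admin and joe are reported because their groups grant modifying rights and their address is unrestricted, while ops (group full, but limited to 10.0.0.0/24 through the address property) is not.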
Monitoring Active Router Users
Home menu level: /user active print
Property Description
address ( read-only: IP address ) - IP address from which the user is accessing the router
0.0.0.0 - the user is logged in locally
name ( read-only: name ) - user name
via ( read-only: console | telnet | ssh | web ) - user's access method
when ( read-only: date ) - log-in time
Example
[admin@MikroTik] user> active print
Flags: R - radius
  #   WHEN                  NAME     ADDRESS       VIA
  0   feb/21/2003 17:48:21  admin    0.0.0.0       console
  1   feb/24/2003 22:14:48  admin    10.0.0.144    ssh
  2   mar/02/2003 23:36:34  admin    10.0.0.144    web
[admin@MikroTik] user>