I was wondering if it was possible to either use a Mikrotik, or other software application to use as a centralized authentication point? We have many Mikrotiks throughout our company and we wish to move away from having a shared “admin” password because you never know who did what when something wrong happens, so I would like everybody in my team to have their own login, but I don’t want to have to manage 20+ logins on all our routers in every branch office etc.
I was wondering whether, with User Manager, or a Radius server on Linux, it was possible to set up credentials for Winbox logins?
Yes. You could use a RADIUS server like User Manager for example.
To enable the router to authenticate against a RADIUS server, just click the “AAA” button in the users menu, and check the “Use RADIUS” checkbox. The exact RADIUS server parameters can be set at the “Radius” menu.
Are all Radius users limited to a single authentication group?
In Winbox, under Users, AAA, there’s a “Default Group” drop down, does that mean all users have to use this profile?
The reason why I ask this is because we would like some less experienced users to only be able to view configuration, issues, logs, etc., but not able to change anything without consulting a senior technician (to avoid issues, like disconnecting a remote site by accident, etc.).
You must configure the RADIUS server to also send an actual group name. AFAIK, if the group doesn’t exist, the login will fail, but I don’t use RADIUS, so it might be that the default group is used as a fallback then.
(disregarding RADIUS for a second, this setting is actually used when you call “/user add” from a terminal)
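
The setup discussed in this thread as a RouterOS terminal script; this is an added example, not posted by anyone in the thread. The server address `192.0.2.10`, the secret placeholder and the group names `noc-readonly` and `noc-admin` are assumptions, and the RADIUS server is assumed to return the MikroTik vendor attribute `Mikrotik-Group` (vendor 14988, attribute 3) with one of those group names for each user.

```routeros
# Added example. Names, address and secret are placeholders (assumptions).

# 1. Local groups that the RADIUS-supplied group name must match.
#    Junior staff: view config and logs over Winbox/SSH, no changes.
/user group add name=noc-readonly \
    policy=read,test,winbox,ssh,!write,!policy,!reboot,!ftp,!sensitive \
    comment="RADIUS users: view only"

#    Senior staff: full configuration rights.
/user group add name=noc-admin \
    policy=read,write,policy,test,reboot,sensitive,winbox,ssh \
    comment="RADIUS users: full access"

# 2. RADIUS client entry used for router logins (Winbox, SSH, ...).
#    service=login restricts this server to management logins only.
/radius add service=login address=192.0.2.10 \
    secret="REPLACE_WITH_SHARED_SECRET" \
    comment="central login authentication"

# 3. Same as Users > AAA > "Use RADIUS" in Winbox.
#    default-group is set to the least-privileged group as a precaution,
#    so that wherever it is applied it grants view rights only.
#    accounting=yes sends login/logout records to the RADIUS server,
#    which gives the per-person audit trail the shared password lacked.
/user aaa set use-radius=yes default-group=noc-readonly accounting=yes

# 4. Checks after a test login with a personal account:
/radius print detail
/user aaa print
/user active print
```

Run the same script on every router; accounts and their group assignment then live only on the RADIUS server.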