disable local login accounts when radius is reachable and responding

Hi all.
We are using a RADIUS server only for login via ssh/winbox.

Is there any way to disable local accounts when the RADIUS server is reachable and answering?
So:
When network admins try to log into the RB, use RADIUS, and when (and only when) RADIUS is not responding, try to use the local admin account. So in a standard environment the local admin account is unusable. When something on the network fails and RADIUS is not reachable or not answering, the RB can be accessed via the local admin account.
We are using this scheme on 3com/HP/Cisco switches and now I'm trying to set this up on MikroTik, but without success.

You can use a script-based workaround, like I did.
Run this every minute from the scheduler. It is quite lame, works only with a single local user and a single RADIUS server.
Whenever it detects outgoing requests with timeouts/bad replies, it will enable the specified local user.
If it responds again, it will disable it.

       # Local fallback account that is toggled by this script
       :local username "test";
       # Counters of RADIUS entry 0 since the last reset
       :local radius [/radius monitor 0 once as-value ];
       :local valid (($radius->"accepts") + ($radius->"rejects"));
       :local invalid (($radius->"bad-replies") + ($radius->"timeouts"));
       :local requests (($radius->"requests"))
       :local userenabled (![/user get $username disabled])
       :local lradiusup;

       # Only decide when at least one request was sent in this interval
       :if ($requests > 0) do={

       # RADIUS is down when there was no valid answer and at least one timeout/bad reply
       :if ($valid = 0) do={ \
           :if ($invalid > 0) do={ :set lradiusup false; } else={ :set lradiusup true; } } else={ :set lradiusup true; }

       # Change the local user only when its state does not match the RADIUS state
       :if ($userenabled != !$lradiusup) do={ \
           :if ($lradiusup = true) \
                do={ /user disable $username; :log info "RADIUS working, disabling local user $username" } \
                else={ /user enable $username; :log info "RADIUS down, enabling local user $username" };
           }
       }

       # Start the next interval from zero
       /radius reset-counters
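
An added variant of the script above (not part of the original post, and not tested by its author) that sums the counters over every enabled RADIUS entry, so the local account is only unlocked when no configured server gives a valid answer. The user name `test` comes from the post; the loop over `/radius find` is an assumption about how to generalize the single-server check.

```routeros
# Added example: multi-server version of the break-glass check.
# Assumes a local user named "test" and one or more enabled /radius entries.
:local username "test"
:local valid 0
:local invalid 0
:local requests 0

# Sum the counters of every enabled RADIUS entry since the last reset.
:foreach id in=[/radius find where disabled=no] do={
    :local r [/radius monitor $id once as-value]
    :set valid ($valid + ($r->"accepts") + ($r->"rejects"))
    :set invalid ($invalid + ($r->"bad-replies") + ($r->"timeouts"))
    :set requests ($requests + ($r->"requests"))
}

# No requests in this interval: nothing to judge, keep the current state.
:if ($requests > 0) do={
    # RADIUS counts as down only if no server gave a valid answer
    # and at least one request timed out or got a bad reply.
    :local radiusup true
    :if (($valid = 0) && ($invalid > 0)) do={ :set radiusup false }
    :local userdisabled [/user get [find name=$username] disabled]

    :if ($radiusup && !$userdisabled) do={
        /user disable [find name=$username]
        :log warning "RADIUS answering, local user $username disabled"
    }
    :if (!$radiusup && $userdisabled) do={
        /user enable [find name=$username]
        :log warning "RADIUS not answering, local user $username enabled"
    }
}

# Start the next interval from zero.
/radius reset-counters
```

Logging the state change at `warning` level makes each unlock of the local account easy to pick out in the router log or a remote syslog.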

[quote=neu post_id=657511 time=1524742033 user_id=118637]
Instead of messing with complexity, you can use RADIUS Authentication alone.

I think your RADIUS server is in a remote location, so you are getting issues.

You can also install your own RADIUS server and connect it directly to your router. Nowadays any normal desktop computer is more than enough to install a RADIUS server.



If you want a Professional RADIUS, Billing, Customer Management try [REDACTED]
[/quote]

But did you join the forum just to advertise?



What you have written has nothing to do with “disable local login accounts when radius is reachable and responding”

Hi all,
I want to do the same thing. I use a RADIUS server with AD authentication and want to stop local users when RADIUS is responding. Is there some way to do this on RouterOS version 6.43 or newer?
Kind Regards
Danail