Would like to request a simple toggle where local users can be used to access MikroTik (SSH, WinBox, Telnet) only if all login RADIUS servers are down. This would greatly help in securing MikroTik, since most of the time we have to share the local user password whenever there is a network outage preventing RADIUS access, so we can never disable the local account for these cases.
In other words, if a single login RADIUS server is up, then reject any local user.
If all login RADIUS servers are down, then allow local user accounts.
@elecx, do it with netwatch:
If the RADIUS IP is not reachable, enable user “test”;
when it is reachable again, disable user “test”.
Obviously, if RADIUS is blocked but the IP still replies to ping, the user “test” is not enabled.
I tried to disable the admin user with a netwatch script but was unable to, since admin is the only local user for me. Error message: “failure: the user is last one with full access permissions”. Do you have any suggestion to enable this functionality with only the local admin user available?
On all OSes I know, you can’t disable the last admin.
On all OSes I know, keeping the “admin” (or similar) user as admin is for dummies.
Every time, another user must be created, the true admin, with a non-dummy name (not root or superuser).
Often one unknown user is better than a very super strong password…
I understand the issues with disabling the admin user, especially if it is the only local account. I am looking for a way to make the local users available only if RADIUS is down (down with ping or service not responding). This seems like a basic feature which is available on other platforms. Alternatively, use RADIUS first and try to authenticate, and if RADIUS responds with deny or drop, then use the local user database as a last resort. I guess the best solution currently is to create another admin user and disable the default admin user to prevent login with user “admin” for the moment.
IP and interface reply will be the same whether using RADIUS or a local user, so that does not make sense. I could, however, change the “Allowed Address” on the admin user to some dummy address like “0.0.0.0/32” when RADIUS is reachable and remove it when it is not reachable, using netwatch.
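The netwatch workaround discussed in the thread (the user enable/disable from the earlier reply and the “Allowed Address” variant from the last post), written out as an added RouterOS example. This is not code posted by any participant. It assumes a RADIUS server at 10.0.0.10 (placeholder), a placeholder shared secret, and a separate break-glass local user named “rescue”; the 0.0.0.0/32 dummy address is the poster’s own suggestion and is not verified here.

```routeros
# Added example for the thread above; not posted by any participant.
# Assumptions: RADIUS login server 10.0.0.10 (placeholder), secret <secret>,
# and a break-glass local user "rescue" (placeholder name) besides "admin".

# 1. Send logins to RADIUS first.
/radius add service=login address=10.0.0.10 secret=<secret>
/user aaa set use-radius=yes

# 2. Break-glass account with full rights, kept disabled while RADIUS answers.
/user add name=rescue group=full password=<long-random-password> disabled=yes \
    comment="enabled by netwatch only while RADIUS is unreachable"

# 3. One netwatch entry flips both controls on the RADIUS host state:
#    - "rescue" is disabled while the host is up and enabled when it is down;
#    - "admin" (which cannot be disabled when it is the last full-access user)
#      gets a dummy allowed address while the host is up and has it cleared
#      when the host is down (0.0.0.0/32 taken from the post above).
/tool netwatch add host=10.0.0.10 interval=30s timeout=2s \
    comment="RADIUS reachability gate for local logins" \
    up-script="/user set [find name=rescue] disabled=yes; /user set [find name=admin] address=0.0.0.0/32" \
    down-script="/user set [find name=rescue] disabled=no; /user set [find name=admin] address=\"\""
```

As the earlier reply points out, netwatch here only tests ICMP reachability of the RADIUS address: if the host answers ping but the RADIUS service is blocked or not responding, the netwatch entry stays “up” and the local accounts remain locked out. Treat the 30s interval as the window during which an outage is not yet reflected in the user settings.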