Trying to secure Mikrotik administration by forcing admins to authenticate against radius.
The idea is to have administrators not make use of shared single usernames and passwords for system administration and the associated problems.
It is unfortunately extremely easy for a sysadmin to add their own radius server to authenticate against in Mikrotik and create a backdoor.
I am not seeing any group rules that will help with this while still providing admins with enough freedom to administer systems.
Is there a solution to lock down radius (radsec) and user configuration?
.
what's with good old trust ?
.
or maybe our MTikl-friends add a radius-tickbox … end of story … your complaint makes sense … seems not to be a very big story
.

.
other question … were you able to authenticate against a RADSEC-enabled server ?
.
haven't found a success-message on the forum …
.
[admin@chr] >
07:29:01 echo: radius,debug new request 0d:2a code=Access-Request service=login
07:29:01 echo: radius,debug sending 0d:2a to 192.168.222.25:8968
[admin@chr] >
.
when I set up a new radius-server with protocol 'radsec', debug shows that the related packet is leaving with destination port 8968 ??
.
draft says destination port is 2083 for radsec
.
while torching on my interface … there isn’t even a packet ? … seems Potemkin himself programmed that service : )
.
testing with the beta … maybe I should retry with production or testing
… so … did you make it with one of these ?
.
.
or maybe "radius" is already sensitive
.
… it smells sensitive : )
.
obviously something odd with the parser in the log-subsystem … communication is running on port 2083
.
[admin@tikki] >
15:05:47 echo: radius,debug new request 0d:5f code=Access-Request service=login
15:05:47 echo: radius,debug sending 0d:5f to 192.168.7.74:8968
15:05:47 echo: radius,debug RADSEC: failed to setup connection: handshake failed: unsupported certificate purpose (6)
15:05:48 echo: radius,debug timeout for 0d:5f
[admin@tikki] >
.

.
but my certificate is crap … “unsupported certificate purpose (6)” … nice … on server ? … on client ? … both ? … and what purpose is it ( .. or not) ?
at least both sides agree about things in Denmark
.

.
https://www.open.com.au/radiator/ref/RadSecCertificateValidation.html
.
… guess this is the point where I ask for a “generate RADSEC-Cert-pair” button … … jeez … why has it always to be pandemonium ?
.
the squirrel may be not really the fastest one on the ash … but nimble and diligent !
.
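An added example, not from the thread or from MikroTik: a small Python parser for RouterOS `radius,debug` lines (the sample log below is constructed after the posts above) that flags a logged destination port equal to the byte-swapped form of the RadSec port 2083, which is exactly what 8968 is (0x0823 read as 0x2308), matching the observation that the log prints 8968 while the connection really goes to 2083, and that collects the RADSEC handshake failure reasons for review.

```python
import re
import struct

# Constructed sample of RouterOS "radius,debug" output; host and request ids are made up.
SAMPLE_LOG = """\
15:05:47 echo: radius,debug new request 0d:5f code=Access-Request service=login
15:05:47 echo: radius,debug sending 0d:5f to 192.168.7.74:8968
15:05:47 echo: radius,debug RADSEC: failed to setup connection: handshake failed: unsupported certificate purpose (6)
15:05:48 echo: radius,debug timeout for 0d:5f
"""

RADSEC_PORT = 2083  # RADIUS over TLS (RFC 6614)

SEND_RE = re.compile(r"sending (?P<reqid>[0-9a-f]+:[0-9a-f]+) to (?P<host>[\d.]+):(?P<port>\d+)")
FAIL_RE = re.compile(r"RADSEC: failed to setup connection: (?P<reason>.+)$")


def byte_swapped(port: int) -> int:
    """Return the 16-bit port with its two bytes exchanged (network vs host byte order)."""
    return struct.unpack("<H", struct.pack(">H", port))[0]


def classify_port(port: int) -> str:
    """Label a logged destination port relative to the RadSec port."""
    if port == RADSEC_PORT:
        return "radsec"
    if port == byte_swapped(RADSEC_PORT):
        return "radsec-byteswapped"  # log rendering bug, not a real target port
    return "other"


def analyse(log: str) -> dict:
    """Extract outgoing requests (with a port classification) and handshake failure reasons."""
    sends, failures = [], []
    for line in log.splitlines():
        m = SEND_RE.search(line)
        if m:
            port = int(m.group("port"))
            sends.append({"reqid": m.group("reqid"), "host": m.group("host"),
                          "port": port, "kind": classify_port(port)})
            continue
        f = FAIL_RE.search(line)
        if f:
            failures.append(f.group("reason"))
    return {"sends": sends, "failures": failures}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```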
