Passwords for hundreds/thousands of devices

I am looking for real world experiences with managing passwords for hundreds to thousands of devices. Do you use the same password for all? A different password for each device? If the latter then how do you manage the passwords?

Thanks. :slight_smile:

SSH keys …

SSH keys .

How do you manage passwords for hundreds or thousands of Winbox logins?

What do you mean by “manage”?

You shouldn’t use local passwords at all for this kind of deployment. Look into asymmetric crypto (SSH public keys) and/or centralized authentication (RADIUS, etc.).

Try using RADIUS login with AAA.

Sent from my Redmi Note 2 using Tapatalk

I am new to the whole WISP thing. Hence my asking. I probably should have posted this question in Beginner Basics. With respect to Mikrotik devices I am still at the ELI5 (explain like I’m five) stage. :slight_smile:

What do you mean by “manage”?

I am not referring to customers but company personnel. Routine maintenance and configuration. To modify a RouterOS system with Winbox/Webfig requires a password.

What to do when there are hundreds or thousands of APs, routers, CPEs, backhauls, etc. Winbox, Webfig, etc. Using a single password for common device types is easier to remember but less secure. Complex passwords are more difficult to remember but more secure. A common security recommendation is never use the same password in more than one place. Convenience and security often conflict. Storing passwords in Winbox provides convenience but is not secure should the computer get compromised. Encrypting hard drives is an option but does not help once the user decrypts the hard drive for actual use. Password managers might help but are less convenient.

Try using RADIUS login with AAA.

I understand the basic idea of RADIUS but I emphasize basic. I never have configured a RADIUS server. Do you mean configuring the RADIUS server to allow access only from MAC addresses of certain workstations or field laptops? Do you mean creating multiple user accounts on each Mikrotik device?

We generate unique passwords for each router and treat these as one-off tokens when routers do not have connectivity.

Centralised RADIUS authentication with permission profiles being applied via AD group membership. We process RADIUS logs and automatically blackhole abusive IPs.

SSH key authentication is used by rancid to revision configuration and a separate key to make mass changes.

We use FreeRADIUS with a custom Perl AD authentication module. I have notes on how to easily integrate a Windows based solution (Radiator) using Strawberry Perl to use AD group memberships to effect security group membership.

Works with SSH and Winbox.

I am researching security issues and best practices for a new WISP owner.

All of the WISP backend is Linux based. No Windows except for the office.

There is a FreeRADIUS server used for authenticating CPEs and APs but not being used to authenticate Mikrotik routers. I am not yet familiar with how FreeRADIUS works or what needs to be done to absorb Mikrotik routers into the fold.

Winbox is used exclusively for accessing RouterOS systems. Webfig is not used because there are no certificates yet generated.

Occasionally SSH is used to access Mikrotik routers but not using key pairs.

The Winbox password for the routers is not lengthy or complex. The same password is used for all routers. I think it is a nightmare waiting to happen.

After reading around the web until my head hurt and eyes glazed, the following seems recommended practice:

  • Use a unique password for every device.

  • Use complex passwords. That the password can be memorized should not be a priority with hundreds or thousands of devices.

  • Use an encrypted password manager because few people on this planet can memorize hundreds or thousands of passwords.

  • Use a password generator to create truly unique passwords. Human generated passwords are fine for a few systems but with hundreds or thousands of systems, human generated passwords likely create password patterns.

  • With hundreds or thousands of passwords, creating memorizable passwords is more or less futile because few people can memorize that many passwords – back to using an encrypted password manager that stores unique passwords for each device.

Am I on the right track or out in left field?

Thanks. :slight_smile:

I would like to know if there is a better method, but the way I’ve implemented it is to run up a copy of Windows Server, install Active Directory and Network Policy Server and set it up accordingly (wasn’t easy to figure out from scratch, but once understood it’s quite straightforward).
This server acts as a RADIUS server for logins. The tricky thing is Windows Server is not directly compatible with Mikrotik for authentication requests by RADIUS because Mikrotik requires the use of reversible encryption. But anyhow it is possible to enable this in Windows; then I lock that server down so it can only be accessed from very restricted locations.

Then I configure this RADIUS server in a Mikrotik, tick the login box and then change the local login on the router to be unique (and store this in a safe encrypted location). The local logins are only used when the device doesn’t have internet and thus can’t talk to the RADIUS server, or simply as a backup login method. Only admins have access to this.

Net result is each Mikrotik is logged into by using a username and password unique to each staff member. To disable a staff member or change their password we do it only once on the Windows Server; we don’t need to login to each Mikrotik device.
I wrote a script for this, it’s simply copy and paste and it automatically sets up user groups, RADIUS server, script and scheduler. The script updates the RADIUS server IP address and shared key if it changes. The script does multiple port knocks and then downloads the updated details from an FTP server.
I feel this is pretty secure and it allows us to make a broad change if necessary by editing the config file on the FTP server, and all MikroTiks will apply these changes within 24hrs.
The RADIUS server is heavily firewalled and secured and it is possible to move or rebuild it from scratch should anything go wrong. The FTP server is protected behind port knocks and passwords, and all users get to use their own login. And finally login attempts are logged by each router and sent to a remote syslog server, so if a router gets hacked or loses connectivity we know who to blame and shame, I mean change their password and revert config.
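As an added example (not the poster’s script), these RouterOS CLI commands implement the core of the setup described above: RADIUS for Winbox/SSH/web logins with a read-only default group, a unique local fallback admin password, and remote syslog for login events. The addresses 192.0.2.10 (RADIUS) and 192.0.2.20 (syslog), the shared secret and the password are placeholders.

```routeros
# Added example, not the poster's script. 192.0.2.10 (RADIUS), 192.0.2.20 (syslog)
# and the secret/password values are placeholders to replace per deployment.

# RADIUS server used for logins (this is the "login" service the poster ticks).
# A short timeout so an unreachable RADIUS server falls back to the local
# user database quickly instead of hanging every Winbox login.
/radius add service=login address=192.0.2.10 secret="REPLACE-WITH-SHARED-SECRET" timeout=3s

# Send login authentication to RADIUS; users for whom the server returns no
# group land in the built-in read-only group, and sessions are accounted.
/user aaa set use-radius=yes default-group=read accounting=yes

# Local fallback account: unique per device, generated and kept in the
# encrypted password manager, only used when the router cannot reach RADIUS.
/user set admin password="REPLACE-WITH-UNIQUE-PER-DEVICE-PASSWORD"

# Ship login events off the box so successful logins (system,info,account)
# and failed logins (system,error,critical) survive a compromised router.
/system logging action add name=remote-syslog target=remote remote=192.0.2.20 remote-port=514
/system logging add topics=system,info action=remote-syslog
/system logging add topics=critical action=remote-syslog
```

The RADIUS server itself must still carry the per-user accounts and return the group (read/write/full) for each; this only covers the router side.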