Hello all,
I’ve read a lot about RADIUS and MikroTik but I have not found a solution. (I have this already working for Cisco devices)
What do we have:
AD group Mikrotik-Read
AD group Mikrotik-Write
Radius Server
Login authentication:
- Accounting
- Interim Update
- Default group read
- Exclude Groups
What's working with this setup:
User can login via SSH with read permissions.
What do we want:
User A added to group Mikrotik-Read can login via SSH with read permissions
User B added to group Mikrotik-Write can login via SSH with write permissions
Any hints on which setup I have to use for it?
Many thanks
Peer-Mario
Hi all, at last I got it working by myself.
For all others who struggle with this issue:
AD
add two groups eg:
mikrotik_read_access
mikrotik_write_access
/system/user/aaa
check “Use Radius”
/system/user/group
add a group, e.g. read_access, and add policies like ssh, read, web (or whatever the read group should have access to)
add a group, e.g. write_access, and add policies like ssh, read, write, web (or whatever the write group should have access to)
Network Policy Server (here Windows 2016)
add network policies
- eg. mikrotik_read_access
- eg. mikrotik_write_access
The important thing here is the Settings tab:
Vendor Specific
add new attribute
Enter Vendor Code - 14988
check "Yes. It conforms"
click on “Configure Attribute”
Vendor-assigned attribute number: 3
Attribute format: string
Attribute value for read access:
you have to use the user group name you have configured in your MikroTik upfront; here we used read_access
Attribute value for write access:
you have to use the user group name you have configured in your MikroTik upfront; here we used write_access
Kr, Peer-Mario
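As an added example that is not part of Peer-Mario's post (nor MikroTik or Microsoft code), the following Python shows what the NPS settings above become on the wire: the RFC 2865 Vendor-Specific attribute (type 26) with vendor code 14988 and vendor-assigned attribute 3 (Mikrotik-Group) carrying the RouterOS group name as a string. It also shows the check a NAS performs before it trusts such a reply: recomputing the Response Authenticator from the shared secret, so a host that does not know the secret cannot hand out write_access by spoofing an Access-Accept. The secret, identifier and Request Authenticator are constructed sample values, and the function names (`mikrotik_group_vsa`, `group_for_login`, `demo`) are this example's own, not RouterOS or NPS API names. The fallback to a default group when no VSA is present mirrors the "Default group read" setting from the post, but is modelled here, not taken from RouterOS source.

```python
# Added example (not from the forum post): encode and verify the RADIUS
# Vendor-Specific attribute that NPS sends for the MikroTik group, so you can
# see what "Vendor Code 14988 / attribute 3 / string" looks like on the wire and
# how a NAS should validate the Access-Accept before trusting the group inside.
import hashlib
import hmac
import struct

MIKROTIK_VENDOR_ID = 14988       # the vendor code entered in the NPS dialog
MIKROTIK_GROUP_TYPE = 3          # vendor-assigned attribute number (Mikrotik-Group)
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
CODE_ACCESS_ACCEPT = 2
HEADER_LEN = 20                  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed sample values for the demonstration only (not real credentials).
SAMPLE_SECRET = b"radius-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # stands in for the Access-Request's Request Authenticator
SAMPLE_IDENTIFIER = 0x2A


def mikrotik_group_vsa(group: str) -> bytes:
    """Build Vendor-Specific(26): Type, Length, Vendor-Id, then Vendor-Type,
    Vendor-Length, value, as laid out in RFC 2865 section 5.26."""
    value = group.encode("utf-8")
    inner = struct.pack("!BB", MIKROTIK_GROUP_TYPE, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), MIKROTIK_VENDOR_ID) + inner


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: list) -> bytes:
    """Assemble an Access-Accept with a valid Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, HEADER_LEN + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a reply that fails this check did not
    come from a server holding the shared secret and must not be acted upon."""
    if len(packet) < HEADER_LEN:
        return False
    header, received, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, received)


def parse_attributes(data: bytes) -> list:
    """Walk a run of Type/Length/Value attributes (also used for the vendor-internal
    TLVs) and reject malformed lengths instead of reading past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (a_len, pos))
        out.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return out


def extract_mikrotik_group(packet: bytes):
    """Return the Mikrotik-Group string from an Access-Accept, or None if absent."""
    for a_type, value in parse_attributes(packet[HEADER_LEN:]):
        if a_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
            continue                      # some other vendor's VSA, ignore it
        for v_type, v_value in parse_attributes(value[4:]):
            if v_type == MIKROTIK_GROUP_TYPE:
                return v_value.decode("utf-8")
    return None


def group_for_login(packet: bytes, request_auth: bytes, secret: bytes, default_group: str = "read"):
    """Model of the NAS decision (hypothetical, not RouterOS code): verify the reply,
    refuse anything but Access-Accept, and fall back to the default group when no
    Mikrotik-Group VSA is present, as with 'Default group read' in the post."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: reply not from our RADIUS server")
    if packet[0] != CODE_ACCESS_ACCEPT:
        return None                       # login denied
    return extract_mikrotik_group(packet) or default_group


def demo() -> dict:
    """Build the reply each NPS policy would send, plus one with no VSA at all."""
    results = {}
    for policy_group in ("read_access", "write_access"):
        reply = build_access_accept(SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                                    [mikrotik_group_vsa(policy_group)])
        results[policy_group] = group_for_login(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    no_vsa = build_access_accept(SAMPLE_IDENTIFIER, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [])
    results["no_vsa"] = group_for_login(no_vsa, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    return results


if __name__ == "__main__":
    print(mikrotik_group_vsa("read_access").hex())
    print(demo())
```

Two practical points follow from this. First, the string inside the VSA must match a group name that already exists under /user/group on the router byte for byte; a mismatch or a missing VSA leaves the user in the default group, which is why the question's setup gave everyone read access. Second, the Response Authenticator is only as strong as the shared secret and the MD5 construction behind it, so keep the RADIUS secret long and unique per NAS and, where both sides support it, carry the exchange over an encrypted transport rather than trusting the network path between the router and NPS.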