I’d like to move away from local usernames/passwords and instead go entirely to RADIUS for logins. Problem i’m having is finding an easy way to classify devices into access levels
I want to use a single RADIUS server (in my case i’m using Windows NPS) and point all of out mikrotik routers at it, but only give certain users access to certain devices (i.e. new staff no access to core routers at all, other staff read but not full access for diagnosing etc)
I’ve used wireshark to analyse what is sent in a RADIUS request and there appears to be no clean easy way to classify a user. The only easily managed attribute I can find is that the devices send their name as NAS identity. I could use regex and rename all of our core routers to begin with i.e. C-[Name] and then a user would have to be a part of a higher permission group to get access, but i’m wondering if there’s a way to get mikrotik routers to send additional attributes in the RADIUS request. I.e. model number (blocking access to all CCR devices would help) or some other custom attribute