Radius shared secret password is visible

Hi.

I’m in the process of implementing radius login servers for our customer CPEs.

I was wondering why the radius shared secret is shown in clear-text in the CLI. I’ve been looking through the documentation and I’m not able to find anything about how to encrypt the shared secret password.

Is there any way to get RouterOS to hash the radius shared secret password with MD5 or SHA so it’s not visible to the user?

Any help will be appreciated.

TIA

Best regards
Kasper A.
Network engineer

If the user’s group doesn’t have access to “sensitive” they won’t see any passwords.

Is it possible for a user to have write access but not “sensitive”? If yes, how do I control that “user-group” using radius login?
We have a large group of supporters who need access and a lot of routers, so it’s not an option if we have to build a local user-group containing the different users as these would change over time.

Is it possible to send an option via radius - maybe the class attribute 25 or something similar to control the “sensitive” parameter?

TIA

Best regards
Kasper A.
Network engineer

You send a radius option which controls which group a user is in.

How we handle this:

# create a totally restricted group as a base radius group - additional security
/user group
add name=restricted
# if no group specified in radius option use the totally restricted group - additional security
/user aaa
set default-group=restricted use-radius=yes

Then create your groups, like one without sensitive, one for read only, etc…

Then send a radius option with the group name for the user which logs in.
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client/vendor_dictionary
Send the “Mikrotik-Group” option with the group name for the user.
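
The setup described in this thread, put together as an added example that is not part of the original posts. The group name "support", the user "alice", the server address 192.0.2.10 and the angle-bracket placeholders are assumptions, and the server side is shown as a FreeRADIUS "users" entry in comments.

```routeros
# --- On each router (RouterOS CLI) ---

/user group
# Fallback group from the post above: applied when the RADIUS reply
# carries no Mikrotik-Group attribute.
add name=restricted
# Support group (name is an assumption): may log in and change configuration.
# "!sensitive" keeps passwords and secrets, including the RADIUS shared
# secret, hidden from these users; "!policy" withholds user management.
add name=support policy=ssh,winbox,read,write,test,!sensitive,!policy

# RADIUS server used for router logins (address and secret are placeholders).
/radius
add service=login address=192.0.2.10 secret="<shared-secret>"

# Authenticate logins against RADIUS; unknown or missing group -> restricted.
/user aaa
set use-radius=yes default-group=restricted

# Check what each group is actually allowed to do before rolling out.
/user group print detail

# --- On the RADIUS server (FreeRADIUS "users" file, constructed entry) ---
# The reply attribute names the RouterOS group the user is placed in.
#
#   alice   Cleartext-Password := "<password>"
#           Mikrotik-Group = "support"
#
# A user whose entry has no Mikrotik-Group line ends up in "restricted".
```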