Have just installed a hAP lite at a customer’s site (a small fitness center).
Customer asked to get access to the unit in order to change the WPA2 key when needed (they are offering wifi access to their members).
I’m hesitant to give them full admin access. Looked at the user settings, but didn’t find a way to limit access to specific parts of the configuration.
Question: is it possible to limit user access (preferably by Winbox) to setting just the encryption keys and maybe a few other, non-vital parts of the router?
Another (much easier) way might be creating a limited skin for WebFig which will give access only to this setting. I do not have my own experience with it, but I saw several posts doing this. For example, here is a pretty nice tutorial
Can you lock that to a user, so they cannot add the missing view?
Since you need a username and password to log in to the web, can you prevent the same user from logging in using Winbox (mac-connection)?
Certainly you can! The policy “sensitive” controls (among other features) whether a user sees or does not see the “design skin” button. (I just tested it myself)
Again - yes. All you need is to disable corresponding policies.
For my testing, I ended up with the following user group:
/user group
add name=wireless policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=wireless
With this, the user can’t log in via local console, ssh, winbox, telnet (including mac-winbox and mac-telnet) and others…
Only the “web” service is allowed. The user can read/write settings, but thanks to the limited skin, nothing except the wireless password can be changed.
This method may not be 100% secure against hackers, but c’mon - all you need is to hide stuff from common folks so they don’t play with buttons they don’t understand.
Thanks for good suggestions!
Haven’t looked into WebFig yet, but will do soon.
If setting up WebFig with a new skin on a router - is there a way to export or copy it to another unit - maybe with a (slightly) different configuration?
Thanks for the interesting info about WebFig.
Have tried to set up a new skin and have disabled access to several things. Have kept mainly the wireless settings, the logs and system (for upgrading software). Then added a new user and a new (limited) group and assigned the new skin to this user. When logging in as the limited user I still see all options, even those I tried to exclude. Guess I’m doing something wrong, but can’t figure out what it is.
Thanks for the feedback and congrats that you made it work!
I couldn’t figure out what you might have got wrong, as I don’t really have much experience with WebFig.
Just one last piece of advice:
Letting your customer update software is risky. Especially last year, it is not uncommon that new versions come with issues, and I wouldn’t dare to upgrade without reading the changelog.
Even though you limited the access in WebFig, keep in mind that it is an HTTP server and it might have some unknown vulnerabilities (all of them have: MikroTik, Cisco, TP-Link, etc.). It is recommended to limit access to the HTTP service as much as possible with the firewall.
Thanks!
Yes, I’m aware of the risks related to using a web-based tool.
Have blocked all access to port 80 from the outside and also allowed the www service from addresses within the LAN. Hope this will be OK.
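Putting the thread’s two pieces together (the restricted group with a WebFig skin posted above, and the later advice to limit the HTTP service with the firewall), here is the whole configuration as a single RouterOS CLI sequence. This is an added example, not a configuration posted by anyone in the thread. It assumes the router still has the default MikroTik layout: LAN on 192.168.88.0/24, the Internet-facing port in the interface list "WAN", and a skin already saved by the admin as skins/wireless.json. The user name "gymstaff" and the password are placeholders to replace.

```routeros
# Added example (not from the thread). Assumptions: LAN = 192.168.88.0/24,
# interface list "WAN" exists, skin file skins/wireless.json exists,
# "gymstaff" and the password are placeholders.

# 1. Group: read/write through the web service only. Every other service is
#    negated, and "!sensitive" removes the "design skin" button so the user
#    cannot add back the views the skin hides. "!policy" stops them creating
#    groups, "!password" stops them changing their own password via the UI.
/user group add name=wireless skin=wireless \
    policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp"

# 2. The customer's account, bound to that group (not to "full").
/user add name=gymstaff group=wireless password="CHANGE-ME-TO-A-LONG-PASSPHRASE"

# 3. Restrict who may even open the HTTP listener, and switch off services
#    nobody at the site needs. The address filter is enforced by RouterOS
#    before authentication, so it also shields WebFig from unknown bugs.
/ip service set www address=192.168.88.0/24
/ip service disable telnet,ftp,api,api-ssl

# 4. Belt and braces: drop TCP/80 arriving from the WAN in the input chain,
#    placed at the top so no earlier "accept" rule lets it through.
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=80 \
    action=drop comment="no WebFig from the Internet" place-before=0

# 5. Checks to run after applying.
/user group print detail where name=wireless
/user print where name=gymstaff
/ip service print where name=www
/ip firewall filter print where chain=input
```

Test it the way the earlier post did: log in as the placeholder user from a LAN browser and confirm that only the wireless security settings are editable and that the skin designer button is gone; then try Winbox and mac-telnet with the same credentials and confirm both are refused. On the question of reusing the skin on another unit: WebFig stores each skin as a JSON file under the router’s skins/ folder (an assumption worth checking on your RouterOS version), so copying that file to the same folder on the second router via Winbox Files, FTP or SCP and then assigning it with skin= in the group should carry it over, provided the menu paths it hides exist on the other box.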