Winbox Login over Windows Server RADIUS

Hello,

With Winbox login authentication over Windows Server 2012 RADIUS and AD, is it possible to configure different AD groups with different levels of access on Mikrotik devices, and how?

Example:
Network-Admins AD group → full access
Network-Operators AD group → read access

Thanks.

I don’t know about RADIUS on Windows, but on FreeRADIUS we send a RADIUS reply containing:

MikroTik-Group=full

which maps onto the user group on the Router.

Hope that helps
Nick

Thanks for the effort but I was hoping for a more detailed answer specific to Windows Server RADIUS implementation.

After reading the MikroTik Wiki on AAA with RADIUS and some googling on setting up Windows Server IAS for Remote Access Policies, I worked out this…
When you create the two Remote Access Policy Profiles on the Windows server (one for full access and one for read access), in the Advanced tab of the profile, click on add a ‘Vendor-Specific’ Attribute. On the Multivalued Attribute Information window, add an attribute value using vendor code 14988, then under ‘Configure Attribute’ input 3 as the vendor-assigned attribute number, the format as ‘String’ and the value as “full”. For the second “read” profile, input “read”.

Hi, thanks for digging out the details. They sound promising.
Winbox logins work fine with this setup; however, the access level is still dictated by the “Default Group” value (read/write/full/custom) on the Mikrotik device itself under System->Users->AAA.

Is any complementing configuration on Mikrotik side required in order to make access types work as desired?

It appears I had the case of the group wrong. By me stating you use =Full or =Read, the MikroTik RB was trying to match the group name exactly. There is no security group called “Full” or “Read”. It is “full” or “read”. Apologies.

I have edited my post to correct the error

I believe I configured everything as explained, but the access level is still controlled on the Mikrotik.
When I log in with an account that is supposed to have full access according to the RADIUS policy, it ends up getting read access, most likely due to the default group value on RouterOS, which is, by the way, a mandatory setting once RADIUS is enabled.

RADIUS screenshot:

Mikrotik screenshot:

Did you make the changes I suggested? Also, your images are not working.

Yes, I did make the changes.

Right-click the image icon → open in new tab/window should load the screenshots.

If not here are the links:

https://ibb.co/eybdDy

https://ibb.co/iikMYy

The string is “MikroTik-Group=full” not “Mikrotik-Group=full” (and ‘=read’ of course)
Try making that change and re-test

Hi, unfortunately the capital T didn’t make a difference.

If you enable radius,debug logging on the router, does it reveal any clues?

One of the entries in red says:
system,error,critical group MikroTik-Group=full does not exist, using default one.

Screenshot
https://ibb.co/iNVRrJ

I do not know anything about the Windows RADIUS server, but shouldn’t you specify the vendor code, and the value should be “full”, not “Mikrotik-Group=full”?
At least that’s how it looks from the screenshots you provided.

mrz, you are right! The attribute value should match the name of one of the groups available on the Mikrotik device.
nest, thank you very much for excellent guidance and troubleshooting tips.

To summarize, the following values worked:

Vendor code: 14988
Under ‘Configure Attribute’:
Vendor-assigned attribute number: 3
Attribute format: String
Attribute value: full (or any other group name available on Mikrotik)
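As an added example (not part of this thread, and not MikroTik’s or Microsoft’s code), the Python below encodes the Vendor-Specific attribute that the NPS/IAS profile summarized above puts into the Access-Accept (type 26, vendor 14988, vendor-assigned number 3, String), parses it back out of a RADIUS attribute list, and models the router-side decision that produced the “does not exist, using default one” error: the string has to match a RouterOS group name exactly, case included, or the AAA default group wins. The group set, the default group and the log wording are assumptions modelled on the thread, and all packet bytes are constructed inline.

```python
import struct
from typing import Iterator, List, Optional, Set, Tuple

# RFC 2865 attribute type and the MikroTik vendor values from the thread
VENDOR_SPECIFIC = 26        # RFC 2865 "Vendor-Specific" attribute
MIKROTIK_VENDOR_ID = 14988  # MikroTik's enterprise number (the NPS "vendor code")
MIKROTIK_GROUP = 3          # vendor-assigned attribute number, format String


def encode_mikrotik_group(group: str) -> bytes:
    """Build the Vendor-Specific attribute that carries Mikrotik-Group=<group>.

    Wire layout (RFC 2865 section 5.26):
      Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | String
    """
    value = group.encode("ascii")
    if not 1 <= len(value) <= 247:      # 255 max attribute length minus 8 header bytes
        raise ValueError("group name must be 1..247 ASCII bytes")
    vendor_part = struct.pack("!BB", MIKROTIK_GROUP, 2 + len(value)) + value
    body = struct.pack("!I", MIKROTIK_VENDOR_ID) + vendor_part
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(attrs: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a raw RADIUS attribute list, yielding (type, value) pairs."""
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("invalid attribute length")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen


def mikrotik_group_from_reply(attrs: bytes) -> Optional[str]:
    """Return the Mikrotik-Group string in an Access-Accept, or None if absent."""
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != MIKROTIK_VENDOR_ID:
            continue
        vtype, vlen = value[4], value[5]
        if vtype == MIKROTIK_GROUP and 2 <= vlen <= len(value) - 4:
            return value[6:4 + vlen].decode("ascii", errors="replace")
    return None


def resolve_group(attrs: bytes, router_groups: Set[str], default_group: str,
                  log: List[str]) -> str:
    """Model of the router-side decision (assumption, not RouterOS code): an exact,
    case-sensitive match against the locally defined user groups, otherwise the
    AAA default group. The log text mimics the message quoted in the thread."""
    group = mikrotik_group_from_reply(attrs)
    if group is not None and group in router_groups:
        return group
    if group is not None:
        log.append(f"group {group} does not exist, using default one")
    return default_group


if __name__ == "__main__":
    ROUTER_GROUPS = {"read", "write", "full"}   # RouterOS built-in groups (assumed set)
    log: List[str] = []
    # The three values tried in the thread, in the order they were tried
    for value in ("MikroTik-Group=full", "Full", "full"):
        reply = encode_mikrotik_group(value)
        print(f"NPS value {value!r:>22} -> {reply.hex()} -> "
              f"{resolve_group(reply, ROUTER_GROUPS, 'read', log)}")
    print("\n".join(log))
```

Running it shows the first two values falling back to the default group and only the bare, lowercase `full` being honoured; comparing the hex against a packet capture of the Access-Accept is a quick way to confirm that NPS is sending vendor 14988 / type 3 rather than a differently formatted attribute.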

Thanks - I have edited my post to show the correct method.