ok1mgj
just joined
Topic Author
Posts: 4
Joined: Wed Jan 24, 2018 9:13 am

disable local login accounts when radius is reachable and responding

Wed Jan 24, 2018 9:32 am

Hi all.
We are using a RADIUS server only for login via ssh/winbox.

Is there any way to disable local accounts when the RADIUS server is reachable and answering?
So:
when network admins are trying to log into the RB, use RADIUS, and when (and only when) RADIUS is not responding, try to use the local admin account. So in a standard environment the local admin account is unusable. When something on the network fails and RADIUS is not reachable or not answering, the RB can be accessed via the local admin account.
We are using this scheme on 3com/HP/Cisco switches and now I'm trying to set this up on MikroTik, but without success.
 
rememberme
just joined
Posts: 19
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: disable local login accounts when radius is reachable and responding

Wed Apr 25, 2018 7:52 pm

+ 1
 
doneware
Trainer
Posts: 483
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: disable local login accounts when radius is reachable and responding

Wed Apr 25, 2018 11:50 pm

You can use a script-based workaround, like I did.
Run this every minute from the scheduler. It is quite lame, works only with a single local user and a single RADIUS server.
Whenever it detects outgoing requests with timeouts/bad replies, it will enable the specified local user.
If it responds again, it will disable it.
       # Local account to toggle; only this user and RADIUS entry 0 are handled
       :local username "test";
       # Snapshot of the counters accumulated since the last reset
       :local radius [/radius monitor 0 once as-value ];
       # An accept or a reject both mean the server answered
       :local valid (($radius->"accepts") + ($radius->"rejects"));
       # Bad replies and timeouts count as failures
       :local invalid (($radius->"bad-replies") + ($radius->"timeouts"));
       :local requests (($radius->"requests"))
       :local userenabled (![/user get $username disabled])
       :local lradiusup;

       # Decide only if at least one request was sent since the last run
       :if ($requests > 0) do={

       :if ($valid = 0) do={ \
           :if ($invalid > 0) do={ :set lradiusup false; } else={ :set lradiusup true; } } else={ :set lradiusup true; }

       :if ($userenabled != !$lradiusup) do={ \
           :if ($lradiusup = true) \
                do={ /user disable $username; :log info "RADIUS working, disabling local user $username" } \
                else={ /user enable $username; :log info "RADIUS down, enabling local user $username" };
           }
       }

       # Start the next one-minute interval from zero
       /radius reset-counters
#TR0359
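
Added example, not part of the post above: a Python model of the script's decision logic, run over constructed per-minute counter samples, to show where the local account ends up in the edge cases (idle minute, request with no counted reply, timeouts mixed with accepts). The field names mirror the counters the script reads; the function names and sample values are assumptions made for this illustration.

```python
from typing import List, NamedTuple, Optional


class Counters(NamedTuple):
    """Counters the script reads from /radius monitor, as seen in one run."""
    requests: int = 0
    accepts: int = 0
    rejects: int = 0
    bad_replies: int = 0
    timeouts: int = 0


def radius_up(c: Counters) -> Optional[bool]:
    """Return the script's verdict, or None when it makes no decision."""
    if c.requests == 0:
        return None  # nothing sent since the last reset: state is left alone
    valid = c.accepts + c.rejects          # a reject still proves the server answered
    invalid = c.bad_replies + c.timeouts
    return not (valid == 0 and invalid > 0)


def step(local_enabled: bool, c: Counters) -> bool:
    """One scheduler run: local account state after the script has executed."""
    up = radius_up(c)
    return local_enabled if up is None else not up


def simulate(samples: List[Counters], local_enabled: bool = False) -> List[bool]:
    states = []
    for c in samples:
        local_enabled = step(local_enabled, c)
        states.append(local_enabled)
    return states


# Constructed per-minute samples (counters are reset after every run).
TIMELINE = [
    Counters(requests=2, accepts=1, rejects=1),   # healthy
    Counters(),                                   # idle minute
    Counters(requests=3, timeouts=3),             # server unreachable
    Counters(),                                   # idle: local user stays enabled
    Counters(requests=1),                         # request sent, no reply counted yet
    Counters(requests=4, accepts=1, timeouts=3),  # flaky but answering
    Counters(requests=1, bad_replies=1),          # only a bad reply
    Counters(requests=1, rejects=1),              # wrong password, server alive
]

if __name__ == "__main__":
    for c, enabled in zip(TIMELINE, simulate(TIMELINE)):
        print(f"{c} -> local user {'ENABLED' if enabled else 'disabled'}")
```

The fourth and fifth samples are the ones to check on a real deployment: after an outage the local user stays enabled through idle minutes, and a request with no counted reply is treated as RADIUS being up.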
 
rextended
Forum Guru
Posts: 2946
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

Re: disable local login accounts when radius is reachable and responding

Thu Apr 26, 2018 8:17 pm

Instead of messing with complexity, you can use RADIUS Authentication alone.
I think your RADIUS server is in a remote location, so you are getting issues.
You can also install your own RADIUS server, and directly connect it with your Router. Nowadays any normal Desktop computer is more than enough to install a RADIUS server.

If you want a Professional RADIUS, Billing, Customer Management try [REDACTED]
But did you join the forum just to advertise?

What you have written has nothing to do with "disable local login accounts when radius is reachable and responding"
I'm Italian, not English. Sorry for my imperfect grammar.
 
danklod
just joined
Posts: 5
Joined: Thu Feb 08, 2018 2:33 pm

Re: disable local login accounts when radius is reachable and responding

Tue Aug 06, 2019 3:05 pm

Hi all,
I want to do the same thing. I use a Radius server with AD Authentication and want to stop local users when Radius is responding. Is there some way to do this on RouterOS version 6.43 or newer?
Kind Regards
Danail
