omberli
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

User access to RouterBoard

Wed Nov 07, 2018 12:29 am

Have just installed a hAP lite at a customer's site (a small fitness center).
Customer asked to get access to the unit in order to change the WPA2 key when needed (they are offering wifi access to their members).
I'm hesitant to give them full admin access. Looked at the user setting, but didn't find a way to limit access to specific parts of the configuration.
Question: is it possible to limit user access (preferably by Winbox) to setting just the encryption keys and maybe a few other non-vital parts of the router?

-Olaf-
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: User access to RouterBoard

Wed Nov 07, 2018 12:32 am

One way would be to use the API, and make your own PHP webpage to change this one area.
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Wed Nov 07, 2018 1:38 am

Another (much easier) way might be creating a limited skin for WebFig which will give access only to this setting. I do not have experience of my own, but I saw several posts doing this. For example, here is a pretty nice tutorial

Edit: just tried that, it's extremely easy and amazing! A few clicks and this is the result: https://www.screencast.com/t/TQziLeHW
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: User access to RouterBoard

Wed Nov 07, 2018 8:39 am

Can you lock that to a user, so they can not add the missing view?
Since you need a username and password to log in to the web, can you prevent the same user from logging in using Winbox (mac-connection)?
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Wed Nov 07, 2018 8:55 am

> Can you lock that to a user, so they can not add the missing view?

Certainly you can! The policy "sensitive" controls (among other features) whether the user sees or does not see the "design skin" button. (I just tested it myself.)

> Since you need a username and password to log in to the web, can you prevent the same user from logging in using Winbox (mac-connection)?

Again - yes. All you need is to disable the corresponding policies.

For my testing, I ended up with the following user group:

/user group
add name=wireless policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=wireless

With this, the user can't log in via local console, ssh, winbox, telnet (including mac-winbox and mac-telnet) and others...
Only the "web" service is allowed. The user can read/write settings, but thanks to the limited skin, nothing except the wireless password can be changed.

This method may not be 100% secure against hackers, but c'mon - all you need is to hide stuff from common folks so they don't play with buttons they don't understand.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: User access to RouterBoard

Wed Nov 07, 2018 9:18 am

Thanks
Nice to know. I will test it out myself. :)
 
omberli
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: User access to RouterBoard

Wed Nov 07, 2018 1:12 pm

Thanks for good suggestions!
Haven't looked into Webfig yet, but will do soon.

If setting up Webfig with a new skin on a router - is there a way to export or copy it to another unit - maybe with a (slightly) different configuration?
 
sid5632
Long time Member
Posts: 553
Joined: Fri Feb 17, 2017 6:05 pm

Re: User access to RouterBoard

Wed Nov 07, 2018 8:22 pm

It's just a file in the skins folder, so you copy/move/delete it like any other file.
 
omberli
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: User access to RouterBoard

Sat Nov 10, 2018 7:09 pm

Thanks for the interesting info about Webfig.
Have tried to set up a new skin and have disabled access to several things. Have kept mainly the wireless settings, the logs and system (for upgrading software). Then added a new user and a new (limited) group and assigned the new skin to this user. When logging in as the limited user I still see all options - even those I tried to exclude. Guess I'm doing something wrong, but can't figure out what it is.

-Olaf-
 
omberli
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: User access to RouterBoard

Sun Nov 18, 2018 1:47 pm

Solved the problem.
Had messed up groups/users and Webfig profile.

Thanks for the help!
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Mon Nov 19, 2018 6:37 am

Thanks for the feedback and congrats that you got it working!

I couldn't figure out what you might have got wrong as I don't really have much experience with WebFig.
Just one last piece of advice:
- Letting your customer update software is risky. Especially in the last year, it has not been uncommon for new versions to come with issues, and I wouldn't dare to upgrade without reading the changelog.
- Even though you limited the access in WebFig, keep in mind that it is an HTTP server and it might have some unknown vulnerabilities (all of them have - MikroTik, Cisco, TP-Link etc.). It is recommended to limit the access to the HTTP service as much as possible with the firewall.
 
omberli
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Oct 22, 2013 7:53 pm
Location: Norway

Re: User access to RouterBoard

Mon Nov 19, 2018 9:16 am

Thanks!
Yes, I'm aware of the risks related to using a web-based tool.
Have blocked all access to port 80 from the outside and also allowed the www service from addresses within the LAN. Hope this will be ok.

-Olaf-
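
The setup this thread arrives at, collected in one place as an added example that is not part of the original posts. The group line is the one vecernik87 posted above; the user name gymstaff, the placeholder password, the LAN range 192.168.88.0/24 and the interface list named WAN are assumptions.

```routeros
# Added example, not from the original posts. Assumed values: user name
# "gymstaff", the placeholder password, LAN range 192.168.88.0/24 and an
# interface list named WAN. A WebFig skin named "wireless" must already
# exist in the skins folder before the group can reference it.

# 1. Group from the thread: WebFig is the only login channel, and
#    "sensitive" is off so the "design skin" button is hidden.
/user group
add name=wireless policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=wireless

# 2. Customer account in that group, accepted only from LAN addresses.
/user
add name=gymstaff group=wireless password="REPLACE-WITH-STRONG-PASSWORD" address=192.168.88.0/24

# 3. The www service (WebFig, port 80) answers only LAN sources.
/ip service
set www address=192.168.88.0/24

# 4. Drop traffic to port 80 arriving from the outside. The rule must
#    sit above any input rule that would accept this traffic.
/ip firewall filter
add chain=input action=drop protocol=tcp dst-port=80 in-interface-list=WAN comment="block WebFig from outside"

# Check the result.
/user group print detail where name=wireless
/user print detail where name=gymstaff
/ip service print where name=www
```

After applying it, log in to WebFig as the new user to confirm that only the settings left in the skin are shown.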
