senseivita

[Augmented] Single user, multiple-entry

Thu Sep 28, 2023 8:25 pm

I'd like for any single user that has multiple devices to be able to sign in to their [single] user account while each of their devices gets its own static set (v4+v6) of IP addresses.

I know it's possible to assign pools of addresses to a group, or even to a user; however, to effectively target devices I need to use calling-station-id which seems to be available only once per user manager entry (be it user or group) and I guess I'd need to consider the calling properties too; for different types of connection using the same or different devices that would otherwise connect by different means, for instance; those devices that share a MAC address in their wired and wireless NICs and could also tunnel-in if needed.

To be honest, I haven't thought through all the details but that's because I'm not familiar enough with it yet. I've read the docs, both v6 and v7, and I understand them, but the confusing part is not what's in them, but what's not, such as if it can augment users like users can. While this is stated outright in users, it's not in user manager, but it's not disclaimed either, and being a RADIUS server this makes it ambiguous because RADIUS, as we know, is a standard, and part of the standard is its ability to proxy requests to another RADIUS server. In NPS, not the most straightforward RADIUS server in the world I'd say, this is what Connection Request Policies do right from the beginning, and generally if Windows can do it, Linux can do it better. *fingerscrossed*

Last but definitely not least, could this user be taken (proxy RADIUS, LDAP sync, etc.) from another server, the way the users facility does, so it only augments them with all of this data and they get to keep their credentials, and the admin is kept from knowing their credentials too? They already use these features with their AD credentials; it's not all from one RADIUS server though, and setting user devices involves messing with things deep in AD and other places, hence the reason I want to leave it behind, but it'd be a regression if users already were able to use a single set of credentials everywhere, and — from past experience — I know it will make users get sloppy with them, reverting to passwords from passphrases or worse.

That's it, I guess. Hopefully it's doable.
Thanks.
