elecx
just joined
Topic Author
Posts: 2
Joined: Wed Jun 15, 2016 5:01 am

Feature request: Allow local user only if RADIUS is down

Sun Jun 19, 2022 11:30 pm

Hello,

Would like to request a simple toggle where one can use local users to access MikroTik (ssh, winbox, telnet) only if all login RADIUS servers are down. This would greatly help in securing MikroTik, since most of the time we have to share the local user password whenever there is a network outage preventing RADIUS access, thus we can never disable the local account for these cases.

In other words, if a single login radius is up then reject any local user.
If all login radius are down then allow local user accounts.

Thanks!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Allow local user only if RADIUS is down

Thu Jul 07, 2022 2:58 pm

@elecx, do it with netwatch:
If the RADIUS IP is not reachable, enable user "test";
when it is reachable again, disable user "test".
Obviously, if RADIUS is blocked but the IP still replies to ping, the user "test" is not enabled.
Last edited by rextended on Fri Dec 09, 2022 12:18 am, edited 1 time in total.
 
elecx
just joined
Topic Author
Posts: 2
Joined: Wed Jun 15, 2016 5:01 am

Re: Feature request: Allow local user only if RADIUS is down

Thu Jul 14, 2022 5:48 pm

@rextended testing the server instead of relying on the service being up is something I can live with, I think, thanks.
 
pontus
just joined
Posts: 4
Joined: Wed Dec 07, 2022 1:00 pm

Re: Feature request: Allow local user only if RADIUS is down

Wed Dec 07, 2022 1:08 pm

I tried to disable the admin user with a netwatch script but was unable to, since admin is the only local user for me. Error message: "failure: the user is last one with full access permissions". Do you have any suggestions for enabling this functionality with only the local admin user available?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 12:22 am

On every OS I know, you can't disable the last admin.
On every OS I know, keeping the admin user named "admin" (or similar) is for dummies.
Every time, another user must be created, the true admin, without dummy names like root or superuser.
Often one unknown user is better than a verysuperstrong password...
 
pontus
just joined
Posts: 4
Joined: Wed Dec 07, 2022 1:00 pm

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 10:01 am

I understand the issues with disabling the admin user, especially if it is the only local account. I am looking for a way to make the local users available only if RADIUS is down (down with ping or service not responding). This seems like a basic feature which is available on other platforms. Alternatively, use RADIUS first to try to authenticate, and if RADIUS responds with deny or drop, then use the local user database as a last resort. I guess the best solution currently is to create another admin user and disable the default admin user to prevent login with user "admin" for the moment.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 10:56 am

do not disable "user" but disable access services... ;)
 
pontus
just joined
Posts: 4
Joined: Wed Dec 07, 2022 1:00 pm

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 11:16 am

I am not quite sure what you mean. If I disable the ssh/winbox service, I will not be able to log in at all, right?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 11:22 am

you can configure on what IP/interface access services reply when the radius is available or not...
 
pontus
just joined
Posts: 4
Joined: Wed Dec 07, 2022 1:00 pm

Re: Feature request: Allow local user only if RADIUS is down

Fri Dec 09, 2022 1:15 pm

IP and interface reply will be the same with using radius or local user, so that does not make sense. I could however change the "Allowed Address" on the admin user to some dummy address like "0.0.0.0/32" when radius is reachable and remove it when not reachable using netwatch.
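
The netwatch approach from rextended's first reply and the "Allowed Address" variant pontus describes above, written out as an added RouterOS example that is not part of any forum post. The RADIUS address 192.0.2.10, the secrets/passwords, the group and the timing values are assumptions; the user name "test" comes from the thread. As noted in the thread, netwatch only checks ping reachability, not whether the RADIUS service itself answers.

```routeros
# Added example, not from the thread. Assumed values: RADIUS host
# 192.0.2.10 (documentation address), placeholder secret/password,
# group "full", 30s probe interval.

# Use RADIUS for router logins (ssh, winbox, telnet).
/radius add service=login address=192.0.2.10 secret="CHANGE-ME"
/user aaa set use-radius=yes

# Dedicated local fallback account, created disabled. It must not be the
# only enabled full-access user, otherwise RouterOS refuses to disable it:
# "failure: the user is last one with full access permissions".
/user add name=test group=full password="CHANGE-ME" disabled=yes

# Netwatch pings the RADIUS host and flips the account on state change.
# Each transition is logged so the fallback window can be audited.
/tool netwatch add host=192.0.2.10 interval=30s timeout=2s \
    down-script="/user enable [find name=test]; :log warning \"RADIUS host unreachable: local user test enabled\"" \
    up-script="/user disable [find name=test]; :log warning \"RADIUS host reachable: local user test disabled\""

# Variant from the post above: keep the account enabled but set its
# "Allowed Address" to a dummy value while the RADIUS host answers ping,
# and clear the restriction when it does not.
#   up-script:    /user set [find name=admin] address=0.0.0.0/32
#   down-script:  /user set [find name=admin] address=""
```

With several login RADIUS servers, one netwatch entry per server is needed and the fallback account should only be enabled when all of them are down. After a test outage, confirm with `/user print` and the log that the account state actually changed on your RouterOS version.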
 
barts
just joined
Posts: 8
Joined: Fri May 24, 2019 6:57 am

Re: Feature request: Allow local user only if RADIUS is down

Wed Jun 28, 2023 7:07 pm

as @pontus said: "This seems like a basic feature which is available on other platforms."

+1 for this feature
 
spippan
Member
Posts: 333
Joined: Wed Nov 12, 2014 1:00 pm
Location: Austria

Re: Feature request: Allow local user only if RADIUS is down

Mon Aug 07, 2023 10:38 pm

as @pontus said: "This seems like a basic feature which is available on other platforms."

+1 for this feature
+1 too

default behaviour in cisco and fs
