omberli
newbie
Topic Author
Posts: 35
Joined: Tue Oct 22, 2013 7:53 pm

User access to RouterBoard

Wed Nov 07, 2018 12:29 am

Have just installed a hAP lite at a customer's site (a small fitness center).
Customer asked to get access to the unit in order to change the WPA2 key when needed (they are offering wifi access to their members).
I'm hesitant to give them full admin access. Looked at the user setting, but didn't find a way to limit access to specific parts of the configuration.
Question: is it possible to limit user access (preferably by Winbox) to setting just the encryption keys and maybe a few other non-vital parts of the router?

-Olaf-
 
pcunite
Long time Member
Posts: 630
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: User access to RouterBoard

Wed Nov 07, 2018 12:32 am

One way would be to use the API, and make your own PHP webpage to change this one area.
 
vecernik87
Member
Posts: 311
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Wed Nov 07, 2018 1:38 am

Another (much easier) way might be creating a limited skin for webfig which will give access only to this setting. I do not have my own experience but I saw several posts doing this. For example, here is a pretty nice tutorial

edit: just tried that, it's extremely easy and amazing! A few clicks and this is the result: https://www.screencast.com/t/TQziLeHW
 
Jotne
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: User access to RouterBoard

Wed Nov 07, 2018 8:39 am

Can you lock that to a user, so they can not add the missing view?
Since you need a username and password to login to the web, can you prevent the same user from logging in using Winbox (mac-connection)?
 
vecernik87
Member
Posts: 311
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Wed Nov 07, 2018 8:55 am

> Can you lock that to a user, so they can not add the missing view?

Certainly you can! The policy "sensitive" controls (among other features) whether the user sees or does not see the "design skin" button. (I just tested it myself)

> Since you need a username and password to login to the web, can you prevent the same user from logging in using Winbox (mac-connection)?

Again - yes. All you need is to disable the corresponding policies.

For my testing, I ended up with the following user group:
/user group
add name=wireless policy="read,write,web,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,!api,!romon,!dude,!tikapp" skin=wireless
With this, the user can't log in via local console, ssh, winbox, telnet (including mac-winbox and mac-telnet) and others....
The only allowed service is "web". The user can read/write settings, but thanks to the limited skin, nothing except the wireless password can be changed.

This method may not be 100% secure against hackers but c'mon - all you need is to hide stuff from common folks so they don't play with buttons they don't understand.
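
Added example, not part of the original post: a small Python check that compares a `/user group` export line against the group definition quoted above and reports where a group is looser than it. The `wifi-admin` group is a constructed sample, and the function names are hypothetical.

```python
import shlex

# Group definition quoted from the post above; used as the reference.
REFERENCE = ('add name=wireless policy="read,write,web,!local,!telnet,!ssh,'
             '!ftp,!reboot,!policy,!test,!winbox,!password,!sniff,!sensitive,'
             '!api,!romon,!dude,!tikapp" skin=wireless')
# Constructed example of a group that drifted from the reference.
LOOSE = ('add name=wifi-admin policy="read,write,web,winbox,sensitive,!local,'
         '!telnet,!ssh,!ftp,!reboot,!policy,!test,!password,!sniff,!api,'
         '!romon,!dude,!tikapp"')

def parse_group(line):
    """Split one '/user group' export line into (name, granted, denied, skin)."""
    fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
    granted, denied = set(), set()
    for item in filter(None, fields.get("policy", "").split(",")):
        # A leading "!" marks a policy as denied.
        (denied if item.startswith("!") else granted).add(item.lstrip("!"))
    return fields.get("name"), granted, denied, fields.get("skin")

def audit_group(line, reference=REFERENCE):
    """Return findings where a group is looser than the reference group."""
    _, ref_granted, ref_denied, _ = parse_group(reference)
    _, granted, _, skin = parse_group(line)
    findings = []
    for policy in sorted(granted & ref_denied):
        findings.append(f"{policy} is granted but denied in the reference")
    for policy in sorted(granted - ref_granted - ref_denied):
        findings.append(f"{policy} is granted but absent from the reference")
    if not skin:
        findings.append("no skin assigned, so WebFig is not limited by a skin")
    return findings

if __name__ == "__main__":
    for finding in audit_group(LOOSE):
        print("wifi-admin:", finding)
```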
 
Jotne
Long time Member
Posts: 590
Joined: Sat Dec 24, 2016 11:17 am

Re: User access to RouterBoard

Wed Nov 07, 2018 9:18 am

Thanks
Nice to know. I will test it out myself. :)
 
omberli
newbie
Topic Author
Posts: 35
Joined: Tue Oct 22, 2013 7:53 pm

Re: User access to RouterBoard

Wed Nov 07, 2018 1:12 pm

Thanks for good suggestions!
Haven't looked into Webfig yet, but will do soon.

If setting up Webfig with new skin on a router - is there a way to export or copy it to another unit - maybe with a (slightly) different configuration?
 
sid5632
Member Candidate
Posts: 262
Joined: Fri Feb 17, 2017 6:05 pm

Re: User access to RouterBoard

Wed Nov 07, 2018 8:22 pm

It's just a file in the skins folder, so you copy/move/delete it like any other file.
 
omberli
newbie
Topic Author
Posts: 35
Joined: Tue Oct 22, 2013 7:53 pm

Re: User access to RouterBoard

Sat Nov 10, 2018 7:09 pm

Thanks for the interesting info about Webfig.
Have tried to set up a new skin and have disabled access to several things. Have kept mainly the wireless settings, the logs and system (for upgrading software). Then added a new user and a new (limited) group and assigned the new skin to this user. When logging in as the limited user I still see all options - even those I tried to exclude. Guess I'm doing something wrong, but can't figure out what it is.

-Olaf-
 
omberli
newbie
Topic Author
Posts: 35
Joined: Tue Oct 22, 2013 7:53 pm

Re: User access to RouterBoard

Sun Nov 18, 2018 1:47 pm

Solved the problem.
Had messed up groups/users and Webfig profile.

Thanks for the help!
 
vecernik87
Member
Posts: 311
Joined: Fri Nov 10, 2017 8:19 am

Re: User access to RouterBoard

Mon Nov 19, 2018 6:37 am

Thanks for the feedback and congrats on getting it working!

I couldn't figure out what you might have gotten wrong as I don't really have much experience with webfig.
Just a last piece of advice:
- letting your customer update software is risky. Especially in the last year, it has not been uncommon for new versions to come with issues, and I wouldn't dare to upgrade without reading the changelog.
- even though you limited the access in webfig, keep in mind that it is an HTTP server and it might have some unknown vulnerabilities (all of them have - mikrotik, cisco, tplink etc. etc.). It is recommended to limit the access to the HTTP service as much as possible with the firewall.
 
omberli
newbie
Topic Author
Posts: 35
Joined: Tue Oct 22, 2013 7:53 pm

Re: User access to RouterBoard

Mon Nov 19, 2018 9:16 am

Thanks!
Yes, I'm aware of the risks related to using a web-based tool.
Have blocked all access to port 80 from the outside and also allowed the www service from addresses within the LAN. Hope this will be ok.

-Olaf-
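
Added example, not part of the original posts: a Python check that reads the `/ip service` section of a RouterOS export and classifies how far the www (WebFig) service is exposed, as a way to verify the restriction discussed above. The LAN subnet `192.168.88.0/24`, the function name and the export fragments are assumptions constructed for illustration; the check covers only the service's own address list, not the firewall rules.

```python
import ipaddress
import shlex

def www_exposure(export_text, lan="192.168.88.0/24"):
    """Classify the www (WebFig) service from an '/ip service' export section.

    lan is the subnet allowed to manage the router (assumed value).
    """
    lan_net = ipaddress.ip_network(lan)
    in_section, disabled, address = False, False, ""
    for raw in export_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            # A new menu path starts; only '/ip service' is of interest.
            in_section = line == "/ip service"
            continue
        tokens = shlex.split(line)
        if in_section and tokens[:2] == ["set", "www"]:
            opts = dict(t.split("=", 1) for t in tokens[2:] if "=" in t)
            disabled = opts.get("disabled", "no") == "yes"
            address = opts.get("address", "")
    if disabled:
        return "disabled"
    if not address:
        # Export omits defaults: no address= means any source is accepted.
        return "unrestricted"
    nets = [ipaddress.ip_network(a, strict=False) for a in address.split(",")]
    inside = all(n.version == lan_net.version and n.subnet_of(lan_net)
                 for n in nets)
    return "lan-only" if inside else "wider-than-lan"

# Constructed export fragments, not taken from a real device.
DEFAULT_EXPORT = "/ip service\nset telnet disabled=yes\nset ftp disabled=yes\n"
LAN_EXPORT = "/ip service\nset telnet disabled=yes\nset www address=192.168.88.0/24\n"
WIDE_EXPORT = "/ip service\nset www address=192.168.88.0/24,10.0.0.0/8\n"

if __name__ == "__main__":
    for label, text in [("default", DEFAULT_EXPORT), ("lan", LAN_EXPORT),
                        ("wide", WIDE_EXPORT)]:
        print(label, "->", www_exposure(text))
```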
