
Technician login via RADIUS

The Technician login via RADIUS feature allows you to manage technicians’ access to MikroTik routers from ISPadmin. You do not have to create technician accounts on each router separately, and if one of your technicians leaves your company, you can easily remove all their access rights.

The feature is newly available as part of the NMM module (Network management and monitoring). Formerly, it was part of the RADIUS module.

FreeRADIUS server setup for ISPadmin

First, specify the password for communication with the MySQL database in the FreeRADIUS configuration file:

nano /etc/freeradius/3.0/mods-enabled/sql

In the file, look for the part dealing with the DB settings. See the following image:

Radius configuration

In most installations, the database runs on the same machine as ISPadmin. In that case, you only have to specify the password:

        server = "localhost"
        port = 3306
        login = "ispadmin"
        password = "database_password"

If the database runs on a different machine, though, you need to change the server, port and login settings too.

Restart FreeRADIUS after the change(s):

systemctl restart freeradius.service
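
A check to run on the file before the restart, as an added example that is not part of the ISPadmin documentation: it reads the settings block shown above and reports a password that is empty or still the placeholder, and a file mode that lets every local user read the password. The function names are hypothetical, and the sample file is constructed.

```shell
# Added example (not ISPadmin or FreeRADIUS code): audit the sql module DB block.

# Print the last uncommented value of KEY ($2) in FILE ($1), quotes stripped.
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, key) != 1) next
            rest = substr(line, length(key) + 1)
            if (rest !~ /^[ \t]*=/) next
            sub(/^[ \t]*=[ \t]*/, "", rest)
            if (rest ~ /^"/) { rest = substr(rest, 2); sub(/".*$/, "", rest) }
            else { sub(/[ \t#].*$/, "", rest) }
            val = rest
        }
        END { print val }' "$1"
}

# Print one finding per line; return 1 if anything needs fixing.
check_sql_conf() {
    conf=$1; findings=0
    pw=$(get_setting "$conf" password)
    server=$(get_setting "$conf" server)
    case $pw in
        ""|database_password)
            echo "password: empty or still the documentation placeholder"
            findings=1 ;;
    esac
    # -L: mods-enabled/sql is commonly a symlink, so test the target's mode.
    if [ -n "$(find -L "$conf" -perm -004 2>/dev/null)" ]; then
        echo "permissions: world-readable file holds the DB password"
        findings=1
    fi
    case $server in
        ""|localhost|127.0.0.1|::1) ;;
        *) echo "note: server '$server' is remote; port and login must match it" ;;
    esac
    return $findings
}

# Constructed sample mirroring the settings block above, made world-readable.
demo() {
    tmp=$(mktemp) && chmod 644 "$tmp"
    printf '\tserver = "localhost"\n\tport = 3306\n\tlogin = "ispadmin"\n\tpassword = "database_password"\n' > "$tmp"
    check_sql_conf "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"; return "$rc"
}
demo || true
```

To audit the live file, call check_sql_conf /etc/freeradius/3.0/mods-enabled/sql as a user who can read it.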

Technician login setup in ISPadmin

RADIUS activation on the router

In the MikroTik router edit mode, activate RADIUS, fill in a password for communication and activate the Technician login via RADIUS feature:

Activate Radius login in router settings

RADIUS activation is one of the changes that require a master reset. If you change the RADIUS settings in the form, a new button appears next to the Save button: Save and update router configuration.

When you click on the button, a message informs you that a master reset will be performed on the router:

Info about Router master-reset
/usr/local/script/ispadmin/bin/update_conf.pl master_reset <router ID>

If you click on the Save and update router button, the master reset will be automatically performed within 5 minutes. If you click on the Save only button, you will have to perform the master reset later from the console. Until it is performed, the router will not be set up correctly for communication with the RADIUS server.

Technician groups and access rights

Access rights for individual user groups can be set up in Settings / Administrators / Mikrotik login / Groups.

Permission settings for individual groups of users

Groups with the “ml_ispadmin_” prefix are created on MikroTik routers:

Created groups of users on Mikrotik

When a group is added or modified, routers are marked for update. Changes are applied to the routers within a few minutes.

Technicians

Users can be set up in Settings / Administrators / Mikrotik login / Users:

List of created users for login to Mikrotik
Create user form for login to Mikrotik Router

In the form, you have to fill in a username (it will be used for router login), a password (twice) and a group. The group selected specifies the user’s access rights. When the form is saved, database synchronization is automatically performed. From that moment on, the technician can log in to MikroTik routers. When you delete the user, their access rights to all routers are removed.