Technician login via RADIUS
The Technician login via RADIUS feature allows you to manage technicians’ access to MikroTik routers from ISPadmin. This solution is useful because it makes your work easier. You do not have to create technician accounts for each router separately. Another good thing is that if one of your technicians leaves your company, you can easily remove all their access rights.
The feature is newly available as part of the NMM module (Network management and monitoring). Formerly, it was part of the RADIUS module.
FreeRADIUS server setup for ISPadmin
First of all, it is necessary to specify a password for communication with the MySQL database in the FreeRADIUS configuration file:
In the file, look for the part dealing with the DB settings. See the following image:
As far as most installations are concerned, the database runs on the same machine as ISPadmin. In such cases, you have to specify a password only:
server = "localhost" port = 3306 login = "ispadmin" password = "database_password"
If the database runs on a different machine, though, you need to change the server, port and login settings too.
Restart FreeRADIUS after the change(s):
systemctl restart freeradius.service
Technician login setup in ISPadmin
RADIUS activation on the router
In the MikroTik router edit mode, activate RADIUS, fill in a password for communication and activate the Technician login via RADIUS feature:
RADIUS activation is one of those changes that require master reset. If you change the RADIUS settings in the form, a new button appears next to the Save button: Save and update router configuration.
When you click on the button, a message appears that informs you of the fact that master reset will be performed on the router:
/usr/local/script/ispadmin/bin/update_conf.pl master_reset <router ID>
If you click on the Save and update router button, the master reset will be automatically performed within 5 minutes. If you click on the Save only button, you will have to perform the master reset later from the console. Until it is performed, the router will not be set up correctly for communication with the RADIUS server.
Technician groups and access rights
Access rights for individual user groups can be set up in Settings / Administrators / Mikrotik login / Groups.
Groups with the “ml_ispadmin_” prefix are created on MikroTik routers:
When a group is added or modified, routers are marked for update. Changes are applied to the routers within a few minutes.
Users can be set up in Settings / Administrators / Mikrotik login / Users:
In the form, you have to fill in a username (it will be used for router login), a password (twice) and a group. The group selected specifies the user’s access rights. When the form is saved, database synchronization is automatically performed. From that moment on, the technician can log in to MikroTik routers. When you delete the user, their access rights to all routers are removed.