MikroTik RouterOS router user facility manages the users connecting the router from any of the Management tools. The users are authenticated using either a local database or a designated RADIUS server. Each user is assigned to a user group, which denotes the rights of this user. A group policy is a combination of individual policy items.
In case the user authentication is performed using RADIUS, the RADIUS client should be previously configured.
The router user groups provide a convenient way to assign different permissions and access rights to different user classes.
|name (string; Default: )||The name of the user group|
|policy (local | telnet | ssh | ftp | reboot | read | write | policy | test | winbox | password | web | sniff | sensitive | api | romon | dude | tikapp; Default: none)||List of allowed policies:|
|skin (name; Default: default)||Used skin for WebFig|
There are three system groups that cannot be deleted:
Please note, that even the "read" group includes sensitive, reboot, and other important policies, meaning that this group should not be given to untrusted users. For truly limited groups, make a custom group, defining specific policies. All groups have access to file operations. Exclamation sign '!' just before policy item name means NOT.
Router user database stores the information such as username, password, allowed access addresses, and group about router management personnel.
|address (IP/mask | IPv6 prefix; Default: )||Host or network address from which the user is allowed to log in|
|group (string; Default: )||Name of the group the user belongs to|
|name (string; Default: )||User name. Although it must start with an alphanumeric character, it may contain "*", "_", "." and "@" symbols.|
|password (string; Default: )||User password. If not specified, it is left blank (hit [Enter] when logging in). It conforms to standard Unix characteristics of passwords and may contain letters, digits, "*" and "_" symbols.|
|last-logged-in (time and date; Default: "")||Read-only field. Last time and date when a user logged in.|
There is one predefined user with full access rights:
There always should be at least one user with full access rights. If the user with full access rights is the only one, it cannot be removed.
The command shows the currently active users along with respective statistics information.
All properties are read-only.
|address (IP/IPv6 address)||Host IP/IPv6 address from which the user is accessing the router. 0.0.0.0 means that the user is logged in locally|
|group (string)||A group that the user belongs to.|
|name (string)||User name.|
|radius (true | false)||Whether a user is authenticated by the RADIUS server.|
|via (local | telnet | ssh |winbox | api | web | tikapp | ftp | dude)||User's access method|
|when (time)||Time and date when the user logged in.|
Router user remote AAA enables router user authentication and accounting via a RADIUS server. The RADIUS user database is consulted only if the required username is not found in the local user database.
|accounting (yes | no; Default: yes)|
|exclude-groups (list of group names; Default: )||Exclude-groups consists of the groups that should not be allowed to be used|
for users authenticated by radius. If the radius server provides a group specified in this list, default-group will be used instead.
log in as admin.
|default-group (string; Default: read)||User group used by default for users authenticated via a RADIUS server.|
|interim-update (time; Default: 0s)||Interim-Update time interval|
|use-radius (yes |no; Default: no)||Enable user authentication via RADIUS|
If you are using RADIUS, you need to have CHAP support enabled in the RADIUS server for WinBox to work
This menu allows importing of public keys used for ssh authentication.
User is not allowed to login via ssh by password if ssh-keys for the user is added
|user (string; Default: )||username to which ssh key is assigned.|
When importing ssh key by
/user ssh-keys import the command you will be asked for two parameters:
This menu is used to import and list imported private keys. Private keys are used to verify the public keys of remote devices.
When importing ssh keys from this sub-menu using
/user ssh-keys private the import command you will be asked for three parameters: