From my recent experiments and analysis, the answer is "no" for basic role-based separation using User Manager.
User Manager seems to only be useful for some WISPs and, otherwise, very simple setups. While it can send many different attributes based on profiles and groups, it doesn't seem capable of doing anything with attributes that a radius agent/client sends to UserManager... The only information that UM receives RADIUS for evaluation is is the calling user and/or calling device credential; no other external conditions are checked.
RouterOS can/will absolutely send all the needed information that a "normally capable" RADIUS server would/could for pretty advanced logic, including the independent RBAC to different resources.
I was disappointed too and it is not likely to be useful for any use-case I will likely ever be involved with... lol... but I'm sure it meets the needs of some!
User Manager seems to only be useful for some WISPs and, otherwise, very simple setups. While it can send many different attributes based on profiles and groups, it doesn't seem capable of doing anything with attributes that a radius agent/client sends to UserManager... The only information that UM receives RADIUS for evaluation is is the calling user and/or calling device credential; no other external conditions are checked.
RouterOS can/will absolutely send all the needed information that a "normally capable" RADIUS server would/could for pretty advanced logic, including the independent RBAC to different resources.
I was disappointed too and it is not likely to be useful for any use-case I will likely ever be involved with... lol... but I'm sure it meets the needs of some!
Statistics: Posted by goodbye — Tue Feb 06, 2024 5:47 am