Agilicus Connector Install: MikroTik RouterOS
The MikroTik RB5009UG+S+IN is a small-form factor router. it is a good vantage point to run the Agilicus Connector. NOTE: this is an ARM-based device, not X86.
Other MikroTik devices may work as well, MikroTik has a broad family of devices. In order to be appropriate for the Agilicus Connector, they need to support:
- container package
- ARM or x86 processor
- 100MiB or more of storage space
- 256MiB or more of memory
The below instructions were tested on the CHR version of MikroTik (v7.8) and are believed to work on RB5009UG+S+IN with v7.8, specifically:
/system/resource/print uptime: 16h23m57s version: 7.8 (stable) build-time: Feb/24/2023 09:03:00 factory-software: 7.1 free-memory: 3830.4MiB total-memory: 3904.0MiB cpu: AMD cpu-count: 2 cpu-frequency: 2903MHz cpu-load: 0% free-hdd-space: 915.7MiB total-hdd-space: 980.0MiB write-sect-since-reboot: 301984 write-sect-total: 301984 architecture-name: x86_64 board-name: CHR platform: MikroTik
The below instructions were performed using the MikroTik CLI. They may also be performed via the Web GUI or the WinBox.
Detailed Installation Steps
Note: the first steps assume you have not enabled container-package and networking on the RouterOS device. If you have, skip ahead to the Setup config-volume step.
Step 1: Enable Container
For more information, see MikroTik Container Instructions.
After this is complete, confirm it is enabled:
system/device-mode/print mode: enterprise container: yes
If you are using the Web or WinBox configuration, you will see a package installed as below:
Confirm the container command exists:
/container/print count-only 0
Step 2: Setup container networking
Now we will enable a virtual Ethernet bridge (veth1) and assign it to the container use. If you wish, you may use direct interfaces without NAT by assigning a second IP, or, by assigning physical ports. Later when the Agilicus connector is installed, it will need to be able to resolve DNS and perform outbound connectivity to api.agilicus.com
/interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1 /interface/bridge/add name=dockers /ip/address/add address=172.17.0.1/24 interface=dockers /interface/bridge/port add bridge=dockers interface=veth1 /ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24
Step 3: Confirm sufficient storage space
Note: Use the internal eMMC if it exists. You will need approximately 100MiB.
/system/resource/print ... free-hdd-space: 962.0MiB total-hdd-space: 980.0MiB ...
Step 4: Setup config-volume
We make a volume to hold the configuration we will create below.
The ‘smb shares add/remove’ is a method of directory-creation on RouterOS.
/container/mounts/add name=etc_agilicus src=/img/etc dst=/etc/agilicus/agent /container/envs/add name=env_agilicus key=TZ value="UTC" /ip smb shares add name=agilicus-etc directory=/img/etc disabled=yes /ip smb shares remove [find name=agilicus-etc] /ip smb shares add name=root directory=/img/client disabled=yes /ip smb shares remove [find name=root]
Step 5: Setup image registry
Note: the cr.agilicus.com/pub/images/agilicus-agent/client:stable image is multi-arch (AMD64, ARM64). If your MikroTik is not one of these, it will not function. If your MikroTik does not support multi-arch containers, you may substitute one of these two tag names:
/container/config/set registry-url=https://cr.agilicus.com tmpdir=/img/pull /container/add remote-image=pub/images/agilicus-agent/client:stable interface=veth1 root-dir=/img/client mounts=etc_agilicus envlist=env_agilicus start-on-boot=yes logging=yes comment=agilicus-connector
Now lets confirm:
/container/print detail 0 ;;; agilicus-connector name="fe4a1d62-95b4-479f-95b0-a6aede732c43" tag="pub/images/agilicus-agent/client:stable" os="linux" arch="amd64" interface=veth1 envlist="env_agilicus" root-dir=/img/client mounts=etc_agilicus dns="" start-on-boot=yes status=stopped
Step 6: Create the config file (on your desktop PC)
Create a connect as usual in the Resources/Connectors/New screen:
We will select the ‘Manual’ install and copy the command line. We will make some modifications to it before running.
Now, create a new empty ‘etc’ directory and cd into it.
mkdir etc cd etc
Paste the manual install command from above and edit it before hitting enter. The sample line will look like:
agilicus-agent[suffix] client --install/--kubernetes-install --oidc-issuer https://auth.dbt.agilicus.cloud --org-id XXXXX --agent-id XXXXX
Modify it to be something like below and then run it. There is no need to be admin/root, this will not install any software, merely create the configuration files. We are just changing the beginning of the command line to be “agilicus-agent client –local-install”, leave the –oidc-issuer onwards unchanged.
Note: you will need a local copy of the software on your desktop to create the config file. It does not need to be installed. If you do not have this, you can download the Linux Binary, or the Windows Binary.
agilicus-agent client --local-install --oidc-issuer https://auth.YOURISSUER --org-id XXXX --agent-id XXX
A browser will open to create the Service Account and credentials. The output will look like:
INFO[2023-03-17T20:14:28-04:00] Starting client - version v0.172.3 You have **2** methods to provide your authentication. Use the most convenient. 1. You may see a browser open. If you sign in to it, this flow will complete automatically, and ignore the url below/paste. 2. You will see a URL appear here. Cut and paste that into a browser you are signed-into. It will then give you a code to paste here. Typically #1 is used if you are signed into this machine directly, and #2 for ssh or remote desktop or embedded devices. If a browser did not open automatically, please open this link in your desktop browser to retrieve the authentication code, and paste below: https://auth.MYDOMAIN/auth?client_id=XXXXX Enter verification code: INFO[2023-03-17T20:14:35-04:00] Will install into directory /pub/samples/routeros/etc INFO[2023-03-17T20:14:35-04:00] Download public key file INFO[2023-03-17T20:14:35-04:00] Fetch agent configuration INFO[2023-03-17T20:14:35-04:00] Write agent configuration file in temp directory INFO[2023-03-17T20:14:37-04:00] Create connector instance INFO[2023-03-17T20:14:37-04:00] creating connector instance INFO[2023-03-17T20:14:38-04:00] Join a connector cluster INFO[2023-03-17T20:14:38-04:00] Local installation successful INFO[2023-03-17T20:14:38-04:00] Run ./agilicus-agent client --cfg-file ./agent.conf.enc.yaml
At this stage, there should be 4 files in this directory:
agent.conf.enc.yaml public_key.json pubring.gpg secring.gpg
Step 7: Copy the files to the router-os volume from step 4:
scp * firstname.lastname@example.org:/img/etc/
Step 8: Start the Agilicus Connector container
Step 9: Complete, Checks
At this stage we are complete. We can perform some diagnostic checks:
/container/print 0 ;;; agilicus-connector name="fe4a1d62-95b4-479f-95b0-a6aede732c43" tag="pub/images/agilicus-agent/client:stable" os="linux" arch="amd64" interface=veth1 envlist="env_agilicus" root-dir=/img/client mounts=etc_agilicus dns="" start-on-boot=yes status=running
You can see the logging and output with the ‘/log/print’ command.
Return to Product Configuration
- Agilicus Connector – Microsoft Windows
- Sign-In Errors
- Time Synchronisation
- Locked-Down Networks Certificate Revocation
- Signup: Firewall Configuration
- Geo-Location-Based Access Control
- Agent Connector Sign-In
- Resources – Overview, Concepts
- Connect to VTScada – Adding a Web Application
- Web Application Security
- Administrative Users
- Define Application: Proxy
- Authorisation rules
- Real VNC & Raspberry Pi
- Agent Connector Install: Raspberry Pi
- Kubernetes Agent Connector Install
- Linux, FreeBSD, Embedded Agent Connector Install
- Agent Connector Install: Ubiquity EdgeRouter X
- Audit Destinations
- Agent Connector Install: Netgate SG-1100 pfSense
- Agilicus Connector Install: MikroTik RouterOS
- Identity Group Mapping
- Auto-Create Users From Specific Domain With Google Workplace
- Authentication Audit
- Authentication Issuer – Custom Identity
- Microsoft ClickOnce
- Agilicus Agent Windows Cluster
- Usage Metrics
- Service Accounts
- Identity & Authentication Methods
- Content Security Policy
- Sign-In Theming
- Sign in With Apple
- Azure Active Directory
- Sign in With Microsoft
- Agilicus Agent (Desktop)
- Zero-Trust SSH Access
- Theory of Operation: CNAME + DOMAIN
- Zero-Trust Desktop Access
- Command Line API Access
- Multi-Factor Authentication
- Authentication Rules
- Application Request Access
- OpenWRT Agent Connector Install
- Synology Agent Connector Install
- Authentication Clients
- Authentication Rules
- Resource Permissions
- Resource Groups
- Legacy Active Directory