Transient Access
Secure, on-demand credentials for MikroTik devices behind NAT firewalls.
Transient Access offers temporary, secure credentials to remotely manage your MikroTik devices via the Management VPN. Whether you need WinBox or SSH access, Altostrat issues time-limited logins that automatically expire, ensuring minimal exposure.
Introduction
When you onboard a router into Altostrat, our system establishes a Management VPN. Transient Access leverages this VPN to grant short-lived credentials for direct router management. By default, credentials last a few hours, but you can customize the duration for your use case.
Key Features
- Temporary Credentials: Each login is unique and auto-revokes upon expiration.
- Reduced Attack Surface: No permanent open ports—transient sessions only exist as needed.
- Easy Sharing: Admins can create credentials for a teammate or a vendor, limiting risk.
How It Works
- Generate Credentials: From a site’s Transient Access tab, click Add to create new logins.
- Select Permissions: Choose whether users get full admin or read-only.
- Set Duration: Define how long the credentials remain valid (e.g., 2 hours).
- Distribute or Use: Copy the username, password, and endpoint into WinBox or an SSH client.
Express Onboarding vs. Manual
- Express: Altostrat pre-configures your device for transient sessions automatically.
- Manual: If you prefer granular control, ensure the router’s firewall and NAT are set up for Remote WinBox Login or Captive Portal Setup.
Prerequisites
- A MikroTik router connected to Altostrat.
- WinBox or SSH client installed on your local machine.
- Sufficient privileges in the Altostrat portal to generate credentials.
Creating Transient Access
- Open Altostrat Portal: Log in at https://sdx.altostrat.app.
- Navigate to Sites: Select the site with the router you want to access.
- Transient Access Tab: Click Transient Access from the site’s overview.
- Add Credentials: Specify Access Type (WinBox or SSH), define Access Duration, and set an IP whitelist if necessary.
- Copy or Share: The generated username/password and endpoint can be shared or used immediately.
Revoking Credentials
In the same tab, locate the Active Sessions list. Click Revoke next to any session to invalidate those credentials before their expiry.
Revoking removes the session instantly. The user will lose router access if they’re still logged in.
Best Practices
- Short Durations: Limit time frames to reduce risk.
- Restricted IP Ranges: If possible, specify which IP or CIDR can use these credentials.
- Regularly Check: Audit active sessions under Transient Access to ensure all are valid and necessary.
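The three practices above can be turned into a repeatable audit. The script below is an added example, not Altostrat code: the record fields, usernames and thresholds are assumptions, and the sample sessions are constructed by hand rather than taken from any Altostrat export or API.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Assumed policy thresholds (your own standard, not Altostrat defaults).
MAX_DURATION = timedelta(hours=4)
MIN_PREFIX = {4: 24, 6: 64}  # a shorter prefix than this is treated as too broad

def audit_session(s, now):
    """Return policy findings for one session record (hypothetical schema)."""
    findings = []
    created = datetime.fromisoformat(s["created"])
    expires = datetime.fromisoformat(s["expires"])
    if expires <= now:
        findings.append("expired but still listed")
    if expires - created > MAX_DURATION:
        findings.append("duration exceeds policy")
    if not s["whitelist"]:
        findings.append("no IP whitelist")
    for entry in s["whitelist"]:
        try:
            net = ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"invalid whitelist entry {entry!r}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"whitelist too broad: {net}")
    if s["permission"] == "full" and not s["whitelist"]:
        findings.append("full admin without source restriction")
    return findings

def audit(sessions, now):
    """Map each username to its findings; compliant sessions are omitted."""
    return {s["user"]: f for s in sessions if (f := audit_session(s, now))}

# Constructed sample records (documentation address ranges, made-up usernames).
SAMPLE = [
    {"user": "ta-vendor-01", "type": "winbox", "permission": "full", "whitelist": [],
     "created": "2024-05-01T08:00:00+00:00", "expires": "2024-05-02T08:00:00+00:00"},
    {"user": "ta-noc-02", "type": "ssh", "permission": "read-only",
     "whitelist": ["203.0.113.10/32"],
     "created": "2024-05-01T09:00:00+00:00", "expires": "2024-05-01T11:00:00+00:00"},
    {"user": "ta-noc-03", "type": "ssh", "permission": "read-only",
     "whitelist": ["0.0.0.0/0"],
     "created": "2024-05-01T09:30:00+00:00", "expires": "2024-05-01T11:30:00+00:00"},
]
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for user, findings in audit(SAMPLE, NOW).items():
        print(f"{user}: {'; '.join(findings)}")
```

Sessions the script flags are candidates for the Revoke action described under Revoking Credentials.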
You can now create secure, time-bound sessions for behind-NAT MikroTik devices without permanently exposing your network. If you need further guidance, consult Remote WinBox Login or check the Management VPN page for deeper insights.