Community discussions

MikroTik App
 
kd7vea
Member Candidate
Member Candidate
Topic Author
Posts: 107
Joined: Fri Dec 08, 2017 7:52 pm

what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 5:25 pm

I have been looking at options for setting up 2-factor authentication when connecting to a Mikrotik VPN. I have seen Rublon and Miniorange as probably the most referenced options, but I'm wondering if anyone here has an open-source/free option that works. My organization is not against paying for a solution, but if there is an option that doesn't need to be paid for, that is always preferred. This is a mandatory item for Cyber security insurance, so I am just looking at all of my options. Yes we can self-host, and we do have our own SMS gateway if that's required. Thanks
 
404Network
Member Candidate
Member Candidate
Posts: 285
Joined: Wed Feb 16, 2022 2:04 pm

Re: what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 6:56 pm

Hmm I wonder if hotspot, user manager etc........ could provide some sense of authenticated login.............
I am not aware of 2 factor authentication like a rolling code device, or popup on the smartphone or via any one of the popular apps for smart phones yet being available for RoS.

Read this thread for ideas!!!

viewtopic.php?p=911961&hilit=two+factor ... on#p911961
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 8:19 pm

Hotspot could be an option but it's not functioning correctly in ros7.
Should be fine with ros6.

I am interested in other options too...
 
kd7vea
Member Candidate
Member Candidate
Topic Author
Posts: 107
Joined: Fri Dec 08, 2017 7:52 pm

Re: what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 8:42 pm

Thanks, I will check out the article and look into Hotspot. I think this will be a fun project or at least a learning experience. I never know which one to expect.
 
User avatar
jprietove
Trainer
Trainer
Posts: 221
Joined: Fri Jun 03, 2016 3:00 pm
Location: Cádiz, Spain
Contact:

Re: what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 8:58 pm

You can use Radius for authentication purpouse and enable any of the many 2FA plugins. Check, as an example, FreeRadius with Google Authenticator or Latch (from ElevenPath)
 
kd7vea
Member Candidate
Member Candidate
Topic Author
Posts: 107
Joined: Fri Dec 08, 2017 7:52 pm

Re: what options for 2 factor authentication for VPN access

Thu Mar 10, 2022 9:19 pm

You can use Radius for authentication purpouse and enable any of the many 2FA plugins. Check, as an example, FreeRadius with Google Authenticator or Latch (from ElevenPath)
Thanks, This looks like it may be the way to. Ill do some research.
 
kreload
just joined
Posts: 20
Joined: Tue Sep 15, 2020 10:18 am

Re: what options for 2 factor authentication for VPN access

Fri Mar 11, 2022 4:56 am

2FA on mikrotik can be users-passwords + certificates. If you want MFA, probably external radius.
 
kd7vea
Member Candidate
Member Candidate
Topic Author
Posts: 107
Joined: Fri Dec 08, 2017 7:52 pm

Re: what options for 2 factor authentication for VPN access

Wed Mar 16, 2022 4:06 pm

2FA on mikrotik can be users-passwords + certificates. If you want MFA, probably external radius.
We are using user passwords and certificates already, but the insurance company says that does not qualify as 2 factor (we had the same thought) We got radius working yesterday so today I am going to try to tackle Google authenticator. we spent a few hours running the freeradius debugger to find all the little pieces that aren't covered in the tutorials
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: what options for 2 factor authentication for VPN access

Wed Mar 16, 2022 5:44 pm

Good work! Keep us up to date on progress!!
 
PackElend
Member Candidate
Member Candidate
Posts: 273
Joined: Tue Sep 29, 2020 6:05 pm

Re: what options for 2 factor authentication for VPN access

Mon May 16, 2022 4:25 pm

we spent a few hours running the freeradius debugger to find all the little pieces that aren't covered in the tutorials
would be great if you share them.
By the way, using https://www.notakey.com/products/ might a less headache alternative, depending on the amount of users.
The tutorial is here: https://gintskirsteins.medium.com/free- ... 2b5ae6d2de

----
A different but related question, would it be possible to use WireGuard VPN, which lands the user on a Hotspot?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: what options for 2 factor authentication for VPN access

Mon May 16, 2022 4:30 pm

A different but related question, would it be possible to use WireGuard VPN, which lands the user on a Hotspot?
Theoretically: why not ? It's an interface carrying IP like so many other ones.
 
PackElend
Member Candidate
Member Candidate
Posts: 273
Joined: Tue Sep 29, 2020 6:05 pm

Re: what options for 2 factor authentication for VPN access

Mon May 16, 2022 4:44 pm

A different but related question, would it be possible to use WireGuard VPN, which lands the user on a Hotspot?
Theoretically: why not ? It's an interface carrying IP like so many other ones.
Theoretically :lol:
I haven't done a WireGuard setup yet and I'm still a hotspot newbie, despite viewtopic.php?p=933317#p933317.
I was hoping to find instructions on how to do it properly.
 
jcortega
just joined
Posts: 7
Joined: Mon Dec 18, 2017 6:53 pm

Re: what options for 2 factor authentication for VPN access

Tue May 17, 2022 1:29 pm

You can use the user-manager package in ROS7.
You can add users with their pass and the OTP parameter in order to use it with Google Authenticator
Last edited by jcortega on Tue May 17, 2022 2:01 pm, edited 1 time in total.
 
pandreozzi
just joined
Posts: 17
Joined: Fri Jul 09, 2021 2:41 am

Re: what options for 2 factor authentication for VPN access

Mon Aug 15, 2022 5:07 pm

I love Mikrotik. The answers always seem to be Hmmmm or it should work.

Why don't they have definitive answers.

That's why people use Juniper and Cisco. More money for sure but at least you know it will work.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: what options for 2 factor authentication for VPN access

Mon Aug 15, 2022 7:28 pm

Sounds like you also fornicate with your juniper and crisco devices.
If you want someone to hold your hand, look elsewhere.
 
kingslavcho
just joined
Posts: 2
Joined: Fri Feb 03, 2023 1:52 am

Re: what options for 2 factor authentication for VPN access

Fri Feb 03, 2023 9:34 pm

As i understood here, there is no free option to use 2FA for Mikrotik routers!?!? If i want a free radius to validate my logins i will have to run it on a server and forward the router to that server!?
 
kwade
newbie
Posts: 28
Joined: Tue Apr 12, 2016 5:21 am

Re: what options for 2 factor authentication for VPN access  [SOLVED]

Wed Apr 10, 2024 6:57 am

As i understood here, there is no free option to use 2FA for Mikrotik routers!?!? If i want a free radius to validate my logins i will have to run it on a server and forward the router to that server!?
No. It looks like ROS 7's User Manager package is a Radius server which has TOTP capabilities.
https://help.mikrotik.com/docs/display/ ... entication
 
User avatar
abbio90
Member
Member
Posts: 441
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano
Contact:

Re: what options for 2 factor authentication for VPN access

Wed Apr 10, 2024 7:08 am

I confirm, usermanager works with Google Authenticator. tested and working perfectly.
https://foisfabio.it/index.php/2024/04/ ... ik-otp-vpn
 
djvabe
just joined
Posts: 21
Joined: Mon Jan 30, 2023 9:51 pm

Re: what options for 2 factor authentication for VPN access

Tue May 21, 2024 12:39 am

Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?
 
User avatar
BrianHiggins
Forum Veteran
Forum Veteran
Posts: 720
Joined: Mon Jan 16, 2006 6:07 am
Location: Norwalk, CT
Contact:

Re: what options for 2 factor authentication for VPN access

Wed May 22, 2024 12:29 am

Duo has a great solution that works really well for 2FA with MT and other solutions. Using it in a lot of places and it's worked great for several years
 
holvoetn
Forum Guru
Forum Guru
Posts: 6753
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: what options for 2 factor authentication for VPN access

Wed May 22, 2024 8:13 am

Any details on the process ?
 
User avatar
spippan
Member
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: what options for 2 factor authentication for VPN access

Tue Jul 23, 2024 1:56 pm

I confirm, usermanager works with Google Authenticator. tested and working perfectly.
https://foisfabio.it/index.php/2024/04/ ... ik-otp-vpn
confirming this also.
tested it also as "login" provider - so AAA users for device login (e.g. a network admin) working without issues

Who is online

Users browsing this forum: gkoleff, gnolnos, johnson73, robertkjonesjr, smirgo, xrlls and 37 guests