Community discussions

MikroTik App
 
artie11
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

[FEATURE REQUEST] Two Factor Authentication

Wed Oct 03, 2012 3:28 am

I've been trying to implement two factor everywhere and found the lowest common denominator that's safe is the Google Authenticator
It's safe, secure and completely offline. It doesn't use any proprietary anything and would be a perfect fit...

All you'd need is a module for login and the ability for us to set the secret not just use a random one.. That way all the servers I need can be on the same Secret and I won't need 50 different codes.

Attached is a bunch of implementations - If it can be done in JS i'm sure we can get a mikrotik module

Here's the code for the apps - https://code.google.com/p/google-authenticator/
Hers's a JS implementation - http://blog.tinisles.com/2011/10/google ... avascript/
Linux PAM Module install - http://www.howtogeek.com/121650/how-to- ... ntication/
 
artie11
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Oct 08, 2012 5:51 am

You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...

But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..
 
User avatar
NetworkPro
Forum Guru
Forum Guru
Posts: 1376
Joined: Mon Jan 05, 2009 6:23 pm
Location: bit.ly/the-qos
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 14, 2012 9:36 pm

I can see how this can be useful. I am with you buddy.
 
jsmelley
just joined
Posts: 1
Joined: Sat Jan 19, 2013 6:49 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat May 25, 2013 12:03 pm

What is the current status of this request? Has it been implemented or has anyone figured out how to implement the use of this for SSL connections? I too am looking for a good two factor, OTP solution.


James
 
brotherdust
Member Candidate
Member Candidate
Posts: 130
Joined: Tue Jun 05, 2007 1:31 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jun 04, 2013 3:14 am

Sorry if this seems a non-sequitur, but I thought I would share some experiences I've had with OATH (the standard GAuth works on). I implemented OATH TOTP and HOTP in Ruby for fun a while ago, but never published the code. Anyway, I have a hypothesis that the scripting capabilities embedded into RouterOS could have the facilities to implement OATH. I've not done any research on it yet. Anyway, if it were possible to implement it, you'd be most of the way there. I don't know if it's possible, however, to hook into the auth process on the router. Just some stream-of-consciousness ramblings..
 
Netguy
just joined
Posts: 1
Joined: Mon Sep 30, 2013 12:11 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 30, 2013 12:17 pm

I cannot imagine Mikrotik not implementing this.
It is good, easy and free.

I am looking forward to seeing GoogleAuthenticator-support in the next upgrade ;)
 
vdm
just joined
Posts: 2
Joined: Sun Mar 08, 2009 2:56 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 08, 2014 11:09 am

I would really like to see this, so I can use it in addition to ssh client certificates. Gmail has trained people how to use it.

Duo is another open source option. It works great on Cisco ASAs and Active Directory already.

https://www.duosecurity.com/docs/duounix
 
shiny
just joined
Posts: 14
Joined: Tue Feb 19, 2013 3:19 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Feb 10, 2014 4:15 pm

I am using http://www.yubico.com/ for 2FA on several places, including some linux machines. Works good.
 
User avatar
hvdhelm
just joined
Posts: 17
Joined: Sat Aug 27, 2011 9:37 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 15, 2014 10:14 pm

MultiOTP is a very nice freeware solution. Radius based, full support for Google Authenticator, OATH TOTP and HOTP.

Recently they have released a Raspberri Pi image.
 
michaeleino
just joined
Posts: 1
Joined: Thu Oct 09, 2014 1:16 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Oct 09, 2014 1:20 am

Hey all!
Is there a hope to implemet this feature ??? is this possible ?
 
jaykay2342
Member
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 12, 2014 12:04 pm

2 factor auth would be nice. We also using the yubikey on a lot off systems. Even for VPN(ovpn) with radius authentication. Unfortunately for the http(s) logins the radius-authrequest does not include the cleartext password, therefore the radius server can split up the password into the actual password part and the yubikey token part. Otherwise we would have already a two factor auth for our routers. If mikrotik change such behavior i offer to write a tutorial how to setup a two factor auth with freeradius+yubikey.
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication / Google Aut

Wed Jan 21, 2015 1:55 am

What would it take to get this on "sooner than later" roadmap?

In particular I'd like to see Google Auth support for the WebFig Login interface.

Is there a "bounty" that could be raised?

Let me know, I'm willing to chip in to see this implemented asap.

-dvd
 
hedele
Member
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Jan 21, 2015 11:49 am

I can only see a slight problem with the Google Authenticator bit... since the one-time codes are derived from clock time, there's going to be trouble when your Routerboard reboots and fails to sync clock time with NTP afterwards as no RB has a battery-buffered RTC included, leading to you being unable to log in as the time on the devices doesn't match.
 
User avatar
awacenter
Member Candidate
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 22, 2015 12:48 pm

You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...

But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..
Really you have troubles because of Mikrotik security policies? There are lots of strategies, think about using SSL certificates fro users.
Another issue is why 802.1x is not implemented in wired interfaces by Mikrotik.
 
jkarras
Member Candidate
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:29 am

Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is pretty simple way to get this done today.

I can't think of any competing products that offer OTP on the switch or router its all done via add-on's to TACACS+ or RADIUS servers.
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:53 am

Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is pretty simple way to get this done today.
Defense in Depth. I'm not going to add in a Radius server to manage my home router remotely :p

Even the SSHD should have a 2FA option.

The clock issue mentioned above is clearly problematic, though I wonder what NTP/USB/Battery options are available?

Quick search finds this: http://www.keylok.com/product/fortress-real-time-clock

A possible smart implementation could just detect the power fail and allow for an option to disable the Google Auth as a fail-safe mode.

For what it's worth, Google Auth does provide you with a set of "backup auth" codes that you can use in the event of clock skew.

You can ALSO deploy it in "counter mode" which doesn't rely on the clock.
I can't think of any competing products that offer OTP on the switch or router its all done via add-on's to TACACS+ or RADIUS servers.
So what? Why "race to the bottom" when this could be a compelling differentiator!
 
jkarras
Member Candidate
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 3:41 am

My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor.

Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrally controlled is one entry to update.
 
ericholtzclaw
just joined
Posts: 2
Joined: Mon Jan 25, 2016 10:44 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jan 25, 2016 10:53 pm

2FA can be done easy with https://duo.com/support/documentation/radius Proxy to Radius. (you need a server)

What MikroTik should do is add in support for Duo and become the proxy + Radius with less moving parts.

Duo has a lot of mobile apps baked with a lot of password managers.


Eric
 
Zorro
Long time Member
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 28, 2016 1:29 am

yeah, lack of EAPOL and 802.1x-2010 support on Wired interfaces is serious issue.
i guess its cause aged kernel used in past days, initially ?
 
artie11
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 3:30 am

Surely after nearly 4 Years since my Initial Request... It has to have been at least discussed at Mikrotik....

Can we get an official answer on this... 6.5k views on this thread, Can't be because it's a terrible idea.

At this point in time... not having 2F Login to the Tiks has become a serious issue... Especially with the number of Publicly facing CCRs i have.
I'm resistant to putting in a radius with 2F Just for logins, as this has significant admin overhead... not to mention we have hundreds of CPE tiks around Australia, I've never been a fan of Remote radius over the internet...
 
jkarras
Member Candidate
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 7:27 am

  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config then the mgmt is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That's what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3 management of 2 factor on discrete devices without RADIUS is a 1n operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1n devices that are remote and possibly making a mistake in configuring a couple of them along the way.
 
artie11
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 6:49 am

Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC,Wisp all the way down to Home and Travel routers, You must think about use cases other than your own.

Just because it can be done via Radius, Doesn't mean it should, and it doesn't negate the benefits of adding such a very simple mechanism in scenarios where Radius would be overkill.
 
jkarras
Member Candidate
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 7:33 am

I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins to name a few). The lack of this feature is not making Mikrotik loose sales to anyone and it probably won't gain any converts if they did have it. The solutions mentioned in this and previous posts will work too secure management logins (with and without RADIUS) for even the home/travel router with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.
 
jerryroy1
Member Candidate
Member Candidate
Posts: 170
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:30 am

OK, so going on eight years since initial request and it should be past time that 2FA works with MT and google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples :)
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:57 am

Here is also something with a MikroTik documentation guide straight up on their main page (I think it's free for up to 25 users)
https://www.notakey.com/products/
 
neutronlaser
Member
Member
Posts: 445
Joined: Thu Jan 18, 2018 5:18 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Sep 19, 2020 9:46 pm

TikTok can access your Google Authenticator
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Sep 20, 2020 5:49 pm

Why the fornication for google products.
I want MS Authenticator
or
I want Authenticator App
or
I want Authy App
or
how bout
the RSA (a known trusted entity) token app.

As I expected none of this is trivial.
one needs ipsec working (and not the ikev2 but the other one........)
one needs to be running a separate radius server entity.

I would be interested in just smartphone to router (and access 3rd party provider to provide the 2F be it google, authy, RSA etc.....)
So that my IKEv2 setup would not change but I would have have one xtra step when connecting using the MK iphone App.
In other words, the router is already capable of doing the radius server bit (see Normis or posts) but that serves some but not all folks.
So the only work MK needs to do is integrate the third party option with the MK iphone or android apps!!
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 21, 2020 8:07 pm

MikroTik devs might adopt libpam by Google, that works without network connection and with open-source authenticator apps like Aegis
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:38 am

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
User-Name=emils
User-Password=test412342
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 2:25 pm

Emils, how is this integrated?
By that I mean as per
viewtopic.php?f=1&t=166418
Is it integrated with the Mikrotik App?
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 3:02 pm

It is not integrated with the MikroTik App. You have to use Google Authenticator on your phone to generate the code from secret. As the main audition for OTP are VPN/HotSpot users, they should not even be aware of MikroTik App to connect to a VPN server that uses RouterOS RADIUS server.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21893
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 7:45 pm

Your answer holds the key.
Mikrotik Radius Server.
I was not aware that MT routerOS had an internal radius server.

So, instead of using IKEV2 and my MK Iphone Application to access my router or home LAN, as I do know,
I would it do it another way if I wanted to add 2 factor authentication?

Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I dont have external servers is the limitation here.
HOW???
 
mada3k
Forum Veteran
Forum Veteran
Posts: 741
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:07 pm

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
User-Name=emils
User-Password=test412342
That's fantastic. That could probably replace a lot of propretary expensive solutions.
 
User avatar
emils
Forum Veteran
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Sep 23, 2020 12:14 pm

Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I dont have external servers is the limitation here.
HOW???
Using IKEv2 with EAP and v7 User Manager. I personally have been using such setup together with Lets Encrypt certificate for some time already and it works good for home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user's password field instead of a second authentication step, but it definitely can be a tool to increase security.
 
Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Sep 24, 2020 3:06 am

It is 2FA. You need knowledge (the password) and the 2nd factor - the one-time-password generated by the authenticator app. It's the users responsibility to not have the authenticator app installed on the same system.

If you need the authenticator app on the same system, where you want to login to MikroTik router, you could use a password manager like KeePass with OTP plugin.
 
User avatar
otgooneo
Trainer
Trainer
Posts: 587
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Nov 15, 2020 7:16 pm

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
User-Name=emils
User-Password=test412342
That`s pretty cool. Gonna try it. Thanks Mikrotik effort on this.
 
bbs2web
Member Candidate
Member Candidate
Posts: 234
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jun 14, 2021 2:49 pm

Herewith a link to a start to finish guide on setting up a Debian host to provide MikroTik compatible (MS-CHAPv2) two factor (aka multi factor authentication or MFA) using Yubico Yubikey together with security group memberships on an Active Directory server:
http://lists.freeradius.org/pipermail/f ... 99521.html
 
hkusulja
Frequent Visitor
Frequent Visitor
Posts: 75
Joined: Fri Apr 13, 2012 1:14 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 10, 2022 8:33 am

So, now in RouterOS 7.1 stable we do have under /user-manager user , new otp-secret parameter.
But can somebody provide any reference or documentation on how to use the parameter, or generate value for it?
I have Google Authenticator app ready to add additional account on my phone device.
 
jrosetto
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Tue May 17, 2022 9:21 pm

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
User-Name=emils
User-Password=test412342
This is great news. I installed user manager and setup a radius user with the otp code but I can't seem to find a way to authenticate. Is winbox and the web interface still in the works to prompt for the otp code? Any eta?
 
kevinds
Long time Member
Long time Member
Posts: 657
Joined: Wed Jan 14, 2015 8:41 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed May 25, 2022 8:16 pm

This is great news. I installed user manager and setup a radius user with the otp code but I can't seem to find a way to authenticate. Is winbox and the web interface still in the works to prompt for the otp code? Any eta?
Your RADIUS client would need to prompt for the TOTP before sending it to the RADIUS server, is my understanding.

RADIUS server will respond with approve/deny.

How to format the TOTP to Mikrotik's RADIUS server, that I don't know.
 
zristic
just joined
Posts: 2
Joined: Wed Nov 30, 2022 1:36 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Nov 30, 2022 1:50 pm

Hi,
For those struggling how to set the TOTP, here is the way (works with Google Authenticator):
- Pick your top secret otc-code, for example "WowOtpSecret" (without quotes),
- Convert the otc-code to base32 format, in our case it will be "K5XXOT3UOBJWKY3SMV2A====" (without quotes),
- Set the otc-code for the target user in User-Manager
set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
- Start Google Authenticator on your phone and add a new "Time Dependent Code". When entering the code note that you have to enter the base32 value from above: "K5XXOT3UOBJWKY3SMV2A====" (without quotes).
- You are now ready to login, however, the user1 password is now the combination of the original password and the six-digit number from the Google Authenticator. Therefore, the new password is <original password>+<six digit code from Google Authenticator>.

Note: the six-digit code is valid for only 30 seconds and the clocks on your mobile phone and mikroTik have to be in sync for having the correct process.
 
jrosetto
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 5:20 pm

Thank you for clearing things up. Adding the 6 digit code to the end of the password does the trick.

Now if I can figure out how to give the user-manager user full permissions to the router I will have a viable solution to secure mikrotik device logins.
It appears that the radius user only has read only login permissions to the router and so far I have not found a way to change it.
Hi,
For those struggling how to set the TOTP, here is the way (works with Google Authenticator):
- Pick your top secret otc-code, for example "WowOtpSecret" (without quotes),
- Convert the otc-code to base32 format, in our case it will be "K5XXOT3UOBJWKY3SMV2A====" (without quotes),
- Set the otc-code for the target user in User-Manager
set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
- Start Google Authenticator on your phone and add a new "Time Dependent Code". When entering the code note that you have to enter the base32 value from above: "K5XXOT3UOBJWKY3SMV2A====" (without quotes).
- You are now ready to login, however, the user1 password is now the combination of the original password and the six-digit number from the Google Authenticator. Therefore, the new password is <original password>+<six digit code from Google Authenticator>.

Note: the six-digit code is valid for only 30 seconds and the clocks on your mobile phone and mikroTik have to be in sync for having the correct process.
 
jrosetto
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 5:47 pm

Getting closer. When adding the user in user-manager under Attributes set Mikrotik-Group to full to give the radius user full permissions to the router.

Next problem is I am unable to disable the admin user because it says 'the user is last one with full access permissions'.
I'm considering settings 'Allowed Addresses' for admin to a loopback address as an alternative since I am unable to disable it completely.

If anyone has any other ideas let me know.
Thank you for clearing things up. Adding the 6 digit code to the end of the password does the trick.

Now if I can figure out how to give the user-manager user full permissions to the router I will have a viable solution to secure mikrotik device logins.
It appears that the radius user only has read only login permissions to the router and so far I have not found a way to change it.
Hi,
For those struggling how to set the TOTP, here is the way (works with Google Authenticator):
- Pick your top secret otc-code, for example "WowOtpSecret" (without quotes),
- Convert the otc-code to base32 format, in our case it will be "K5XXOT3UOBJWKY3SMV2A====" (without quotes),
- Set the otc-code for the target user in User-Manager
set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
- Start Google Authenticator on your phone and add a new "Time Dependent Code". When entering the code note that you have to enter the base32 value from above: "K5XXOT3UOBJWKY3SMV2A====" (without quotes).
- You are now ready to login, however, the user1 password is now the combination of the original password and the six-digit number from the Google Authenticator. Therefore, the new password is <original password>+<six digit code from Google Authenticator>.

Note: the six-digit code is valid for only 30 seconds and the clocks on your mobile phone and mikroTik have to be in sync for having the correct process.
 
jrosetto
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 9:21 pm

So for anyone else wanting to implement this I have a working solution after banging my head against a wall for awhile.

Make sure your router is syncing with some NTP server that has accurate atomic time. I would suggest pool.ntp.org servers. Time is crucial for the OTP to work correctly with your device.

Here is a copy/paste script that will get you going. Obviously change the secrets, name, and password to your own. I found an online converter to convert my OTP to base32 as suggested above using this site https://emn178.github.io/online-tools/b ... ncode.html
/radius add address=127.0.0.1 service=login secret=123
/radius incoming set accept=yes

/user-manager user add attributes=Mikrotik-Group:full name=(username) password=(password) otp-secret=(OTP YOU CONVERTED TO BASE32) shared-users=unlimited
/user-manager set certificate=*0 enabled=yes
/user-manager router add address=127.0.0.1 name="Loopback" shared-secret=123

/user aaa set use-radius=yes

/user set [find name=admin] address=127.0.0.1
I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.

In winbox or the web interface type your password and append the 6 digit OTP in your authenticator to the end of the password. Make sure the OTP you enter is within the 30 second windows or you will fail authentication.

In the script you will notice I set the admin login allowed addresses to 127.0.0.1. This makes it so you can use a serial console cable to the device to regain access using the admin account in the event that the OTP code doesn't work but makes the admin account fail authenticate from anywhere else.

Hope this saves someone some time.
 
User avatar
indnti
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Mar 24, 2023 5:05 am

Great guide. Unfortunately I still can't get it.

Normal login with Radius and User Manager works. (I had to configure the official IP, not 127.0.0.1)

Then I created a base32 encoded OTP secret and add it to the user. I configure the same base32 string in a TOTP client. I stick on the 6 digits to the password - but it always appears that the username and password are wrong.
I can't find anything in the debug log.
Timesettings are proofed and correct.
Any idea what I can do?
 
User avatar
indnti
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Mar 24, 2023 9:10 pm

Normal login with Radius and User Manager works. (I had to configure the official IP, not 127.0.0.1)
Found the problem. I have two radius and two routers in user manager configured, one with 127.0.0.1 and one with the official IP. Seems they are doing auth overcross.
Disabling the 127.0.0.1 radius and router helps. What I not understand is why my official IP aka 123.123.123.123 is needed to authenticate ?

I have another problem. In Usermanager I can configure a Mikrotik-Group which can be a ppp profile for ppp vpn logins. That works for l2tp logins and the IP pool that is configured in the profile is used an a IP is assigned. But for opnvpn it does not work. The login is done, but a opnvpn user do not become an IP address.
Last edited by indnti on Fri Mar 24, 2023 9:33 pm, edited 1 time in total.
 
User avatar
indnti
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Mar 24, 2023 9:33 pm

I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.
I have implemented TOTP for vpn l2tp and opnvpn user this way. Works fine and gives OTP support for L2TP clients that does normally not have it, including mikrotik boxes (as vpn client). Great. Buts it is a little bit fiddly to stick the 6 digits to the password. For Mikrotik as an VPN client: does anyone have a mikrotik script that can generate an otp code and attach it to the password?
 
Josefbr
just joined
Posts: 1
Joined: Sat Feb 10, 2024 2:32 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Apr 23, 2024 11:03 pm

Hi Indnti and all memebers,
I'm trying to activate OTP for our l2tp vpn clients using authrnticator and it seens that you have found a way t do that with Mikrotik. Could you please confirm if this is feasable ? And share script if so.
Many thanks in advance
Last edited by Josefbr on Tue Apr 23, 2024 11:04 pm, edited 1 time in total.
 
djvabe
just joined
Posts: 21
Joined: Mon Jan 30, 2023 9:51 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Tue May 21, 2024 12:38 am

Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?
 
User avatar
abbio90
Member
Member
Posts: 441
Joined: Fri Aug 27, 2021 9:16 pm
Location: Oristano
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jul 20, 2024 4:09 pm

Hi Indnti and all memebers,
I'm trying to activate OTP for our l2tp vpn clients using authrnticator and it seens that you have found a way t do that with Mikrotik. Could you please confirm if this is feasable ? And share script if so.
Many thanks in advance
I made an ad hoc video https://foisfabio.it/index.php/2024/04/ ... k-otp-vpn/
 
User avatar
spippan
Member
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jul 23, 2024 1:58 pm

Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?
+1
would also need that kind of setup for a client
EDIT: can be done quite easy with mikrotik user-manager (additional package) as local radius server and the OTP secret for a TTOP
Last edited by spippan on Thu Aug 29, 2024 3:59 pm, edited 1 time in total.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 26912
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia
Contact:

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jul 23, 2024 2:11 pm

Unfortunately none of these softwares have a separate OTP field, this is why the solution is to append it to the end of the password. It works fine
 
jayooo
newbie
Posts: 37
Joined: Mon Sep 27, 2021 6:18 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Oct 09, 2024 1:31 am

This works, except when you go to terminal inside winbox, you have to login again with a new otp code because most of the time your 30 second window has already expired before you open the terminal window.
 
User avatar
spippan
Member
Member
Posts: 464
Joined: Wed Nov 12, 2014 1:00 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Oct 09, 2024 3:28 pm

This works, except when you go to terminal inside winbox, you have to login again with a new otp code because most of the time your 30 second window has already expired before you open the terminal window.
the whole point of TOTP

add a local user which is only allowed from 127.0.0.1 and use that user for a new terminal

Who is online

Users browsing this forum: ismets, kot2905, sindy and 28 guests