Really you have troubles because of Mikrotik security policies? There are lots of strategies; think about using SSL certificates for users. You realise that most sites are getting serious about this sort of security... Currently you could do this through an external RADIUS solution...
But Mikrotik should really take notice as many others have started offering it. I'm having trouble selling Mikrotik to enterprises because of security policies.
Defense in depth. I'm not going to add a RADIUS server to manage my home router remotely :p

Like has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today.
So what? Why "race to the bottom" when this could be a compelling differentiator!

I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.
That's fantastic. That could probably replace a lot of proprietary expensive solutions.

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes. This will allow authentication for a user with the second part of the password changing every 30 seconds, according to Google's libpam:

[emils@ez_pair7_r1] /user-manager> user/print
Flags: X - disabled
0 name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes=""

User-Name=emils
User-Password=test412342
Using IKEv2 with EAP and v7 User Manager. I personally have been using such a setup together with a Let's Encrypt certificate for some time already and it works well for a home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user's password field instead of a second authentication step, but it definitely can be a tool to increase security.

Requirement: IPsec and 2FA from my iPhone to my router or to my LAN on the router. I don't have external servers; that is the limitation here.
HOW???
That's pretty cool. Gonna try it. Thanks MikroTik for the effort on this.
This is great news. I installed User Manager and set up a RADIUS user with the OTP code, but I can't seem to find a way to authenticate. Are WinBox and the web interface still in the works to prompt for the OTP code? Any ETA?
Your RADIUS client would need to prompt for the TOTP before sending it to the RADIUS server, is my understanding.
Hi,
For those struggling with how to set the TOTP, here is the way (works with Google Authenticator):
- Pick your top secret otp-code, for example "WowOtpSecret" (without quotes),
- Convert the otp-code to base32 format; in our case it will be "K5XXOT3UOBJWKY3SMV2A====" (without quotes),
- Set the otp-code for the target user in User-Manager:
set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
- Start Google Authenticator on your phone and add a new "Time Dependent Code". When entering the code note that you have to enter the base32 value from above: "K5XXOT3UOBJWKY3SMV2A====" (without quotes).
- You are now ready to log in; however, the user1 password is now the combination of the original password and the six-digit number from Google Authenticator. Therefore, the new password is <original password>+<six digit code from Google Authenticator>.
Note: the six-digit code is valid for only 30 seconds, and the clocks on your mobile phone and the MikroTik have to be in sync for the process to work correctly.
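As an added illustration of the steps above (not code from this thread or from MikroTik), this Python script converts a chosen secret to the base32 form that User Manager's otp-secret field expects, computes the RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step, the scheme Google Authenticator uses) and appends it to the static password exactly as the login expects. "WowOtpSecret" and the password "test" are the thread's own example values; the time value passed in is a constructed input.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_to_base32(plain_secret: str) -> str:
    """Base32-encode a human-chosen secret for User Manager's otp-secret field.

    "WowOtpSecret" becomes "K5XXOT3UOBJWKY3SMV2A====", the value in the post above.
    """
    return base64.b32encode(plain_secret.encode("utf-8")).decode("ascii")


def totp(base32_secret: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code Google Authenticator displays."""
    key = base64.b32decode(base32_secret.upper())  # trailing '=' padding is accepted
    counter = unix_time // step                    # phone and router must agree on this window
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def combined_password(static_password: str, base32_secret: str, unix_time: int) -> str:
    """The value to type into the password field: <original password><six-digit code>."""
    return static_password + totp(base32_secret, unix_time)


def seconds_left(unix_time: int, step: int = 30) -> int:
    """How long the current code remains valid; clock skew eats into this margin."""
    return step - (unix_time % step)


if __name__ == "__main__":
    secret = secret_to_base32("WowOtpSecret")  # the thread's example secret
    now = int(time.time())                     # constructed input: the local clock
    print("otp-secret =", secret)
    print("password   =", combined_password("test", secret, now))
    print("valid for  =", seconds_left(now), "more seconds")
```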
Thank you for clearing things up. Adding the 6 digit code to the end of the password does the trick.
Now if I can figure out how to give the User Manager user full permissions to the router, I will have a viable solution to secure MikroTik device logins.
It appears that the RADIUS user only has read-only login permissions to the router, and so far I have not found a way to change it.
# Point the router's own RADIUS client (login service) at the local User Manager
/radius add address=127.0.0.1 service=login secret=123
# Accept incoming RADIUS requests (CoA / disconnect) from the server
/radius incoming set accept=yes
# User Manager user; Mikrotik-Group:full grants the "full" router group on login
/user-manager user add attributes=Mikrotik-Group:full name=(username) password=(password) otp-secret=(OTP YOU CONVERTED TO BASE32) shared-users=unlimited
/user-manager set certificate=*0 enabled=yes
# Register the router itself as a RADIUS client (NAS) in User Manager; shared-secret must match the secret above
/user-manager router add address=127.0.0.1 name="Loopback" shared-secret=123
# Let router logins be authenticated via RADIUS
/user aaa set use-radius=yes
# Restrict the local admin account to the loopback address
/user set [find name=admin] address=127.0.0.1
Found the problem. I have two RADIUS entries and two routers in User Manager configured, one with 127.0.0.1 and one with the official IP. Seems they were cross-authenticating.

Normal login with RADIUS and User Manager works. (I had to configure the official IP, not 127.0.0.1.)
I have implemented TOTP for VPN L2TP and OpenVPN users this way. Works fine and gives OTP support for L2TP clients that normally do not have it, including MikroTik boxes (as VPN client). Great. But it is a little bit fiddly to stick the 6 digits to the password. For MikroTik as a VPN client: does anyone have a MikroTik script that can generate an OTP code and attach it to the password?

I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.
I made an ad hoc video https://foisfabio.it/index.php/2024/04/ ... k-otp-vpn/

Hi Indnti and all members,
I'm trying to activate OTP for our L2TP VPN clients using an authenticator, and it seems that you have found a way to do that with MikroTik. Could you please confirm if this is feasible? And share the script if so.
Many thanks in advance
+1

Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?
the whole point of TOTP

This works, except when you go to the terminal inside WinBox you have to log in again with a new OTP code, because most of the time your 30-second window has already expired before you open the terminal window.