artie11
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

[FEATURE REQUEST] Two Factor Authentication

Wed Oct 03, 2012 3:28 am

I've been trying to implement two-factor everywhere and found the lowest common denominator that's safe is the Google Authenticator.
It's safe, secure and completely offline. It doesn't use any proprietary anything and would be a perfect fit...

All you'd need is a module for login and the ability for us to set the secret, not just use a random one.. That way all the servers I need can be on the same secret and I won't need 50 different codes.

Attached is a bunch of implementations - if it can be done in JS I'm sure we can get a MikroTik module.

Here's the code for the apps - https://code.google.com/p/google-authenticator/
Here's a JS implementation - http://blog.tinisles.com/2011/10/google ... avascript/
Linux PAM module install - http://www.howtogeek.com/121650/how-to- ... ntication/

artie11
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Oct 08, 2012 5:51 am

You'd realise that most websites are getting more serious about this sort of security... Currently you could do this through an external RADIUS solution...

But MikroTik should really take notice as many others have started offering it.. I'm having trouble selling MikroTik to enterprises because of security policies..

NetworkPro
Forum Guru
Posts: 1370
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 14, 2012 9:36 pm

I can see how this can be useful. I am with you buddy.

jsmelley
just joined
Posts: 1
Joined: Sat Jan 19, 2013 6:49 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat May 25, 2013 12:03 pm

What is the current status of this request? Has it been implemented or has anyone figured out how to implement the use of this for SSL connections? I too am looking for a good two factor, OTP solution.


James

brotherdust
Member Candidate
Posts: 126
Joined: Tue Jun 05, 2007 1:31 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jun 04, 2013 3:14 am

Sorry if this seems a non-sequitur, but I thought I would share some experiences I've had with OATH (the standard GAuth works on). I implemented OATH TOTP and HOTP in Ruby for fun a while ago, but never published the code. Anyway, I have a hypothesis that the scripting capabilities embedded into RouterOS could have the facilities to implement OATH. I've not done any research on it yet. Anyway, if it were possible to implement it, you'd be most of the way there. I don't know if it's possible, however, to hook into the auth process on the router. Just some stream-of-consciousness ramblings..

Netguy
just joined
Posts: 1
Joined: Mon Sep 30, 2013 12:11 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 30, 2013 12:17 pm

I cannot imagine Mikrotik not implementing this.
It is good, easy and free.

I am looking forward to seeing GoogleAuthenticator-support in the next upgrade;)

vdm
just joined
Posts: 2
Joined: Sun Mar 08, 2009 2:56 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 08, 2014 11:09 am

I'd really like to see this so I can use it in addition to SSH client certificates. Gmail has trained people how to use it.

Duo is another open source option. It works great on Cisco ASAs and Active Directory already.

https://www.duosecurity.com/docs/duounix

shiny
just joined
Posts: 14
Joined: Tue Feb 19, 2013 3:19 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Feb 10, 2014 4:15 pm

I am using http://www.yubico.com/ for 2FA in several places, including some Linux machines. Works well.

hvdhelm
just joined
Posts: 17
Joined: Sat Aug 27, 2011 9:37 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 15, 2014 10:14 pm

MultiOTP is a very nice freeware solution. Radius based, full support for Google Authenticator, OATH TOTP and HOTP.

Recently they have released a Raspberry Pi image.

michaeleino
just joined
Posts: 1
Joined: Thu Oct 09, 2014 1:16 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Oct 09, 2014 1:20 am

Hey all!
Is there a hope to implement this feature??? Is this possible?

jaykay2342
Member
Posts: 336
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 12, 2014 12:04 pm

2 factor auth would be nice. We are also using the Yubikey on a lot of systems. Even for VPN (OpenVPN) with RADIUS authentication. Unfortunately for the HTTP(S) logins the RADIUS auth request does not include the cleartext password, therefore the RADIUS server cannot split up the password into the actual password part and the Yubikey token part. Otherwise we would already have two factor auth for our routers. If MikroTik changes this behaviour I offer to write a tutorial on how to set up two factor auth with FreeRADIUS + Yubikey.

TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication / Google Aut

Wed Jan 21, 2015 1:55 am

What would it take to get this on "sooner than later" roadmap?

In particular I'd like to see Google Auth support for the WebFig Login interface.

Is there a "bounty" that could be raised?

Let me know, I'm willing to chip in to see this implemented asap.

-dvd

hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Jan 21, 2015 11:49 am

I can only see a slight problem with the Google Authenticator bit... since the one-time codes are derived from clock time, there's going to be trouble when your RouterBoard reboots and fails to sync clock time with NTP afterwards, as no RB has a battery-backed RTC included, leaving you unable to log in because the time on the devices doesn't match.

awacenter
Member Candidate
Posts: 201
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 22, 2015 12:48 pm

You'd realise that most websites are getting more serious about this sort of security... Currently you could do this through an external RADIUS solution...

But MikroTik should really take notice as many others have started offering it.. I'm having trouble selling MikroTik to enterprises because of security policies..
Really you have troubles because of MikroTik security policies? There are lots of strategies; think about using SSL certificates for users.
Another issue is why 802.1X is not implemented on wired interfaces by MikroTik.

jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:29 am

Like has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today.

I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.

TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:53 am

Like has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today.
Defense in Depth. I'm not going to add in a Radius server to manage my home router remotely :p

Even the SSHD should have a 2FA option.

The clock issue mentioned above is clearly problematic, though I wonder what NTP/USB/Battery options are available?

Quick search finds this: http://www.keylok.com/product/fortress-real-time-clock

A possible smart implementation could just detect the power fail and allow for an option to disable the Google Auth as a fail-safe mode.

For what it's worth, Google Auth does provide you with a set of "backup auth" codes that you can use in the event of clock skew.

You can ALSO deploy it in "counter mode" which doesn't rely on the clock.
I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.
So what? Why "race to the bottom" when this could be a compelling differentiator!

jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 3:41 am

My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor.

Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrally controlled is one entry to update.

ericholtzclaw
just joined
Posts: 2
Joined: Mon Jan 25, 2016 10:44 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jan 25, 2016 10:53 pm

2FA can be done easily with https://duo.com/support/documentation/radius Proxy to RADIUS (you need a server).

What MikroTik should do is add in support for Duo and become the proxy + RADIUS with fewer moving parts.

Duo has a lot of mobile apps baked in with a lot of password managers.


Eric

Zorro
Long time Member
Posts: 675
Joined: Wed Apr 16, 2014 2:43 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 28, 2016 1:29 am

Yeah, lack of EAPOL and 802.1X-2010 support on wired interfaces is a serious issue.
I guess it's because of the aged kernel used in past days, initially?

artie11
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 3:30 am

Surely after nearly 4 years since my initial request... it has to have been at least discussed at MikroTik....

Can we get an official answer on this... 6.5k views on this thread, can't be because it's a terrible idea.

At this point in time... not having 2F login to the Tiks has become a serious issue... Especially with the number of publicly facing CCRs I have.
I'm resistant to putting in a RADIUS with 2F just for logins, as this has significant admin overhead... not to mention we have hundreds of CPE Tiks around Australia; I've never been a fan of remote RADIUS over the internet...

jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 7:27 am

  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from, or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPsec (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config; then the management is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That's what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3, management of 2 factor on discrete devices without RADIUS is a 1(n) operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1(n) devices that are remote and possibly making a mistake in configuring a couple of them along the way.

artie11
Frequent Visitor
Topic Author
Posts: 66
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

星期五Jun 24, 2016 6:49 am

Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC,Wisp all the way down to Home and Travel routers, You must think about use cases other than your own.

Just because it can be done via Radius, Doesn't mean it should, and it doesn't negate the benefits of adding such a very simple mechanism in scenarios where Radius would be overkill.

jkarras
Member Candidate
Posts: 226
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

星期五Jun 24, 2016 7:33 am

I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage, because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins, to name a few). The lack of this feature is not making MikroTik lose sales to anyone and it probably won't gain any converts if they did have it. The solutions mentioned in this and previous posts will work to secure management logins (with and without RADIUS) for even the home/travel router, with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.

jerryroy1
Member Candidate
Posts: 158
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:30 am

OK, so going on eight years since initial request and it should be past time that 2FA works with MT and google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples:)

normis
MikroTik Support
Posts: 25890
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:57 am

Here is also something with a MikroTik documentation guide straight up on their main page (I think it's free for up to 25 users)
https://www.notakey.com/products/

neutronlaser
Member
Posts: 445
Joined: Thu Jan 18, 2018 5:18 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Sep 19, 2020 9:46 pm

TikTok can access your Google Authenticator

anav
Forum Guru
Posts: 17447
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Sep 20, 2020 5:49 pm

Why the fornication for google products.
I want MS Authenticator
or
I want Authenticator App
or
I want Authy App
or
how bout
the RSA (a known trusted entity) token app.

As I expected none of this is trivial.
one needs ipsec working (and not the ikev2 but the other one........)
One needs to be running a separate RADIUS server entity.

I would be interested in just smartphone to router (and access to a 3rd party provider to provide the 2F, be it Google, Authy, RSA etc.....)
So that my IKEv2 setup would not change but I would have one extra step when connecting using the MK iPhone App.
In other words, the router is already capable of doing the RADIUS server bit (see Normis' posts) but that serves some but not all folks.
So the only work MK needs to do is integrate the third party option with the MK iPhone or Android apps!!

Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 21, 2020 8:07 pm

MikroTik devs might adopt libpam by Google, which works without a network connection and with open-source authenticator apps like Aegis.

emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:38 am

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
Code:
[emils@ez_pair7_r1] /user-manager> user/print
Flags: X - disabled
 0 name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes=""
This will allow authentication for the user with the second part of the password changing every 30 seconds according to Google's libpam:
Code:
User-Name=emils User-Password=test412342

anav
Forum Guru
Posts: 17447
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 2:25 pm

Emils, is this integrated?
By that I mean as per
viewtopic.php?f=1&t=166418
Is it integrated with the MikroTik App?

emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 3:02 pm

It is not integrated with the MikroTik App. You have to use Google Authenticator on your phone to generate the code from the secret. As the main audience for OTP are VPN/HotSpot users, they should not even be aware of the MikroTik App to connect to a VPN server that uses the RouterOS RADIUS server.

anav
Forum Guru
Posts: 17447
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 7:45 pm

Your answer holds the key.
Mikrotik Radius Server.
I was not aware that MT routerOS had an internal radius server.

So, instead of using IKEv2 and my MK iPhone application to access my router or home LAN, as I do now,
I would do it another way if I wanted to add 2 factor authentication?

Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I dont have external servers is the limitation here.
HOW???

mada3k
Long time Member
Posts: 646
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:07 pm

This is awesome. Could replace a lot of proprietary expensive solutions.

emils
Forum Veteran
Posts: 906
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Sep 23, 2020 12:14 pm

Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I dont have external servers is the limitation here.
HOW???
Using IKEv2 with EAP and v7 User Manager. I personally have been using such a setup together with a Let's Encrypt certificate for some time already and it works well for a home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user's password field instead of a second authentication step, but it definitely can be a tool to increase security.

Buster2
newbie
Posts: 46
Joined: Sun Jan 06, 2013 9:04 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Sep 24, 2020 3:06 am

It is 2FA. You need knowledge (the password) and the 2nd factor - the one-time password generated by the authenticator app. It's the user's responsibility to not have the authenticator app installed on the same system.

If you need the authenticator app on the same system where you want to log in to the MikroTik router, you could use a password manager like KeePass with an OTP plugin.

otgooneo
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Nov 15, 2020 7:16 pm

That's pretty cool. Gonna try it. Thanks for MikroTik's effort on this.

bbs2web
Member Candidate
Posts: 231
Joined: Sun Apr 22, 2012 6:25 pm
Location: Johannesburg, South Africa

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jun 14, 2021 2:49 pm

Herewith a link to a start-to-finish guide on setting up a Debian host to provide MikroTik-compatible (MS-CHAPv2) two factor (aka multi-factor authentication or MFA) using Yubico Yubikey together with security group memberships on an Active Directory server:
http://lists.freeradius.org/pipermail/f ... 99521.html

hkusulja
Frequent Visitor
Posts: 72
Joined: Fri Apr 13, 2012 1:14 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 10, 2022 8:33 am

So, now in RouterOS 7.1 stable we do have under /user-manager user , new otp-secret parameter.
But can somebody provide any reference or documentation on how to use the parameter, or generate value for it?
I have Google Authenticator app ready to add additional account on my phone device.

jrosetto
Frequent Visitor
Posts: 55
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Tue May 17, 2022 9:21 pm

This is great news. I installed user manager and setup a radius user with the otp code but I can't seem to find a way to authenticate. Is winbox and the web interface still in the works to prompt for the otp code? Any eta?

kevinds
Member
Posts: 447
Joined: Wed Jan 14, 2015 8:41 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed May 25, 2022 8:16 pm

This is great news. I installed user manager and setup a radius user with the otp code but I can't seem to find a way to authenticate. Is winbox and the web interface still in the works to prompt for the otp code? Any eta?
Your RADIUS client would need to prompt for the TOTP before sending it to the RADIUS server, is my understanding.

RADIUS server will respond with approve/deny.

How to format the TOTP to Mikrotik's RADIUS server, that I don't know.

zristic
just joined
Posts: 1
Joined: Wed Nov 30, 2022 1:36 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Nov 30, 2022 1:50 pm

Hi,
For those struggling with how to set the TOTP, here is the way (works with Google Authenticator):
- Pick your top secret OTP code, for example "WowOtpSecret" (without quotes),
- Convert the OTP code to base32 format, in our case it will be "K5XXOT3UOBJWKY3SMV2A====" (without quotes),
- Set the OTP code for the target user in User Manager:
Code:
set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
- Start Google Authenticator on your phone and add a new "Time Dependent Code". When entering the code note that you have to enter the base32 value from above: "K5XXOT3UOBJWKY3SMV2A====" (without quotes).
- You are now ready to log in; however, the user1 password is now the combination of the original password and the six-digit number from Google Authenticator. Therefore, the new password is (original password)+(six-digit code).

Note: the six-digit code is valid for only 30 seconds and the clocks on your mobile phone and MikroTik have to be in sync for the process to work correctly.

jrosetto
Frequent Visitor
Posts: 55
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 5:20 pm

Thank you for clearing things up. Adding the 6 digit code to the end of the password does the trick.

Now if I can figure out how to give the user-manager user full permissions to the router I will have a viable solution to secure mikrotik device logins.
It appears that the radius user only has read only login permissions to the router and so far I have not found a way to change it.

jrosetto
Frequent Visitor
Posts: 55
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 5:47 pm

Getting closer. When adding the user in User Manager, under Attributes set Mikrotik-Group to full to give the RADIUS user full permissions to the router.

Next problem is I am unable to disable the admin user because it says 'the user is last one with full access permissions'.
I'm considering setting 'Allowed Addresses' for admin to a loopback address as an alternative since I am unable to disable it completely.

If anyone has any other ideas let me know.

jrosetto
Frequent Visitor
Posts: 55
Joined: Fri Feb 19, 2016 9:15 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Feb 16, 2023 9:21 pm

So for anyone else wanting to implement this, I have a working solution after banging my head against a wall for a while.

Make sure your router is syncing with some NTP server that has accurate atomic time. I would suggest pool.ntp.org servers. Time is crucial for the OTP to work correctly with your device.

Here is a copy/paste script that will get you going. Obviously change the secrets, name, and password to your own. I found an online converter to convert my OTP to base32 as suggested above using this site https://emn178.github.io/online-tools/b ... ncode.html
Code:
# RADIUS client pointing at the router's own User Manager over loopback
/radius add address=127.0.0.1 service=login secret=123
/radius incoming set accept=yes
# User Manager account; Mikrotik-Group:full grants full router rights
/user-manager user add attributes=Mikrotik-Group:full name=(username) password=(password) otp-secret=(OTP YOU CONVERTED TO BASE32) shared-users=unlimited
/user-manager set certificate=*0 enabled=yes
# the router itself registered as a User Manager (RADIUS) client
/user-manager router add address=127.0.0.1 name="Loopback" shared-secret=123
# send local logins to RADIUS and restrict the local admin account to loopback
/user aaa set use-radius=yes
/user set [find name=admin] address=127.0.0.1
I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.

In WinBox or the web interface type your password and append the 6 digit OTP from your authenticator to the end of the password. Make sure the OTP you enter is within the 30 second window or you will fail authentication.

In the script you will notice I set the admin login allowed addresses to 127.0.0.1. This makes it so you can use a serial console cable to the device to regain access using the admin account in the event that the OTP code doesn't work, but makes the admin account fail authentication from anywhere else.

Hope this saves someone some time.

indnti
Frequent Visitor
Posts: 85
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

星期五Mar 24, 2023 5:05 am

Great guide. Unfortunately I still can't get it.

Normal login with RADIUS and User Manager works. (I had to configure the official IP, not 127.0.0.1)

Then I created a base32 encoded OTP secret and added it to the user. I configured the same base32 string in a TOTP client. I stick the 6 digits onto the password - but it always says that the username and password are wrong.
I can't find anything in the debug log.
Time settings are checked and correct.
Any idea what I can do?

indnti
Frequent Visitor
Posts: 85
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

星期五Mar 24, 2023 9:10 pm

Normal login with RADIUS and User Manager works. (I had to configure the official IP, not 127.0.0.1)
Found the problem. I have two RADIUS entries and two routers in User Manager configured, one with 127.0.0.1 and one with the official IP. Seems they are cross-authenticating.
Disabling the 127.0.0.1 RADIUS entry and router helps. What I do not understand is why my official IP aka 123.123.123.123 is needed to authenticate?

I have another problem. In User Manager I can configure a Mikrotik-Group which can be a PPP profile for PPP VPN logins. That works for L2TP logins and the IP pool that is configured in the profile is used and an IP is assigned. But for OpenVPN it does not work. The login is done, but an OpenVPN user does not get an IP address.
Last edited by indnti on Fri Mar 24, 2023 9:33 pm, edited 1 time in total.

indnti
Frequent Visitor
Posts: 85
Joined: Thu Nov 09, 2006 11:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

星期五Mar 24, 2023 9:33 pm

I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.
I have implemented TOTP for VPN L2TP and OpenVPN users this way. Works fine and gives OTP support for L2TP clients that normally do not have it, including MikroTik boxes (as VPN client). Great. But it is a little bit fiddly to stick the 6 digits onto the password. For MikroTik as a VPN client: does anyone have a MikroTik script that can generate an OTP code and attach it to the password?
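The OATH mechanism this thread circles from brotherdust's hypothesis onward, which emils' User Manager output and zristic's step list rely on and which indnti asks for a script for above, as an added worked example. This is not code from the thread, from MikroTik or from Google's libpam. It is written in Python rather than RouterOS script because RouterOS scripting has no HMAC primitive I can vouch for. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1, 30-second steps and 6 digits, reproduces the base32 value from zristic's post, builds the password+code string emils showed, and verifies it server-side with a one-step skew window for the reboot-without-RTC case hedele raised. The window size and the "last six characters are the code" split are assumptions about how User Manager behaves, not documented facts, and all function names are mine.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by Google Authenticator and
the RouterOS v7 User Manager otp-secret field.

Added example, not code from this thread, from MikroTik or from Google's
libpam. Function names, the +/-1 step skew window and the "last six
characters are the code" split are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # Google Authenticator default, as described in the thread
DIGITS = 6


def to_base32(secret_text: str) -> str:
    """Encode a plain-text secret the way zristic's post describes
    ("WowOtpSecret" becomes "K5XXOT3UOBJWKY3SMV2A====")."""
    return base64.b32encode(secret_text.encode()).decode()


def decode_base32(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating lower case, spaces and stripped
    '=' padding, which authenticator apps and copy/paste commonly produce."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, digits: int = DIGITS,
         step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_base32(secret_b32), at // step, digits)


def login_password(password: str, secret_b32: str,
                   at: Optional[int] = None) -> str:
    """What the client sends: the static password with the current code
    appended (the form emils showed as User-Password=test412342)."""
    return password + totp(secret_b32, at)


def verify_login(presented: str, stored_password: str, secret_b32: str,
                 at: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check in the style of User Manager (assumed behaviour):
    take the last DIGITS characters as the code, compare the static part in
    constant time, then accept the code for the current step or up to
    `window` steps either side so a slightly skewed router clock still
    lets a legitimate user in."""
    if len(presented) <= DIGITS or not presented[-DIGITS:].isdigit():
        return False
    static, code = presented[:-DIGITS], presented[-DIGITS:]
    if not hmac.compare_digest(static.encode(), stored_password.encode()):
        return False
    if at is None:
        at = int(time.time())
    key = decode_base32(secret_b32)
    counter = at // STEP_SECONDS
    matched = False
    for delta in range(-window, window + 1):
        # evaluate every candidate so timing does not reveal which step matched
        matched |= hmac.compare_digest(hotp(key, counter + delta), code)
    return matched


if __name__ == "__main__":
    secret = to_base32("WowOtpSecret")             # value from zristic's post
    now = int(time.time())
    sent = login_password("user1pass", secret, now)  # constructed sample password
    print("base32 secret   :", secret)
    print("send as password:", sent)
    print("accepted        :", verify_login(sent, "user1pass", secret, now))
```

The server side deliberately checks all three candidate steps before returning, and compares the static part in constant time, so that a remote guesser cannot learn from response timing whether the password or the code was the part that failed. Widening `window` beyond one step makes an unsynced router clock less painful but gives an attacker who captured a code proportionally longer to replay it; keeping NTP healthy, as jrosetto's post insists, is the better fix.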