Hello everyone,
I need help. I've configured Google Authenticator 2FA on my Mikrotik router, RouterOS 7.14.3, but when I'm testing I don't receive a 2FA prompt. I share a screenshot with you below.

I could be wrong, but I believe adding the 2FA code after the password is how it works. There is no prompt.
Thanks for your feedback. When I enter my password without the 2FA code, it works. And when I enter my password + 2FA code, it doesn't work.
Did you see this thread? There are a few places where this can go wrong…
http://forum.mikrotik.com/t/feature-request-two-factor-authentication/60077/38
If you're talking about 2FA RouterOS login… I think you need to point RouterOS's RADIUS client to use the user-manager server, explicitly in config. user-manager users are just RADIUS things, without some RADIUS client using them. See https://help.mikrotik.com/docs/display/ROS/User#User-RemoteAAA
The RADIUS user database is consulted only if the required username is not found in the local user database.
So… Local users (/users/print) would not have any 2FA applied, since only via RADIUS server (i.e. user-manager) is that possible.
If you’re talking hotspot, the user-manager docs cover that case pretty well.
I don't have this setup, but AFAIK that's how this works.
Hello dude,
If I understand correctly, I can't use 2FA with a local user account on the Mikrotik router?
Correct, there is no way to add 2FA / MFA to a local user in RouterOS.
As I explained, you can set up RouterOS to query RADIUS for winbox/webfig/etc. login, but it's a different account. But a RADIUS RouterOS user can use whatever policy group, so they can be functionally the same as a local one. The 2FA configuration for the user-manager would be the same (and the TOTP needs to be appended to the password in winbox/webfig/etc. for a "RADIUS admin").
I think the config looks something like this – I don't have UM set up to test, but this should be close:
# on user manager you need to add the "Mikrotik-Group" attribute at least (perhaps more attributes?)
/user-manager user set [find name="user-manager-admin-with-2fa-stuff-set"] attributes=Mikrotik-Group:write
# on routeros users, create a group with no permissions to use as the default if Mikrotik-Group is not set
/user group add name=none
# tell routeros to use the radius server (user-manager)
/user/aaa/set use-radius=yes default-group=none
# if desired, to prevent radius from creating a full admin
/user/aaa/set exclude-groups=full
Hi, I use OTP with various types of VPN. To make it work you have to enter password+OTP, or if you don't specify the password, just use the OTP. I made a video demonstrating how it works.
https://foisfabio.it/index.php/2024/04/19/mikrotik-otp-vpn/
So are you saying that you connect with only user and password without OTP? It seems strange to me; I think there is some error in the generation of the OTP key. How did you generate it?
Hi, I create a password and I convert it on an encoding website. Afterwards I add the encoded password in Google Authenticator. Now I obtain an OTP code every 10s in Google Authenticator.