[FEATURE REQUEST] Two Factor Authentication

  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config; then the mgmt is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That’s what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3, management of 2 factor on discrete devices without RADIUS is a 1_n_ operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1_n_ devices that are remote and possibly making a mistake in configuring a couple of them along the way.

Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC and WISP all the way down to home and travel routers? You must think about use cases other than your own.

Just because it can be done via RADIUS doesn’t mean it should, and it doesn’t negate the benefits of adding such a very simple mechanism in scenarios where RADIUS would be overkill.

I am just saying that in all cases it’s very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins to name a few). The lack of this feature is not making MikroTik lose sales to anyone and it probably won’t gain any converts if they did have it. The solutions mentioned in this and previous posts will work to secure management logins (with and without RADIUS) for even the home/travel router with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.

OK, so going on eight years since the initial request and it should be past time that 2FA works with MT and Google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples.

Here is also something with a MikroTik documentation guide straight up on their main page (I think it’s free for up to 25 users)
https://www.notakey.com/products/

TikTok can access your Google Authenticator

Why the fornication for Google products?
I want MS Authenticator
or
I want Authenticator App
or
I want Authy App
or
how about
the RSA (a known trusted entity) token app.

As I expected, none of this is trivial.
One needs IPsec working (and not IKEv2 but the other one…).
One needs to be running a separate RADIUS server entity.

I would be interested in just smartphone to router (and access to a 3rd party provider to provide the 2F, be it Google, Authy, RSA etc…),
so that my IKEv2 setup would not change but I would have one extra step when connecting using the MK iPhone app.
In other words, the router is already capable of doing the RADIUS server bit (see Normis or posts) but that serves some but not all folks.
So the only work MK needs to do is integrate the third party option with the MK iPhone or Android apps!!

MikroTik devs might adopt libpam by Google, which works without a network connection and with open-source authenticator apps like Aegis.

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:

[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes=""

This will allow authentication for user with the second part of the password changing every 30 seconds according to Google’s Libpam:

User-Name=emils
User-Password=test412342
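The scheme Emils shows above (static password with the six-digit code appended, rotating every 30 seconds) worked through as an added example; this is not code from the post or from RouterOS. It derives the code from the otp-secret with standard RFC 6238 TOTP and mimics a server-side check. The split rule (trailing six digits are the code) and the one-step clock tolerance are assumptions about how a verifier would behave, not documented RouterOS behaviour.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

OTP_DIGITS = 6   # code length an authenticator app produces
OTP_STEP = 30    # seconds; the 30-second rotation described above


def totp(secret_b32: str, for_time: int, step: int = OTP_STEP,
         digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) from a base32 secret like the otp-secret above."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)          # 8-byte big-endian step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def build_user_password(static_password: str, secret_b32: str,
                        for_time: Optional[int] = None) -> str:
    """Client side: User-Password = static password followed by the current code."""
    now = int(time.time()) if for_time is None else for_time
    return static_password + totp(secret_b32, now)


def verify_user_password(submitted: str, static_password: str, secret_b32: str,
                         for_time: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Server side (assumed logic, not RouterOS code): split off the trailing
    OTP_DIGITS characters, compare the static part in constant time, then
    accept the code if it matches the current step or one step either side."""
    if len(submitted) <= OTP_DIGITS:
        return False
    pw_part, code_part = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not hmac.compare_digest(pw_part.encode(), static_password.encode()):
        return False
    now = int(time.time()) if for_time is None else for_time
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, now + delta * OTP_STEP)
        if hmac.compare_digest(code_part.encode(), expected.encode()):
            return True
    return False
```

Calling `build_user_password("test", "JBSWY3DPEHPK3PXP")` yields a value of the form `test412342`, the same shape as the User-Password attribute in the post.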

Emils, how is this integrated?
By that I mean as per
http://forum.mikrotik.com/t/mikrotik-mobile-app-2-factor-authentication/143150/1
Is it integrated with the Mikrotik App?

It is not integrated with the MikroTik App. You have to use Google Authenticator on your phone to generate the code from the secret. As the main audience for OTP are VPN/HotSpot users, they should not even be aware of the MikroTik App to connect to a VPN server that uses the RouterOS RADIUS server.

Your answer holds the key.
MikroTik RADIUS Server.
I was not aware that MT RouterOS had an internal RADIUS server.

So, instead of using IKEv2 and my MK iPhone application to access my router or home LAN, as I do now,
would I do it another way if I wanted to add 2 factor authentication?

Requirement: IPsec and 2FA from my iPhone to my router or to my LAN on the router. I don’t have external servers, which is the limitation here.
HOW???

That’s fantastic. That could probably replace a lot of proprietary expensive solutions.

Using IKEv2 with EAP and v7 User Manager. I personally have been using such a setup together with a Let’s Encrypt certificate for some time already and it works well for a home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user’s password field instead of a second authentication step, but it definitely can be a tool to increase security.

It is 2FA. You need knowledge (the password) and the 2nd factor - the one-time password generated by the authenticator app. It’s the user’s responsibility to not have the authenticator app installed on the same system.

If you need the authenticator app on the same system, where you want to login to MikroTik router, you could use a password manager like KeePass with OTP plugin.

That’s pretty cool. Gonna try it. Thanks to MikroTik for the effort on this.

Herewith a link to a start to finish guide on setting up a Debian host to provide MikroTik compatible (MS-CHAPv2) two factor (aka multi factor authentication or MFA) using Yubico Yubikey together with security group memberships on an Active Directory server:
http://lists.freeradius.org/pipermail/freeradius-users/2021-February/099521.html

So, now in RouterOS 7.1 stable we do have, under /user-manager user, a new otp-secret parameter.
But can somebody provide any reference or documentation on how to use the parameter, or generate a value for it?
I have the Google Authenticator app ready to add an additional account on my phone.

This is great news. I installed User Manager and set up a RADIUS user with the OTP code but I can’t seem to find a way to authenticate. Are WinBox and the web interface still in the works to prompt for the OTP code? Any ETA?

Your RADIUS client would need to prompt for the TOTP before sending it to the RADIUS server, is my understanding.

The RADIUS server will respond with approve/deny.

How to format the TOTP for MikroTik’s RADIUS server, that I don’t know.