[FEATURE REQUEST] Two Factor Authentication

Hi,
For those struggling with how to set up TOTP, here is the way (works with Google Authenticator):

  • Pick your top secret OTP secret, for example “WowOtpSecret” (without quotes),
  • Convert the OTP secret to base32 format; in our case it will be “K5XXOT3UOBJWKY3SMV2A====” (without quotes),
  • Set the OTP secret for the target user in User-Manager:
/user-manager user set [find name=user1] otp-secret="K5XXOT3UOBJWKY3SMV2A===="
  • Start Google Authenticator on your phone and add a new “Time Dependent Code”. When entering the code, note that you have to enter the base32 value from above: “K5XXOT3UOBJWKY3SMV2A====” (without quotes).
  • You are now ready to log in; however, the user1 password is now the combination of the original password and the six-digit number from Google Authenticator. Therefore, the new password is <original password>+<six-digit code>.

Note: the six-digit code is valid for only 30 seconds, and the clocks on your mobile phone and the MikroTik have to be in sync for the process to work correctly.

Thank you for clearing things up. Adding the 6 digit code to the end of the password does the trick.

Now if I can figure out how to give the User-Manager user full permissions to the router, I will have a viable solution to secure MikroTik device logins.
It appears that the RADIUS user only has read-only login permissions to the router, and so far I have not found a way to change it.

Getting closer. When adding the user in User-Manager, under Attributes set Mikrotik-Group to full to give the RADIUS user full permissions to the router.

Next problem is I am unable to disable the admin user because it says ‘the user is last one with full access permissions’.
I’m considering setting ‘Allowed Addresses’ for admin to a loopback address as an alternative, since I am unable to disable it completely.

If anyone has any other ideas let me know.

So for anyone else wanting to implement this, I have a working solution after banging my head against a wall for a while.

Make sure your router is syncing with some NTP server that has accurate atomic time. I would suggest pool.ntp.org servers. Time is crucial for the OTP to work correctly with your device.

Here is a copy/paste script that will get you going. Obviously change the secrets, name, and password to your own. I found an online converter to convert my OTP to base32 as suggested above using this site https://emn178.github.io/online-tools/base32_encode.html

# RADIUS client: point the router at the local User-Manager instance.
# "123" is a placeholder shared secret; replace it with a long random one.
/radius add address=127.0.0.1 service=login secret=123
/radius incoming set accept=yes

# User-Manager: create the RADIUS user with full router rights and its TOTP secret.
/user-manager user add attributes=Mikrotik-Group:full name=(username) password=(password) otp-secret=(OTP YOU CONVERTED TO BASE32) shared-users=unlimited
/user-manager set certificate=*0 enabled=yes
# Register the router itself as a RADIUS client of User-Manager; the shared secret must match the /radius entry above.
/user-manager router add address=127.0.0.1 name="Loopback" shared-secret=123

# Make router logins consult RADIUS.
/user aaa set use-radius=yes

# Restrict the local admin account to the loopback address (see the note below about serial console access).
/user set [find name=admin] address=127.0.0.1

I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. I would imagine that any other app that allows you to manually paste the OTP will work as well.

In WinBox or the web interface, type your password and append the 6-digit OTP from your authenticator to the end of the password. Make sure the OTP you enter is within the 30-second window or you will fail authentication.

In the script you will notice I set the admin login allowed addresses to 127.0.0.1. This makes it so you can use a serial console cable to the device to regain access using the admin account in the event that the OTP code doesn’t work, but makes the admin account fail to authenticate from anywhere else.

Hope this saves someone some time.

Great guide. Unfortunately I still can’t get it.

Normal login with RADIUS and User-Manager works. (I had to configure the official IP, not 127.0.0.1.)

Then I created a base32-encoded OTP secret and added it to the user. I configured the same base32 string in a TOTP client. I append the 6 digits to the password, but it always says that the username and password are wrong.
I can’t find anything in the debug log.
Time settings are verified and correct.
Any idea what I can do?

Found the problem. I have two RADIUS entries and two routers configured in User-Manager, one with 127.0.0.1 and one with the official IP. It seems they were cross-authenticating.
Disabling the 127.0.0.1 RADIUS entry and router helps. What I don’t understand is why my official IP, aka 123.123.123.123, is needed to authenticate.

I have another problem. In User-Manager I can configure a Mikrotik-Group which can be a PPP profile for PPP VPN logins. That works for L2TP logins: the IP pool that is configured in the profile is used and an IP is assigned. But for OpenVPN it does not work. The login succeeds, but an OpenVPN user does not get an IP address.

I have implemented TOTP for VPN L2TP and OpenVPN users this way. It works fine and gives OTP support to L2TP clients that normally do not have it, including MikroTik boxes (as VPN client). Great. But it is a little bit fiddly to stick the 6 digits onto the password. For MikroTik as a VPN client: does anyone have a MikroTik script that can generate an OTP code and attach it to the password?
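The following is an added example, not code from any post in this thread. It shows the mechanics the first post describes and is one answer to the script request above: it encodes the plain secret into the base32 form User-Manager stores, decodes a secret whether or not it carries the `====` padding (and regardless of case or spacing), computes the RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits, the profile Google and Microsoft Authenticator use by default), and appends the code to the static password the way RouterOS expects it. It is written to run on a workstation in Python, not as a RouterOS script. The secret "WowOtpSecret" is the one from the first post; the password "Router-Pass1" is an assumed placeholder.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example values: the secret is the one from the thread; the
# router password is an assumption for illustration only.
PLAIN_SECRET = "WowOtpSecret"
ROUTER_PASSWORD = "Router-Pass1"


def secret_to_base32(plain: str) -> str:
    """Encode the raw OTP secret as RFC 4648 base32 (with '=' padding),
    the form stored in User-Manager's otp-secret and typed into the app."""
    return base64.b32encode(plain.encode("utf-8")).decode("ascii")


def base32_to_key(b32: str) -> bytes:
    """Decode a base32 secret whether or not it has '=' padding; tolerate
    lower case and spaces, which authenticator apps also accept."""
    cleaned = "".join(b32.split()).upper().rstrip("=")
    padded = cleaned + "=" * (-len(cleaned) % 8)   # restore padding for b32decode
    return base64.b32decode(padded)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: counter = floor(unix_time / step),
    dynamic truncation of the MAC, then the low `digits` decimal digits."""
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_password(password: str, b32_secret: str, unix_time: int) -> str:
    """Build what RouterOS/User-Manager expects in the password field:
    the static password with the current 6-digit code appended."""
    return password + totp(base32_to_key(b32_secret), unix_time)


def seconds_left(unix_time: int, step: int = 30) -> int:
    """Remaining validity of the code for this instant; if this is small,
    wait for the next window before pasting (the WinBox terminal problem)."""
    return step - (unix_time % step)


if __name__ == "__main__":
    b32 = secret_to_base32(PLAIN_SECRET)
    now = int(time.time())
    print("otp-secret for User-Manager:", b32)
    print("password to type now:", login_password(ROUTER_PASSWORD, b32, now))
    print("this code is valid for another", seconds_left(now), "seconds")
```

The clock on the machine running this must be in sync with the router, exactly as the phone's clock must be; if the code is rejected, compare `seconds_left` against the router's time before suspecting the secret.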

Hi Indnti and all members,
I’m trying to activate OTP for our L2TP VPN clients using an authenticator, and it seems that you have found a way to do that with MikroTik. Could you please confirm if this is feasible? And share the script if so.
Many thanks in advance

Does anyone have a solution to make the static-challenge setting work with OpenVPN? Or something that asks for the password and the OTP in 2 text fields?

I made an ad hoc video https://foisfabio.it/index.php/2024/04/19/mikrotik-otp-vpn/

+1
I would also need that kind of setup for a client.
EDIT: it can be done quite easily with the MikroTik User-Manager (additional package) as a local RADIUS server and the OTP secret for a TOTP.

Unfortunately none of these programs have a separate OTP field, which is why the solution is to append it to the end of the password. It works fine.

This works, except that when you open a terminal inside WinBox you have to log in again with a new OTP code, because most of the time your 30-second window has already expired before you open the terminal window.

the whole point of TOTP

add a local user which is only allowed from 127.0.0.1 and use that user for a new terminal