OpenVpn 2FA with User-Manager

Hello!

Has anyone done something like MikroTik OpenVPN with double authentication, without RADIUS, using User-Manager?
I mean something where the user connects to the VPN with the password of his own username, and then the router sends him a second, one-time-use password by e-mail.
Has anyone done this before?

I have such a solution for password generation:

:set pwd [pick ([/certificate scep-server otp generate minutes-valid=1 as-value]->"password") 0 12]

Could this be used for this somehow?

Thanks in advance for the answers!

You can use Google Authenticator directly. Here is a video; it also works with OVPN:

https://foisfabio.it/index.php/2024/04/19/mikrotik-otp-vpn

I use MS Authenticator, so there is no need for e-mail notification. I tried Google Authenticator and it didn't work for me, only MS Authenticator.

When thinking about it, I would separate it into two domains:
  • Authentication
  • Authorization

In your case, connecting the VPN tunnel deals with the authentication of your physical machine/device.
Now that you are connected to the network, the next question becomes: what resources do you have authorization to access on the network? To answer this, we need to establish and verify your identity as the person using the authenticated device.
There are endless options here, such as OAuth2, OTPs, etc.
Here’s some inspiration:

Add a PPP script so that when the VPN client connects, their IP is added to an address list called "quarantine". Apply forwarding rules in the firewall so that users in quarantine can only access resources that support the second authentication (authorization). This assumes they'll communicate with some external system to perform secondary authentication.

If the secondary authorization succeeds, use the API or SSH to remove the IP from the address list, thus removing the user from quarantine.

You can go really deep here. For example, move them from quarantine to a restricted address list that controls access to only a subset of servers. You could infer this from scopes in the access token coming back from an OAuth2 flow.

The point here is: would I try to do this on a MikroTik alone without external systems? Hard no. There is no reason to either, that’ll just be like picking the wrong tools on purpose.

If you are not about to start writing software, here's a viable option: use auth0.com. Create an authentication flow with a post-auth script that hits the REST API on your Tik. You'll need a little bit of JavaScript / Node.js, which GPT can handle. Auth0.com will integrate with most mainstream IdPs off the shelf, and it's cheap as chips.
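The quarantine flow sketched in the post above, written out as an added RouterOS example (not configuration from anyone in this thread). It assumes RouterOS v7, a PPP profile named "ovpn-2fa", an address pool "ovpn-pool", and a second-factor web service at 10.10.10.5 on TCP 443; all of these names and addresses are placeholders. The design is fail-closed: a client sits in "quarantine" from the moment the tunnel comes up and only gets general access once the external system moves it into "authorized", so a client that never completes the second factor never gains access even if the external system is down.

```routeros
# Added example, not from the thread. Placeholders: profile "ovpn-2fa",
# pool "ovpn-pool", second-factor server 10.10.10.5:443.

# 1. PPP profile: on-up puts the client's tunnel IP into "quarantine",
#    on-down cleans up both lists. Inside on-up/on-down scripts RouterOS
#    provides $user and $"remote-address"; "\$" keeps them from being
#    expanded when this command is typed at the CLI.
/ppp profile add name=ovpn-2fa local-address=10.10.10.1 remote-address=ovpn-pool \
    on-up="/ip firewall address-list add list=quarantine \
        address=\$\"remote-address\" comment=(\"user=\" . \$user)" \
    on-down="/ip firewall address-list remove [find list=quarantine \
        address=\$\"remote-address\"]; \
        /ip firewall address-list remove [find list=authorized \
        address=\$\"remote-address\"]"

# 2. Forward rules. Order matters: these must sit above any broad
#    accept rule for the VPN pool, otherwise quarantine is bypassed.
/ip firewall filter
add chain=forward src-address-list=authorized action=accept \
    comment="second factor completed"
add chain=forward src-address-list=quarantine dst-address=10.10.10.5 \
    protocol=tcp dst-port=443 action=accept \
    comment="quarantined clients may only reach the second-factor service"
add chain=forward src-address-list=quarantine action=drop \
    comment="everything else is blocked until the second factor succeeds"

# 3. What the external system runs over SSH once the second factor
#    succeeds for the client at 10.10.10.50 (placeholder). The
#    "authorized" entry carries a timeout so authorization expires and
#    the user is re-challenged instead of staying authorized forever.
/ip firewall address-list remove [find list=quarantine address=10.10.10.50]
/ip firewall address-list add list=authorized address=10.10.10.50 \
    timeout=8h comment="user=alice"
```

Assign the profile as the OpenVPN server's default profile so every client gets the on-up/on-down scripts. The step-3 commands are what an Auth0 post-auth script would issue; over the RouterOS REST API the same add is a `PUT` to `/rest/ip/firewall/address-list` with a JSON body carrying `list`, `address` and `timeout`, and the remove is a `DELETE` on the entry's `.id`. Use a dedicated router user whose policy is limited to `write` and `api` (or `ssh`) for that integration rather than an admin account. The `on-down` removal matters for the same reason as the timeout: tunnel addresses are reused from the pool, and a stale "authorized" entry would otherwise hand the next client that IP a free pass.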

It is Mikrotik OpenVPN with radius authentication, and the radius server is UserManager running on Mikrotik.
The router requests the OTP as follows:
+