 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

[FEATURE REQUEST] Two Factor Authentication

Wed Oct 03, 2012 3:28 am

I've been trying to implement two factor everywhere and found the lowest common denominator that's safe is the Google Authenticator.
It's safe, secure and completely offline. It doesn't use any proprietary anything and would be a perfect fit...

All you'd need is a module for login and the ability for us to set the secret not just use a random one.. That way all the servers I need can be on the same Secret and I won't need 50 different codes.

Attached is a bunch of implementations - If it can be done in JS I'm sure we can get a mikrotik module

Here's the code for the apps - https://code.google.com/p/google-authenticator/
Here's a JS implementation - http://blog.tinisles.com/2011/10/google ... avascript/
Linux PAM Module install - http://www.howtogeek.com/121650/how-to- ... ntication/
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Oct 08, 2012 5:51 am

You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...

But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..
 
NetworkPro
Forum Guru
Posts: 1370
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 14, 2012 9:36 pm

I can see how this can be useful. I am with you buddy.
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
jsmelley
just joined
Posts: 1
Joined: Sat Jan 19, 2013 6:49 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat May 25, 2013 12:03 pm

What is the current status of this request? Has it been implemented or has anyone figured out how to implement the use of this for SSL connections? I too am looking for a good two factor, OTP solution.


James
 
brotherdust
Member Candidate
Posts: 115
Joined: Tue Jun 05, 2007 1:31 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jun 04, 2013 3:14 am

Sorry if this seems a non-sequitur, but I thought I would share some experiences I've had with OATH (the standard GAuth works on). I implemented OATH TOTP and HOTP in Ruby for fun a while ago, but never published the code. Anyway, I have a hypothesis that the scripting capabilities embedded into RouterOS could have the facilities to implement OATH. I've not done any research on it yet. Anyway, if it were possible to implement it, you'd be most of the way there. I don't know if it's possible, however, to hook into the auth process on the router. Just some stream-of-consciousness ramblings..
 
Netguy
just joined
Posts: 1
Joined: Mon Sep 30, 2013 12:11 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 30, 2013 12:17 pm

I cannot imagine Mikrotik not implementing this.
It is good, easy and free.

I am looking forward to seeing GoogleAuthenticator-support in the next upgrade ;)
 
vdm
just joined
Posts: 2
Joined: Sun Mar 08, 2009 2:56 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 08, 2014 11:09 am

I would really like to see this, so I can use it in addition to ssh client certificates. Gmail has trained people how to use it.

Duo is another open source option. It works great on Cisco ASAs and Active Directory already.

https://www.duosecurity.com/docs/duounix
 
shiny
just joined
Posts: 14
Joined: Tue Feb 19, 2013 3:19 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Feb 10, 2014 4:15 pm

I am using http://www.yubico.com/ for 2FA on several places, including some linux machines. Works good.
 
hvdhelm
just joined
Posts: 17
Joined: Sat Aug 27, 2011 9:37 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 15, 2014 10:14 pm

MultiOTP is a very nice freeware solution. Radius based, full support for Google Authenticator, OATH TOTP and HOTP.

Recently they have released a Raspberry Pi image.
 
michaeleino
just joined
Posts: 1
Joined: Thu Oct 09, 2014 1:16 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Oct 09, 2014 1:20 am

Hey all!
Is there a hope to implement this feature? Is this possible?
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 12, 2014 12:04 pm

2 factor auth would be nice. We are also using the yubikey on a lot of systems, even for VPN (ovpn) with radius authentication. Unfortunately for the http(s) logins the radius-authrequest does not include the cleartext password, therefore the radius server can split up the password into the actual password part and the yubikey token part. Otherwise we would already have a two factor auth for our routers. If mikrotik changes such behavior I offer to write a tutorial on how to set up a two factor auth with freeradius+yubikey.
9-5 Job: Securityanalyst at a major MSSP.
Free time volunteer: Networkadmin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication / Google Aut

Wed Jan 21, 2015 1:55 am

What would it take to get this on "sooner than later" roadmap?

In particular I'd like to see Google Auth support for the WebFig Login interface.

Is there a "bounty" that could be raised?

Let me know, I'm willing to chip in to see this implemented asap.

-dvd
"Those who abandon their dreams will discourage yours"
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Jan 21, 2015 11:49 am

I can only see a slight problem with the Google Authenticator bit... since the one-time codes are derived from clock time, there's going to be trouble when your Routerboard reboots and fails to sync clock time with NTP afterwards as no RB has a battery-buffered RTC included, leading to you being unable to log in as the time on the devices doesn't match.
 
awacenter
Member Candidate
Posts: 200
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 22, 2015 12:48 pm

> You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...
>
> But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..

Really you have troubles because of Mikrotik security policies? There are lots of strategies, think about using SSL certificates for users.
Another issue is why 802.1x is not implemented in wired interfaces by Mikrotik.
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:29 am

Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is a pretty simple way to get this done today.

I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:53 am

> Like has been mentioned earlier any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding on Google Auth to FreeRADIUS is a pretty simple way to get this done today.

Defense in Depth. I'm not going to add in a Radius server to manage my home router remotely :p

Even the SSHD should have a 2FA option.

The clock issue mentioned above is clearly problematic, though I wonder what NTP/USB/Battery options are available?

Quick search finds this: http://www.keylok.com/product/fortress-real-time-clock

A possible smart implementation could just detect the power fail and allow for an option to disable the Google Auth as a fail-safe mode.

For what it's worth, Google Auth does provide you with a set of "backup auth" codes that you can use in the event of clock skew.

You can ALSO deploy it in "counter mode" which doesn't rely on the clock.

> I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.

So what? Why "race to the bottom" when this could be a compelling differentiator!
"Those who abandon their dreams will discourage yours"
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 3:41 am

My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor.

Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrally controlled is one entry to update.
 
ericholtzclaw
just joined
Posts: 2
Joined: Mon Jan 25, 2016 10:44 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jan 25, 2016 10:53 pm

2FA can be done easy with https://duo.com/support/documentation/radius Proxy to Radius. (you need a server)

What MikroTik should do is add in support for Duo and become the proxy + Radius with less moving parts.

Duo has a lot of mobile apps baked with a lot of password managers.


Eric
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 28, 2016 1:29 am

Yeah, lack of EAPOL and 802.1x-2010 support on wired interfaces is a serious issue.
I guess it's because of the aged kernel used in past days, initially?
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 3:30 am

Surely after nearly 4 Years since my Initial Request... It has to have been at least discussed at Mikrotik....

Can we get an official answer on this... 6.5k views on this thread, Can't be because it's a terrible idea.

At this point in time... not having 2F Login to the Tiks has become a serious issue... Especially with the number of Publicly facing CCRs I have.
I'm resistant to putting in a radius with 2F Just for logins, as this has significant admin overhead... not to mention we have hundreds of CPE tiks around Australia, I've never been a fan of Remote radius over the internet...
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 7:27 am

  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config then the mgmt is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That's what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3 management of 2 factor on discrete devices without RADIUS is a 1n operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1n devices that are remote and possibly making a mistake in configuring a couple of them along the way.
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 6:49 am

Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC, WISP all the way down to Home and Travel routers? You must think about use cases other than your own.

Just because it can be done via Radius doesn't mean it should, and it doesn't negate the benefits of adding such a very simple mechanism in scenarios where Radius would be overkill.
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 7:33 am

I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins to name a few). The lack of this feature is not making Mikrotik lose sales to anyone and it probably won't gain any converts if they did have it. The solutions mentioned in this and previous posts will work to secure management logins (with and without RADIUS) for even the home/travel router with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.
 
jerryroy1
Member Candidate
Posts: 134
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:30 am

OK, so going on eight years since initial request and it should be past time that 2FA works with MT and Google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples :)
 
normis
MikroTik Support
Posts: 24724
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:57 am

Here is also something with a MikroTik documentation guide straight up on their main page (I think it's free for up to 25 users)
https://www.notakey.com/products/
No answer to your question? How to write posts
 
MichalRublon
just joined
Posts: 1
Joined: Thu Sep 17, 2020 1:42 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Sep 17, 2020 10:48 am

Rublon enables 2FA for MikroTik using the RADIUS authentication protocol.

Demo video: https://youtu.be/mtUCmmiWFuo

Users authenticate using Mobile Push (Rublon Authenticator app required) or Email Link for 2FA.

Rublon is free for up to 10 users.
 
neutronlaser
Member
Posts: 411
Joined: Thu Jan 18, 2018 5:18 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Sep 19, 2020 9:46 pm

TikTok can access your Google Authenticator
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Sep 20, 2020 5:49 pm

Why the fornication for google products.
I want MS Authenticator
or
I want Authenticator App
or
I want Authy App
or
how bout
the RSA (a known trusted entity) token app.

As I expected none of this is trivial.
one needs ipsec working (and not the ikev2 but the other one........)
one needs to be running a separate radius server entity.

I would be interested in just smartphone to router (and access 3rd party provider to provide the 2F be it google, authy, RSA etc.....)
So that my IKEv2 setup would not change but I would have one extra step when connecting using the MK iphone App.
In other words, the router is already capable of doing the radius server bit (see Normis or posts) but that serves some but not all folks.
So the only work MK needs to do is integrate the third party option with the MK iphone or android apps!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Buster2
newbie
Posts: 38
Joined: Sun Jan 06, 2013 9:04 pm
Location: Germany, Dresden

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 21, 2020 8:07 pm

MikroTik devs might adopt libpam by Google, that works without network connection and with open-source authenticator apps like Aegis
 
emils
MikroTik Support
Posts: 653
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:38 am

Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
[emils@ez_pair7_r1] /user-manager> user/print 
Flags: X - disabled 
 0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
User-Name=emils
User-Password=test412342
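
The scheme described in the post above (static password followed by a 6-digit code that changes every 30 seconds), together with the clock dependency and the password-splitting question raised earlier in the thread, as an added example that is not part of the original thread and not MikroTik's code. It follows RFC 4226/6238; the function names, the ±1 step tolerance and the timestamps are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step, as stated in the post
DIGITS = 6   # length of the code appended to the password

def _key(secret_b32):
    """Decode a base32 secret, tolerating missing padding and lower case."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret_b32, counter):
    """RFC 4226 HOTP ("counter mode"): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(_key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // STEP)

def split_password(combined):
    """Split 'password + 6 digits' into (password, code); None if malformed."""
    tail = combined[-DIGITS:]
    if len(combined) <= DIGITS or not (tail.isascii() and tail.isdigit()):
        return None
    return combined[:-DIGITS], tail

def verify(combined, stored_password, secret_b32, server_time, window=1):
    """Check both parts against the server's own clock, +/- `window` steps."""
    parts = split_password(combined)
    if parts is None:
        return False
    password, code = parts
    ok_password = hmac.compare_digest(password.encode(), stored_password.encode())
    now = server_time // STEP
    ok_code = False
    for step in range(max(0, now - window), now + window + 1):
        # Constant-time comparison, no early exit on a match.
        ok_code |= hmac.compare_digest(hotp(secret_b32, step), code)
    return ok_password and ok_code

if __name__ == "__main__":
    SECRET = "JBSWY3DPEHPK3PXP"     # otp-secret shown in the post
    phone_time = 1_600_000_000      # constructed timestamp
    attempt = "test" + totp(SECRET, phone_time)
    print("clocks agree:       ", verify(attempt, "test", SECRET, phone_time))
    print("server 20 s ahead:  ", verify(attempt, "test", SECRET, phone_time + 20))
    # Server clock far behind the phone, e.g. no NTP sync after a reboot.
    print("server clock unset: ", verify(attempt, "test", SECRET, 3600))
```

The last call shows the failure mode raised earlier in the thread: the verifier only ever compares against codes for its own idea of the time, so a device whose clock has not been synchronised rejects otherwise valid logins.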
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 2:25 pm

Emils, how is this integrated?
By that I mean as per
viewtopic.php?f=1&t=166418
Is it integrated with the Mikrotik App?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
emils
MikroTik Support
Posts: 653
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 3:02 pm

It is not integrated with the MikroTik App. You have to use Google Authenticator on your phone to generate the code from secret. As the main audience for OTP are VPN/HotSpot users, they should not even be aware of MikroTik App to connect to a VPN server that uses RouterOS RADIUS server.
 
anav
Forum Guru
Posts: 5129
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 7:45 pm

Your answer holds the key.
Mikrotik Radius Server.
I was not aware that MT routerOS had an internal radius server.

So, instead of using IKEV2 and my MK Iphone Application to access my router or home LAN, as I do now,
I would do it another way if I wanted to add 2 factor authentication?

Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I don't have external servers is the limitation here.
HOW???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mada3k
Member Candidate
Posts: 266
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Sep 22, 2020 9:07 pm

> Google Authenticator is already available in the RouterOS v7 User Manager for testing purposes:
> [emils@ez_pair7_r1] /user-manager> user/print 
> Flags: X - disabled 
>  0   name="emils" password="test" otp-secret="JBSWY3DPEHPK3PXP" group=default shared-users=1 attributes="" 
> This will allow authentication for user with the second part of the password changing every 30 seconds according to Google's Libpam:
> User-Name=emils
> User-Password=test412342

That's fantastic. That could probably replace a lot of proprietary expensive solutions.
Manages some CCR's, RB750Gr3, RB922 and wAP's
 
emils
MikroTik Support
Posts: 653
Joined: Thu Dec 11, 2014 8:53 am

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Sep 23, 2020 12:14 pm

> Requirement: Ipsec and 2FA from my iphone to my router or to my lan on the router. I don't have external servers is the limitation here.
> HOW???

Using IKEv2 with EAP and v7 User Manager. I personally have been using such setup together with Let's Encrypt certificate for some time already and it works good for home setup. I do not think the OTP secret can be called true 2FA authentication, because the calculated token still needs to be typed into the user's password field instead of a second authentication step, but it definitely can be a tool to increase security.
 
Buster2
newbie
Posts: 38
Joined: Sun Jan 06, 2013 9:04 pm
Location: Germany, Dresden

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Sep 24, 2020 3:06 am

It is 2FA. You need knowledge (the password) and the 2nd factor - the one-time-password generated by the authenticator app. It's the user's responsibility to not have the authenticator app installed on the same system.

If you need the authenticator app on the same system, where you want to login to MikroTik router, you could use a password manager like KeePass with OTP plugin.
