Hello everyone,
I need some help. I've configured Google Authenticator 2FA on my MikroTik RouterOS 7.14.3, but when I test it I don't get a 2FA prompt. I'm sharing a screenshot below.
Thanks for your reply. When I enter my password without the 2FA code, it works. And when I enter my password + 2FA code, it doesn't work.
I could be wrong, but I believe adding the 2FA code after the password is how it works. There is no prompt.
Hello dude,
Did you see this thread? There are a few places where this can go wrong...
viewtopic.php?p=911961&hilit=two+factor ... on#p984843
If you're talking about 2FA RouterOS login... I think you need to point the RouterOS's radius client to use user-manager server, explicitly in config. user-manager users are just RADIUS things, without some RADIUS client using them. See https://help.mikrotik.com/docs/display/ ... -RemoteAAA).
So... Local users (/users/print) would not have any 2FA applied, since only via RADIUS server (i.e. user-manager) is that possible. The RADIUS user database is consulted only if the required username is not found in the local user database.
If you're talking hotspot, the user-manager docs cover that case pretty well.
I don't have this setup, but AFAIK that's how this works.
# on user manager you need to add the "Mikrotik-Group" attribute at least (perhaps more attributes?)
/user-manager user set [find name="user-manager-admin-with-2fa-stuff-set"] attributes=Mikrotik-Group:write
# on routeros users, create a default group with no permissions as the default if Mikrotik-Group is not set
/user group add name=none
# tell routeros to use the radius server (user-manager)
/user/aaa/set use-radius=yes default-group=none
# if desired, to prevent radius from creating a full admin
/user/aaa/set exclude-groups=full
Hi, I created a password and converted it on an encoding website. Afterwards I added the encoded password in Google Authenticator. Now I get an OTP code every 10s in Google Authenticator.
Hi, I use OTP with various types of VPN. To make it work you have to enter password+otp, or if you don't specify the password just use the OTP. I made a video demonstrating how it works.
https://foisfabio.it/index.php/2024/04/ ... k-otp-vpn/
So are you saying that you connect with only user and password, without OTP? It seems strange to me; I think there is some error in the generation of the OTP key. How did you generate it?
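An added example, not part of any post in this thread: a local reference check for the "password+otp" login form and the base32 secret generation discussed above, useful for confirming that the key entered into the authenticator app produces the codes the server should expect. It assumes standard RFC 6238 parameters (HMAC-SHA1, 30-second step, 6 digits); the function names are hypothetical and the secret is the constructed RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

def secret_to_base32(raw: bytes) -> str:
    """Base32-encode raw secret bytes, the form an authenticator app takes."""
    return base64.b32encode(raw).decode().rstrip("=")

def totp(b32_secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `at`."""
    cleaned = b32_secret.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def check_login(credential: str, password: str, b32_secret: str, at: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept only `password` immediately followed by a currently valid OTP."""
    if len(credential) < digits:
        return False
    typed_pw, typed_otp = credential[:-digits], credential[-digits:]
    pw_ok = hmac.compare_digest(typed_pw.encode(), password.encode())
    otp_ok = False
    for drift in range(-window, window + 1):  # tolerate small clock skew
        expected = totp(b32_secret, max(at + drift * step, 0), step, digits)
        otp_ok |= hmac.compare_digest(typed_otp.encode(), expected.encode())
    return pw_ok and otp_ok

# Constructed sample: the RFC 6238 test key, not a secret from the thread.
SECRET = secret_to_base32(b"12345678901234567890")

if __name__ == "__main__":
    now = 59  # fixed timestamp from the RFC test vectors
    print("secret for the app:", SECRET)
    print("password + OTP    :",
          check_login("hunter2" + totp(SECRET, now), "hunter2", SECRET, now))
    print("password only     :",
          check_login("hunter2", "hunter2", SECRET, now))
```

A login that succeeds with the password alone, as reported above, fails this check, which points to the account being authenticated somewhere other than the OTP-enabled user database.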