Ladebrouille
just joined
Topic Author
Posts: 6
Joined: Tue Dec 12, 2023 12:29 pm

2FA Configuration to Mikrotik router issue

Mon May 27, 2024 1:41 pm

Hello everyone,

I need help. I've configured Google Authenticator 2FA on my Mikrotik router OS 7.14.3, but when I'm testing, I don't receive a 2FA prompt. I share a screenshot with you below.
 
Amm0
Forum Guru
Posts: 3715
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: 2FA Configuration to Mikrotik router issue

Mon May 27, 2024 5:00 pm

I could be wrong, but I believe adding the 2FA code after the password is how it works. There is no prompt.
 
Ladebrouille
just joined
Topic Author
Posts: 6
Joined: Tue Dec 12, 2023 12:29 pm

Re: 2FA Configuration to Mikrotik router issue

Mon May 27, 2024 6:19 pm

> I could be wrong, but I believe adding the 2FA code after the password is how it works. There is no prompt.

Thanks for your reply. When I enter my password without the 2FA code, it works. And when I enter my password + 2FA code, it doesn't work.
 
Amm0
Forum Guru
Posts: 3715
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: 2FA Configuration to Mikrotik router issue

Mon May 27, 2024 8:38 pm

Did you see this thread? There are a few places where this can go wrong...
viewtopic.php?p=911961&hilit=two+factor ... on#p984843

If you're talking about 2FA RouterOS login... I think you need to point the RouterOS RADIUS client to use the user-manager server, explicitly in config. user-manager users are just RADIUS things, without some RADIUS client using them. See https://help.mikrotik.com/docs/display/ ... -RemoteAAA).
The RADIUS user database is consulted only if the required username is not found in the local user database.
So... Local users (/users/print) would not have any 2FA applied, since only via RADIUS server (i.e. user-manager) is that possible.

If you're talking hotspot, the user-manager docs cover that case pretty well.

I don't have this setup, but AFAIK that's how this works.
 
Ladebrouille
just joined
Topic Author
Posts: 6
Joined: Tue Dec 12, 2023 12:29 pm

Re: 2FA Configuration to Mikrotik router issue

Tue May 28, 2024 2:21 pm

> Did you see this thread? There are a few places where this can go wrong...
> viewtopic.php?p=911961&hilit=two+factor ... on#p984843
>
> If you're talking about 2FA RouterOS login... I think you need to point the RouterOS RADIUS client to use the user-manager server, explicitly in config. user-manager users are just RADIUS things, without some RADIUS client using them. See https://help.mikrotik.com/docs/display/ ... -RemoteAAA).
> The RADIUS user database is consulted only if the required username is not found in the local user database.
> So... Local users (/users/print) would not have any 2FA applied, since only via RADIUS server (i.e. user-manager) is that possible.
>
> If you're talking hotspot, the user-manager docs cover that case pretty well.
>
> I don't have this setup, but AFAIK that's how this works.

Hello dude,
If my understanding is correct, I can't use 2FA with a local user account on the Mikrotik router?
 
Amm0
Forum Guru
Posts: 3715
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: 2FA Configuration to Mikrotik router issue  [SOLVED]

Tue May 28, 2024 7:37 pm

Correct, there is no way to add 2FA / MFA to a local user in RouterOS.

As I explained, you can set up RouterOS to query RADIUS for winbox/webfig/etc. login, but it's a different account. But a RADIUS RouterOS user can use whatever policy group, so they can be functionally the same as a local one. The 2FA configuration for the user-manager would be the same (and the TOTP needs to be appended to the password in winbox/webfig/etc. for a "RADIUS admin").

I think the config looks something like this – I don't have UM setup to test, but this should be close:
# on user manager you need to add the "Mikrotik-Group" attribute at least (perhaps more attributes?)
/user-manager user set [find name="user-manager-admin-with-2fa-stuff-set"] attributes=Mikrotik-Group:write

# on routeros users, create a group with no permissions to use as the default if Mikrotik-Group is not set
/user group add name=none

# tell routeros to use the radius server (user-manager)
/user/aaa/set use-radius=yes default-group=none

# if desired, to prevent radius from creating a full admin
/user/aaa/set exclude-groups=full
 
abbio90
Member Candidate
Posts: 293
Joined: Fri Aug 27, 2021 9:16 pm

Re: 2FA Configuration to Mikrotik router issue

Wed May 29, 2024 9:23 am

Hi, I use OTP with various types of VPN. To make it work you have to enter password+OTP, or if you don't specify the password, just use the OTP. I made a video demonstrating how it works.

https://foisfabio.it/index.php/2024/04/ ... k-otp-vpn/

So are you saying that you connect with only user and password without OTP? It seems strange to me; I think there is some error in the generation of the OTP key. How did you generate it?
 
Ladebrouille
just joined
Topic Author
Posts: 6
Joined: Tue Dec 12, 2023 12:29 pm

Re: 2FA Configuration to Mikrotik router issue

Wed May 29, 2024 5:33 pm

> Hi, I use OTP with various types of VPN. To make it work you have to enter password+OTP, or if you don't specify the password, just use the OTP. I made a video demonstrating how it works.
>
> https://foisfabio.it/index.php/2024/04/ ... k-otp-vpn/
>
> So are you saying that you connect with only user and password without OTP? It seems strange to me; I think there is some error in the generation of the OTP key. How did you generate it?

Hi, I created a password and converted it on an encoding website. Then I added the encoded password to Google Authenticator. Now I get an OTP code every 10s in Google Authenticator.
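
Added example (not part of the thread and not MikroTik code): a reference RFC 6238 generator for checking that the secret enrolled in the authenticator app is valid base32 and produces the same code as the app, plus the password-with-code string the replies describe. It assumes the authenticator defaults (base32 secret, HMAC-SHA1, 6 digits, 30-second step); the secret and password in the demo are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_b32):
    """Decode a base32 authenticator secret; raises ValueError if it is not base32."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # apps usually omit the padding
    return base64.b32decode(cleaned)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1) for the time `at`, default now."""
    now = time.time() if at is None else at
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(decode_secret(secret_b32), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_until_rotation(at=None, step=30):
    """How long the current code stays valid."""
    now = time.time() if at is None else at
    return step - int(now) % step


def login_string(password, secret_b32, at=None):
    """Password with the current code appended, as the replies describe."""
    return password + totp(secret_b32, at)


if __name__ == "__main__":
    # Constructed sample values: the RFC 6238 test key in base32 and a dummy password.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code now:        ", totp(secret))
    print("rotates in (s):  ", seconds_until_rotation())
    print("password field:  ", login_string("ExamplePass", secret))
```

If the code printed here differs from the one the app shows for the same secret, check the device clocks first, then how the secret was encoded before enrollment.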
