artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

[FEATURE REQUEST] Two Factor Authentication

Wed Oct 03, 2012 3:28 am

I've been trying to implement two factor everywhere and found the lowest common denominator that's safe is the Google Authenticator.
It's safe, secure and completely offline. It doesn't use any proprietary anything and would be a perfect fit...

All you'd need is a module for login and the ability for us to set the secret not just use a random one.. That way all the servers I need can be on the same Secret and I won't need 50 different codes.

Attached is a bunch of implementations - if it can be done in JS, I'm sure we can get a MikroTik module

Here's the code for the apps - https://code.google.com/p/google-authenticator/
Here's a JS implementation - http://blog.tinisles.com/2011/10/google ... avascript/
Linux PAM Module install - http://www.howtogeek.com/121650/how-to- ... ntication/
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Oct 08, 2012 5:51 am

You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...

But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..
 
NetworkPro
Forum Guru
Posts: 1370
Joined: Mon Jan 05, 2009 6:23 pm
Location: Worldwide

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 14, 2012 9:36 pm

I can see how this can be useful. I am with you buddy.
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service
 
jsmelley
just joined
Posts: 1
Joined: Sat Jan 19, 2013 6:49 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat May 25, 2013 12:03 pm

What is the current status of this request? Has it been implemented or has anyone figured out how to implement the use of this for SSL connections? I too am looking for a good two factor, OTP solution.


James
 
brotherdust
Member Candidate
Posts: 114
Joined: Tue Jun 05, 2007 1:31 am

Re: [FEATURE REQUEST] Two Factor Authentication

Tue Jun 04, 2013 3:14 am

Sorry if this seems a non-sequitur, but I thought I would share some experiences I've had with OATH (the standard GAuth works on). I implemented OATH TOTP and HOTP in Ruby for fun a while ago, but never published the code. Anyway, I have a hypothesis that the scripting capabilities embedded into RouterOS could have the facilities to implement OATH. I've not done any research on it yet. Anyway, if it were possible to implement it, you'd be most of the way there. I don't know if it's possible, however, to hook into the auth process on the router. Just some stream-of-consciousness ramblings..
 
Netguy
just joined
Posts: 1
Joined: Mon Sep 30, 2013 12:11 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Sep 30, 2013 12:17 pm

I cannot imagine Mikrotik not implementing this.
It is good, easy and free.

I am looking forward to seeing GoogleAuthenticator-support in the next upgrade ;)
 
vdm
just joined
Posts: 2
Joined: Sun Mar 08, 2009 2:56 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 08, 2014 11:09 am

I would really like to see this, so I can use it in addition to ssh client certificates. Gmail has trained people how to use it.

Duo is another open source option. It works great on Cisco ASAs and Active Directory already.

https://www.duosecurity.com/docs/duounix
 
shiny
just joined
Posts: 14
Joined: Tue Feb 19, 2013 3:19 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Feb 10, 2014 4:15 pm

I am using http://www.yubico.com/ for 2FA in several places, including some Linux machines. Works well.
 
hvdhelm
just joined
Posts: 17
Joined: Sat Aug 27, 2011 9:37 am

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Feb 15, 2014 10:14 pm

MultiOTP is a very nice freeware solution. Radius based, full support for Google Authenticator, OATH TOTP and HOTP.

Recently they have released a Raspberry Pi image.
 
michaeleino
just joined
Posts: 1
Joined: Thu Oct 09, 2014 1:16 am

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Oct 09, 2014 1:20 am

Hey all!
Is there any hope of implementing this feature? Is this possible?
 
jaykay2342
Member
Posts: 335
Joined: Tue Dec 04, 2012 2:49 pm
Location: /Vigor/LocalGroup/Milky Way/Earth/Europe/Germany

Re: [FEATURE REQUEST] Two Factor Authentication

Sun Oct 12, 2014 12:04 pm

2 factor auth would be nice. We are also using the YubiKey on a lot of systems, even for VPN (ovpn) with RADIUS authentication. Unfortunately, for the http(s) logins the radius-authrequest does not include the cleartext password, therefore the radius server can split up the password into the actual password part and the yubikey token part. Otherwise we would already have two factor auth for our routers. If MikroTik changes this behavior, I offer to write a tutorial on how to set up two factor auth with freeradius+yubikey.
9-5 Job: Security analyst at a major MSSP.
Free time volunteer: Network admin and founder at a small non-profit WISP.
Certifications: ITILv3, GCIA
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication / Google Aut

Wed Jan 21, 2015 1:55 am

What would it take to get this on "sooner than later" roadmap?

In particular I'd like to see Google Auth support for the WebFig Login interface.

Is there a "bounty" that could be raised?

Let me know, I'm willing to chip in to see this implemented asap.

-dvd
"Those who abandon their dreams will discourage yours"
 
hedele
Member
Posts: 338
Joined: Tue Feb 24, 2009 11:23 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Wed Jan 21, 2015 11:49 am

I can only see a slight problem with the Google Authenticator bit... since the one-time codes are derived from clock time, there's going to be trouble when your Routerboard reboots and fails to sync clock time with NTP afterwards as no RB has a battery-buffered RTC included, leading to you being unable to log in as the time on the devices doesn't match.
 
awacenter
Member Candidate
Posts: 200
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 22, 2015 12:48 pm

> You realise that most sites are getting serious about this sort of security... Currently you could do this through an external Radius solution...
>
> But Mikrotik should really take notice as many others have started offering it.. I'm having trouble selling Mikrotik to Enterprises because of security policies..

Really, you have troubles because of Mikrotik security policies? There are lots of strategies; think about using SSL certificates for users.
Another issue is why 802.1x is not implemented in wired interfaces by Mikrotik.
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:29 am

As has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today.

I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.
 
TheLittleDuke
just joined
Posts: 9
Joined: Mon Jan 05, 2015 7:22 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 2:53 am

> As has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today.

Defense in Depth. I'm not going to add in a Radius server to manage my home router remotely :p

Even the SSHD should have a 2FA option.

The clock issue mentioned above is clearly problematic, though I wonder what NTP/USB/Battery options are available?

Quick search finds this: http://www.keylok.com/product/fortress-real-time-clock

A possible smart implementation could just detect the power fail and allow for an option to disable the Google Auth as a fail-safe mode.

For what it's worth, Google Auth does provide you with a set of "backup auth" codes that you can use in the event of clock skew.

You can ALSO deploy it in "counter mode" which doesn't rely on the clock.

> I can't think of any competing products that offer OTP on the switch or router; it's all done via add-ons to TACACS+ or RADIUS servers.

So what? Why "race to the bottom" when this could be a compelling differentiator!
"Those who abandon their dreams will discourage yours"
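
Added example, not part of any post in this thread: a Python sketch of the clock-skew problem raised above and of the "counter mode" alternative, using OATH TOTP (RFC 6238) and HOTP (RFC 4226). The secret is the RFC test key, the timestamps are constructed, and the assumption that a router without an RTC restarts with its clock near the Unix epoch is for illustration only.

```python
import hashlib, hmac, struct

SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP where the counter is floor(time / step)."""
    return hotp(secret, unix_time // step)

def verify_totp(secret, code, router_time, step=30, drift_steps=1):
    """Accept a code from the router's current time step +/- drift_steps."""
    now = router_time // step
    return any(hmac.compare_digest(hotp(secret, now + d), code)
               for d in range(-drift_steps, drift_steps + 1) if now + d >= 0)

def verify_hotp(secret, code, stored_counter, look_ahead=2):
    """Counter mode: on success return the next counter to persist, else None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1  # storing this value rejects a replay of the same code
    return None

def demo():
    phone_time = 1234567890  # constructed: the authenticator app's clock
    code = totp(SECRET, phone_time)
    return {
        # router clock 20 s ahead of the phone: same 30 s step, accepted
        "synced": verify_totp(SECRET, code, phone_time + 20),
        # assumed: router rebooted without NTP, clock 2 min past the epoch
        "after_reboot": verify_totp(SECRET, code, 120),
        # counter mode ignores the clock; token is one press ahead of the router
        "hotp_next": verify_hotp(SECRET, hotp(SECRET, 6), stored_counter=5),
        # same code presented again after the counter advanced: rejected
        "hotp_replay": verify_hotp(SECRET, hotp(SECRET, 6), stored_counter=7),
    }

if __name__ == "__main__":
    print(demo())
```

Counter mode trades the clock dependency for state: the verifier has to persist the counter across reboots, and the look-ahead window bounds how far the token may run ahead before it needs resynchronising.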
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Sat Jan 24, 2015 3:41 am

My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor.

Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrally controlled is one entry to update.
 
ericholtzclaw
just joined
Posts: 2
Joined: Mon Jan 25, 2016 10:44 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Mon Jan 25, 2016 10:53 pm

2FA can be done easily with https://duo.com/support/documentation/radius Proxy to Radius. (you need a server)

What MikroTik should do is add in support for Duo and become the proxy + Radius with less moving parts.

Duo has a lot of mobile apps baked with a lot of password managers.


Eric
 
Zorro
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jan 28, 2016 1:29 am

Yeah, the lack of EAPOL and 802.1x-2010 support on wired interfaces is a serious issue.
I guess it's because of the aged kernel used in past days, initially?
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 3:30 am

Surely after nearly 4 Years since my Initial Request... It has to have been at least discussed at Mikrotik....

Can we get an official answer on this... 6.5k views on this thread, Can't be because it's a terrible idea.

At this point in time... not having 2F Login to the Tiks has become a serious issue... Especially with the number of Publicly facing CCRs I have.
I'm resistant to putting in a radius with 2F Just for logins, as this has significant admin overhead... not to mention we have hundreds of CPE tiks around Australia, I've never been a fan of Remote radius over the internet...
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 23, 2016 7:27 am

  1. Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN.
  2. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode).
  3. Admin overhead for adding RADIUS is only at initial config then the mgmt is far less than individually managing credentials on n devices. The settings can easily just be added to your initial setup template. That's what we do. Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on.
  4. As stated in point 3 management of 2 factor on discrete devices without RADIUS is a 1n operation instead of a single change on a single authentication server (or config synced cluster). With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1n devices that are remote and possibly making a mistake in configuring a couple of them along the way.
 
artie11
Frequent Visitor
Topic Author
Posts: 60
Joined: Sun Feb 20, 2011 12:08 pm

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 6:49 am

Are you saying there is no merit to increasing local access security for a device which is used everywhere from DC,Wisp all the way down to Home and Travel routers, You must think about use cases other than your own.

Just because it can be done via Radius, Doesn't mean it should, and it doesn't negate the benefits of adding such a very simple mechanism in scenarios where Radius would be overkill.
 
jkarras
Member Candidate
Posts: 224
Joined: Fri Sep 06, 2013 3:07 am
Location: Utah, USA

Re: [FEATURE REQUEST] Two Factor Authentication

Fri Jun 24, 2016 7:33 am

I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based logins to name a few). The lack of this feature is not making Mikrotik lose sales to anyone and it probably won't gain any converts if they did have it. The solutions mentioned in this and previous posts will work to secure management logins (with and without RADIUS) for even the home/travel router with equal or greater benefits to 2FA.

Items like connection tracking sync, config sync, better management VRF support, fully isolated MPLS support, MSTP, and others are currently causing people to purchase other vendors when otherwise Mikrotik would work fine.
 
jerryroy1
Member Candidate
Posts: 122
Joined: Sat Mar 17, 2007 4:55 am
Location: LA and OC USA

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:30 am

OK, so going on eight years since initial request and it should be past time that 2FA works with MT and google Auth or Duo. Can anyone share a working 2FA MT solution? Please sanitize and send config examples :)
 
normis
MikroTik Support
Posts: 24663
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: [FEATURE REQUEST] Two Factor Authentication

Thu Jun 18, 2020 7:57 am

Here is also something with a MikroTik documentation guide straight up on their main page (I think it's free for up to 25 users)
https://www.notakey.com/products/