
Multi-Factor (MFA) and Two-Factor Authentication (2FA) for MikroTik Router Management Tools (WebFig, WinBox, Console)

February 8, 2021 By Rublon Authors

Last updated on February 6, 2025

Overview of MFA for MikroTik Router Management Tools

Multi-Factor Authentication (MFA) for MikroTik Router Management Tools is an additional layer of security that requires users to provide two authentication factors to gain access to the MikroTik admin panel. This includes entering an Active Directory / RADIUS username and password for the first factor, followed by secondary authentication, such as Mobile Push or Email link. Upon completion of both factors, the user will have access to the resource. Enabling MFA is an effective measure to prevent hackers from gaining access to the resource, even if they have obtained the user’s login credentials.

Supported Authentication Methods

| Authentication Method | Supported | Comments |
| --- | --- | --- |
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Key | – | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | – | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | – | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP Security Key | ✔ | N/A |

Before you start

You need to install and configure Rublon Authentication Proxy before configuring MikroTik to work with it. Read Rublon Authentication Proxy and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.

Note

Ensure you have prepared your RADIUS server for the Rublon Authentication Proxy.

Afterward, add the following line to your config.json file (in the RADIUS section):

"email_attribute": "User-Email"

Note

Unlike VPN logins, MikroTik router management logins dictate which authentication protocol is used when authenticating to RADIUS. Logging in via Console authenticates to RADIUS using PAP. Logging in via Webfig or Winbox authenticates to RADIUS using CHAP. You cannot change that. If you want to enable CHAP in the Rublon Authentication Proxy, refer to Non-PAP protocol for RADIUS communication.

You will need a MikroTik RouterOS management tool of your choice, e.g. Winbox, Webfig. This tutorial shows the configuration using Webfig.

Configuration of MFA for MikroTik Router Management Tools

1. Open Webfig.

2. Navigate to the menu on the left, and select the RADIUS tab.

3. Click Add New to configure your Rublon Authentication Proxy as a RADIUS server.

4. Check login in the Service section.

5. Enter the address of your Rublon Authentication Proxy in the Address field.

6. Set Protocol to udp.

7. Enter the RADIUS Secret from Rublon Authentication Proxy in the Secret field.

8. Change the default timeout to 30000 ms.

9. Click OK to save the changes.

10. Go to System → Users and click AAA.

11. Check Use RADIUS and click OK.

Note

Ensure you do not have users added to both the router’s local database (System → Users in Webfig / Winbox) and your RADIUS server database. When logging in, MikroTik first looks for a user in the router’s local database, and if and only if the user is not found there, MikroTik looks for the user in the RADIUS server database. If you add the user locally, then MikroTik is going to log in the user and disregard Rublon 2FA.

12. Your configuration is complete.
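The note above about local accounts taking precedence over RADIUS can be checked before rollout. The following is an added example, not part of the Rublon or MikroTik documentation: it reads text assumed to be in the `add key=value` form produced by a RouterOS `/user export` and reports which RADIUS-managed usernames also exist locally and would therefore skip the second factor. The sample export, the username list and the function names are constructed for illustration.

```python
import shlex

# Constructed sample, assumed to resemble RouterOS export output.
SAMPLE_EXPORT = """\
/user group
add name=helpdesk policy=read,winbox,web
/user
add comment="system default user" group=full name=admin
add group=full \\
    name=alice
add group=read name=monitor
/user aaa
set use-radius=yes
"""

# Constructed list of accounts that are meant to log in through RADIUS.
RADIUS_USERS = ["alice", "bob", "carol"]


def local_usernames(export_text):
    """Return the account names defined under the /user menu."""
    # Exports wrap long lines with a trailing backslash; rejoin them first.
    joined = export_text.replace("\\\n", "")
    names, in_user_menu = [], False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # Only "/user" holds accounts; "/user group" and "/user aaa" do not.
            in_user_menu = line == "/user"
            continue
        if not in_user_menu or not line.startswith("add "):
            continue
        tokens = shlex.split(line)[1:]  # shlex keeps quoted comments in one token
        fields = dict(t.split("=", 1) for t in tokens if "=" in t)
        if "name" in fields:
            names.append(fields["name"])
    return names


def shadowed_radius_users(export_text, radius_users):
    """RADIUS usernames that also exist locally (exact match is an assumption)."""
    local = set(local_usernames(export_text))
    return sorted(u for u in radius_users if u in local)


if __name__ == "__main__":
    print("Local accounts:", local_usernames(SAMPLE_EXPORT))
    print("Would bypass MFA:", shadowed_radius_users(SAMPLE_EXPORT, RADIUS_USERS))
```

Any name this reports should be removed from either the router's local database or the RADIUS directory so that only one of the two authenticates it.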

Log in to Router Management using MFA for MikroTik Router Management Tools

This example shows logging in to MikroTik Router Management via Webfig. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Open Webfig in your browser.

2. Provide your username and password and click Login.

3. You will be sent an automatic push notification on your phone.

4. Tap APPROVE.

5. You will be logged in to Webfig.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
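To make the Message-Authenticator check concrete, the added example below (not Rublon's code, and not taken from this page) builds a RADIUS Access-Request and validates the attribute as RFC 2869 / RFC 3579 define it: HMAC-MD5 over the whole packet, keyed with the shared secret, with the attribute value zeroed during the calculation. The secret, packet contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 / RFC 3579
SECRET = b"constructed-shared-secret"  # sample value, not a real secret

def build_access_request(ident, authenticator, attrs, secret, sign=True):
    """Build an Access-Request; with sign=True, Message-Authenticator goes first."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if sign:
        body = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16) + body
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    if sign:
        # HMAC-MD5 over the whole packet while the attribute value is 16 zero bytes.
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:22] + mac + packet[38:]
    return packet

def check_message_authenticator(packet, secret):
    """Return 'valid', 'invalid' or 'missing' for a received Access-Request."""
    if len(packet) < 20:
        return "invalid"
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return "invalid"
    packet, pos, value_at = packet[:length], 20, None
    while pos < length:
        if pos + 2 > length:
            return "invalid"
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "invalid"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or value_at is not None:
                return "invalid"
            value_at = pos + 2
        pos += alen
    if value_at is None:
        return "missing"  # a receiver enforcing the attribute drops this packet
    zeroed = packet[:value_at] + bytes(16) + packet[value_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    ok = hmac.compare_digest(expected, packet[value_at:value_at + 16])
    return "valid" if ok else "invalid"

# Constructed sample packets: User-Name (type 1) = "alice".
AUTH = bytes(range(16))
SIGNED = build_access_request(7, AUTH, [(1, b"alice")], SECRET)
UNSIGNED = build_access_request(7, AUTH, [(1, b"alice")], SECRET, sign=False)
```

A packet that comes back as "missing" or "invalid" is what an enforcing receiver rejects, which is why a mismatched shared secret or a sender that omits the attribute shows up as a failed RADIUS login.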

If you encounter any issues with your Rublon integration, please contact Rublon Support.
