Last updated on February 6, 2025
Overview of MFA for MikroTik Router Management Tools
Multi-Factor Authentication (MFA) for MikroTik Router Management Tools is an additional layer of security that requires users to provide two authentication factors to gain access to the MikroTik admin panel. This includes entering an Active Directory / RADIUS username and password for the first factor, followed by secondary authentication, such as Mobile Push or Email link. Upon completion of both factors, the user will have access to the resource. Enabling MFA is an effective measure to prevent hackers from gaining access to the resource, even if they have obtained the user’s login credentials.
Supported Authentication Methods
| Authentication Method | Supported | Comments |
| Mobile Push | ✔ | N/A |
| WebAuthn/U2F Security Key | – | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | – | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | – | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP Security Key | ✔ | N/A |
Before you start
You need to install and configure Rublon Authentication Proxy before configuring MikroTik to work with it. Read Rublon Authentication Proxy and follow the steps in the Installation and Configuration sections. Afterward, follow the Configuration section in this document.
Note
Ensure you have prepared your RADIUS server for the Rublon Authentication Proxy.
Afterward, add the following line to your config.json file (in the RADIUS section):
"email_attribute": "User-Email"
Note
Contrary to VPN logins, router management logins in MikroTik impose the authentication protocol used while authenticating to RADIUS. Logging in via Console authenticates to RADIUS using PAP. Logging in via Webfig or Winbox authenticates to RADIUS using CHAP. You cannot change that. If you want to enable CHAP in the Rublon Authentication Proxy, refer to Non-PAP protocol for RADIUS communication.
You will need a MikroTik RouterOS management tool of your choice, e.g. Winbox, Webfig. This tutorial shows the configuration using Webfig.
Configuration of MFA for MikroTik Router Management Tools
1. Open Webfig.
2. Navigate to the menu on the left, and select the RADIUS tab.
3. Click Add New to configure your Rublon Authentication Proxy as a RADIUS server.
4. Check login in the Service section.
5. Enter the address of your Rublon Authentication Proxy in the Address field.
6. Set Protocol to udp.
7. Enter the RADIUS Secret from Rublon Authentication Proxy in the Secret field.
8. Change the default timeout to 30000 ms.
9. Click OK to save the changes.
10. Go to System → Users and click AAA.
11. Check Use RADIUS and click OK.
Note
Ensure you do not have users added to both the router’s local database (System → Users in Webfig / Winbox) and your RADIUS server database. When logging in, MikroTik first looks for a user in the router’s local database, and if and only if the user is not found there, MikroTik looks for the user in the RADIUS server database. If you add the user locally, then MikroTik is going to log in the user and disregard Rublon 2FA.
12. Your configuration is complete.
Log in to Router Management using MFA for MikroTik Router Management Tools
This example portrays logging in to MikroTik Router Management via Webfig. Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Open Webfig in your browser.
2. Provide your username and password and click Login.
3. You will be sent an automatic push notification on your phone.
4. Tap APPROVE.
5. You will be logged in to Webfig.
Troubleshooting
Blast-RADIUS Vulnerability Protection
RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.
The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.
If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.
If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.
If you encounter any issues with your Rublon integration, please contact Rublon Support.
