![]() ![]() ![]() We started troubleshooting and find out that the app had to be re-provisioned again with SMS. Please try again." This is very inconvenient and problematic for our customers. The message was "The OTP you entered could not be authenticated. It was random and they were unable to login in their homes and even when they come to the office. So we put Number of offline OTPs to be 100 and everything was good for a while.Īfter a bit of using the app started to have problems with OTP for some of our users. We were thinking that people will have 100 successful logins outside of the office and then they will have to go to the office and login there one time to restock OTP. Please use event-based (HOTP) option to use the offline mode." One of our main goals was having Two Factor Authentication outside of the office where you you login in offline mode and we chose to use HOTP (event-based OTP).Īs said in web console: "Note: Time-based (TOTP) mobile application or hard token OTPs do not work in offline mode. We already have internet security product on all of our customers and we are happy with it. This makes it so you can use a serial console cable to the device to regain access using the admin account in the event that the OTP code doesn't work but makes the admin account fail authenticate from anywhere else.Our organization chose ESET for Two Factor Authentication and it is using it and testing it for a while. In the script you will notice I set the admin login allowed addresses to 127.0.0.1. Make sure the OTP you enter is within the 30 second windows or you will fail authentication. In winbox or the web interface type your password and append the 6 digit OTP in your authenticator to the end of the password. I would imagine that any other app that allows you to manually paste the OTP will work as well. I have tested with Google Authenticator and Microsoft Authenticator and both work fine when manually adding the base32 OTP. user-manager router add address=127.0.0.1 name="Loopback" shared-secret=123 user-manager set certificate=*0 enabled=yes user-manager user add attributes=Mikrotik-Group:full name=(username) password=(password) otp-secret=(OTP YOU CONVERTED TO BASE32) shared-users=unlimited With RADIUS you could roll out 2FA today to all your remote devices with a single change in an afternoon instead of touching 1 n devices that are remote and possibly making a mistake in configuring a couple of them along the way.Ĭode: Select all /radius add address=127.0.0.1 service=login secret=123 As stated in point 3 management of 2 factor on discrete devices without RADIUS is a 1 n operation instead of a single change on a single authentication server (or config synced cluster).Then there is only one place to go to change and update credentials instead of 1(n) devices to make changes on. The settings can easily just be added to your initial setup template. Admin overhead for adding RADIUS is only at initial config then the mgmt is far less than individually managing credentials on n devices.One example would be an encrypted GRE tunnel, or just standard IPSEC (no tunnel mode). There are ways to encrypt the unencrypted portions of the RADIUS datagram.Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |