30 June 2026

MikroTik router login 2FA — phone approval for WinBox and SSH

Require a phone approval for WinBox, WebFig and SSH logins to a MikroTik router: the same auth-proxy RADIUS setup, pointed at service=login.

If you followed our VPN 2FA with RADIUS guide, you already have everything needed to protect something else: logins to the router itself. WinBox, WebFig, SSH and the API can all authenticate over RADIUS, and since the Notakey auth-proxy is transparent RADIUS, pointing the router’s login service at it means every admin login needs a phone approval, not just a password.

The flow is identical to the VPN case:

Router login ──RADIUS──▶ Notakey auth-proxy ──RADIUS──▶ your RADIUS server

                                 └──▶ push notification ──▶ admin's phone

Only three things change on the router side, covered below.

Requirements

  • A working auth-proxy in front of a RADIUS server, set up exactly as in steps 1–3 of the VPN guide. Any downstream RADIUS works: FreeRADIUS, Microsoft NPS, MikroTik’s own User Manager, or the Notakey RADIUS plugin.
  • The admin’s username present in the downstream RADIUS server and in the Notakey service, with an onboarded phone; the proxy addresses the push by username.

Step 1: Decide which push message admins see

The proxy pushes the message from its own configuration: the same message_title / message_description used for VPN logins. You have two options:

  • Reuse the VPN proxy as-is. Fastest. Admin logins will show the VPN wording on the phone (e.g. “VPN authentication — allow john login?”). Perfectly workable for a small setup.
  • Run a second proxy instance with its own Notakey application and a message like “Router admin login as {0}?”. With the dockerized proxy this is just a second container listening on another port (say 18120), with a different NOTAKEY_ACCESS_ID; the appliance’s built-in proxy is a single instance, so the second one runs as a container next to it.

A dedicated message is worth the five minutes: an admin who sees “Router admin login” while not logging into a router knows immediately that something is wrong — and denies it.

Step 2: Add the proxy as a login RADIUS server

On the router, add the proxy as a RADIUS server for the login service:

/radius
add service=login address=<proxy-address> secret=secret_to_radius_server timeout=30s

This is the VPN guide’s /radius line with service=ppp swapped for service=login, and the same warning applies: MikroTik’s default RADIUS timeout is 300 milliseconds. A human approving a push needs at least 30 seconds, so timeout=30s is not optional. Without it every login fails before the phone even buzzes.

Step 3: Enable RADIUS for router users

/user aaa
set use-radius=yes default-group=full

That’s it. RouterOS now queries RADIUS (through the proxy) for any login whose username is not in the local /user database.

Two things to get right here:

Pick default-group deliberately. RADIUS-authenticated users get this group’s privileges (read, write or full) unless your RADIUS server returns a Mikrotik-Group vendor attribute per user (vendor ID 14988). If everyone coming through RADIUS is a full admin, default-group=full is fine; if not, set it to the least privilege that works and assign Mikrotik-Group from RADIUS for the exceptions.

Keep a local admin account. RouterOS checks the local user database first and only asks RADIUS for usernames it doesn’t know. That local admin is your fallback if the proxy, the RADIUS server or the Notakey service is ever unreachable. Without it, an outage locks you out of your own router. Give it a strong unique password, and consider restricting it to a management address with /user set <name> address=<mgmt-subnet>.

Test it, carefully

Do not close your working session yet. Open a second WinBox or SSH session and log in with a RADIUS username:

  • The login dialog waits; that’s the proxy holding the exchange open.
  • The push lands on the phone. Approve → you’re in, with the group’s privileges. Deny or ignore → the login fails after the timeout.
  • Confirm the local admin still gets in the normal way.

Only after both checks pass, close the original session.

If logins fail instantly even though the push arrives, recheck timeout=30s in /radius; the 300 ms default is the most common mistake. If no push arrives at all, the username almost certainly differs between RADIUS and the Notakey service.

Where this fits

One proxy, one RADIUS server, and now both the VPN and the router’s admin plane require a phone approval. The same pattern extends to anything else that speaks RADIUS.

← All posts

See your first passwordless login this week

A 30-minute call with an engineer, not a sales deck. We’ll map your VPN, SSO or Windows setup to a working pilot.