MFA for MikroTik
MikroTik RouterOS shows up everywhere from branch offices to ISPs, handling VPN termination and router administration on a tight budget. RouterOS can authenticate users via RADIUS but has no MFA of its own, so a single credential guards the edge. Authnull becomes the RADIUS server RouterOS uses and enforces a factor on L2TP/IPSec and SSTP VPN logins as well as router login. You add Authnull under the RADIUS settings, enable it for the PPP and login services, and a factor is required before access.
MikroTik forwards the login; Authnull adds the factor.
RouterOS sends the login to Authnull over RADIUS; Authnull validates the credential, challenges for the factor, and returns Access-Accept. Increase the RADIUS timeout so push approval is not cut off.
Configure MFA for MikroTik
Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 15 minutes.
Add the RADIUS server
In RouterOS, add Authnull as a RADIUS server and enable it for the ppp and login services.
Enable RADIUS for PPP
Turn on RADIUS use for the PPP AAA so VPN logins authenticate through Authnull.
Enable RADIUS for router login
Allow RADIUS for management login so admin access is challenged too.
Test the VPN
Connect over L2TP/IPSec or SSTP with a test account and approve the factor; confirm the session in Authnull logs.
Closes the MFA gap auditors look for
Enforcing MFA on MikroTik gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.
Add MFA to MikroTik — free to start.
Spin up Authnull, point MikroTik at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.