mavis_tacplus_sms.pl for sms

codcodoe

Aug 22, 2024, 3:18:48 AM
to Event-Driven Servers
Dears,
  This might be a silly question, but it has been bothering me.
  How do I configure the TACACS+ server to retrieve the challenge in phase 1? It always gets 49 AUTH.

# Test input: Phase 1: Retrieve challenge
# 0 TACPLUS
# 4 $USER
# 14 1.2.3.4
# 49 CHAL
# =
#
# Test input: Phase 2: Authenticate
# 0 TACPLUS
# 4 $USER
# 8 $PASS
# 14 1.2.3.4
# 49 AUTH
# =

Marc Huber

Aug 23, 2024, 7:38:22 AM
to event-driv...@googlegroups.com
Hi,

"login backend = mavis chalresp", but it's been 15 years since I last
tested that.

Cheers,

Marc

codcodoe

Apr 30, 2025, 2:05:28 AM
to Event-Driven Servers
Hi Marc.

I tried setting "login backend = mavis chalresp", and it works correctly for some network devices. After the user enters their username, the mavis backend receives the challenge (chal), at which point an OTP can be sent, and the user can log in using the OTP and password. However, for some other network devices, it seems that after the user enters their username, nothing is sent to the mavis backend until the user also enters their password, at which point the mavis backend receives the challenge. Is there still a possibility to implement OTP for this type of device?
On Friday, August 23, 2024 at 7:38:22 PM UTC+8, Marc Huber wrote:

Marc Huber

Apr 30, 2025, 9:27:57 AM
to event-driv...@googlegroups.com
Hi,

No, there's no way to implement SMS authentication for single-step
logins (such as PAP). I'd suggest using one of the OTP or PUSH based
authenticators for that (e.g. MS or Google Authentication, or Cisco
DUO), with the external-mt backend using ldapmavis-mt.

Cheers,

Marc
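
Added example (not part of the thread and not code from mavis_tacplus_sms.pl): a Python sketch of the two-phase flow discussed above, using the attribute numbers from the test input in the first post. It shows why an AUTH request with no preceding CHAL (the single-step case) has no OTP to be checked against. The class name, the send_sms callback, the returned labels, the TTL and the assumption that attribute 8 carries the OTP the user typed are all hypothetical.

```python
import hmac
import secrets
import time

OTP_TTL = 120  # seconds a challenge stays valid (assumed value)

def parse_request(text):
    """Parse 'NUMBER VALUE' lines up to the '=' terminator, as in the test input."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "=":
            break
        if not line:
            continue
        num, _, value = line.partition(" ")
        attrs[int(num)] = value
    return attrs

class SmsOtpBackend:
    """Hypothetical two-phase handler; return labels are not MAVIS result codes."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # hypothetical callable(user, otp)
        self.now = now
        self.pending = {}          # (user, ip) -> (otp, expiry)

    def handle(self, text):
        a = parse_request(text)
        if a.get(0) != "TACPLUS" or 4 not in a:
            return "error"
        key = (a[4], a.get(14))
        if a.get(49) == "CHAL":    # phase 1: user name only, issue and send OTP
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[key] = (otp, self.now() + OTP_TTL)
            self.send_sms(a[4], otp)
            return "challenge"
        if a.get(49) == "AUTH":    # phase 2: verify the response
            otp, expiry = self.pending.pop(key, (None, 0))  # single use
            if otp is None:        # single-step login: phase 1 never happened
                return "reject-no-challenge"
            if self.now() > expiry:
                return "reject-expired"
            ok = hmac.compare_digest(otp.encode(), a.get(8, "").encode())
            return "accept" if ok else "reject"
        return "error"
```
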