Two-Factor Authentication with Google Auth or WIKID


Imran Haider

Jul 4, 2017, 1:31:28 PM
to Event-Driven Servers
Hi All,

I've set up tac_plus with AD auth and everything seems to be working just fine. I just wanted to know if it's possible to add a 2nd authentication method (Google Authenticator or WiKID). My config is given below. Another problem I'm facing is that ldaps doesn't seem to be working for me, maybe because of the self-signed AD certificate. Is there any method to skip certificate validation, or maybe it's some other problem? When I try to run openssl s_client -connect 192.168.1.10:636 I get:

SSL handshake has read 4431 bytes and written 370 bytes
Verification error: unable to verify the first certificate
read:errno=104

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
         access log = /var/log/tac_plus/access/%Y%m%d.log
         accounting log = /var/log/tac_plus/acct/%Y%m%d.log

        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "172.17.5.1:389 172.17.5.2:389"
                setenv LDAP_BASE = "OU=Test,DC=example,DC=com"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "lda...@example.com"
                setenv LDAP_PASSWD = "Abcd98798798"
                setenv AD_GROUP_PREFIX = "Network Management Team"
                #setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = ::/0
                prompt = "TACACS+ Authentication Server"
                enable 15 = clear abcd123456
                key = cisco
        }

        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }

        user = cisco {
                password = clear cisco
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        user = example.user {
                member = admin
        }
        user = another.user {
                member = admin
        }
        user = another.user1 {
                member = admin
        }
        user = another.user2 {
        }
}

Shin Sterneck

Jul 15, 2017, 7:00:34 AM
to Event-Driven Servers
Hi Imran,

Regarding MFA (Multi-Factor Authentication), I am also planning to implement this. I am thinking of implementing it by concatenating the primary password with the 2nd-factor password (e.g. TOTP or HOTP) and then separating them before checking them. But I haven't really worked on this yet, so it's just a basic idea/approach so far.

Regarding the certificate check, the page below might help you. You basically have to trust your self-signed cert by adding your CA to the trust chain:


Regards,
Shin
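As an added example, not code from this thread, from tac_plus or from MAVIS: the concatenation approach sketched above, worked through end to end. The login password is taken to be the AD/LDAP password with a six-digit TOTP appended (an assumption); it is split by length, the password part is checked (here against a local PBKDF2 hash standing in for the LDAP bind a real deployment would do), and the OTP part is checked as RFC 6238 TOTP (SHA-1, 30-second step, base32 secret in the form Google Authenticator issues), with a replay guard so a code that was already accepted cannot be reused inside its validity window. The user table, the password, the constants and all function names (split_factors, hotp, verify_totp, check_password, authenticate) are made up for this example; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC's own test vectors.

```python
"""Added example: password + TOTP concatenated into one login password,
split and checked as two factors. Not code from the thread or from tac_plus.

Assumptions (all constructed for this example): the OTP is the last 6
digits of the submitted password; TOTP per RFC 6238 with SHA-1 and a 30 s
step; base32 secrets as Google Authenticator uses; the primary password is
checked against a local PBKDF2 hash instead of an LDAP bind.
"""
import base64
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6
TOTP_STEP = 30   # seconds per TOTP step
TOTP_WINDOW = 1  # accept one step of clock skew either side

# Constructed user table. The TOTP secret is the RFC 6238 reference key
# ("12345678901234567890") base32-encoded; the password is made up.
USERS = {
    "example.user": {
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "pw_salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac(
            "sha256", b"Example-Pa55w0rd", b"constructed-salt", 100_000),
        "last_counter": -1,  # replay guard: highest TOTP counter accepted so far
    }
}


def split_factors(combined):
    """Split 'password<otp>' into (password, otp) by length.
    Returns None if there is no room for an OTP or the tail is not all
    digits, so a bare password is rejected instead of being truncated."""
    if len(combined) <= OTP_DIGITS:
        return None
    password, otp = combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]
    if not otp.isdigit():
        return None
    return password, otp


def hotp(secret_b32, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP with SHA-1: HMAC over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then the low `digits` digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, otp, now, last_counter):
    """Check `otp` against the current step and its neighbours (RFC 6238).
    Returns the matched counter, or None. Counters at or below
    `last_counter` are skipped so a captured code cannot be replayed."""
    current = now // TOTP_STEP
    for counter in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), otp):
            return counter
    return None


def check_password(user, password):
    """Stand-in for the directory bind: constant-time compare of a PBKDF2 hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user["pw_salt"], 100_000)
    return hmac.compare_digest(digest, user["pw_hash"])


def authenticate(username, combined, now=None):
    """Full check: split, verify both factors, then record the OTP counter.
    Both factors are evaluated before the result is combined, so a wrong
    password and a wrong OTP fail in roughly the same time."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    parts = split_factors(combined)
    if user is None or parts is None:
        return False
    password, otp = parts
    pw_ok = check_password(user, password)
    counter = verify_totp(user["totp_secret"], otp, now, user["last_counter"])
    if not (pw_ok and counter is not None):
        return False
    user["last_counter"] = counter  # burn the code only on full success
    return True


if __name__ == "__main__":
    # RFC 6238 vector: T=59 -> counter 1 -> 94287082, low six digits 287082.
    print(authenticate("example.user", "Example-Pa55w0rd287082", now=59))
```

Two points the split makes visible. The OTP has to be separated by a fixed length, not by looking for trailing digits, because the primary password may itself end in digits; the shared password prompt also means the directory only ever sees the password part, so whichever backend does the split must be the one that binds to AD. In a PAM stack the modules each see the same password unless the first one rewrites it, which is what pam_google_authenticator's forward_pass option is for: it strips the code and passes the remainder on to the next module.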

Imran Haider

Jul 18, 2017, 9:50:02 AM
to Event-Driven Servers
Thanks Shin, I'll look into it.

Imran Haider

Aug 3, 2017, 4:24:19 PM
to Event-Driven Servers
I've finally got the setup working, though not with the pro bono implementation; but since this also supports PAM auth, I guess it'll work fine. I'm using two PAM modules in conjunction, the pam_ldap.so module and the pam_google_authenticator.so module. Please let me know if anyone needs it; I'll redact the config and post it here.

SimonS

Nov 28, 2017, 5:02:48 AM
to Event-Driven Servers
Hi Imran, could you share your configs for TACACS dual factor, please?

James Ren

Apr 6, 2018, 1:58:44 PM
to Event-Driven Servers
Hi Imran,

Would you please share the configs for the tacacs+ with AD and Google Authenticator?

Thanks in advance,

James

paul priber

Jul 27, 2025, 2:59:12 PM
to Event-Driven Servers
Please show the steps involved in setting this up. Would be super helpful.