Two-Factor Authentication with Google Auth or WIKID
245 views
Skip to first unread message
Imran Haider
Jul 4, 2017, 1:31:28 PM7/4/17
to Event-Driven Servers
Hi All,
I've setup tac_plus with AD auth and everything seems to be working just fine, I just wanted to know if it's possible to add 2nd authentication method(google authentication or wikid). My config is given below. Another problem I'm facing is that ldaps doesn't seem to be working for me, maybe because of self-signed AD certificate, is there any method to skip certificate validation or maybe it's some other problem as I get, SSL handshake has read 4431 bytes and written 370 bytes.Verification error: unable to verify the first certificate. read:errno=104. When I try to run openssl s_client -connect 192.168.1.10:636
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "172.17.5.1:389 172.17.5.2:389"
setenv LDAP_BASE = "OU=Test,DC=example,DC=com"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_USER = "lda...@example.com"
setenv LDAP_PASSWD = "Abcd98798798"
setenv AD_GROUP_PREFIX = "Network Management Team"
#setenv REQUIRE_TACACS_GROUP_PREFIX = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host = world {
address = ::/0
prompt = "TACACS+ Authentication Server"
enable 15 = clear abcd123456
key = cisco
}
group = admin {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
group = guest {
default service = permit
enable = deny
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
}
user = cisco {
password = clear cisco
member = admin
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
user = example.user {
member = admin
}
user = another.user {
member = admin
}
user = another.user1 {
member = admin
}
user = another.user2 {
}
}
I've setup tac_plus with AD auth and everything seems to be working just fine, I just wanted to know if it's possible to add 2nd authentication method(google authentication or wikid). My config is given below. Another problem I'm facing is that ldaps doesn't seem to be working for me, maybe because of self-signed AD certificate, is there any method to skip certificate validation or maybe it's some other problem as I get, SSL handshake has read 4431 bytes and written 370 bytes.Verification error: unable to verify the first certificate. read:errno=104. When I try to run openssl s_client -connect 192.168.1.10:636
#!/usr/local/sbin/tac_plus
id = spawnd {
listen = { port = 49 }
spawn = {
instances min = 1
instances max = 10
}
background = yes
}
id = tac_plus {
access log = /var/log/tac_plus/access/%Y%m%d.log
accounting log = /var/log/tac_plus/acct/%Y%m%d.log
mavis module = external {
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "172.17.5.1:389 172.17.5.2:389"
setenv LDAP_BASE = "OU=Test,DC=example,DC=com"
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_USER = "lda...@example.com"
setenv LDAP_PASSWD = "Abcd98798798"
setenv AD_GROUP_PREFIX = "Network Management Team"
#setenv REQUIRE_TACACS_GROUP_PREFIX = 1
exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
}
login backend = mavis
user backend = mavis
pap backend = mavis
host = world {
address = ::/0
prompt = "TACACS+ Authentication Server"
enable 15 = clear abcd123456
key = cisco
}
group = admin {
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
group = guest {
default service = permit
enable = deny
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 1
}
}
user = cisco {
password = clear cisco
member = admin
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
}
}
user = example.user {
member = admin
}
user = another.user {
member = admin
}
user = another.user1 {
member = admin
}
user = another.user2 {
}
}
Shin Sterneck
Jul 15, 2017, 7:00:34 AM7/15/17
to Event-Driven Servers
Hi Imran,
regarding MFA (Multi Factor Authentication), I am also planning to implement this. I am thinking of implementing this by concatenating the primary password with the 2nd factor password (e.g TOTP or HOTP) and then separating them before checking them. But I haven't really worked on this yet, so its just a basic idea/approach so far.
Regarding the certificate check, the below page might help you. You basically have to trust your self signed cert by adding your CA to the trust chain:
Regards,
Shin
Imran Haider
Jul 18, 2017, 9:50:02 AM7/18/17
to Event-Driven Servers
Thanks Shin, I'll look into it.
Imran Haider
Aug 3, 2017, 4:24:19 PM8/3/17
to Event-Driven Servers
I've got the setup working finally but not with pro bono implementation but since this also supports PAM auth, I guess it'll work fine. I'm using two PAM modules in conjunction, the pam_ldap.so module and pam_google_authenticator.so module. Please let me know if anyone needs it. I'll redact the config and post it here.
SimonS
Nov 28, 2017, 5:02:48 AM11/28/17
to Event-Driven Servers
Hi Imran could you share your configs for tacacs dual factor please.
James Ren
Apr 6, 2018, 1:58:44 PM4/6/18
to Event-Driven Servers
Hi Imran,
Would you please share the configs for the tacacs+ with AD and Google Authenticator?
Thanks in advance,
James
Would you please share the configs for the tacacs+ with AD and Google Authenticator?
Thanks in advance,
James
paul priber
Jul 27, 2025, 2:59:12 PMJul 27
to Event-Driven Servers
Please show the steps involved this setting this up. Would be super helpful.
Reply all
Reply to author
Forward
0 new messages