tacacs+ on mavis with AD and Google Authenticator


James Ren

Apr 6, 2018, 1:58:44 PM4/6/18
to Event-Driven Servers

Dear Marc,


My name is James Ren and I’m a network engineer. I came across your article on mavis (http://www.pro-bono-publico.de/projects/mavis.html) and I have successfully deployed our tacacs+ server with Microsoft AD as backend. However, I’d also like to implement MFA for the authentication leveraging Google Authenticator. I saw in the Google Group that someone had deployed it with pam_ldap and pam_google_authenticator, but I have not been able to find any available resources describing how to do it with mavis.


Would you please point me in the right direction on how we could set it up for tacacs+ based on mavis authenticating with Microsoft AD and Google Authenticator?


Many thanks in advance,


James Ren

Marc Huber

Apr 8, 2018, 4:16:06 AM4/8/18
to event-driv...@googlegroups.com
Hi James,

On 06.04.18 19:19, James Ren wrote:
> Would you please point me in the right direction on how we could set it
> up for tacacs+ based on mavis authenticating with Microsoft AD and
> Google Authenticator?
what exactly is "Google Authenticator"?

If it's an OATH implementation where the common secret is known to both
server and client, then someone could write a script that verifies a
user-given password by splitting it into the OTP part and the AD part
and checks whether both passwords are correct. (Adding a secondary query
for a verification code would be pointless, as that would work with
multi-sequence implementations of the LOGIN authentication method only.)

Cheers,

Marc
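Marc's proposal of a single script that splits the submitted password into an OTP part and an AD part, written out as an added example that is not part of this thread or of mavis itself. It assumes Google Authenticator's TOTP profile (RFC 6238: HMAC-SHA1, 30-second steps, six digits), that the user appends the OTP to the AD password, and it replaces the real AD bind with a constructed dictionary lookup (`fake_ad_bind`) so it runs offline.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP for one time-step counter (HMAC-SHA1, as Google Authenticator uses)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32: str, code: str, now=None, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step plus/minus `window` steps of clock drift."""
    counter = int((time.time() if now is None else now) // step)
    return any(hmac.compare_digest(totp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))

def split_password(combined: str, digits: int = 6):
    """Split '<AD password><6-digit OTP>'; None if the trailing OTP part is missing."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def verify_combined(user, combined, check_ad_password, totp_secrets, now=None) -> bool:
    """Both factors must pass. Both are always evaluated, so the reply time does not
    reveal which factor failed."""
    parts = split_password(combined)
    secret = totp_secrets.get(user)
    if parts is None or secret is None:
        return False
    ad_password, otp = parts
    ad_ok = check_ad_password(user, ad_password)    # real deployment: LDAP bind against AD
    otp_ok = verify_totp(secret, otp, now=now)
    return ad_ok and otp_ok

# Constructed sample data standing in for AD and for the per-user TOTP enrolment store.
CONSTRUCTED_AD = {"james": "Winter2018!"}
CONSTRUCTED_SECRETS = {"james": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}  # RFC 6238 test key

def fake_ad_bind(user, password):
    return CONSTRUCTED_AD.get(user) == password      # hypothetical stand-in for an LDAP bind

if __name__ == "__main__":
    # RFC 6238 vector: at t=59 the SHA1 code is 94287082, i.e. "287082" at six digits.
    print(verify_combined("james", "Winter2018!287082", fake_ad_bind, CONSTRUCTED_SECRETS, now=59))
```

Once a code has been accepted it should also be recorded per user and refused on reuse within the window, which the example leaves out.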

James Ren

Apr 21, 2018, 7:53:41 AM4/21/18
to Event-Driven Servers
Hi Marc,

Thank you for taking the time to look into this. The idea is to use the combination of the password from Microsoft AD and a one-time passcode from the Google Authenticator mobile app as the unique password when the user tries to log into the system. I have tried to use tacacs+ and mavis, which worked perfectly with Microsoft AD. Separately, I tried to authenticate the user by their Linux local account plus the Google Authenticator OTP, which also worked. I wonder if there are any available instructions for getting the two to work together.

Many thanks again!

Regards,

James