How to enable Two-Factor Authentication on a TACACS+ configuration

In a previous article I described how to install tacacs+ on Debian with support for multiple network devices. To better secure remote access to several network devices (Cisco NX-OS, HPE Comware 7, Juniper Junos and Aruba switches), I will now enable two-factor authentication in the tacacs+ configuration: tac_plus hands the login to PAM, and the Google Authenticator PAM module requires the account password plus a time-based one-time password (TOTP) on every login.

Requirements:

  • tacacs+
  • libpam-google-authenticator
  • Google Authenticator app (or any other TOTP app) on a smartphone

Package Installation

apt-get install tacacs+ libpam-google-authenticator -y

Tacacs Configuration

Each network device is declared as a host with the shared key it uses to talk to the server. The value after des is a placeholder here: des expects a crypt(3) hash (the tac_pwd utility shipped with tacacs+ prints one), not a cleartext password. In practice give every device its own key rather than reusing one key across all of them, and keep /etc/tacacs+/tac_plus.conf readable by root only, since it holds those keys in cleartext.

host = 192.168.1.11 {
 key = "!!4dm1n!!"
 enable = des ciscoios
}
host = 192.168.1.12 {
 key = "!!4dm1n!!"
 enable = des junos
}
host = 192.168.1.13 {
 key = "!!4dm1n!!"
 enable = des aruba
}
host = 192.168.1.14 {
 key = "!!4dm1n!!"
 enable = des hpe-comware
}
host = 192.168.1.15 {
 key = "!!4dm1n!!"
 enable = des nxos
}


Two groups are defined. Both set login = PAM and pap = PAM, which is what routes the password check through /etc/pam.d/tac_plus and therefore through the Google Authenticator module; the enable password is still checked against the local password file without an OTP.

group = Administrator {
 default service = permit
 login = PAM
 service = exec {
  priv-lvl = 15
 }
 pap = PAM
 enable = file /etc/passwd
}

group = operator {
 default service = deny
 login = PAM
 service = exec {
  priv-lvl = 15
 }
 pap = PAM
 enable = file /etc/passwd
 cmd = show {
  permit .*
 }
 cmd = write {
  permit .*
 }
 cmd = copy {
  permit .*
 }
 cmd = exit {
  permit .*
 }
 cmd = display {
  permit .*
 }
 cmd = ping {
  permit .*
 }
 cmd = traceroute {
  permit .*
 }
 cmd = ssh2 {
  permit .*
 }
 cmd = telnet {
  permit .*
 }
 cmd = tracert {
  permit .*
 }
}

Note that the operator group still receives privilege level 15 and is only restricted by command authorization, and that write and copy permit any argument, so an operator can save or overwrite the running configuration. Tighten those regular expressions if that is not intended.

user = rohmat { member = Administrator service = junos-exec { local-user-name = remote-admin }}

The member value must name a defined group exactly (group names are case-sensitive). The junos-exec service maps this TACACS+ user onto the local Junos user remote-admin, which must exist on the Junos device.

Create the PAM service file /etc/pam.d/tac_plus with the following two lines:

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so try_first_pass

The user types the password and the OTP as one string. pam_google_authenticator with forward_pass takes the trailing OTP, verifies it, and forwards the remaining part as the password to pam_unix, which reuses it through try_first_pass instead of prompting again. requisite means a wrong OTP fails the login immediately. Because nullok is not set, a user without a .google_authenticator file cannot log in at all, which is what you want when 2FA is mandatory.

The following steps create a user on the tacacs server manually:

  • Create the user account on Linux (the tacacs server)
  • Create the user in /etc/tacacs+/tac_plus.conf
  • Generate the OTP secret on the server
  • Open your One Time Password (OTP) app (e.g. Google Authenticator) and scan the QR code
  • Change the ownership of the .google_authenticator file in each user's home directory (e.g. /home/rohmat/.google_authenticator)
  • Restart the tacacs_plus service

Create user account on Linux

useradd -m rohmat -p $(openssl passwd -1 'SampleP@sssw0rd!@#')

openssl passwd -1 produces an MD5-based crypt hash; on current OpenSSL, -6 gives a SHA-512 hash instead. Passing the password on the command line also leaves it in the shell history, so running passwd rohmat afterwards is the cleaner option.

Create user on /etc/tacacs+/tac_plus.conf

user = rohmat { member = Administrator service = junos-exec { local-user-name = remote-admin }}

Generate OTP

By default, the PAM module looks for the secret in the .google_authenticator file in the home directory of the user logging in.

Run "google-authenticator -s /home/rohmat/.google_authenticator" as root; this creates the file /home/rohmat/.google_authenticator and prints the QR code. Answer yes to time-based tokens and to the rate limit. Because the command runs as root, the file is created owned by root, which is why the ownership has to be changed in a later step.

Scan the QR code with the Google Authenticator app.

Change ownership of the .google_authenticator file

Since you generated the secret as root, change the owner of the file to the user you just created:

chown rohmat:rohmat /home/rohmat/.google_authenticator

The PAM module refuses a secret file that is not owned by the logging-in user or that is readable by group or others, so the file must stay at mode 0400 (or 0600), which is how google-authenticator creates it.

Restart tacacs service

systemctl restart tacacs_plus.service
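The manual steps above, collected into one POSIX shell script. This is an added example, not a script from the original post: it assumes the Debian package layout used here (/etc/tacacs+/tac_plus.conf, tacacs_plus.service) and the Administrator group and junos-exec service defined earlier, and the function and variable names are my own. It also checks the secret file the way the PAM module does and parses the configuration with tac_plus -P before restarting, so a typo in tac_plus.conf does not take the daemon down.

```shell
#!/bin/sh
# Hypothetical helper to provision one TACACS+ user with a Google Authenticator secret.
# Added example, not part of the original post. Assumes the Debian tacacs+ package
# (config in /etc/tacacs+/tac_plus.conf, unit tacacs_plus.service) and the
# "Administrator" group / junos-exec service from the configuration above.
set -eu

TAC_CONF="${TAC_CONF:-/etc/tacacs+/tac_plus.conf}"
TAC_GROUP="${TAC_GROUP:-Administrator}"

# Render the user stanza in the same form the post uses; the junos-exec service maps the
# TACACS+ user onto a local Junos user ("remote-admin" in the post).
tacacs_user_stanza() {
    # $1 TACACS+ username, $2 group name (case-sensitive), $3 Junos local-user-name
    printf 'user = %s { member = %s service = junos-exec { local-user-name = %s }}\n' "$1" "$2" "$3"
}

# pam_google_authenticator rejects a secret file that is not owned by the user or that
# is readable by anyone else; only modes 0400 and 0600 pass. Returns 0 when $1 is usable for $2.
secret_file_ok() {
    f=$1
    u=$2
    [ -f "$f" ] || return 1
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    [ "$owner" = "$u" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Privileged part: run as root on the TACACS+ server.
provision_user() {
    user=$1
    junos_user=${2:-$1}
    secret="/home/$user/.google_authenticator"

    # 1. Linux account; set the password interactively so it stays out of shell history.
    useradd -m "$user"
    passwd "$user"

    # 2. tac_plus.conf entry.
    tacacs_user_stanza "$user" "$TAC_GROUP" "$junos_user" >> "$TAC_CONF"

    # 3. Time-based secret: -t TOTP, -d disallow code reuse, -f write without asking,
    #    -r 3 -R 30 rate limit (3 tries per 30 s), -w 3 accept the adjacent time steps.
    #    Running this as root with -s creates the file root-owned, hence step 4.
    google-authenticator -t -d -f -r 3 -R 30 -w 3 -s "$secret"

    # 4. Hand the secret to the user and close it to everyone else.
    chown "$user:$user" "$secret"
    chmod 400 "$secret"
    secret_file_ok "$secret" "$user" || { echo "bad ownership/mode on $secret" >&2; return 1; }

    # 5. Parse the configuration before restarting, so a typo cannot take the daemon down.
    tac_plus -P -C "$TAC_CONF"
    systemctl restart tacacs_plus.service
}

# Usage: ./provision-tacacs-user.sh --apply rohmat remote-admin
if [ "${1:-}" = "--apply" ]; then
    provision_user "$2" "${3:-}"
fi
```

Without --apply the script only defines the functions, so it can be sourced to check an existing secret file with secret_file_ok before blaming PAM for a failed login.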

SSH login format

username: your_username
password: your_password immediately followed by the 6-digit OTP, with no separator

For example, with the sample password above and a code of 123456 shown in the app, the password prompt gets SampleP@sssw0rd!@#123456. The enable password on the device is checked separately and does not take an OTP.
