I previously wrote an article about installing tacacs+ on Debian to authenticate multiple network devices. To secure remote access to several network devices (Cisco NX-OS, HPE Comware 7, Juniper and Aruba switches), I will now enable two-factor authentication in the tacacs+ configuration.
Requirements:
- tacacs+
- libpam-google-authenticator
- Google Authenticator app (on a smartphone)
Package Installation
apt-get install tacacs+ libpam-google-authenticator -y
Tacacs Configuration (/etc/tacacs+/tac_plus.conf)
host = 192.168.1.11 {
    key = !!4dm1n!!
    enable = des ciscoios
}
host = 192.168.1.12 {
    key = !!4dm1n!!
    enable = des junos
}
host = 192.168.1.13 {
    key = !!4dm1n!!
    enable = des aruba
}
host = 192.168.1.14 {
    key = !!4dm1n!!
    enable = des hpe-comware
}
host = 192.168.1.15 {
    key = !!4dm1n!!
    enable = des nxos
}
group = Administrator {
    default service = permit
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    pap = PAM
    enable = file /etc/passwd
}
group = operator {
    default service = deny
    login = PAM
    service = exec {
        priv-lvl = 15
    }
    pap = PAM
    enable = file /etc/passwd
    cmd = show { permit .* }
    cmd = write { permit .* }
    cmd = copy { permit .* }
    cmd = exit { permit .* }
    cmd = display { permit .* }
    cmd = ping { permit .* }
    cmd = traceroute { permit .* }
    cmd = ssh2 { permit .* }
    cmd = telnet { permit .* }
    cmd = tracert { permit .* }
}
user = rohmat {
    member = Administrator
    service = junos-exec {
        local-user-name = remote-admin
    }
}
Three things to check in this file. First, login = PAM and pap = PAM are what send the password check to the PAM stack created in the next step; without them the OTP is never consulted. Second, group names are matched exactly, so member = Administrator must use the same case as the group definition. Third, the file holds the shared secrets of every device in clear text: keep it readable by root only (chmod 600), and prefer a distinct key per device so that one leaked key does not expose every switch. Note also that enable = des expects a crypt(3) DES hash after the keyword, not the cleartext password, so placeholders such as ciscoios above will never match a typed enable password; use enable = cleartext ... only if you accept storing it that way.
Create the file /etc/pam.d/tac_plus with the following two lines (tac_plus uses the PAM service name tac_plus, which is why the file must have exactly that name):
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so try_first_pass
The order matters. A network device sends a single password field, so forward_pass makes pam_google_authenticator treat the last six digits of what was typed as the one-time code, verify them, and hand the remaining characters to pam_unix as the Unix password; requisite stops the stack as soon as the code is wrong. If you never want pam_unix to fall back to prompting for a second password, use use_first_pass instead of try_first_pass.
To add a user to the TACACS+ server manually, the steps are:
- Create the user account on Linux (the TACACS+ server)
- Add the user to /etc/tacacs+/tac_plus.conf
- Generate the OTP secret on the server
- Scan it with a One Time Password (OTP) app (e.g. Google Authenticator)
- Change the ownership of the .google_authenticator file in the user's home directory (e.g. /home/rohmat/.google_authenticator)
- Restart the tacacs_plus service
Create the user account on Linux
useradd -m rohmat -p $(openssl passwd -1 'SampleP@sssw0rd!@#')
Two caveats: -1 produces an MD5-crypt hash, and openssl passwd -6 (SHA-512) is the better choice on any current Debian; and a password given on the command line ends up in the shell history and is visible in ps while the command runs, so running passwd rohmat after a plain useradd -m rohmat avoids both problems. The account exists only so that PAM can check the password and find the secret file; it does not need a login shell on the server.
Add the user to /etc/tacacs+/tac_plus.conf
user = rohmat {
    member = Administrator
    service = junos-exec {
        local-user-name = remote-admin
    }
}
The member value must name a group that is defined in tac_plus.conf, and the match is case-sensitive (Administrator, not administrator or an undefined group such as netadmin).
Generate the OTP secret
By default, the PAM module looks for the secret in the .google_authenticator file in the home directory of the user logging in. As root, run:
google-authenticator -s /home/rohmat/.google_authenticator
Answer the questions (time-based codes, disallow reuse of a code, rate limiting); the tool writes /home/rohmat/.google_authenticator and prints a QR code. Scan the QR code with the Google Authenticator app. The same output also shows the secret and the emergency scratch codes, so clear the terminal afterwards and store the scratch codes somewhere safe.
Change the ownership of the .google_authenticator file
Because the command above was run as root, the secret file is owned by root, and the PAM module refuses a secret file that is not owned by the user logging in (it also insists on mode 0400, which google-authenticator already sets). Fix the owner of the file you just created:
chown rohmat:rohmat /home/rohmat/.google_authenticator
(-R is not needed for a single file.)
Restart the tacacs+ service
systemctl restart tacacs_plus.service
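The manual steps above are easy to get slightly wrong (root-owned secret file, a group name that does not match, a config typo that stops the daemon). The script below is an added example of my own, not code from the original post or from the tacacs+ project, that performs the whole procedure for one user. It assumes the Debian paths used on this page, that the tac_plus group given as the third argument already exists in tac_plus.conf, and that your packaged versions support the google-authenticator flags used and the tac_plus -P parse-only check (verify with google-authenticator --help if in doubt). The stanza builder and the secret-file check are plain functions so they can be exercised without touching the system.

```shell
#!/bin/sh
# Added example, not from the original post: onboard one TACACS+ 2FA user.
# Assumes the Debian paths used on this page and that GROUP already exists
# in tac_plus.conf. Run as root:  sh onboard_tacacs_user.sh apply rohmat Administrator
set -eu

TAC_CONF=/etc/tacacs+/tac_plus.conf
SERVICE=tacacs_plus.service

# Print the tac_plus.conf user stanza (same shape as the one on this page).
# No side effects, so it can be reviewed or tested before being appended.
tac_user_stanza() {
    printf 'user = %s {\n    member = %s\n    service = junos-exec {\n        local-user-name = remote-admin\n    }\n}\n' "$1" "$2"
}

# Validate a .google_authenticator file before relying on it. The PAM module
# reads the base32 secret from line 1, needs the TOTP_AUTH flag for time-based
# codes and rejects a secret file that is not mode 0400.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "check: $f does not exist" >&2; return 1; }
    secret=$(sed -n '1p' "$f")
    case "$secret" in
        ''|*[!A-Z2-7]*) echo "check: line 1 of $f is not a base32 secret" >&2; return 1 ;;
    esac
    [ "${#secret}" -ge 16 ] || { echo "check: secret in $f is too short" >&2; return 1; }
    grep -q '^" TOTP_AUTH$' "$f" || { echo "check: $f is not time-based (no TOTP_AUTH)" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "400" ] || { echo "check: $f has mode $mode, the PAM module wants 400" >&2; return 1; }
}

provision_user() {
    user=$1; group=$2; home=/home/$user; secret=$home/.google_authenticator

    # The Linux account only backs PAM lookups, so deny it a shell. Setting the
    # password interactively keeps it out of shell history and `ps` output
    # (unlike `useradd -p $(openssl passwd ...)`).
    useradd -m -s /usr/sbin/nologin "$user"
    passwd "$user"

    # Non-interactive secret generation: time-based (-t), each code usable once
    # (-d), 3 attempts per 30 s (-r 3 -R 30), accept +/-1 time step (-w 3),
    # write without asking (-f). Newer versions may still ask you to type a code
    # from the app to confirm the scan. Root writes the file, hence the chown.
    google-authenticator -t -d -f -r 3 -R 30 -w 3 -l "$user@tacacs" -s "$secret"
    chown "$user:$user" "$secret"
    chmod 0400 "$secret"
    check_secret_file "$secret"

    # Append the stanza, then parse-check the config before restarting so a
    # typo cannot take the TACACS+ daemon (and remote access to every device) down.
    tac_user_stanza "$user" "$group" >> "$TAC_CONF"
    tac_plus -P -C "$TAC_CONF"
    systemctl restart "$SERVICE"
}

if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    provision_user "$2" "$3"
fi
```

Without the apply argument the script only defines its functions, so you can source it and call check_secret_file on an existing user's file to find out why that user cannot log in (wrong mode and a counter-based instead of time-based secret are the usual answers).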
SSH login format
When the device prompts, enter your username as usual. At the password prompt, type your Linux password immediately followed by the current six-digit code from the app, with no space or separator between them:
username: your_username
password: your_password + OTP (typed as one string, e.g. SampleP@sssw0rd!@#123456 if the current code were 123456, a made-up value)
The order matters: forward_pass strips the trailing six digits for the OTP check and passes only what is left to pam_unix as the password, so a code typed before the password fails both checks.