From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 7 Oct 2019 14:51:49 +0000
Subject: [tac_plus] 2fa /w duo_unix

Hello,

I am wondering if anyone has gotten tacplus working via PAM with DUO 2fa? Since duo 2fa uses PAM also, it should in theory work. However, I have been unable to figure out how to correctly configure the tac_plus pam profile in order to successfully send push notifications when users login via tacplus.

The log messages below come from a linux system where DUO is integrated into system_auth.

Oct 7 10:35:41 c8 tac_plus[25566]: connect from 192.168.0.122 [192.168.0.122]
Oct 7 10:35:43 c8 tac_plus[25566]: Error 192.168.0.122 unknown: Null reply packet, expecting CONTINUE
Oct 7 10:35:43 c8 tac_plus[25566]: Aborted Duo login for 'drew': Error gathering user response
Oct 7 10:35:43 c8 tac_plus[25566]: login failure: user=drew device=192.168.0.122 ip=192.168.0.122 port=unknown client=192.168.0.87

I believe the issue is that DUO is waiting for something to tell it what kind of challenge to send. DUO works okay with RADIUS because it has a proxy for radius, but tacacs is better for our needs.

I think the best way for this to work would be to integrate the duo auth directly into the tac_plus pam profile.

Any ideas?

From: drew.weaver at thenap.com (Drew Weaver)
Date: Mon, 7 Oct 2019 23:18:42 +0000
Subject: [tac_plus] Duo 2fa /w tac plus
Message-ID: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>

Has anyone figured out how you can use Duo (owned by Cisco) as part of pam during the tac+ auth process? We really would like 2fa for all logins that aren't used for config backups or route lookup APIs.

Any info would be most appreciated.

-Drew
From: heas at shrubbery.net (john heasley)
Date: Tue, 8 Oct 2019 09:19:54 +0000
Subject: [tac_plus] Duo 2fa /w tac plus
In-Reply-To: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>
References: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>
Message-ID: <20191008091954.GA5163@shrubbery.net>

Mon, Oct 07, 2019 at 11:18:42PM +0000, Drew Weaver:
> Has anyone figured out how you can use Duo (owned by Cisco) as part of pam during the tac+ auth process? We really would like 2fa for all logins that aren't used for config backups or route lookup APIs.
>
> Any info would be most appreciated.

I have not, but I would expect it to be no different from RSA SecureID. IIRC, there are notes in the tac_plus docs about using it. I'm not in a convenient place to look through those; feel free to email again if you do not locate it.

From: petrus.lt at gmail.com (Pierre Emeriaud)
Date: Tue, 8 Oct 2019 14:44:36 +0200
Subject: [tac_plus] Duo 2fa /w tac plus
In-Reply-To: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>
References: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>

On Tue, 8 Oct 2019 at 10:36, Drew Weaver wrote:
>
> Has anyone figured out how you can use Duo (owned by Cisco) as part of pam during the tac+ auth process? We really would like 2fa for all logins that aren't used for config backups or route lookup APIs.

I've used google authenticator through pam for this. "auth requisite pam_google_authenticator.so forward_pass" in /etc/pam.d/tac_plus, and "login = PAM" in tacplus.conf. Set up google-authenticator as usual. IIRC it should be enough. Then use password+totp as password to login.
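Spelled out as an added example (not Pierre's own files): the /etc/pam.d/tac_plus stack and the tac_plus.conf fragment for the password+totp scheme he describes. Only the pam_google_authenticator line and login = PAM come from his post; the pam_unix lines with use_first_pass, the account line, and the user and group names are my assumptions about how the rest of the forwarded password is consumed.

```conf
# /etc/pam.d/tac_plus  (added example; assumes libpam-google-authenticator
# is installed and each user has run google-authenticator once)
#
# The network device submits ONE string: <unix password><6-digit TOTP>.
# forward_pass tells pam_google_authenticator to take the trailing code
# off that string, verify it, and pass the remainder down the stack as
# the password. pam_unix must therefore consume that value with
# use_first_pass instead of prompting; a one-shot TACACS+ login has
# nothing to answer a second prompt with.
auth     requisite  pam_google_authenticator.so forward_pass
auth     required   pam_unix.so use_first_pass
account  required   pam_unix.so
# requisite (not required): a wrong or missing TOTP ends the stack at
# once instead of running pam_unix against a mangled password.

# /etc/tacacs+/tac_plus.conf fragment (user and group are placeholders).
# login = PAM routes ASCII logins through the stack above; pap = PAM does
# the same for PAP, which also delivers the password in a single packet.
user = drew {
    member = netadmins
    login = PAM
    pap = PAM
}
```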
From: krux at thcnet.net (krux)
Date: Tue, 08 Oct 2019 10:37:21 -0700
Subject: [tac_plus] Duo 2fa /w tac plus
In-Reply-To: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>
References: <8b3e0f1172fe4bc3b7a4f7ba65ee8e95@EXCHANGE2K13.thenap.com>
Message-ID: <9d676bd96c2aff098be999ee635e1455@thcnet.net>

Yea, you just tie it into PAM, either in /etc/pam.d/common-auth or /etc/pam.d/tac_plus.

Here's an example config using /etc/pam.d/common-auth; then /etc/pam.d/tac_plus is like any other service under PAM which includes common-auth:

https://pastebin.com/Fx80HyXk

In that example we also have Kerberos for centralized authentication, so UIDs are all over 5000. Key point is that it requires both a valid Kerberos authentication and a valid DUO authentication in order to authenticate.

And any time you mess with PAM, always always always do the following:

1. backups!
2. maintain a session as root at a shell and do your testing from a new session
3. test for successful authentications
4. test that you can sudo to root
5. test that authentication failures _actually fail_

Failure to do the above and you'll be practicing how to break into your system via single user mode.

And as for your /etc/tacacs+/tac_plus.conf, the standard way of getting TACACS to use PAM for authentication:

user = username {
    member = SOME_GROUP
    login = PAM
    pap = PAM
}

Other notes: you have to be ready to authenticate via DUO when you login. Setting a TACACS timeout of about 30 seconds on your network devices seems to be the sweet spot: enough time for your admins to remember that oh, they have to be expecting DUO to pop up on their device, and not so long that, if you need to get in with a local account in the event TACACS is unavailable, they are in agony waiting for the server timeout.

On 2019-10-07 16:18, Drew Weaver wrote:
> Has anyone figured out how you can use Duo (owned by Cisco) as part of
> pam during the tac+ auth process?
> We really would like 2fa for all
> logins that aren't used for config backups or route lookup APIs.
>
> Any info would be most appreciated.
>
> -Drew
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/tac_plus
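A reconstruction, added here and not the contents of krux's pastebin, of the two-requirement common-auth stack he describes (Kerberos and Duo must both succeed), together with the pam_duo.conf that duo_unix reads for it. The @include lines follow the Debian convention, the failmode, autopush and prompts choices and every key value are my assumptions; autopush in particular is offered as a plausible answer to the "Error gathering user response" in Drew's log, which the thread itself does not confirm.

```conf
# /etc/pam.d/common-auth  (added example, not the pastebin)
# Both lines must succeed. requisite stops the stack on a bad Kerberos
# password, so Duo is never asked to push for a wrong first factor;
# pam_duo then supplies the second factor.
auth  requisite  pam_krb5.so
auth  required   pam_duo.so

# /etc/pam.d/tac_plus  (Debian-style includes; RHEL uses system-auth)
@include common-auth
@include common-account

# /etc/duo/pam_duo.conf  (values are placeholders from the Duo admin panel)
[duo]
ikey = <INTEGRATION_KEY>
skey = <SECRET_KEY>
host = <API_HOSTNAME>
; failmode defaults to "safe", which lets the login through when the Duo
; API is unreachable. For an AAA server that is the wrong default.
failmode = secure
; A TACACS+ login delivers its answer in one shot and cannot reply to
; Duo's "choose a factor" menu. autopush sends the push straight away,
; and prompts = 1 avoids a re-prompt that the device could not answer.
autopush = yes
prompts = 1
```

With autopush the 30-second device-side timeout krux mentions is what bounds how long the push can sit unanswered, so keep the two values aligned.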