[tac_plus] 2fa /w duo_unix
Drew Weaver
drew.weaver at thenap.com
Mon Oct 7 14:51:49 UTC 2019
Hello,
I am wondering if anyone has gotten tacplus working via PAM with DUO 2fa?
Since DUO 2fa also uses PAM, it should in theory work. However, I have been unable to figure out how to correctly configure the tac_plus pam profile in order to successfully send push notifications when users log in via tacplus.
The log messages below come from a Linux system where DUO is integrated into system_auth.
Oct 7 10:35:41 c8 tac_plus[25566]: connect from 192.168.0.122 [192.168.0.122]
Oct 7 10:35:43 c8 tac_plus[25566]: Error 192.168.0.122 unknown: Null reply packet, expecting CONTINUE
Oct 7 10:35:43 c8 tac_plus[25566]: Aborted Duo login for 'drew': Error gathering user response
Oct 7 10:35:43 c8 tac_plus[25566]: login failure: user=drew device=192.168.0.122 ip=192.168.0.122 port=unknown client=192.168.0.87
I believe the issue is that DUO is waiting for something to tell it what kind of challenge to send.
DUO works okay with RADIUS because it has a proxy for RADIUS, but TACACS is better for our needs.
I think the best way for this to work would be to integrate the duo auth directly into the tac_plus pam profile.
Any ideas?