PAM Tacacs Authentications

From: Brian E. Seppanen (seppanen_at_chartermi.net)
Date: 08/23/04


Date: Mon, 23 Aug 2004 13:11:01 -0400

I am working on using pam_tacplus to authenticate a linux host and
several solaris hosts to a CiscoSecure ACS Server. In the current
configuration I can authenticate if the tacacs server is down -- but the
network connectivity to the host has to be available or authentication
times out. Here is a sample sshd configuration from /etc/pam.conf:

sshd auth required pam_nologin.so
sshd auth [ success=done new_authtok_reqd=done authinfo_unavail=reset default=reset ] pam_tacplus.so first_hit server=192.168.1.1 server=192.168.1.2 secret=secret encrypt
sshd auth [ success=done new_authtok_reqd=done ignore=ignore default=die ] pam_unix2.so use_first_pass
sshd auth required pam_deny.so

sshd account required pam_permit.so

sshd session required pam_limits.so
sshd session required pam_permit.so

In this test configuration 192.168.1.1 is not up, because I want to test
fall through. I want it to attempt tacacs+ auth against 192.168.1.1
and 2, and fall through to using local authentication.

In the case of 192.168.1.1 and 192.168.1.2 not being up, it will not
fall through to local authentication.

In the case of 192.168.1.1 being set to 192.168.1.3, which is up but
does not run a tacacs+ server, authentication will fall through.
Therefore, I have something that I'm missing in my configuration that
should tell the tacacs authentication that it should reset if one or
both of the servers are down.

Any suggestions appreciated. Now that I've posted for the world, I
think the solution should occur to me in five minutes...

Thanks,
Brian Seppanen
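The behaviour of the stack above depends entirely on the [value=action] control semantics of pam.conf(5) (ok, done, bad, die, ignore, reset, or a jump count) applied to whatever return value each module produces. The evaluator below is an added example, not code from the post or from pam_tacplus: it parses a constructed one-entry-per-line copy of the posted sshd auth stack (shared secret replaced by a placeholder), mirrors the Linux-PAM dispatcher's positive/negative "impression" bookkeeping, and reports the final verdict plus which modules were consulted for a caller-supplied set of module return values. It assumes the return values rather than modelling the modules, treats a stack that never reaches a verdict as perm_denied (a simplification), and does not model the connection timeout the post describes, only what the stack does with a given return code.

```python
"""Linux-PAM auth-stack evaluator (added example; not code from the post).

Parses pam.conf-style entries and applies the control semantics from
pam.conf(5) to a chosen set of module return values. Module behaviour is
not modelled: the caller supplies the return value each module would
produce, so the evaluator shows only what the stack does with them.
"""

# Keyword controls written out as their equivalent [value=action] forms, per pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Constructed copy of the posted sshd auth stack, one entry per line, secret replaced.
POSTED_STACK = """
sshd auth required pam_nologin.so
sshd auth [ success=done new_authtok_reqd=done authinfo_unavail=reset default=reset ] pam_tacplus.so first_hit server=192.168.1.1 server=192.168.1.2 secret=PLACEHOLDER encrypt
sshd auth [ success=done new_authtok_reqd=done ignore=ignore default=die ] pam_unix2.so use_first_pass
sshd auth required pam_deny.so
"""


def _tokenize(line):
    """Split a pam.conf line, keeping a [ ... ] control block as a single token."""
    toks, out, i = line.split(), [], 0
    while i < len(toks):
        if toks[i].startswith("["):
            j = i
            while not toks[j].endswith("]"):
                j += 1
            out.append("[" + " ".join(toks[i:j + 1]).strip("[] ") + "]")
            i = j + 1
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_stack(text, service, mtype="auth"):
    """Return [(control_dict, module, args)] for one service and module type."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, typ, ctl, module, *args = _tokenize(line)
        if svc != service or typ != mtype:
            continue
        if ctl.startswith("["):
            control = dict(kv.split("=", 1) for kv in ctl.strip("[]").split())
        else:
            control = dict(KEYWORDS[ctl])
        stack.append((control, module, args))
    return stack


def evaluate(stack, results):
    """Run the stack against a {module: return_value} map.

    Returns (final_status, modules_consulted). "impression" follows the
    Linux-PAM dispatcher: None until a module contributes, then "positive"
    (set by ok/done) or "negative" (set by bad/die); reset clears it.
    """
    impression, status, consulted, i = None, None, [], 0
    while i < len(stack):
        control, module, _ = stack[i]
        rc = results[module]
        action = control.get(rc, control.get("default", "bad"))
        consulted.append(module)
        i += 1
        if action == "ignore":
            continue
        if action == "reset":                  # forget everything decided so far
            impression, status = None, None
        elif action.isdigit():                 # jump over the next N entries
            i += int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                if rc != "ignore" or impression is None:
                    impression, status = "positive", rc
            if action == "done" and impression == "positive":
                break                          # stop unless an earlier module failed
        elif action in ("bad", "die"):
            if impression != "negative":       # the first failure fixes the verdict
                impression, status = "negative", rc
            if action == "die":
                break
        else:
            raise ValueError("unknown control action: %s" % action)
    # Linux-PAM fails a stack that never reached a verdict; modelled here as perm_denied (assumption).
    return (status if impression is not None else "perm_denied"), consulted


def run(results, text=POSTED_STACK, service="sshd"):
    """Evaluate the posted sshd auth stack with the given module return values."""
    full = {"pam_nologin.so": "success", "pam_deny.so": "auth_err", **results}
    return evaluate(parse_stack(text, service), full)


if __name__ == "__main__":
    scenarios = {
        "TACACS+ accepts":                {"pam_tacplus.so": "success", "pam_unix2.so": "success"},
        "TACACS+ unreachable, local ok":  {"pam_tacplus.so": "authinfo_unavail", "pam_unix2.so": "success"},
        "TACACS+ rejects, local ok":      {"pam_tacplus.so": "auth_err", "pam_unix2.so": "success"},
        "TACACS+ unreachable, local bad": {"pam_tacplus.so": "authinfo_unavail", "pam_unix2.so": "auth_err"},
        "/etc/nologin in force":          {"pam_nologin.so": "auth_err", "pam_tacplus.so": "success",
                                           "pam_unix2.so": "success"},
    }
    for name, rcs in scenarios.items():
        status, consulted = run(rcs)
        print("%-31s -> %-11s via %s" % (name, status, " > ".join(consulted)))
```

Running the scenarios shows that, by the stack's own rules, every pam_tacplus return value other than success or new_authtok_reqd hits `reset` (explicitly for authinfo_unavail, via `default=reset` for anything else) and hands control to pam_unix2, while a pam_unix2 failure ends the stack through `die` before pam_deny is consulted. The one thing the simulation cannot show is a module that never returns within the application's patience, which is the symptom the post attributes to unreachable servers.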