
Using WiKID Strong Authentication with TACACS+

How to configure a linux box with PAM and TACACS+ for WiKID Strong Authentication

These instructions are designed to help you configure and test the WiKID TACACS+ protocol module via Linux PAM. I am much indebted to Eric Dobbs and his excellent how-to over at Freemode. I highly recommend you see his page, especially if you use Debian. These instructions are for Fedora/Red Hat.

First, install pam_tacplus on the Linux box. This box may be your OpenVPN server, for example, but it is a "network client" to the WiKID server.

You can download it here:
http://echelon.pl/pubs/pam_tacplus-1.2.9.tar.gz

You need to install pam-devel.

# yum install pam-devel
$ tar xvfz pam_tacplus-1.2.9.tar.gz
$ cd pam_tacplus-1.2.9
$ make
# make install

Edit your /etc/pam.d/tacacs file (remove debug once it works; a trailing '\' indicates the line wraps):

#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug server=wikidserver.yourdomain.com \
secret=MySecret encrypt
account    sufficient   /lib/security/pam_tacplus.so debug server=wikidserver.yourdomain.com \
secret=MySecret encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug server=wikidserver.yourdomain.com \
secret=MySecret encrypt service=shell protocol=ssh

Now, edit your /etc/pam.d/sshd file. Commenting out the system-auth line prevents a user from logging in with an account on the box:

#%PAM-1.0
auth       required     pam_stack.so service=tacacs
#auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_stack.so service=tacacs
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    sufficient   pam_stack.so service=tacacs
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

You should now be able to log in using TACACS+. It's a good idea to test that now, without WiKID in the picture.
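Before moving on, it is worth checking the two PAM files above for the mistakes that matter here: a debug flag left on pam_tacplus, a missing encrypt option, and a system-auth line in the sshd auth stack that lets a local password stand in for TACACS+. The following linter is an added example (not code from this how-to or from WiKID): it parses pam.d-style text, joining the '\'-wrapped lines used in /etc/pam.d/tacacs, and runs those checks over constructed copies of the files; the hostname wikid.example.com and the sample files are assumptions.

```python
def parse_pam(text):
    """(type, control, module, args) tuples; joins '\\'-wrapped lines, skips comments."""
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):             # line wraps, as in /etc/pam.d/tacacs
            pending.append(line[:-1])
            continue
        fields = " ".join(pending + [line]).split()
        pending = []
        if len(fields) >= 3 and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

def audit_sshd(text):
    """Does the sshd auth stack leave a local-password path around TACACS+?"""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    tacacs = [e for e in auth if "service=tacacs" in e[3]]
    local = [e for e in auth if "service=system-auth" in e[3]]
    if not tacacs:
        return ["auth: no pam_stack.so service=tacacs line"]
    if local and not any(e[1] in ("required", "requisite") for e in tacacs):
        return ["auth: tacacs is not 'required' and system-auth is stacked, "
                "so a local password alone logs the user in"]
    if local:
        return ["auth: system-auth still prompts for a local password"]
    return []

def audit_tacacs(text):
    """Flag leftover 'debug' and missing 'encrypt' on pam_tacplus lines."""
    findings = []
    for mtype, _, module, args in parse_pam(text):
        if "debug" in args:
            findings.append(f"{mtype}: remove 'debug' from {module} once it works")
        if "encrypt" not in args:
            findings.append(f"{mtype}: {module} is configured without 'encrypt'")
    return findings

# Constructed sample: the how-to's sshd stack, but with tacacs downgraded to
# 'sufficient' and the system-auth line left uncommented.
SSHD_BAD = """#%PAM-1.0
auth       sufficient   pam_stack.so service=tacacs
auth       required     pam_stack.so service=system-auth
"""
# Constructed sample of the wrapped /etc/pam.d/tacacs lines, debug still on.
TACACS_SAMPLE = """auth    sufficient  /lib/security/pam_tacplus.so debug server=wikid.example.com \\
secret=MySecret encrypt
account sufficient  /lib/security/pam_tacplus.so server=wikid.example.com \\
secret=MySecret service=shell protocol=ssh
"""
```

Run it against your real files with `audit_sshd(open("/etc/pam.d/sshd").read())` and `audit_tacacs(open("/etc/pam.d/tacacs").read())`; an empty list means the check passed.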

To configure the WiKID server:

Enable the TACACS+ protocol in the Configuration menu

Create a TACACS+ enabled domain

Create a network client for the TACACS+ box you configured above

Make sure that TACACS+ is listening on the WiKID server. If you're using the open source version, you may need to manually start it:

# ./tac_plus -C /opt/WiKID/private/tacacs.conf

That should do it!

The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.