MFA with TACACS+, OpenLDAP, and Google Authenticator
Multi-factor authentication is neat. It adds a level of security, and we should all be concerned about security, especially with regards to our critical infrastructure elements.
The tac_plus daemon is the approach I decided to take. I utilize its PAM capabilities to enable MFA with OpenLDAP and google-authenticator. Ansible is my preferred framework for automation. I wrote an Ansible role for me because doing anything more than once is pretty boring.
You’ll need to clone the repository and place the folder in your
Next, you’ll want to update the variables in /etc/ansible/roles/tacacs/vars/main.yml to match your environment.
Note: I use Ansible to control my tac_plus configuration file, which uses the variables in /etc/ansible/roles/tacacs/vars/main.yml. I’ve only tested for Junos. If you modify this for another vendor, please open a pull request to make this role better!
Once you’ve done that, you can just add the tacacs role to a playbook.
If you don’t have one or if you’re just getting started with Ansible, here’s
You’ll need to generate your Google Authenticator token. Type
google-authenticator on the server you just installed it on. I just answered
yes to everything, but feel free to configure it to your liking. The output
should include instructions on how to set your phone up as well (usually a QR
code). You can look here, though, if it doesn’t.
Note: To increase redundancy, you should copy $HOME/.google_authenticator to a second server with google-authenticator installed. It should be the same file with the same path (i.e.,
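To show what that copied file actually carries, and why both servers must hold the identical copy, here is an added example (not part of this post or of the tac_plus/google-authenticator projects) that parses a constructed `.google_authenticator` file and verifies a TOTP code the way the PAM module does. The secret is the RFC 6238 test key, and the scratch codes are made up; the real module additionally enforces RATE_LIMIT and DISALLOW_REUSE by rewriting the file, so that per-server state is not something a one-time copy keeps in sync.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample of the file google-authenticator writes to
# $HOME/.google_authenticator. The secret is the RFC 6238 test key
# ("12345678901234567890" in base32); the scratch codes are made up.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""

def parse_google_authenticator(text):
    """Split the file into the base32 secret, option lines and scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    secret, options, scratch = lines[0], {}, []
    for line in lines[1:]:
        if line.startswith('"'):          # option lines start with a double quote
            parts = line[1:].split()
            options[parts[0]] = parts[1:]
        else:                             # everything else is an 8-digit scratch code
            scratch.append(line)
    return secret, options, scratch

def totp(secret_b32, counter, digits=6):
    """RFC 6238 TOTP as google-authenticator computes it (HMAC-SHA1, 30 s step)."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)

def verify(text, code, now=None):
    """Accept a code that matches the current step or one inside WINDOW_SIZE."""
    secret, options, scratch = parse_google_authenticator(text)
    if "TOTP_AUTH" not in options:
        raise ValueError("counter-based (HOTP) files are not handled here")
    if str(code).zfill(8) in scratch:
        return True  # one-time scratch code; the real module then removes it
    window = int(options.get("WINDOW_SIZE", ["3"])[0])   # number of accepted steps
    step = int((now if now is not None else time.time()) // 30)
    half = window // 2
    return any(totp(secret, c) == int(code) for c in range(step - half, step + half + 1))
```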
Obviously, my role is missing a few things. The Red Hat-specific packages aren’t there, and some of the paths should be modified for Red Hat installations. I welcome the pull requests.
There’s also a way to allow roles to be installed via ansible-galaxy. I need to get around to adapting for that as well.
This Ansible role will set you up with TACACS+, but you’ll still need to do some of the other setup. You can find a halfway decent guide to setting up tac_plus on my legacy site here. It will be migrated to this domain eventually. Promise.
Thanks for reading. Please open issues on the GitHub page. If you want to contribute, please open pull requests.
This post is part of the #30in30 challenge.