[tac_plus] Re: Possible to get tac_plus to authenticate using pam_radius?
john heasley
heas at shrubbery.net
Wed Nov 14 00:03:15 UTC 2007
Mon, Nov 12, 2007 at 05:15:47PM -0700, [SiN]:
> I have seen that PAM can be used to authenticate users, but not sure where
> to start. I tried to just set "login = PAM" to see if any errors
> would help determine where to get started (looking for missing config
> or something of that nature). But, I get nothing. Is it possible to
> use PAM to authenticate users to my current radius implementation?

I have not tried it, but it should be. PAM (the library, not tacacs)
often refers to defaults when there is no specific setup for "tac_plus";
so you are unlikely to see errors.

> The only reason I even need authentication set up on tac_plus is due
> to some of our devices not supporting radius at all, for those I will
> need to authenticate using tac_plus - other than that everything is
> radius and I'd like to keep it that way if possible.
>
> Mon Nov 12 17:05:56 2007 [3912]: pam_verify testing
> Mon Nov 12 17:05:56 2007 [3912]: pam_tacacs received 1 pam_messages
> Mon Nov 12 17:05:56 2007 [3912]: Error 10.248.18.17 tty2: PAM_PROMPT_ECHO_OFF
> Mon Nov 12 17:05:58 2007 [3912]: Password is incorrect
>
> is all I see in the logs, and nothing shows up in the radius logs so
> I know it's not being sent off to radius.
>
> How can I get this set up to use the current PAM implementation on the
> system already? Do I need to install something extra?

I'm no PAM expert, but you will need a PAM module that will make the
radius query when tac_plus calls PAM to authenticate the user, and to
configure PAM to use it when called/used by tac_plus.

> This is on Solaris 10 using tac_plus version F4.0.4.14
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
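
The fallback described in the reply, as an added example that is not part of the original thread: this sketch resolves which auth stack a Solaris-style pam.conf gives a service, falling back to the `other` entries when the service has none of its own. The service name `tac_plus`, the module file name `pam_radius_auth.so.1` and both sample configurations are assumptions constructed for illustration.

```python
# Added example: resolve which PAM stack a service gets from a
# Solaris-style pam.conf (fields: service type control module [options]).
# The sample files and module file names below are constructed.

MODULE_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Return a list of (service, type, control, module, options) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() not in MODULE_TYPES:
            continue  # malformed line; skipped in this sketch
        service, mtype, control, module = fields[:4]
        entries.append((service.lower(), mtype.lower(), control, module, fields[4:]))
    return entries

def resolve_stack(entries, service, mtype="auth"):
    """Return (source, modules): the service's own entries, else "other"."""
    for source in (service.lower(), "other"):
        modules = [e[3] for e in entries if e[0] == source and e[1] == mtype]
        if modules:
            return source, modules
    return None, []

def uses_module(entries, service, needle, mtype="auth"):
    """True when the stack that applies to the service includes the module."""
    _, modules = resolve_stack(entries, service, mtype)
    return any(needle in m for m in modules)

# Constructed sample: no tac_plus entries, so the "other" stack applies.
BEFORE = """\
login   auth required  pam_unix_auth.so.1
other   auth requisite pam_authtok_get.so.1
other   auth required  pam_unix_auth.so.1
"""

# Constructed sample: a tac_plus auth entry pointing at a RADIUS module.
AFTER = BEFORE + "tac_plus auth required pam_radius_auth.so.1\n"

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        entries = parse_pam_conf(conf)
        source, modules = resolve_stack(entries, "tac_plus")
        print(label, source, modules, uses_module(entries, "tac_plus", "pam_radius"))
```

With the first sample the lookup for `tac_plus` silently lands on the `other` stack, which contains no RADIUS module; with the second it resolves to the service's own entry.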