[tac_plus] Re: Possible to get tac_plus to authenticate using pam_radius?
heas at shrubbery.net
Wed Nov 14 00:03:15 UTC 2007
Mon, Nov 12, 2007 at 05:15:47PM -0700, [SiN]:
> I seen that PAM can be used to authenticate users, but not sure where
> to start. I tried to just set "login = PAM" to see if any errors
> would help determine where to get started (looking for missing config
> or something of that nature). But, I get nothing. Is it possible to
> use PAM to authenticate users to my current radius implementation?
I have not tried it, but it should be. PAM (the library, not tacacs)
often refers to defaults when there is no specific setup for "tac_plus";
so you are unlikely to see errors.
> The only reason I even need authentication set up on tac_plus is due
> to some of our devices not supporting radius at all, for those I will
> need to authenticate using tac_plus - other then that everything is
> radius and id like to keep it that way if possible.
> Mon Nov 12 17:05:56 2007 : pam_verify testing
> Mon Nov 12 17:05:56 2007 : pam_tacacs received 1 pam_messages
> Mon Nov 12 17:05:56 2007 : Error 10.248.18.17 tty2: PAM_PROMPT_ECHO_OFF
> Mon Nov 12 17:05:58 2007 : Password is incorrect
> is all I see in the logs. and nothing shows up in the radius logs so
> I know its not being sent off to radius
> How can I get this set up to use the current PAM implementation on the
> system already? Do I need to install something extra?
I'm no PAM expert, but you will need a PAM module that will make the
radius query when tac_plus calls PAM to authenticate the user and
configure PAM to use it when called/used by tac_plus.
> this is on solaris 10 using tac_plus version F126.96.36.199
> tac_plus mailing list
> tac_plus at shrubbery.net
More information about the tac_plus