Reference Guide
Multi-Factor Authentication
Using MFA for TACACS+ Manager
MFA can be used with the TACACS+ Manager. To activate MFA for TACACS+ Manager:

Prerequisite: Admin and users have the QR code, have installed the Single Connect mobile app, have scanned the QR code with the mobile app, and MFA is enabled for the user group that will be using MFA for TACACS+ connections (see the related sections).

1. Connect to the Single Connect CLI from the SSH client as a Single Connect admin user.

2. Stop the TACACS+ function with the command below (do not close the SSH session):

   systemctl stop pam tacacs

3. Log in to the Single Connect web GUI.

4. Navigate to Administration > TACACS Management.

5. Click the search button and, from the options menu, delete the configuration.

6. In the SSH session, edit the kron tacacs conf file with the command:

   vi /u01/kron/etc/kron tacacs conf

7. Check the configuration file to see if the parameter below is already configured in it. If not, add the lines below. If there is a hash (#) sign in front of the parameters, delete the hash (#) sign to activate the parameter. If the parameter value is "false", change it to "true".

   To type or add anything in the vi editor, first press the Insert button on the keyboard, then type in the necessary line. Press Esc to exit typing mode. To save the file, press Esc, then colon (:), type in wq! and press Enter. If you do not want to save the changes to the file, press Esc, then colon (:), then type in q! and press Enter.

   The red text below (shown here in angle brackets) may need to be changed for the purposes of the Single Connect installation. If the default values are acceptable for the installation, the red text does not need to be added at all.

   otp {
   enabled = 1;
   host = <OTP endpoint webserver IP>;
   port = <OTP endpoint webserver port, default value 80>;
   cache interval = 300;
   num digits = 6;
   ssl = <1 if the OTP endpoint webserver is working on HTTPS, default value 0>;
   path status = <path of the otpstatus service, default value /twofactorauth ui/rest/tfa/otpstatus>;
   path valid = <path of the otpvalid service, default value /twofactorauth ui/rest/tfa/otpvalid>;
   }

8. Restart the TACACS+ function:

   systemctl restart pam tacacs
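The following check is an added example, not part of the vendor documentation: it can be run in the same SSH session before the restart to confirm that the otp block is active and whether OTP lookups are sent over HTTPS. It assumes one parameter per line and treats spaces and underscores in parameter names alike; the function names otp_get and otp_audit and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: audit the otp { ... } block from the procedure above.
# Assumption: one "key = value;" per line; "cache interval" == "cache_interval".

# otp_get KEY FILE: print KEY's value inside the active (uncommented) otp block.
otp_get() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }                           # commented lines are inactive
        /^[ \t]*otp[ \t]*[{]/ { in_otp = 1; next }
        in_otp && /[}]/ { in_otp = 0 }
        in_otp {
            line = $0; sub(/;.*$/, "", line)          # drop the trailing ";"
            n = index(line, "="); if (n == 0) next
            key = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ _]+/, "_", key)                   # normalise the key name
            if (key == want) print val
        }' "$2"
}

# otp_audit FILE: print findings; returns 0 only when nothing needs review.
otp_audit() {
    rc=0; ssl=$(otp_get ssl "$1"); port=$(otp_get port "$1")
    if [ "$(otp_get enabled "$1")" != 1 ]; then
        echo "FAIL: otp block missing, commented out, or enabled is not 1"; rc=1
    fi
    if [ "${ssl:-0}" != 1 ]; then                     # page: ssl defaults to 0
        echo "WARN: ssl is 0 or unset, so OTP checks go over plain HTTP"; rc=1
    elif [ "${port:-80}" = 80 ]; then                 # page: port defaults to 80
        echo "WARN: ssl = 1 but port is 80 (or unset); confirm the HTTPS port"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real deployment): ssl left at its default.
sample=$(mktemp)
cat > "$sample" <<'EOF'
otp {
    enabled = 1;
    host = 192.0.2.10;
    cache interval = 300;
    num digits = 6;
}
EOF
otp_audit "$sample" || echo "Review the otp block before restarting the TACACS+ function."
rm -f "$sample"
```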