Reference Guide
Multi-Factor Authentication

Using MFA for TACACS+ Manager

1min

MFA can be used with the TACACS+ Manager. To activate MFA for TACACS+ Manager:

  1. Pre-requisite: Admin and users have the QR code, installed the Single Connect mobile app, scanned the QR code with the mobile app, and MFA is enabled for the user group that will be using MFA for TACACS+ connections. (See sections Sending MFA QR Code to Users, Creating a Connection Between Single Connect and the Single Connect Mobile Application, Enabling Multi Factor Authentication (MFA)
  2. Connect to Single Connect CLI from the SSH client as a Single Connect admin user.
  3. Stop the TACACS+ function with the command below (do not close the SSH session) systemctl stop pam-tacacs
  4. Log in to the Single Connect Web GUI.
  5. Navigate to Administration > TACACS Management.
  6. Click the search button and from the Options menu, delete the configuration.
Delete TACACS Management Configuration
Delete TACACS Management Configuration

  • In the SSH session, edit the kron_tacacs.conf file with the command: vi /u01/kron/etc/kron_tacacs.conf Check the configuration file to see if the parameter below is already configured in it. If not, add the lines below. If there is a hash (#) sign in front of the parameters, delete the hash (#) sign to activate the parameter. If the parameter value is “false”, change it to “true”. To type or add anything in the vi editor, first press the Insert button on the keyboard, then type in the necessary line. Press Esc to exit typing mode. To save the file press Esc, then colon (:), type in wq! and press Enter. If you do not want to save the changes to the file, press Esc, then colon (:), then type in q! and press Enter. The red text below may need to be changed for the purposes of Single Connect installation. If the default values are acceptable for the installation, the red text does not need to be added at all. otp { enabled = 1; host = OTP endpoint webserver ip; port = OTP endpoint webserver port, default value: 80; cache_interval = 300; num_digits = 6; ssl = 1 if the OTP endpoint webserver is working on HTTPS, default value: 0; path_status = path of the otpStatus service, default value: /twofactorauth-ui/rest/tfa/otpStatus; path_valid = path of the otpValid service, default value: /twofactorauth-ui/rest/tfa/otpValid; }
  • Restart the TACACS+ function systemctl restart pam-tacacs