
I'm working on a tacacs+ server for my campus network, and I have been wondering how I could set up a tacacs+ server to communicate to PAM running Google's two-factor authentication. I've done quite a bit of googling, found some useful information, but I haven't found a clear 'road map' and a lot of steps seem fuzzy at best. I've got an Ubuntu tacacs+ test bed running right now with no switches or routers configured yet.

Has anyone done something like this? I found a relatively good guide in a redhat e-mail chain here: https://www.redhat.com/archives/pam-list/2014-March/msg00008.html

I don't know exactly where to go next, or how this system works. Are there any examples I can follow or some suggestions anyone's got? I feel a bit like I'm in trial and error mode right now.

EDIT: Specifically, right now, I'm staring at example PAM configuration files in /etc/pam.d/(tac_plus? whatever it's called) and I'm not sure exactly what needs to go there. Is that Google authenticator stuff or tacacs+ stuff? My example looks something like the code posted below, but I'm not sure what goes here:

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_ldap.so

There's also a config for tacacs which looks very straightforward, but like everything else, I've never seen it before, so I'm not too sure. It looks like this:

# admin group
group = admins {
        default service = permit
        login = PAM
        service = exec {
             priv-lvl = 15
        }
}

Disco King



Breaking this into two pieces: the pam directory is for your authentication for services: tac_plus. The tac_plus configuration file is for the service: tacacs+.

PAM

PAM is your pluggable authentication; this is where you are going to configure user/password authentication with google auth. Since google auth is very commonly used for services like RADIUSD and SSHD, I'll steal some public code for that.

The #1 Google result is Supertech Guy, whose security practices I've actually gone and written a rebuke of here, but essentially:

Add this to your auth section of pam.d/tac_plus

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

You can modify the location of google auth keys if you want to feed users from ldap and pregenerate their BASE32 keys instead of using the google-auth tool. More about google_auth pam module

TACACS+

tac_plus is a service; when you authenticate with it, it will use the PAM module for tac_plus, same as radiusd and sshd.

There are a ton of guides on how to configure that, http://www.shrubbery.net/tac_plus/ for example; sadly I have not configured tac_plus personally.

READ

When you authenticate with google auth forward_pass, your password is password&googleauth:

password: MyPassword

google totp: 222555

resulting password you enter: MyPassword222555

Jacob Evans
    That was a really helpful write-up, thanks. – Disco King Mar 31 '17 at 17:25
  • 1
    I just got this working a few minutes ago using this guide, extremely helpful, great job pointing me in the right direction. Two big thumbs up! – Disco King Mar 31 '17 at 21:16
  • awesome, glad I could help. sorry I couldn't give you more on the tacacs. for bonus points you should check out FreeIPA and use HBAC rules to limit access to services – Jacob Evans Mar 31 '17 at 21:19
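The forward_pass convention from the answer (static password followed by the six TOTP digits, e.g. MyPassword222555), worked through in code. This is an added example and is not code from the question, the answer, pam_google_authenticator or tac_plus: it implements HOTP/TOTP per RFC 4226/6238 (HMAC-SHA1, 30-second step, 6 digits, which is what google-authenticator issues), splits the entered string into the part handed on to the next PAM module and the trailing code, and checks the code against a one-step window. The BASE32 secret is the RFC reference key, and `check_login` is a constructed stand-in for the two-line PAM stack (the real pam_unix compares a crypt() hash rather than a plain string).

```python
"""Worked example of the forward_pass split and a TOTP check.

Added example, not the pam_google_authenticator or tac_plus source.
"""
import base64
import hashlib
import hmac
import struct

TOTP_DIGITS = 6    # google-authenticator issues 6-digit codes
TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
SKEW_STEPS = 1     # accept one step either side of the current one

# Constructed test secret: the RFC 4226/6238 reference key
# "12345678901234567890" in BASE32, the form google-authenticator stores.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)   # restore any stripped padding
    secret = base64.b32decode(padded, casefold=True)
    return hotp(secret, at // step)


def split_forward_pass(entered: str, digits: int = TOTP_DIGITS):
    """Split 'MyPassword222555' into ('MyPassword', '222555').

    Mirrors the forward_pass convention in the answer: the trailing digits
    are the TOTP and the rest is forwarded to the next auth module.
    Returns None when there is no well-formed code at the end."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


def verify_totp(secret_b32: str, code: str, at: int, skew: int = SKEW_STEPS) -> bool:
    """Constant-time compare of the code against each step in the allowed window."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * TOTP_STEP), code)
        for k in range(-skew, skew + 1)
    )


def check_login(entered: str, stored_password: str, secret_b32: str, at: int) -> bool:
    """Constructed stand-in for the two-line PAM stack: TOTP first, then the static part.

    pam_unix would compare against a crypt() hash; a constant-time string
    compare is used here only to keep the example self-contained."""
    parts = split_forward_pass(entered)
    if parts is None:
        return False
    static_part, code = parts
    if not verify_totp(secret_b32, code, at):
        return False
    return hmac.compare_digest(static_part.encode(), stored_password.encode())


if __name__ == "__main__":
    now = 59  # fixed clock so the run is reproducible
    code = totp(EXAMPLE_SECRET_B32, now)
    print("code for the example secret at T=59:", code)
    print("login accepted:", check_login("MyPassword" + code, "MyPassword",
                                         EXAMPLE_SECRET_B32, now))
```

The order matters for the same reason the answer puts pam_google_authenticator first with requisite: the code is checked before the static password is ever handed to the next module, so a bad code fails the stack early. One thing this example leaves out that the real module does is remembering codes it has already accepted, so that a code observed in transit cannot be presented a second time within the skew window.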