Just going to drop this in here ...

If you are looking for something a little more upbeat 

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

On Sep 22, 2023, at 16:00, Mike Lewinski via NANOG <nanog@nanog.org> wrote:


We are using Okta's RADIUS service for 2fa to network gear currently,
but looking to switch to tacacs+ for many reasons. Would prefer to
implement tacacs+ with two-factor if possible.

tac_plus-ng from https://www.pro-bono-publico.de/projects/tac_plus-ng.html has LDAP and PAM backends, among others, so I believe you can implement 2FA through them. I haven't implemented this yet but it's on my to-do list (and I'm also warily watching passkey developments and wondering how much effort I should put into something that likely won't be best practice in another year or two).

I see Marc Huber is also promoting/supporting a tacacs+ extension for SSH public key auth:

https://github.com/MarcJHuber/event-driven-servers/wiki/TACACS_PLUS---SSH-Public-Key-Authentication