Just going to drop this in here ...If you are looking for something a little more upbeat
--
J. Hellenthal
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.On Sep 22, 2023, at 16:00, Mike Lewinski via NANOG <nanog@nanog.org> wrote:
We are using Okta's RADIUS service for 2fa to network gear currently,
but looking to switch to tacacs+ for many reasons. Would prefer to
implement tacacs+ with two-factor if possible.
tac_plus-ng from https://www.pro-bono-publico.de/projects/tac_plus-ng.html has LDAP and PAM backends, among others, so I believe you can implement 2FA through them. I haven't implemented this yet but it's on my to-do list (and I'm also warily watching passkey developments and wondering how much effort I should put into something that likely won't be best practice in another year or two).I see Marc Huber is also promoting/supporting tacacs+ extension for SSH public key authhttps://github.com/MarcJHuber/event-driven-servers/wiki/TACACS_PLUS---SSH-Public-Key-Authentication