I am working on using pam_tacplus to authenticate a Linux host and
several Solaris hosts to a CiscoSecure ACS server. In the current
configuration I can authenticate if the TACACS server is down -- but the
network connectivity to the host has to be available or authentication
times out. Here is a sample sshd configuration from /etc/pam.conf:

sshd auth required pam_nologin.so
sshd auth [ success=done new_authtok_reqd=done authinfo_unavail=reset default=reset ] pam_tacplus.so first_hit server=192.168.1.1 server=192.168.1.2 secret=secret encrypt
sshd auth [ success=done new_authtok_reqd=done ignore=ignore default=die ] pam_unix2.so use_first_pass
sshd auth required pam_deny.so
sshd account required pam_permit.so
sshd session required pam_limits.so
sshd session required pam_permit.so


In this test configuration 192.168.1.1 is not up, because I want to test
fall through. I want it to attempt tacacs+ auth against 192.168.1.1
and 2, and fall through to using local authentication.

In the case of 192.168.1.1 and 192.168.1.2 not being up, it will not
fall through to local authentication.

In the case of 192.168.1.1 being set to 192.168.1.3, which is up but
does not run a tacacs+ server, authentication will fall through.
Therefore, I have something that I'm missing in my configuration that
should tell the tacacs authentication that it should reset if one or
both of the servers are down.

Any suggestions appreciated. Now that I've posted for the world, I
think the solution should occur to me in five minutes...

Thanks,
Brian Seppanen
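As an added check (not code from the original post or from pam_tacplus), the following Python model applies Linux-PAM's bracketed control-value semantics to the sshd auth stack above. It models only the return code each module hands back, not how long pam_tacplus blocks before returning, so it shows which return codes make the stack fall through to pam_unix2; module names and return-code labels are assumed.

```python
# Added example: a minimal model of Linux-PAM control-flag evaluation applied to
# the sshd auth stack from the post. Only return codes are modelled, not the time
# a module spends blocked on an unreachable server (the timeout observed above).
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",   # the classic "required"
            "ignore": "ignore", "default": "bad"}        # keyword, expanded

def parse_control(text):
    """'[success=done default=reset]' -> {'success': 'done', 'default': 'reset'}"""
    return dict(tok.split("=", 1) for tok in text.strip("[] ").split())

def run_stack(stack, outcomes):
    """stack: [(module, control)]; outcomes: module -> return code. Returns result."""
    impression, status = None, None          # None: nothing decided yet
    i = 0
    while i < len(stack):
        module, control = stack[i]
        retval = outcomes.get(module, SUCCESS)
        action = control.get(retval, control.get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = (retval == SUCCESS), retval
            if impression and action == "done":  # sufficient-style early exit
                break
        elif action in ("bad", "die"):
            if impression is not False:          # first failure wins
                impression, status = False, retval
            if action == "die":                  # requisite-style early exit
                break
        elif action == "reset":                  # forget everything so far
            impression, status = None, None
        elif action.isdigit():                   # skip the next N modules
            i += int(action)
        i += 1
    return status if status is not None else "perm_denied"

# The four "sshd auth" entries from the /etc/pam.conf excerpt above.
SSHD_AUTH = [
    ("pam_nologin", REQUIRED),
    ("pam_tacplus", parse_control(
        "[success=done new_authtok_reqd=done authinfo_unavail=reset default=reset]")),
    ("pam_unix2", parse_control(
        "[success=done new_authtok_reqd=done ignore=ignore default=die]")),
    ("pam_deny", REQUIRED),
]

def sshd_login(tacplus=SUCCESS, unix2=SUCCESS, nologin=SUCCESS):
    # Result of one login given what each module reports (constructed inputs).
    return run_stack(SSHD_AUTH, {"pam_nologin": nologin, "pam_tacplus": tacplus,
                                 "pam_unix2": unix2, "pam_deny": AUTH_ERR})
```

Because pam_tacplus carries default=reset, a TACACS+ reject falls through to pam_unix2 just like an unreachable server does, so local credentials decide the login whenever the server says no.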