Solved

tacacs.net - Active Directory / LDAP setup for authentication and authorization

Posted on 2014-03-19
Last Modified: 2014-03-30
I am trying to implement tacacs authentication for our network equipment by using the tacacs.net software package installed on our Win2012 domain controller. I am looking for assistance setting up the connection/configuration. tacacs.net software is configured via .xml documents. The error I am seeing is "User does not belong to specified group". I am relatively new to Active Directory and LDAP; any help with this would be great. I can post my configs if necessary.
Question by:farroar
5 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 39941795
I've never used the server, but I do know AD / LDAP very well. Can you share the config files? I'm sure we can find a way to get it working if you haven't already :)

Cheers,

Chris
Author Comment

by:farroar
ID: 39946765
Great. I think it is just a config issue. I'm more of a networking person :)

There are a few different xml files that drive the connection. The first one is the authentication.xml file. It is here that the users are authenticated off of the active directory. Here is some of the code that pertains to AD:

-----------------------------------------------------------------------------------------------------------------
<!--
This is an example of a Windows Active Directory group. This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
The LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server does not allow anonymous access to the active directory for authentication. This username must have read/write access to Active Directory.
To see the user directory subtree name, you can execute the following dsquery command on windows server:
Note: The command DSQUERY is only available on Windows Server.
C:\>dsquery user -samid USERNAME
To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter.
-->

<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Domain Users</LDAPGroupName>
<LDAPAccessUserName>tacacs</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="xxxxxxx" DES="xxxxxxx"></LDAPAccessUserPassword>

</UserGroup>
--------------------------------------------------------------------------------------------------------

I believe this is the only portion of the configuration that pertains to the AD connection. The documents explain that you find the info you need to enter into the config. I am a user on the domain so I am using my username to gather the information. Here is the output from the query commands it mentions:

dsquery user -samid nathan.farrar:
"CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"

dsquery user -samid nathan.farrar | dsget user -memberof -expand:

"CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Tech_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Alerts_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Clients,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Common,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=TS Gateway Users,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Users,CN=Builtin,DC=ad,DC=xssentials,DC=com"

When I run the file the application comes with to test the connection by specifying my username and password, I get a return of "User does not belong to specified group". I've tried different names and groups. It seems to connect fine but I know I'm missing something.

The one thing I notice that is different is that on our AD we have the OU= item. Their example file shows CN=. I'm not sure if this is significant but it is the only difference I can see.

Thoughts?

Thanks!
LVL 71

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 39949763
The CN / OU thing is critical. Some LDAP directories define folders in the structure using CN, others use OU. MS AD uses OU for all but a very small number of cases.

Whatever happens, you should trust the responses you get from dsquery and use those values, so if we start to go through the configuration:

> <LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

Should be:

<LDAPUserDirectorySubtree>OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

This is the point in Active Directory where it can find user accounts; the code behind the XML file will initiate a search using this as the starting point.

Using Domain Users as the group may cause you some difficulty:

> <LDAPGroupName>Domain Users</LDAPGroupName>

Domain Users is a bit special: it doesn't have a strict list of members as other groups do. It is (normally) a user's Primary Group and requires special handling. If authentication doesn't work, try another group. In short, it may work, but don't be surprised if it doesn't.

AD will not allow anonymous binding by default, but I see you've specified a tacacs user as a service account. Hopefully that's already working for you.

Chris
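As an added check, not part of the thread and not tacacs.net's own code, here is a short Python script that applies the two points from the answer above to the config fragment and the dsquery/dsget output posted earlier in the question: it parses the <UserGroup> block, verifies that the user's DN actually sits under LDAPUserDirectorySubtree (RDN by RDN, so a CN= where the directory has OU= fails), and verifies that LDAPGroupName (bare name or full DN) appears in the dsget -memberof list, flagging Domain Users as a primary group. The XML and DN strings are constructed copies of what the thread shows; the PRIMARY_GROUPS set and all function names are my own assumptions, not anything tacacs.net exposes.

```python
"""Sanity-check a tacacs.net <UserGroup> block against dsquery / dsget output."""
import re
import xml.etree.ElementTree as ET

# Constructed copies of the thread's config fragment: the subtree from the
# question (CN= where AD uses OU=, plus Domain Users) and the corrected one.
BROKEN_USERGROUP = """<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Domain Users</LDAPGroupName>
</UserGroup>"""

FIXED_USERGROUP = """<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Network Admins</LDAPGroupName>
</UserGroup>"""

# Constructed from the dsquery / dsget output quoted in the question.
USER_DN = "CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"
MEMBER_OF = [
    "CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com",
    "CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com",
    "CN=Users,CN=Builtin,DC=ad,DC=xssentials,DC=com",
]

# Assumption: groups that dsget -expand lists but that have no strict member
# list in AD. Domain Users is normally the primary group (primaryGroupID), so
# a plain memberOf lookup may not find it.
PRIMARY_GROUPS = {"domain users"}


def split_dn(dn):
    """Split a DN into lower-cased (attr, value) pairs, honouring backslash-escaped commas."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True if dn sits strictly below base, i.e. base is a suffix of dn RDN by RDN."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def check_usergroup(xml_text, user_dn, member_of):
    """Return a list of findings; an empty list means the block should resolve this user."""
    ug = ET.fromstring(xml_text)
    subtree = ug.findtext("LDAPUserDirectorySubtree")
    group = ug.findtext("LDAPGroupName")
    findings = []

    # Point 1 from the answer: the search base must really contain the user.
    if not is_under(user_dn, subtree):
        findings.append(f"user DN {user_dn!r} is not under LDAPUserDirectorySubtree {subtree!r}")

    # The shipped comment allows either the group's full DN or its bare AD name.
    if "=" in group:
        matched = any(split_dn(group) == split_dn(m) for m in member_of)
    else:
        matched = any(split_dn(m)[0] == ("cn", group.lower()) for m in member_of)
    if not matched:
        findings.append(f"{group!r} is not in the user's dsget -memberof output")

    # Point 2 from the answer: Domain Users is a primary group, pick another.
    if group.lower() in PRIMARY_GROUPS:
        findings.append(f"{group!r} is a primary group with no strict member list; use another group")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN_USERGROUP), ("fixed", FIXED_USERGROUP)):
        print(label, check_usergroup(xml_text, USER_DN, MEMBER_OF) or "OK")
```

Paste the real output of `dsquery user -samid USERNAME` and `dsquery user -samid USERNAME | dsget user -memberof -expand` into USER_DN and MEMBER_OF, and the real `<UserGroup>` block into the XML string, before trusting the result; the script only checks DN containment and group naming, not the bind credentials or the port.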

Author Comment

by:farroar
ID: 39963959
I am going to try a few different things this weekend and get back to you. I appreciate the comments! Hope to get it figured out.

Author Closing Comment

by:farroar
ID: 39964815
Not using Domain Users was key. I ended up using the OU designation and then referencing a Network Admins group for users that were allowed to access resources via tacacs authentication. Still more tweaking to be done but it is currently working. Thanks!!