Solved

tacacs.net - Active Directory / LDAP setup for authentication and authorization

Posted on 2014-03-19
Last Modified: 2014-03-30
I am trying to implement tacacs authentication for our network equipment by using the tacacs.net software package installed on our Win2012 domain controller. I am looking for assistance setting up the connection/configuration. tacacs.net software is configured via .xml documents. The error I am seeing is "User does not belong to specified group". I am relatively new to Active Directory and LDAP, any help with this would be great. I can post my configs if necessary.
Question by:farroar

Expert Comment

by:Chris Dent
I've never used the server, but I do know AD / LDAP very well. Can you share the config files? I'm sure we can find a way to get it working if you haven't already :)

Cheers,

Chris

Author Comment

by:farroar
Great. I think it is just a config issue. I'm more of a networking person :)

There are a few different xml files that drive the connection. The first one is the authentication.xml file. It is here that the users are authenticated against Active Directory. Here is some of the code that pertains to AD:

-----------------------------------------------------------------------------------------------------------------
<!--This is an example is of a Windows Active Directory group. This group will authenticate using a Windows Domain Controller.

LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users. The LDAPGroupName should point to the name of the AD group. LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server does not allow anonymous access to the active directory for authentication. This username must have read/write access to Active Directory.

To see the user directory subtree name, you can execute the following dsquery command on windows server (Note: The command DSQUERY is only available on Windows Server):

C:\>dsquery user -samid USERNAME

To see the list of AD groups the user belongs to, use:

C:\>dsquery user -samid USERNAME | dsget user -memberof -expand

You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter. -->

<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Domain Users</LDAPGroupName>
<LDAPAccessUserName>tacacs</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="xxxxxxx" DES="xxxxxxx"></LDAPAccessUserPassword>

</UserGroup>
--------------------------------------------------------------------------------------------------------

I believe this is the only portion of the configuration that pertains to the AD connection. The documentation explains how to find the info you need to enter into the config. I am a user on the domain so I am using my username to gather the information. Here is the output from the query commands it mentions:

dsquery user -samid nathan.farrar:
"CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"

dsquery user -samid nathan.farrar | dsget user -memberof -expand:

"CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Tech_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Alerts_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Clients,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Common,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=TS Gateway Users,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Users,CN=Builtin,DC=ad,DC=xssentials,DC=com"

When I run the file the application comes with to test the connection by specifying my username and password, I get a return of "User does not belong to specified group". I've tried different names and groups. It seems to connect fine but I know I'm missing something.

The one thing I notice that is different is that on our AD we have the OU= item. Their example file shows CN=. I'm not sure if this is significant but it is the only difference I can see.

Thoughts?

Thanks!

Accepted Solution

by: Chris Dent (earned 500 total points)
The CN / OU thing is critical. Some LDAP directories define folders in the structure using CN, others use OU. MS AD uses OU for all but a very small number of cases.

Whatever happens, you should trust the responses you get from dsquery and use those values, so if we start to go through the configuration:

> <LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

Should be:

<LDAPUserDirectorySubtree>OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

This is the point in Active Directory where it can find user accounts; the code behind the XML file will initiate a search using this as the starting point.

Using Domain Users as the group may cause you some difficulty:

> <LDAPGroupName>Domain Users</LDAPGroupName>

Domain Users is a bit special: it doesn't have a strict list of members as other groups do. It is (normally) a user's primary group and requires special handling. If authentication doesn't work, try another group. In short, it may work, but don't be surprised if it doesn't.

AD will not allow anonymous binding by default, but I see you've specified a tacacs user as a service account. Hopefully that's already working for you.

Chris
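Added example (not part of this thread and not tacacs.net code): the two Active Directory rules in the accepted answer, the search base (CN= versus OU=) and the Domain Users primary-group quirk, reproduced offline in Python so the posted <UserGroup> block can be checked without a domain controller. The user and group DNs are the ones from the dsquery output in the question; the domain SID and the RIDs other than Domain Users' well-known 513 are constructed, and the assumption that the server tests group membership only through the user's memberOf attribute (the usual implementation, and consistent with the outcome farroar reports) is mine, not something this page documents.

```python
"""AD semantics behind a tacacs.net-style <UserGroup> block (added example)."""


def parse_dn(dn):
    """Split an LDAP DN into (type, value) RDN pairs, lower-cased so that
    comparisons follow AD's case-insensitive matching. Handles "\\," inside a
    value but not the other RFC 4514 escapes."""
    rdns, cur, escaped = [], "", False
    for ch in dn:
        if escaped:
            cur, escaped = cur + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def in_subtree(entry_dn, base_dn):
    """True if a subtree-scope search rooted at base_dn would return entry_dn."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def rid_of(sid):
    """Relative identifier: the last sub-authority of a textual SID."""
    return int(sid.rsplit("-", 1)[1])


def is_member(user, group, directory, memberof_only=False):
    """AD group membership. memberOf is walked transitively for nested groups.
    The primary group (primaryGroupID == RID of the group's objectSid) appears
    in neither the user's memberOf nor the group's member attribute, so a
    memberOf-only check misses it; memberof_only=False applies that rule too."""
    target = parse_dn(group["dn"])
    seen, stack = set(), [parse_dn(dn) for dn in user.get("memberOf", [])]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        if dn == target:
            return True
        stack.extend(parse_dn(d) for d in directory.get(dn, {}).get("memberOf", []))
    if memberof_only:
        return False
    same_domain = user["objectSid"].rsplit("-", 1)[0] == group["objectSid"].rsplit("-", 1)[0]
    return same_domain and user["primaryGroupID"] == rid_of(group["objectSid"])


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
DC_SUFFIX = "DC=ad,DC=xssentials,DC=com"

USER = {  # DNs as posted in the thread; the user's RID 1105 is constructed
    "dn": "CN=Nathan Farrar,OU=Users-Xssentials," + DC_SUFFIX,
    "objectSid": DOMAIN_SID + "-1105",
    "primaryGroupID": 513,  # AD default primary group: Domain Users
    "memberOf": ["CN=Network Admins,OU=Groups-Security," + DC_SUFFIX,
                 "CN=Clients,OU=Groups-Security," + DC_SUFFIX],
}
GROUPS = [  # group RIDs 1200/1201 constructed; 513 is AD's well-known RID
    {"dn": "CN=Network Admins,OU=Groups-Security," + DC_SUFFIX,
     "objectSid": DOMAIN_SID + "-1200", "memberOf": []},
    {"dn": "CN=Clients,OU=Groups-Security," + DC_SUFFIX,
     "objectSid": DOMAIN_SID + "-1201", "memberOf": []},
    {"dn": "CN=Domain Users,CN=Users," + DC_SUFFIX,
     "objectSid": DOMAIN_SID + "-513", "memberOf": []},
]
DIRECTORY = {parse_dn(g["dn"]): g for g in GROUPS}


def resolve_group(name):
    """LDAPGroupName may be a full DN or just the group's AD (CN) name."""
    wanted = parse_dn(name) if "=" in name else None
    for g in GROUPS:
        rdns = parse_dn(g["dn"])
        if rdns == wanted or (wanted is None and rdns[0] == ("cn", name.lower())):
            return g
    return None


def evaluate(subtree, group_name, user=USER, memberof_only=True):
    """Decision for one <UserGroup>. memberof_only=True models a server that
    consults only memberOf (assumption about tacacs.net, not documented here)."""
    if not in_subtree(user["dn"], subtree):
        return "user not found under LDAPUserDirectorySubtree"
    group = resolve_group(group_name)
    if group is None:
        return "group not found"
    if not is_member(user, group, DIRECTORY, memberof_only):
        return "User does not belong to specified group"
    return "authorized"


POSTED = ("CN=Users-Xssentials,CN=Domain Users," + DC_SUFFIX, "Domain Users")
FIXED = ("OU=Users-Xssentials," + DC_SUFFIX, "Network Admins")

if __name__ == "__main__":
    print("posted config          :", evaluate(*POSTED))
    print("OU fixed, Domain Users :", evaluate(FIXED[0], "Domain Users"))
    print("same, primaryGroupID ok:", evaluate(FIXED[0], "Domain Users", memberof_only=False))
    print("fixed config           :", evaluate(*FIXED))
```

Run it with `python3` and the four lines show the progression of the thread: the posted subtree never matches the user's DN because a CN= RDN is not an OU= RDN, so the search base must be taken verbatim from dsquery; with the subtree fixed, Domain Users still fails under a memberOf-only check because primary-group membership lives only in primaryGroupID; and a normal security group such as Network Admins passes. Two practitioner caveats: binding and searching group membership needs read access only, so the tacacs bind account should be granted nothing more than that regardless of what the vendor comment says about read/write, and the ClearText attribute on LDAPAccessUserPassword puts that account's password in a file on the domain controller, which is a reason to keep the account unprivileged and the file's ACL tight.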

Author Comment

by:farroar
I am going to try a few different things this weekend and get back to you. I appreciate the comments! Hope to get it figured out.

Author Closing Comment

by:farroar
Not using Domain Users was key. I ended up using the OU designation and then referencing a Network Admins group for users that were allowed to access resources via tacacs authentication. Still more tweaking to be done but it is currently working. Thanks!!