Solved

tacacs.net - Active Directory / LDAP setup for authentication and authorization

Posted on 2014-03-19
5
Medium Priority
4,633 Views
Last Modified: 2014-03-30
I am trying to implement tacacs authentication for our network equipment by using the tacacs.net software package installed on our Win2012 domain controller. I am looking for assistance setting up the connection/configuration. tacacs.net software is configured via .xml documents. The error I am seeing is "User does not belong to specified group". I am relatively new to Active Directory and LDAP, any help with this would be great. I can post my configs if necessary.
0
5 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 39941795
I've never used the server, but I do know AD / LDAP very well. Can you share the config files? I'm sure we can find a way to get it working if you haven't already :)

Cheers,

Chris
0
 

Author Comment

by:farroar
ID: 39946765
Great. I think it is just a config issue. I'm more of a networking person :)

There are a few different xml files that drive the connection. The first one is the authentication.xml file. It is here that the users are authenticated off of the active directory. Here is some of the code that pertains to AD:

-----------------------------------------------------------------------------------------------------------------
<!--
This is an example of a Windows Active Directory group. This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server does not allow anonymous access to the active directory for authentication. This username must have read/write access to Active Directory.
To see the user directory subtree name, you can execute the following dsquery command on Windows Server (Note: the command DSQUERY is only available on Windows Server):
C:\>dsquery user -samid USERNAME
To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter.
-->

<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Domain Users</LDAPGroupName>
<LDAPAccessUserName>tacacs</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="xxxxxxx" DES="xxxxxxx"></LDAPAccessUserPassword>

</UserGroup>
--------------------------------------------------------------------------------------------------------

I believe this is the only portion of the configuration that pertains to the AD connection. The documents explain that you find the info you need to enter into the config. I am a user on the domain so I am using my username to gather the information. Here is the output from the query commands it mentions:

dsquery user -samid nathan.farrar:
"CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"

dsquery user -samid nathan.farrar | dsget user -memberof -expand:

"CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Tech_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Alerts_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Clients,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Common,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=TS Gateway Users,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Users,CN=Builtin,DC=ad,DC=xssentials,DC=com"

When I run the file the application comes with to test the connection by specifying my username and password, I get a return of "User does not belong to specified group". I've tried different names and groups. It seems to connect fine but I know I'm missing something.

The one thing I notice that is different is that on our AD we have the OU= item. Their example file shows CN=. I'm not sure if this is significant but it is the only difference I can see.

Thoughts?

Thanks!
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 39949763
The CN / OU thing is critical. Some LDAP directories define folders in the structure using CN, others use OU. MS AD uses OU for all but a very small number of cases.

Whatever happens, you should trust the responses you get from dsquery and use those values, so if we start to go through the configuration:

> <LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

Should be:

<LDAPUserDirectorySubtree>OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

This is the point in Active Directory where it can find user accounts, the code behind the XML file will initiate a search using this as the starting point.

Using Domain Users as the group may cause you some difficulty:

> <LDAPGroupName>Domain Users</LDAPGroupName>

Domain Users is a bit special, it doesn't have a strict list of members as other groups do. It is (normally) a user's Primary Group and requires special handling. If authentication doesn't work, try another group. In short, it may work, but don't be surprised if it doesn't.

AD will not allow anonymous binding by default, but I see you've specified a tacacs user as a service account. Hopefully that's already working for you.

Chris
0
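An added example (my own, not code from the thread or from tacacs.net) that reproduces offline the two checks discussed above: whether the user's DN actually sits under the configured LDAPUserDirectorySubtree (CN= and OU= are different RDN types, so the CN-based base never contains an OU-based user), and whether the user is in LDAPGroupName, including the Domain Users case where the group is the primary group and therefore absent from memberOf. The DNs are the ones shown in the dsquery output; the memberOf list is trimmed, and the primaryGroupID value and the RID-to-group table are constructed assumptions.

```python
"""Added example (not part of the Experts Exchange thread or of tacacs.net):
an offline reproduction of the two checks the accepted answer describes.

1. Is the user's DN inside the configured LDAPUserDirectorySubtree?
   RDNs are compared by type and value, so a base of CN=Users-Xssentials,...
   never contains a user whose DN says OU=Users-Xssentials,... .
2. Is the user a member of LDAPGroupName? The memberOf attribute never
   carries the primary group (normally Domain Users, well-known RID 513);
   it is only reachable via primaryGroupID, so a checker that trusts
   memberOf alone reports "User does not belong to specified group".

The DNs below are constructed from the thread's dsquery output; the
memberOf list is trimmed and the primaryGroupID value is an assumption.
"""
from __future__ import annotations

import re

DOMAIN_USERS_RID = 513  # well-known RID of Domain Users


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDNs, leaf first, splitting only on
    commas that are not backslash-escaped. Both parts are lower-cased
    because AD matches DN components case-insensitively."""
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it (LDAP 'sub' scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base


def group_matches(group_dn: str, wanted: str) -> bool:
    """LDAPGroupName may be the group's full DN or just its CN (the config
    comment allows either)."""
    wanted = wanted.strip().lower()
    if '=' in wanted:
        return parse_dn(group_dn) == parse_dn(wanted)
    return parse_dn(group_dn)[0] == ('cn', wanted)


def check_user(user: dict, subtree: str, group_name: str,
               groups_by_rid: dict[int, str]) -> str:
    """Apply both checks to one user record as an LDAP search would return
    it (dn, memberOf, primaryGroupID). Returns 'ok', 'user not under search
    base', or the thread's own error string."""
    if not in_subtree(user["dn"], subtree):
        return "user not under search base"
    groups = list(user["memberOf"])
    # Resolve the primary group, which memberOf omits, from its RID.
    primary_dn = groups_by_rid.get(user.get("primaryGroupID"))
    if primary_dn:
        groups.append(primary_dn)
    if any(group_matches(g, group_name) for g in groups):
        return "ok"
    return "User does not belong to specified group"


# Constructed sample data, built from the DNs shown in the thread.
NATHAN = {
    "dn": "CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com",
    "memberOf": [
        "CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com",
        "CN=Clients,OU=Groups-Security,DC=ad,DC=xssentials,DC=com",
    ],
    "primaryGroupID": DOMAIN_USERS_RID,  # assumption: the usual default
}
GROUPS_BY_RID = {  # assumption: RID -> group DN, as resolved from the directory
    DOMAIN_USERS_RID: "CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com",
}
WRONG_BASE = "CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com"
RIGHT_BASE = "OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"

if __name__ == "__main__":
    for base, group, rids in [
        (WRONG_BASE, "Domain Users", GROUPS_BY_RID),    # the original config
        (RIGHT_BASE, "Domain Users", {}),               # OU fixed, memberOf only
        (RIGHT_BASE, "Domain Users", GROUPS_BY_RID),    # primary group resolved
        (RIGHT_BASE, "Network Admins", GROUPS_BY_RID),  # the asker's final config
    ]:
        print(f"{base:<60} {group:<15} -> {check_user(NATHAN, base, group, rids)}")
```

Running it shows the three states from the thread in order: the original CN-based base finds no user at all, the OU-based base with Domain Users still fails when only memberOf is consulted, and a regular security group such as Network Admins passes straight away. Whether tacacs.net resolves primaryGroupID is not something the thread says, which is the practical reason to pick an ordinary group for LDAPGroupName.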
 

Author Comment

by:farroar
ID: 39963959
I am going to try a few different things this weekend and get back to you. I appreciate the comments! Hope to get it figured out.
0
 

Author Closing Comment

by:farroar
ID: 39964815
Not using Domain Users was key. I ended up using the OU designation and then referencing a Network Admins group for users that were allowed to access resources via tacacs authentication. Still more tweaking to be done but it is currently working. Thanks!!
0
