Solved

tacacs.net - Active Directory / LDAP setup for authentication and authorization

Posted on 2014-03-19
Last Modified: 2014-03-30
I am trying to implement tacacs authentication for our network equipment by using the tacacs.net software package installed on our Win2012 domain controller. I am looking for assistance setting up the connection/configuration. tacacs.net software is configured via .xml documents. The error I am seeing is "User does not belong to specified group". I am relatively new to Active Directory and LDAP, any help with this would be great. I can post my configs if necessary.
Question by:farroar
5 Comments
LVL 71

Expert Comment

by:Chris Dent
ID: 39941795
I've never used the server, but I do know AD / LDAP very well. Can you share the config files? I'm sure we can find a way to get it working if you haven't already :)

Cheers,

Chris

Author Comment

by:farroar
ID: 39946765
Great. I think it is just a config issue. I'm more of a networking person :)

There are a few different xml files that drive the connection. The first one is the authentication.xml file. It is here that the users are authenticated off of the active directory. Here is some of the code that pertains to AD:

-----------------------------------------------------------------------------------------------------------------
<!--This is an example of a Windows Active Directory group. This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
The LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server does not allow anonymous access to the active directory for authentication. This username must have read/write access to Active Directory.
To see the user directory subtree name, you can execute the following dsquery command on windows server:
Note: The command DSQUERY is only available on Windows Server.
C:\>dsquery user -samid USERNAME
To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter. -->

<UserGroup>
<Name>Network Admins</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>127.0.0.1:389</LDAPServer>
<LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Domain Users</LDAPGroupName>
<LDAPAccessUserName>tacacs</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="xxxxxxx" DES="xxxxxxx"></LDAPAccessUserPassword>

</UserGroup>
--------------------------------------------------------------------------------------------------------

I believe this is the only portion of the configuration that pertains to the AD connection. The documents explain how you find the info you need to enter into the config. I am a user on the domain so I am using my username to gather the information. Here is the output from the query commands it mentions:

dsquery user -samid nathan.farrar:
"CN=Nathan Farrar,OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com"

dsquery user -samid nathan.farrar | dsget user -memberof -expand:

"CN=Network Admins,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Tech_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Alerts_Dcy,OU=Users-Decypher,DC=ad,DC=xssentials,DC=com"
"CN=!Everyone,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Domain Users,CN=Users,DC=ad,DC=xssentials,DC=com"
"CN=Clients,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Common,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=TS Gateway Users,OU=Groups-Security,DC=ad,DC=xssentials,DC=com"
"CN=Users,CN=Builtin,DC=ad,DC=xssentials,DC=com"

When I run the file the application comes with to test the connection by specifying my username and password, I get a return of "User does not belong to specified group". I've tried different names and groups. It seems to connect fine but I know I'm missing something.

The one thing I notice that is different is that on our AD we have the OU= item. Their example file shows CN=. I'm not sure if this is significant but it is the only difference I can see.

Thoughts?

Thanks!
LVL 71

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 39949763
The CN / OU thing is critical. Some LDAP directories define folders in the structure using CN, others use OU. MS AD uses OU for all but a very small number of cases.

Whatever happens, you should trust the responses you get from dsquery and use those values, so if we start to go through the configuration:

> <LDAPUserDirectorySubtree>CN=Users-Xssentials,CN=Domain Users,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

Should be:

<LDAPUserDirectorySubtree>OU=Users-Xssentials,DC=ad,DC=xssentials,DC=com</LDAPUserDirectorySubtree>

This is the point in Active Directory where it can find user accounts, the code behind the XML file will initiate a search using this as the starting point.

Using Domain Users as the group may cause you some difficulty:

> <LDAPGroupName>Domain Users</LDAPGroupName>

Domain Users is a bit special: it doesn't have a strict list of members as other groups do. It is (normally) a user's Primary Group and requires special handling. If authentication doesn't work, try another group. In short, it may work, but don't be surprised if it doesn't.

AD will not allow anonymous binding by default, but I see you've specified a tacacs user as a service account. Hopefully that's already working for you.

Chris
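The two checks Chris describes, the search base and the group test, as an added example that is not tacacs.net's code and not Chris's. The directory is constructed in-line from the DNs in the dsquery output above; the user's memberOf list deliberately omits Domain Users, because Active Directory stores the primary group as primaryGroupID on the user (and primaryGroupToken on the group, well-known RID 513 for Domain Users) rather than in memberOf, which is what dsget -memberof papers over. Function names and the reason strings are assumptions for illustration; a real server would fetch the same attributes with an LDAP search rather than from this dict.

```python
"""Added example: the search-base and group-membership decision a TACACS+
server makes against AD, run over entries constructed from this thread."""
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, lower-cased because AD
    matches DNs case-insensitively. Escaped commas ('\\,') stay in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_subtree(entry_dn, base_dn):
    """True if entry_dn sits at or under base_dn. A search scoped to a base
    that is not an ancestor of the user's DN (or that does not exist, like
    'CN=Users-Xssentials,CN=Domain Users,...') never returns the user."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


DOMAIN = "DC=ad,DC=xssentials,DC=com"
DOMAIN_USERS_RID = 513  # well-known RID of Domain Users in every AD domain

# Constructed directory (DNs copied from the dsquery output in the thread).
# memberOf does NOT include the primary group; AD keeps that link as
# primaryGroupID on the user and primaryGroupToken on the group.
DIRECTORY = {
    f"CN=Nathan Farrar,OU=Users-Xssentials,{DOMAIN}": {
        "sAMAccountName": "nathan.farrar",
        "primaryGroupID": DOMAIN_USERS_RID,
        "memberOf": [
            f"CN=Network Admins,OU=Groups-Security,{DOMAIN}",
            f"CN=Clients,OU=Groups-Security,{DOMAIN}",
            f"CN=TS Gateway Users,OU=Groups-Security,{DOMAIN}",
        ],
    },
    f"CN=Network Admins,OU=Groups-Security,{DOMAIN}": {"objectClass": "group"},
    f"CN=Domain Users,CN=Users,{DOMAIN}": {
        "objectClass": "group",
        "primaryGroupToken": DOMAIN_USERS_RID,
    },
}


def find_user(sam_account_name, subtree, directory=DIRECTORY):
    """Emulate a subtree search for (sAMAccountName=...) below the base DN."""
    for dn, attrs in directory.items():
        if (attrs.get("sAMAccountName", "").lower() == sam_account_name.lower()
                and in_subtree(dn, subtree)):
            return dn, attrs
    return None


def groups_of(user_attrs, directory=DIRECTORY, resolve_primary_group=True):
    """Group DNs the user is in: memberOf, plus the primary group if asked."""
    groups = {dn.lower() for dn in user_attrs.get("memberOf", [])}
    if resolve_primary_group:
        rid = user_attrs.get("primaryGroupID")
        groups |= {dn.lower() for dn, attrs in directory.items()
                   if attrs.get("primaryGroupToken") == rid}
    return groups


def group_matches(group_dn, ldap_group_name):
    """LDAPGroupName may be the group's full DN or just its AD name (CN)."""
    rdns = parse_dn(group_dn)
    if "=" in ldap_group_name:
        return rdns == parse_dn(ldap_group_name)
    return rdns[0] == ("cn", ldap_group_name.strip().lower())


def authorize(sam_account_name, subtree, ldap_group_name,
              directory=DIRECTORY, resolve_primary_group=True):
    """Return (allowed, reason). The password bind is left out: the error in
    the thread comes from the group step, which runs after the bind succeeds."""
    found = find_user(sam_account_name, subtree, directory)
    if found is None:
        return False, "User not found under LDAPUserDirectorySubtree"
    _, attrs = found
    for dn in groups_of(attrs, directory, resolve_primary_group):
        if group_matches(dn, ldap_group_name):
            return True, "User is a member of %s" % ldap_group_name
    return False, "User does not belong to specified group"


if __name__ == "__main__":
    good_base = f"OU=Users-Xssentials,{DOMAIN}"
    bad_base = f"CN=Users-Xssentials,CN=Domain Users,{DOMAIN}"
    print(authorize("nathan.farrar", bad_base, "Network Admins"))
    print(authorize("nathan.farrar", good_base, "Domain Users",
                    resolve_primary_group=False))
    print(authorize("nathan.farrar", good_base, "Domain Users"))
    print(authorize("nathan.farrar", good_base, "Network Admins"))
```

Run as-is, the first call fails because the CN-based base is not an ancestor of the user's DN, the second fails with the exact error from the thread because Domain Users is only reachable through primaryGroupID, and the last two succeed. Two things worth checking in the real deployment while you have the service account in hand: the LDAPAccessUserName account only needs to read users and groups for this search, so it does not need the read/write access the vendor comment asks for, and the XML holds that account's password, so restrict the file's ACL to the tacacs.net service.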

Author Comment

by:farroar
ID: 39963959
I am going to try a few different things this weekend and get back to you. I appreciate the comments! Hope to get it figured out.

Author Closing Comment

by:farroar
ID: 39964815
Not using Domain Users was key. I ended up using the OU designation and then referencing a Network Admins group for users that were allowed to access resources via tacacs authentication. Still more tweaking to be done but it is currently working. Thanks!!
