Active Directory
gadzhikuliev, 2018-09-26 12:53:24

How to set up Tacacs+ authorization through an Active Directory group?

I am setting up authorization with MAVIS Tacacs+. It works if I list the users in the configuration file, but I want the server to take them from the AD group without listing users. The tacacsadmin group has been created in AD. It seems I registered the group in the conf file according to the Tacacs+ rules, taking the prefix into account, but something does not let it in, although the SSH session is established and a password is requested.

id = spawnd {
        listen = { address = 0.0.0.0 port = 49 }
        #Uncomment the line below for IPv6 support
        #listen = { address = :: port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {

        access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
        accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
        authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt


        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "172.31.2.113:3268 172.31.4.4:3268"
                setenv LDAP_BASE = "DC=domain,DC=ru"
                setenv LDAP_SCOPE = sub
                setenv LDAP_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "[email protected]"
                setenv LDAP_PASSWD = "VerySecretPassword"
                setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
                # setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
                setenv AD_GROUP_PREFIX = "tacacs"
                # setenv REQUIRE_TACACS_GROUP_PREFIX = 0
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }

        login backend = mavis
        user backend = mavis
        pap backend = mavis

        host = world {
                address = 0.0.0.0/0
                key = cisco
        }

        group = ADMIN {
                default service = permit
                service = exec {
                        set priv-lvl = 15
                }
        }

#       user = gr {
#               member = ADMIN
#       }

#       user = dv {
#               member = ADMIN
#       }
}

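A small diagnostic for the situation in the question, added here as an example; it is not code from the question or from the tac_plus/MAVIS project. It takes the memberOf values an LDAP lookup would return for a user (a constructed sample below), applies the AD_GROUP_PREFIX mapping as that option is described for mavis_tacplus_ldap.pl (group CN with the prefix stripped; this rule and the assumption that tac_plus group names are compared case-sensitively should be checked against the script and daemon actually installed), and reports which of the resulting names have no matching "group = ..." definition in the posted tac_plus.conf fragment.

```python
import re

# Constructed sample: memberOf values a global-catalog lookup might return
# for one user. Real DNs come from your own directory.
SAMPLE_MEMBER_OF = [
    "CN=tacacsadmin,OU=Groups,DC=domain,DC=ru",
    "CN=Domain Users,CN=Users,DC=domain,DC=ru",
    "CN=tacacsnetops,OU=Groups,DC=domain,DC=ru",
]

# The group definition from the question's tac_plus.conf, verbatim.
SAMPLE_CONF = """
        group = ADMIN {
            default service = permit
            service = exec {
            set priv-lvl = 15
         }
        }
"""


def ad_groups_to_tacacs(member_of, prefix="tacacs", require_prefix=True):
    """Map memberOf DNs to candidate tac_plus group names.

    Assumed rule (mirrors the AD_GROUP_PREFIX option as documented for
    mavis_tacplus_ldap.pl; verify against the installed script): take the CN
    of each group DN, strip the prefix when present, and drop groups that
    lack the prefix when require_prefix is set.
    """
    names = []
    for dn in member_of:
        m = re.match(r"^CN=([^,]+),", dn, re.IGNORECASE)
        if not m:
            continue
        cn = m.group(1)
        if cn.lower().startswith(prefix.lower()):
            names.append(cn[len(prefix):])
        elif not require_prefix:
            names.append(cn)
    return names


def defined_groups(conf_text):
    """Collect names declared as 'group = NAME {' in a tac_plus.conf text."""
    return set(re.findall(r"^\s*group\s*=\s*(\S+)\s*\{", conf_text, re.MULTILINE))


def unmatched_groups(member_of, conf_text, prefix="tacacs"):
    """Mapped names with no 'group = ...' definition of exactly that spelling.

    Names are compared as-is (assumed case-sensitive), so an AD group
    'tacacsadmin' yields 'admin', which does not match 'group = ADMIN'.
    """
    declared = defined_groups(conf_text)
    return [g for g in ad_groups_to_tacacs(member_of, prefix) if g not in declared]


if __name__ == "__main__":
    print("mapped from AD:", ad_groups_to_tacacs(SAMPLE_MEMBER_OF))
    print("declared in conf:", sorted(defined_groups(SAMPLE_CONF)))
    print("no matching group =", unmatched_groups(SAMPLE_MEMBER_OF, SAMPLE_CONF))
```

Running it against the sample shows "tacacsadmin" mapping to "admin" while the configuration only declares ADMIN; whether that spelling difference is what blocks the login depends on how the installed daemon compares names, which is the first thing to confirm (for example by temporarily adding a group whose name is the exact prefix-stripped CN, or by reading the mapping code in mavis_tacplus_ldap.pl).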