How to set up TACACS+ authorization through an Active Directory group?
I am setting up authorization with Mavis TACACS+. It works if I list the users in the configuration file, but I want the server to take them from the AD group without listing users. The tacacsadmin group has been created in AD. I seem to have registered the group in the conf file according to the TACACS+ rules, taking the prefix into account, but something is not letting them in, although the session is established via SSH and a password is requested.
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    # Uncomment the line below for IPv6 support
    # listen = { address = :: port = 49 }
    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}

id = tac_plus {
    access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
    accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
    authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt

    # External MAVIS backend: the Perl LDAP helper binds to AD, looks the user
    # up and returns the user's group memberships to tac_plus
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # Global Catalog port 3268 on two domain controllers for redundancy
        setenv LDAP_HOSTS = "172.31.2.113:3268 172.31.4.4:3268"
        setenv LDAP_BASE = "DC=domain,DC=ru"
        setenv LDAP_SCOPE = sub
        setenv LDAP_FILTER = "(&(objectClass=user)(sAMAccountName=%s))"
        # Bind account for the lookup; a read-only service account is enough.
        # The password is stored in clear text, so keep this file readable
        # by the tac_plus user only
        setenv LDAP_USER = "[email protected]"
        setenv LDAP_PASSWD = "VerySecretPassword"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        # setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
        # Only AD groups whose name starts with this prefix are handed to
        # tac_plus, with the prefix stripped: AD group "tacacsadmin" arrives
        # as tac_plus group "admin"
        setenv AD_GROUP_PREFIX = "tacacs"
        # setenv REQUIRE_TACACS_GROUP_PREFIX = 0
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis

    host = world {
        # Accepts any client; narrow this to the management network in production
        address = 0.0.0.0/0
        # Example shared secret; use a long random key per device group
        key = cisco
    }

    # The group name must match what the MAVIS helper returns after the
    # prefix is stripped ("admin" for AD group "tacacsadmin"). The lookup is
    # assumed to be case-sensitive, so a group named "ADMIN" would not be found
    group = admin {
        default service = permit
        service = exec {
            set priv-lvl = 15
        }
    }

    # Static users, no longer needed once membership comes from AD
    # user = gr {
    #     member = admin
    # }
    # user = dv {
    #     member = admin
    # }
}
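One way to check the AD-group-to-tac_plus-group mapping offline, as an added example that is not part of the original post or of the MAVIS project. It models what mavis_tacplus_ldap.pl is documented to do with AD_GROUP_PREFIX (take the CN of each memberOf DN, keep the groups whose CN starts with the prefix, strip the prefix, pass the remainder to tac_plus as a group name) and then compares the result with the group names defined in tac_plus.cfg. The memberOf values and the configured group names are constructed for the example; that the prefix match is case-insensitive while the tac_plus group lookup is case-sensitive is an assumption about the real implementation, as is the `require_prefix` switch.

```python
"""Offline check of the AD group -> tac_plus group mapping.

Added example, not code from the original post or from the MAVIS project.
It approximates mavis_tacplus_ldap.pl's AD_GROUP_PREFIX handling; the
sample data is constructed, and the case-sensitivity rules are assumptions.
"""

import re

# Constructed memberOf attribute of a test user, as a Global Catalog returns it
SAMPLE_MEMBEROF = [
    "CN=tacacsadmin,OU=Groups,DC=domain,DC=ru",
    "CN=Domain Users,CN=Users,DC=domain,DC=ru",
    "CN=tacacsreadonly,OU=Groups,DC=domain,DC=ru",
    "CN=Ops\\, Network,OU=Groups,DC=domain,DC=ru",   # escaped comma in the CN
]

# Group names defined with "group = ..." in tac_plus.cfg (constructed;
# "ADMIN" reproduces the mismatch of an upper-case group name)
CONFIGURED_TAC_GROUPS = {"ADMIN", "readonly"}

# First RDN of a DN: "CN=" followed by a value that may contain escaped commas
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)


def cn_of(dn: str) -> str:
    """Return the unescaped CN (first RDN) of an LDAP DN."""
    m = _CN_RE.match(dn.strip())
    if not m:
        raise ValueError(f"DN does not start with a CN: {dn!r}")
    # Undo LDAP escaping such as "\," inside the RDN value
    return re.sub(r"\\(.)", r"\1", m.group(1))


def map_groups(member_of, prefix="tacacs", require_prefix=True):
    """Derive the tac_plus group names from a user's memberOf values.

    Groups whose CN starts with `prefix` (assumed case-insensitive) are
    renamed by stripping it. Other groups are dropped when `require_prefix`
    is true, otherwise passed through unchanged. Order is preserved and
    duplicates are removed.
    """
    result = []
    for dn in member_of:
        cn = cn_of(dn)
        if cn.lower().startswith(prefix.lower()):
            name = cn[len(prefix):]
        elif require_prefix:
            continue
        else:
            name = cn
        if name and name not in result:
            result.append(name)
    return result


def unmatched_groups(tac_groups, configured):
    """Groups the backend would report that no "group = ..." block defines
    (exact comparison, as an assumed case-sensitive lookup would do)."""
    return [g for g in tac_groups if g not in configured]


def case_mismatches(tac_groups, configured):
    """Map each unmatched group to a configured name that differs only in
    case; such pairs explain a user who authenticates but gets no service."""
    by_lower = {c.lower(): c for c in configured}
    return {g: by_lower[g.lower()]
            for g in unmatched_groups(tac_groups, configured)
            if g.lower() in by_lower}


if __name__ == "__main__":
    groups = map_groups(SAMPLE_MEMBEROF)
    print("groups passed to tac_plus:", groups)
    print("not defined in tac_plus.cfg:",
          unmatched_groups(groups, CONFIGURED_TAC_GROUPS))
    print("case-only mismatches:",
          case_mismatches(groups, CONFIGURED_TAC_GROUPS))
```

Run it with the memberOf values of a real test user (for example from an ldapsearch against the same Global Catalog hosts) and the group names from your tac_plus.cfg; a non-empty "case-only mismatches" result means the backend and the configuration disagree on nothing but letter case.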