Issue with Cisco switches LDAP
30 views
Skip to first unread message
Brady Wang
Sep 29, 2025, 12:37:45 AMSep 29
to Event-Driven Servers
Hi Marc,
Here is the output :
xxx:~/event-driven-servers$ sudo tac_plus-ng tac_plus-ng.cfg
xxx:~/event-driven-servers$ sudo tail -F /var/log/syslog
Sep 29 11:43:24 xxx tac_plus-ng[84308]: Error tac_plus-ng.cfg:47: Expected 'acl', 'debug', 'enable', 'hushlogin', 'profile', 'script', 'skip' or '}', but got 'service'
Sep 29 11:43:24 xxx tac_plus-ng[84307]: Child reported fatal configuration problem. Exiting.
Sep 29 11:43:24 xxx tac_plus-ng[84308]: Error Detected fatal configuration error. Exiting.
Sep 29 11:44:53 xxx tac_plus-ng[84322]: startup (version 5bbc42f35383db902dd97b94c549b4d7055156e5)
Sep 29 11:44:53 xxx tac_plus-ng[84323]: epoll event notification mechanism is being used
Sep 29 11:44:53 xxx tac_plus-ng[84323]: bind to [10.1.248.113]:49 succeeded
Sep 29 11:44:53 xxx tac_plus-ng[84324]: epoll event notification mechanism is being used
Sep 29 11:44:53 xxx tac_plus-ng[84324]: Error tac_plus-ng.cfg:47: Expected 'acl', 'debug', 'enable', 'hushlogin', 'profile', 'script', 'skip' or '}', but got 'service'
Sep 29 11:44:53 xxx tac_plus-ng[84323]: Child reported fatal configuration problem. Exiting.
Sep 29 11:44:53 xxx tac_plus-ng[84324]: Error Detected fatal configuration error. Exiting.
Here is the configuration:
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { address = 10.1.248.113 port = 49 }
# Optional: IPv6 support
# listen = { address = :: port = 49 }
spawn = { instances min = 1 instances max = 10 }
background = yes
}
id = tac_plus-ng {
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog
mavis module = external {
# Set environment variables for LDAP connection
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldap://ldaps.xxxx.com.au:389"
setenv LDAP_BASE = "DC=xxxx,DC=com,DC=au"
setenv LDAP_BINDDN = "CN=svc_dsconn,OU=Service Accounts,OU=xxxx Users,DC=xxxx,DC=com,DC=au"
setenv LDAP_BINDPW = "xxxxx"
setenv LDAP_SCOPE = sub
setenv AD_GROUP_PREFIX = ""
setenv REQUIRE_TACACS_GROUP_PREFIX = 0
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_GROUP_FILTER = "(&(objectclass=group)(member=%s))"
# Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
# Do NOT set USE_TLS unless you are sure; see notes below
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
# Use mavis for all authentication backends
login backend = mavis
user backend = mavis
pap backend = mavis
device cisco {
address = 10.1.252.100/24
key = "Cisco123!"
}
# --- Profile(s) mapped from AD groups ---
profile cisco-admin {
# IOS/IOS-XE/ASA: priv-lvl drives full admin
service shell {
script {
if (cmd == "") {
set priv-lvl = 15
permit
}
}
}
}
ruleset {
rule ndc-admins {
if (member == "SEC_Network") { profile = cisco-admin permit }
deny
}
}
}
I currently have an issue setting up Cisco IOS switches to authenticate access via tac_plus-ng with LDAP. The admin user account is part of the LDAP group SEC_Network. Could you assist me with the configuration?
Here is the output :
xxx:~/event-driven-servers$ sudo tac_plus-ng tac_plus-ng.cfg
xxx:~/event-driven-servers$ sudo tail -F /var/log/syslog
Sep 29 11:43:24 xxx tac_plus-ng[84308]: Error tac_plus-ng.cfg:47: Expected 'acl', 'debug', 'enable', 'hushlogin', 'profile', 'script', 'skip' or '}', but got 'service'
Sep 29 11:43:24 xxx tac_plus-ng[84307]: Child reported fatal configuration problem. Exiting.
Sep 29 11:43:24 xxx tac_plus-ng[84308]: Error Detected fatal configuration error. Exiting.
Sep 29 11:44:53 xxx tac_plus-ng[84322]: startup (version 5bbc42f35383db902dd97b94c549b4d7055156e5)
Sep 29 11:44:53 xxx tac_plus-ng[84323]: epoll event notification mechanism is being used
Sep 29 11:44:53 xxx tac_plus-ng[84323]: bind to [10.1.248.113]:49 succeeded
Sep 29 11:44:53 xxx tac_plus-ng[84324]: epoll event notification mechanism is being used
Sep 29 11:44:53 xxx tac_plus-ng[84324]: Error tac_plus-ng.cfg:47: Expected 'acl', 'debug', 'enable', 'hushlogin', 'profile', 'script', 'skip' or '}', but got 'service'
Sep 29 11:44:53 xxx tac_plus-ng[84323]: Child reported fatal configuration problem. Exiting.
Sep 29 11:44:53 xxx tac_plus-ng[84324]: Error Detected fatal configuration error. Exiting.
Here is the configuration:
#!/usr/local/sbin/tac_plus-ng
id = spawnd {
listen = { address = 10.1.248.113 port = 49 }
# Optional: IPv6 support
# listen = { address = :: port = 49 }
spawn = { instances min = 1 instances max = 10 }
background = yes
}
id = tac_plus-ng {
log authzlog { destination = /var/log/tac_plus/authz/%Y/%m/%d.log }
log authclog { destination = /var/log/tac_plus/authc/%Y/%m/%d.log }
log acctlog { destination = /var/log/tac_plus/acct/%Y/%m/%d.log }
accounting log = acctlog
authentication log = authclog
authorization log = authzlog
mavis module = external {
# Set environment variables for LDAP connection
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldap://ldaps.xxxx.com.au:389"
setenv LDAP_BASE = "DC=xxxx,DC=com,DC=au"
setenv LDAP_BINDDN = "CN=svc_dsconn,OU=Service Accounts,OU=xxxx Users,DC=xxxx,DC=com,DC=au"
setenv LDAP_BINDPW = "xxxxx"
setenv LDAP_SCOPE = sub
setenv AD_GROUP_PREFIX = ""
setenv REQUIRE_TACACS_GROUP_PREFIX = 0
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_GROUP_FILTER = "(&(objectclass=group)(member=%s))"
# Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
# Do NOT set USE_TLS unless you are sure; see notes below
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
# Use mavis for all authentication backends
login backend = mavis
user backend = mavis
pap backend = mavis
device cisco {
address = 10.1.252.100/24
key = "Cisco123!"
}
# --- Profile(s) mapped from AD groups ---
profile cisco-admin {
# IOS/IOS-XE/ASA: priv-lvl drives full admin
service shell {
script {
if (cmd == "") {
set priv-lvl = 15
permit
}
}
}
}
ruleset {
rule ndc-admins {
if (member == "SEC_Network") { profile = cisco-admin permit }
deny
}
}
}
Regards,
Brady
fukhell
Sep 29, 2025, 5:26:37 AMSep 29
to event-driv...@googlegroups.com
Hi Brady,
Look at row 48, it doesn't look correct
service shell {
пн, 29 сент. 2025 г. в 09:37, Brady Wang <wzb...@gmail.com>:
--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/7914f529-d99f-41ca-8382-839b5d607807n%40googlegroups.com.
fukhell
Sep 29, 2025, 5:30:52 AMSep 29
to event-driv...@googlegroups.com
should be like this
profile readwrite {
script {
if (service == shell) {
if (cmd == "")
set priv-lvl = 15
permit
}
}
}
пн, 29 сент. 2025 г. в 14:26, fukhell <helpde...@gmail.com>:
Brady Wang
Sep 30, 2025, 10:08:41 PMSep 30
to Event-Driven Servers
Hi
fukhell,
setenv LDAP_SCOPE = sub
setenv AD_GROUP_PREFIX = ""
setenv REQUIRE_TACACS_GROUP_PREFIX = 0
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_GROUP_FILTER = "(&(objectclass=group)(member=%s))"
# Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
# Do NOT set USE_TLS unless you are sure; see notes below
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
Apart from LDAP_HOSTS change to "ldaps://ldaps.xxxx.com.au:636", any other attribute needed?
LDAPS server have a self-sign cert to provide connection. I have copied to /usr/local/share/ca-certificates/
Thanks for your help. It works now.
I'd like to change to LDAPS but failed.
I'd like to change to LDAPS but failed.
mavis module = external {
# Set environment variables for LDAP connection
setenv LDAP_SERVER_TYPE = "microsoft"
# Set environment variables for LDAP connection
setenv LDAP_SERVER_TYPE = "microsoft"
setenv LDAP_HOSTS = "ldaps://ldaps.xxxx.com.au:636"
setenv LDAP_BASE = "DC=xxxx,DC=com,DC=au"
setenv LDAP_USER = "CN=xxxx,OU=Service Accounts,OU=xxxx,DC=xxxx,DC=com,DC=au"
setenv LDAP_PASSWD = "xxxx"
setenv LDAP_BASE = "DC=xxxx,DC=com,DC=au"
setenv LDAP_USER = "CN=xxxx,OU=Service Accounts,OU=xxxx,DC=xxxx,DC=com,DC=au"
setenv LDAP_PASSWD = "xxxx"
setenv LDAP_SCOPE = sub
setenv AD_GROUP_PREFIX = ""
setenv REQUIRE_TACACS_GROUP_PREFIX = 0
setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
setenv LDAP_GROUP_FILTER = "(&(objectclass=group)(member=%s))"
# Optional: setenv REQUIRE_TACACS_GROUP_PREFIX = 0
# Do NOT set USE_TLS unless you are sure; see notes below
exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
}
Apart from LDAP_HOSTS change to "ldaps://ldaps.xxxx.com.au:636", any other attribute needed?
LDAPS server have a self-sign cert to provide connection. I have copied to /usr/local/share/ca-certificates/
Regards,
Brady
Reply all
Reply to author
Forward
0 new messages