tac_plus authentication with Active Directory


Yno

Feb 28, 2014, 10:36:56 AM2/28/14
to event-driv...@googlegroups.com
Hi

I want to authenticate Active Directory users on Cisco hardware.

On the tac_plus server:
MAVIS can authenticate against the AD; an ACK is received by the mavistest tool.

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-4012-1393601609-0
USER                jean
PASSWORD            Pass123
TACTYPE             AUTH

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-4012-1393601609-0
USER                jean
RESULT              ACK
PASSWORD            Pass123
SERIAL              WnUh6V2zLE10MAH6c6DM/A=
DBPASSWORD          Pass123
TACMEMBER           admin
TACTYPE             AUTH



On the Cisco:
Users can log in with the local TACACS IDs (cisco ; cisco), but not with the AD IDs.


Then ... I don't know where it is stuck.
Thank you for your advice.

Here is the tac_plus config file:
/usr/local/etc/tac_plus.cfg

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}
id = tac_plus {
        access log = /var/log/tac_plus/access/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log
        mavis module = external {
                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "DC1.domain.lan"
                setenv LDAP_BASE = "dc=domain,dc=lan"
                setenv LDAP_USER = "tacacs@domain.lan"
                setenv LDAP_PASSWD = Pass456
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis
        host = world {
                address = ::/0
                prompt = "Welcome\n"
                enable 15 = clear secret
                key = cisco
        }
        group = admin {
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }
        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
        }
        user = cisco {
                password = clear cisco
                member = admin
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }
        user = readonly {
                password = clear readonly
                member = guest
        }
}

Here are the Cisco switch settings:


aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host @IP
tacacs-server key cisco
line con 0
line aux 0
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 transport input telnet ssh
line vty 5 15
 transport input all
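
A diagnostic that complements the mavistest run above, written as an added example for this thread (it is not part of tac_plus or the MAVIS scripts): it parses the attribute-value-pair reply and the group blocks of tac_plus.cfg, then checks that the ACK carries a TACMEMBER naming a group the daemon actually defines, since an AD login that passes mavistest but fails on the switch commonly breaks at that mapping. The sample inputs are constructed from the values quoted in the post.

```python
import re
# Constructed sample: the relevant attribute-value pairs of the mavistest reply
# quoted in the thread (password fields left out of the diagnostic on purpose).
MAVIS_OUTPUT = """\
USER                jean
RESULT              ACK
TACMEMBER           admin
TACTYPE             AUTH
"""
# Constructed excerpt of the group blocks from the thread's tac_plus.cfg.
TAC_PLUS_CFG = """\
group = admin {
        service = shell { set priv-lvl = 15 }
}
group = guest {
        service = shell { set priv-lvl = 1 }
}
"""

def parse_avpairs(text):
    """Turn MAVIS 'KEY<spaces>VALUE' lines into a dict."""
    return {k: v.strip() for k, _, v in
            (ln.partition(" ") for ln in text.splitlines() if ln.strip())}

def parse_groups(cfg):
    """Map each 'group = NAME {' block to the priv-lvl it sets (None if unset)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*group\s*=\s*(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            groups[current] = None
        elif re.match(r"\s*(user|host)\s*=", line):
            current = None  # a priv-lvl inside a user/host block is not a group's
        elif current:
            m = re.search(r"set\s+priv-lvl\s*=\s*(\d+)", line)
            if m:
                groups[current] = int(m.group(1))
    return groups

def check_mavis_result(avpairs, groups):
    """Return (ok, reason): does the MAVIS reply map to a group tac_plus knows?"""
    if avpairs.get("RESULT") != "ACK":
        return False, "MAVIS did not ACK the authentication"
    member = avpairs.get("TACMEMBER")
    if not member:
        return False, "ACK without TACMEMBER: tac_plus has no group to assign"
    if member not in groups:
        return False, f"TACMEMBER {member!r} is not a group defined in tac_plus.cfg"
    return True, f"{avpairs.get('USER')} -> group {member}, priv-lvl {groups[member]}"
```

Feed it the full mavistest output and the real tac_plus.cfg to confirm the TACMEMBER value MAVIS returns is one of the groups the daemon knows before chasing the problem on the switch side.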




Marc Huber

Mar 1, 2014, 9:02:22 AM3/1/14
to event-driv...@googlegroups.com
Hi,

On 28.02.14 16:36, Yno wrote:
> On the Cisco:
> Users can log in with the local TACACS IDs (cisco ; cisco), but not with the
> AD IDs.
I don't see any obvious problems with your configuration. I'd first
check whether anything relevant was logged to syslog. If that
doesn't help: ./configure --debug, reinstall, then start the daemon in
the foreground with full debugging enabled (tac_plus -f -d -1
<configuration file>).

Cheers,

Marc

Yno

Mar 3, 2014, 6:16:51 AM3/3/14
to event-driv...@googlegroups.com
Okay, it works now (reinstall; reboot).
Thanks for your help.