Use TLS for TACACS authentication against AD


Zapino

Jan 31, 2021, 10:21:35 PM
to Event-Driven Servers

Hello Guys,

Is it possible to use TLS encryption between TACACS and AD? The AD admin provided me with the Root and Subordinate Certificate Authority certificates; I need to find a way to make that work together.

Thank you very much for any advice

Zapino

Jan 31, 2021, 10:44:51 PM
to Event-Driven Servers
In one conversation Marc mentioned, "USE_TLS triggers use of STARTTLS which will upgrade an unencrypted LDAP connection to an encrypted one." Then how do I make STARTTLS use the "provided by AD admin" certificate with TLS?

Marc Huber

Feb 1, 2021, 9:52:33 AM
to event-driv...@googlegroups.com
On 01.02.21 04:44, Zapino wrote:
> In one conversation Marc mentioned, "USE_TLS triggers use of STARTTLS
> which will upgrade an unencrypted LDAP connection to an encrypted
> one." Then how do I make STARTTLS use the "provided by AD admin"
> certificate with TLS?

I don't think Windows supports STARTTLS for LDAP. Both

setenv LDAP_HOSTS = "ldaps://<ip>:636"

and

setenv LDAP_HOSTS = "ldaps://<ip>:3269"

should work.

The backend script doesn't verify the server cert so you likely won't
need the CA certificates provided by your admin.

Cheers,

Marc
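Marc's answer above points out that the backend script does not verify the server certificate. The script below is an added example, not part of tac_plus or the backend script, that performs that check out of band: it builds a bundle from the Root and Subordinate CA certificates the AD admin supplied, opens a TLS 1.2+ connection to the LDAPS port from the LDAP_HOSTS URL and fails unless the server certificate chains to that bundle and matches the host name. The file names root-ca.pem, sub-ca.pem and ad-ca-bundle.pem are placeholders; the URL is the one from the setenv line.

```python
"""Independently verify the AD LDAPS endpoint that tac_plus will use.

Added example for this thread (not tac_plus code). It does the server
certificate check that the backend script skips, so the CA certificates
handed over by the AD admin are still put to use.
"""
import socket
import ssl
from urllib.parse import urlsplit

# Placeholder paths: the Root and Subordinate CA PEM files from the AD admin.
CA_FILES = ["root-ca.pem", "sub-ca.pem"]
CA_BUNDLE = "ad-ca-bundle.pem"
# Same URL as the "setenv LDAP_HOSTS" line; <ip> is the AD server address.
LDAP_HOSTS = "ldaps://<ip>:636"


def parse_ldap_url(url):
    """Return (scheme, host, port) for an LDAP URL.

    The port defaults to 636 for ldaps:// and 389 for ldap://, matching
    the ports AD listens on; 3269 (global catalog over TLS) must be
    given explicitly, as in the thread.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port


def write_ca_bundle(ca_files, bundle_path):
    """Concatenate the Root and Subordinate CA PEMs into one bundle.

    An AD-issued server certificate chains Root -> Subordinate -> server,
    so the verifier needs both CA certificates to build the path.
    """
    with open(bundle_path, "w") as out:
        for path in ca_files:
            with open(path) as f:
                out.write(f.read().rstrip("\n") + "\n")
    return bundle_path


def make_verifying_context(cafile):
    """TLS context that requires a server certificate chaining to cafile
    (or the system store when cafile is None) and checks the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def probe_ldaps(url, cafile, timeout=5.0):
    """Connect to the LDAPS endpoint, verify its certificate and report
    the negotiated TLS version plus the certificate subject and expiry.

    Raises ssl.SSLCertVerificationError when the chain does not lead to
    the bundle or the name does not match, i.e. exactly the failures the
    backend script would silently accept.
    """
    scheme, host, port = parse_ldap_url(url)
    if scheme != "ldaps":
        raise ValueError("only ldaps:// is probed here; STARTTLS is not attempted")
    ctx = make_verifying_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    bundle = write_ca_bundle(CA_FILES, CA_BUNDLE)
    print(probe_ldaps(LDAP_HOSTS, bundle))
```

Run it from the host that carries tac_plus so the probe sees the same network path the backend does; if it raises a certificate error while the backend still authenticates users, the backend is accepting a certificate the CA bundle does not vouch for, which is the gap Marc describes.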


Zapino

Feb 2, 2021, 12:07:29 AM
to Event-Driven Servers
Yeah, I see with tcpdump that the session is on port 636, and the OpenSSL command with the server IP where AD is configured gives me the certificate details and TLS 1.2, so the session seems to be encrypted. Thank you very much, Marc, for your help.