Password Incorrect received from TAC_PLUS on Switch when Authenticating from AD through LDAPS

Collin Smith

Jun 9, 2015, 4:48:52 PM
to event-driv...@googlegroups.com
Marc,
From a test router I am attempting to authenticate through TAC_PLUS using AD credentials transferred over LDAPS. I am finding that while accounts are being recognized the passwords are not. I receive password failures from accounts that otherwise authenticate fine for other services.
The exact Error is as follows:

Using keyboard-interactive authentication.

An error occured while parsing your user profile. Please ask your TACACS+
administrator to have a look at the TACACS+ logs and provide the following
information:

        Host: {ServerName}
        User: {AD Username}
        Date: Tue Jun  9 16:39:26 2015

Password incorrect.
Access denied


2015-06-09 14:13:29 -0400       x.x.x.x: shell login for 'username' from x.x.x.x on tty514 failed ()

I know the username is being recognized as any other format will return an error.

2015-06-09 14:45:04 -0400       x.x.x.x: shell login for 'domain\\username' from x.x.x.x on tty514 failed (no such user)
2015-06-09 15:05:46 -0400       x.x.x.x: shell login for 'username@domain.TLD' from x.x.x.x on tty514 failed (no such user)
2015-06-09 15:41:56 -0400       x.x.x.x: shell login for 'mr.wiggles' from x.x.x.x on tty514 failed (no such user)

Does anything below in my config look obviously wrong?

Thanks,
Collin

#!/usr/local/sbin/tac_plus
id = spawnd {
        listen = {
                port = 49
        }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        debug = +AUTHEN
        access log = /var/log/tac_plus/access/%Y%m%d.log
        accounting log = /var/log/tac_plus/acct/%Y%m%d.log
        authorization log = /var/log/tac_plus/auth/%Y%m%d.log

        mavis module = external {
                #script out = {
                #        if (undef($TACMEMBER) && $RESULT == ACK) set $RESULT = NAK
                #        if ($RESULT == ACK) set $PASSWORD_ONESHOT = 1
                #}

                setenv LDAP_SERVER_TYPE = "microsoft"
                setenv LDAP_HOSTS = "ldaps://x.x.x.x:636 ldaps://x.x.x.x:636"
                setenv LDAP_SCOPE = sub
                setenv LDAP_BASE = "dc=Domain,dc=TLD"
                setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
                setenv LDAP_USER = "LDAP Service Account"
                setenv LDAP_PASSWD = "Service Account Password"
                #setenv USE_TLS = 1   # <-- Regarding mavistest: the password fails with this turned on; otherwise LDAPS seems OK here.
                setenv AD_GROUP_PREFIX = TACACS_
                setenv REQUIRE_TACACS_GROUP_PREFIX = 1
                exec = /usr/local/lib/
        }

        login backend = mavis   # authenticate login via backend
        #pap backend = mavis    # authenticate PAP via backend

        host = world {
                welcome banner = "\nReally Bloated Welcome Message\n\n"

                # Crypt password generated by "openssl passwd -1 clear_text_password"
                enable 15 = crypt xxxxxxxxxxxxxxxxxxxxxx
                key = "KEY String"   # for the TACACS client
                address = 0.0.0.0/0
        }

        group = ADMIN {
                enable = login
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
        }

        #group = NMS {
        #        default service = permit
        #        service = shell {
        #                default command = permit
        #                default attribute = permit
        #                set priv-lvl = 1
        #        }
        #        enable = deny
        #        member = NMS
        #        cmd = show {
        #                permit "running-config .*"
        #                permit ip .*
        #                permit version .*
        #                deny .*
        #                message deny = "
        #*************************************************************
        #*You do not have the privilege level to execute this command*
        #*************************************************************
        #"
        #        }
        #}

        #group = AUDIT {
        #        default service = permit
        #        service = shell {
        #                default command = permit
        #                default attribute = permit
        #                set priv-lvl = 1
        #        }
        #        enable = deny
        #        member = AUDIT
        #        cmd = show {
        #                permit running-config .*
        #                permit ip .*
        #                permit version .*
        #                deny .*
        #                message deny = "
}

Marc Huber

Jun 10, 2015, 1:09:08 AM
to event-driv...@googlegroups.com
Hi Collin,


On 09.06.15 22:48, Collin Smith wrote:
> Marc,
> From a test router I am attempting to authenticate through TAC_PLUS using AD credentials transferred over LDAPS. I am finding that while accounts are being recognized the passwords are not. I receive password failures from accounts that otherwise authenticate fine for other services.
> The exact Error is as follows:
>
> Using keyboard-interactive authentication.
>
> An error occured while parsing your user profile. Please ask your TACACS+
> administrator to have a look at the TACACS+ logs and provide the following
> information:
>
>         Host: {ServerName}
>         User: {AD Username}
>         Date: Tue Jun  9 16:39:26 2015
>
> Password incorrect.
> Access denied
>
you should find a correlated "parsing dynamic profile failed" error message in one of your syslog files, plus -possibly- some additional information, e.g. "group not found". In the latter case, "skip missing groups = yes" might help (alternatively, the "groups" module may be used to filter the group names delivered by the backend).

Cheers,

Marc
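As an added example (not part of the thread, and not code from the tac_plus project), the following Python script does the correlation Marc describes by hand: it parses access-log lines in the format Collin posted, separates the "failed ()" entries (user found, login rejected) from the "failed (no such user)" entries (login name never matched the LDAP filter), and then looks for a "parsing dynamic profile failed" syslog line for the same user, checking whether it carries "group not found". Only the access-log layout and those two phrases come from the thread; the syslog line layout, the IP addresses, user names and the success line are constructed sample data.

```python
"""Triage tac_plus login failures against syslog (constructed example)."""
import re

# Access-log line layout, as posted in the thread:
#   2015-06-09 14:13:29 -0400   x.x.x.x: shell login for 'user' from x.x.x.x on tty514 failed (reason)
ACCESS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?P<nas>\S+): shell login for '(?P<user>[^']*)' from (?P<client>\S+) "
    r"on (?P<tty>\S+) (?P<result>succeeded|failed)(?: \((?P<reason>[^)]*)\))?\s*$"
)

# Phrases quoted in the thread; the surrounding syslog layout below is an assumption.
PROFILE_FAIL = "parsing dynamic profile failed"
GROUP_MISSING = "group not found"

# Constructed sample access log (documentation-range IPs, placeholder users).
SAMPLE_ACCESS_LOG = [
    r"2015-06-09 14:13:29 -0400       192.0.2.10: shell login for 'username' from 192.0.2.20 on tty514 failed ()",
    r"2015-06-09 14:45:04 -0400       192.0.2.10: shell login for 'domain\\username' from 192.0.2.20 on tty514 failed (no such user)",
    r"2015-06-09 15:05:46 -0400       192.0.2.10: shell login for 'username@domain.TLD' from 192.0.2.20 on tty514 failed (no such user)",
    r"2015-06-09 15:41:56 -0400       192.0.2.10: shell login for 'mr.wiggles' from 192.0.2.20 on tty514 failed (no such user)",
    r"2015-06-09 16:02:11 -0400       192.0.2.10: shell login for 'netops' from 192.0.2.20 on tty514 succeeded",
]

# Constructed sample syslog; the exact tac_plus wording around the phrase is assumed.
SAMPLE_SYSLOG = [
    "Jun  9 14:13:29 tacacs tac_plus[2143]: parsing dynamic profile failed (user 'username': group not found)",
    "Jun  9 14:13:30 tacacs tac_plus[2143]: unrelated message",
]


def parse_access_log(lines):
    """Return one dict per parseable access-log line; 'failed ()' yields reason == ''."""
    entries = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["reason"] = entry["reason"] or ""   # None on success lines
            entries.append(entry)
    return entries


def profile_errors_for(user, syslog_lines):
    """Syslog lines reporting a failed profile parse that mention this user (loose substring match)."""
    return [l for l in syslog_lines if PROFILE_FAIL in l and user in l]


def triage(access_lines, syslog_lines):
    """Map each failed login name to a one-line diagnosis."""
    diagnoses = {}
    for e in parse_access_log(access_lines):
        if e["result"] != "failed":
            continue
        user, reason = e["user"], e["reason"]
        if reason == "no such user":
            diagnoses[user] = ("no such user: the backend returned no object for this login name; "
                               "LDAP_FILTER matches the bare sAMAccountName, so DOMAIN\\user and "
                               "user@domain forms will not match")
        elif reason == "":
            hits = profile_errors_for(user, syslog_lines)
            if any(GROUP_MISSING in h for h in hits):
                diagnoses[user] = ("profile parsing failed: group not found; define the group in "
                                   "tac_plus.conf or set 'skip missing groups = yes'")
            elif hits:
                diagnoses[user] = "profile parsing failed: " + hits[0]
            else:
                diagnoses[user] = ("rejected with no reason and no profile error in syslog; "
                                   "re-run the MAVIS backend by hand with mavistest")
        else:
            diagnoses[user] = reason
    return diagnoses


if __name__ == "__main__":
    for user, why in triage(SAMPLE_ACCESS_LOG, SAMPLE_SYSLOG).items():
        print(f"{user!r}: {why}")
```

Point it at the real access log and syslog by replacing the two sample lists with the file contents; the distinction it draws is the one Collin already made by hand, an empty reason means the account was found and something after the lookup (profile parsing or the password bind) failed, while "no such user" means the login name never matched the filter.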
