I have been struggling with an issue for the last 2 days.
With my config, I am able to log in with an LDAP (AD) account, but when I use the locally defined user that resides in the tacacs-ng config, it does not work.
I am not able to identify my issue.
I appreciate any help or guidance, thank you.
#!/usr/local/sbin/tac_plus-ng
# Process supervisor section: tac_plus-ng is started through spawnd.
id = spawnd {
# Accept TACACS+ connections on port 49.
listen = { port = 49 }
# Lower and upper bound on the number of spawned server instances.
spawn = {
instances min = 1
instances max = 10
}
# Detach from the terminal after startup.
background = yes
}
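id = tac_plus-ng
{
    ##### LDAP-Config-Start #####
    # Maps directory group DNs to tac_plus-ng group names.
    # Both patterns anchor on the leading "CN=<group>," so that each
    # alternative is checked the same way. In the original form
    # "/^(CN=AdminSupport,)|(CN=NetworkSupport)$/" the "^" applied only to
    # the first alternative and the "$" only to the second, so the
    # NetworkSupport branch could never match a full DN (which ends in
    # "DC=...") in the groups filter, and in the memberof filter it matched
    # unanchored anywhere in the string (e.g. "CN=NetworkSupportOld,...").
    # The ruleset below already uses the "^CN=<group>," form.
    mavis module = groups {
        groups filter = /^CN=(AdminSupport|NetworkSupport),/
        memberof filter = /^CN=(AdminSupport|NetworkSupport),/
    }
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        # Global-catalog URL over TLS; the forum paste had it wrapped onto
        # two lines, it must be one quoted string.
        setenv LDAP_HOSTS = "ldaps://example.com:3269"
        setenv LDAP_SCOPE = sub
        setenv LDAP_BASE = "DC=contiwan,DC=com"
        setenv LDAP_FILTER = "(&(objectclass=user)(sAMAccountName=%s))"
        # Bind identity for the directory lookup (placeholder as posted).
        setenv LDAP_USER = "cn=service-account"
        # Placeholder as posted. The real bind password sits in this file in
        # the clear, so the file must be readable only by the tac_plus-ng
        # service account.
        setenv LDAP_PASSWD = "password123"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv AD_GROUP_PREFIX = ""
        setenv FLAG_CACHE_CONNECTION = 1
        setenv FLAG_USE_MEMBEROF = 1
        # Script path was split across two lines in the paste; it is one path.
        exec = /usr/local/lib/mavis/mavis_tacplus-ng_ldap.pl
    }
    # All three backends are served by the MAVIS module chain above.
    # NOTE(review): the locally defined user "swbackup" below carries its own
    # clear-text password; confirm in the tac_plus-ng documentation whether
    # "login backend = mavis" consults MAVIS before (or instead of) the local
    # password, which would explain a local account that only works via LDAP.
    login backend = mavis
    user backend = mavis
    pap backend = mavis
    ##### LDAP-Config-End #####

    ##### Host/Devices-subnets-config-file-Start #####
    device conti {
        include = /config/world.locations
    }
    # Content of world.locations as posted (the "address =" value had been
    # wrapped onto the following line in the paste):
    # device = local-it {
    #     address = 10.10.10.0/25
    #     welcome banner = "\nConnection by Tacacs Server ${hostname}\n"
    #     key = asdasdasd
    # }
    ##### Host/Devices-subnets-config-file-End #####

    ##### Profiles-Config-Start #####
    # Full administrative access: shell at priv-lvl 15, WLC role ALL,
    # cas-service SUPER-ADMIN-ROLE.
    profile admins {
        script {
            if (service == shell) {
                set priv-lvl = 15
                permit
            }
            if (service == "ciscowlc") {
                set role1 = "ALL"
                permit
            }
            if (service == "cas-service") {
                set protocol = "permit"
                set custom-av-pair = "Role=SUPER-ADMIN-ROLE"
                set priv-lvl = 15
                permit
            }
        }
    }
    # Backup account: same services as "admins" but cas-service role RESTAPI.
    profile backups {
        script {
            if (service == shell) {
                set priv-lvl = 15
                permit
            }
            if (service == "ciscowlc") {
                set role1 = "ALL"
                permit
            }
            if (service == "cas-service") {
                set protocol = "permit"
                set custom-av-pair = "Role=RESTAPI"
                set priv-lvl = 15
                permit
            }
        }
    }
    # Local-IT profile. Unlike the two profiles above it conditions on
    # cmd == "" without braces; in tac_plus-ng's script syntax that "if"
    # appears to govern only the next "set" line, leaving "permit"
    # unconditional (attributes set at shell start, every command permitted).
    # Confirm this is the intended behaviour. Note also that "ciscowlc",
    # "cas-service" and ALL are unquoted here but quoted in the other profiles.
    profile admin_LIT {
        script {
            if (service == shell) {
                if (cmd == "")
                    set priv-lvl = 15
                permit
            }
            if (service == ciscowlc) {
                if (cmd == "")
                    set role1 = ALL
                permit
            }
            if (service == cas-service) {
                if (cmd == "")
                    set priv-lvl = 15
                set custom-av-pair="Role=LITM"
                permit
            }
        }
    }

    # NOTE(review): each group lists itself as its own "member"; confirm this
    # is accepted by the parser and is not meant to reference the profile of
    # the same name (profiles are assigned in the ruleset below).
    group admins { member = admins }
    group backups { member = backups }
    group admin_LIT { member = admin_LIT }

    # Locally defined user (not looked up via LDAP).
    user = swbackup {
        # Placeholder as posted. tac_plus-ng also accepts a hashed value
        # ("password login = crypt ..."), which keeps the clear-text password
        # out of the config file.
        password login = clear "test123"
        member = backups
    }

    ##### Ruleset-Config-Start #####
    ruleset {
        # Local accounts: matched on tac_plus-ng group membership.
        rule localaccounts {
            enabled = yes
            script {
                if (member == admins) { profile = admins permit }
                if (member == backups) { profile = backups permit }
            }
        }
        # Directory accounts: matched on the memberOf DN prefix.
        rule scs {
            enabled = yes
            script {
                if (memberof =~ /^CN=AdminSupport,/) { profile = admins permit }
            }
        }
        # Directory accounts restricted to the local-it device.
        rule localit {
            enabled = yes
            script {
                ########################NAFTA##
                if (nas == local-it) { if (memberof =~ /^CN=NetworkSupport,/ ) {profile = admin_LIT permit}}
            }
        }
    }
}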
##### Ruleset-Config-End #####
---------------------------------------------------------------------------------------