How to make users from AD authenticate on Juniper devices?


Zapino

Jan 31, 2021, 3:09:34 AM
to Event-Driven Servers
Hello guys,
Please help me find where the issue is. I need to make network devices + TACACS + AD work together, and I have been struggling for a couple of days with authenticating a user from AD who belongs to a specific group into the switch through TACACS.


When I try to authenticate I get this message in the log of the Juniper switch: "User 'remote' authenticated successfully but no local login-id configured." If I add user "remote" then it works. Usually user "remote" is needed when the "authenticated user does not exist locally on the router or switch"; in my case I have a user in the switch with the name "SU", but the mapping with TACACS does not seem to work :(

The goal is to allow users from AD who belong to the "Network_admin" group to have super-user rights, and to give the other users from AD operator rights.

Example: user "zapino" belongs to group "Network_admin", so give him "SU" rights in the switch.

Below is my config and the user AUTH verification:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-11737-1612063448-0
USER                zapino
PASSWORD            Pass123
TACTYPE             AUTH


Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-11737-1612063448-0
USER                zapino
RESULT              ACK
PASSWORD            Pass123
SERIAL              eWUrRKY2bn+H6G7QrxY/ow=
DBPASSWORD          Pass123
TACMEMBER           "Users","Network_admin","video","support","cloud"
TACTYPE             AUTH




tac_plus.conf


#!/usr/local/sbin/tac_plus
id = spawnd {
    listen = { address = 0.0.0.0 port = 49 }
    # Uncomment the line below for IPv6 support
    #listen = { address = :: port = 49 }

    spawn = {
        instances min = 1
        instances max = 10
    }
    background = yes
}
id = tac_plus {
    debug = ALL -PARSE
    access log = /var/log/tac_plus/access/%Y/%m/access-%m-%d-%Y.txt
    accounting log = /var/log/tac_plus/accounting/%Y/%m/accounting-%m-%d-%Y.txt
    authentication log = /var/log/tac_plus/authentication/%Y/%m/authentication-%m-%d-%Y.txt
    mavis module = external {
        setenv LDAP_SERVER_TYPE = "microsoft"
        setenv LDAP_HOSTS = "172.16.133.10"
        setenv LDAP_BASE = "DC=corp,DC=test,DC=com"
        setenv LDAP_SCOPE = sub
        setenv LDAP_FILTER = "(&(objectClass=user)(objectClass=person)(sAMAccountName=%s))"
        setenv LDAP_USER = "ldap...@corp.test.com"
        setenv LDAP_PASSWD = "1234"
        setenv UNLIMIT_AD_GROUP_MEMBERSHIP = 1
        setenv EXPAND_AD_GROUP_MEMBERSHIP = 0
        setenv AD_GROUP_PREFIX = ""
        setenv REQUIRE_TACACS_GROUP_PREFIX = 1
        exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
    }
    login backend = mavis
    user backend = mavis
    pap backend = mavis
    skip missing groups = yes
    host = mgmtnet {
        address = 0.0.0.0/0
        key = "mykey"
    }

    group = Network_admin {
        service = junos-exec {
            set local-user-name = SU
        }
    }
}


Config on the Juniper device:

set system authentication-order tacplus
set system tacplus-server 172.16.133.13 secret "xxxxxx"
set system tacplus-server 172.16.133.13 timeout 10
set system tacplus-server 172.16.133.13 single-connection
set system tacplus-server 172.16.133.13 source-address 172.30.11.103
set system accounting destination tacplus


set system login user SU uid 2006
set system login user SU class super-user


Marc Huber

Jan 31, 2021, 7:41:22 AM
to event-driv...@googlegroups.com
On 31.01.21 05:11, Zapino wrote:
> When I try to authenticate I have message in log  of juniper switch
> "User 'remote' authenticated successfully but no local login-id
> configured.", if I add user "remote" then that work, usually user
> "remote" need when "authenticated user does not exist localy on the
> router or switch", in my case I have user in switch  with name "SU"
> but mapping with TACACS seems doesnt work :(
>
> The scope is to allow users from AD which bellongs to "Network_admin"
> group to have super-user rights and users others users from AD to give
> them operators rights.
>
> Example : User "zapino" belongs to group "Network_admin" provide him
> rights "SU" in the switch.

SU might be just too short. According to

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-access-tacacs-authentication.html

the minimum length for the local-user-name VSA is 3.

Cheers,

Marc


Zapino

Jan 31, 2021, 9:17:19 AM
to event-driv...@googlegroups.com
Thank you very much for answering, Marc, but I have tried different user names in the past and it doesn't work :( I tried renaming SU => netadmin, same issue :(

I attached a portion of the syslog; maybe it can help:

Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get: checking user/group zapino, tag (NULL)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.16.65.174: ACL __internal__realm_default: match (cached)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get: checking user/group Network_admin, tag (NULL)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: not found: svcname=junos-exec@mgmtnet protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 zap...@172.30.11.103: found: svcname=junos-exec protocol=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 cfg_get_svc_attrs_func: found svcname=junos-exec proto=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 added 4 args
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 Writing AUTHOR/PASS_ADD size=104
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<start packet>---
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 key used: phatcat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 version: 192, type: 2, seq no: 2, flags: unencrypted
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 session id: a37f205d, data length: 92
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 packet body (len: 92): \001\004\000\000\000\000\021\027\026\024allow-commands=.*allow-configurations=.*local-user-name=remoteuser-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 01 04 00 00 00 00 11 17  16 14 61 6c 6c 6f 77 2d  ........ ..allow-
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 63 6f 6d 6d 61 6e 64 73  3d 2e 2a 61 6c 6c 6f 77  commands =.*allow
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0020 2d 63 6f 6e 66 69 67 75  72 61 74 69 6f 6e 73 3d  -configu rations=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0030 2e 2a 6c 6f 63 61 6c 2d  75 73 65 72 2d 6e 61 6d  .*local- user-nam
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0040 65 3d 72 65 6d 6f 74 65  75 73 65 72 2d 70 65 72  e=remote user-per
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0050 6d 69 73 73 69 6f 6e 73  3d 61 6c 6c              missions =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 AUTHOR/REPLY, status=1 (AUTHOR/PASS_ADD)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg_len=0, data_len=0, arg_cnt=4
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 msg (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 data (len: 0):
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[0] (len: 17): allow-commands=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f  6d 6d 61 6e 64 73 3d 2e  allow-co mmands=.
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 2a                                                *
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[1] (len: 23): allow-configurations=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 61 6c 6c 6f 77 2d 63 6f  6e 66 69 67 75 72 61 74  allow-co nfigurat
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 69 6f 6e 73 3d 2e 2a                              ions=.*
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[2] (len: 22): local-user-name=remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 6c 6f 63 61 6c 2d 75 73  65 72 2d 6e 61 6d 65 3d  local-us er-name=
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 72 65 6d 6f 74 65                                 remote
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 arg[3] (len: 20): user-permissions=all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0000 75 73 65 72 2d 70 65 72  6d 69 73 73 69 6f 6e 73  user-per missions
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 0010 3d 61 6c 6c                                       =all
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103 ---<end packet>---

Sun, 31 Jan 2021 at 07:41, Marc Huber <marc.j...@gmail.com>:

Marc Huber

Jan 31, 2021, 10:38:08 AM
to event-driv...@googlegroups.com, Zapino
On 31.01.21 15:17, Zapino wrote:
> Thank you very much for answering Marc , but I have tried different
> user names in the past doesn't work :( , I tried and renamed SU =>
> netadmin, the same issue :(

I'm afraid I won't be of much help then -- I have no access to Junos
devices. The daemon debug doesn't show any error either.

However, "allow-configurations" looks wrong; the correct VSA here is
"allow-configuration". Your Junos device may very well reject the
session for that (unrecognized but mandatory VSA from daemon).

Cheers,

Marc
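A small checker that applies the two points raised in this thread (the local-user-name minimum length of 3 from Marc's first reply, and the misspelled allow-configurations attribute from his second) to the tac_plus debug output the poster attached. This is added example code, not part of the thread or of the tac_plus project; the set of Junos VSAs it knows is limited to the attributes mentioned on this page, and the sample log lines are a shortened copy of the poster's debug output.

```python
import re

# Junos TACACS+ authorization attributes named in this thread (tac_plus service junos-exec).
# Assumption: the list is limited to what the thread mentions; extend it for your deployment.
KNOWN_JUNOS_VSAS = {
    "local-user-name", "allow-commands", "deny-commands",
    "allow-configuration", "deny-configuration", "user-permissions",
}
MIN_LOCAL_USER_NAME_LEN = 3  # minimum length Marc quotes from the Juniper documentation

# tac_plus debug line: "... -> add NAME=VALUE (k)" ('=' is mandatory, '*' optional in TACACS+)
ADD_RE = re.compile(r"-> add ([A-Za-z0-9_-]+)([=*])(.*?)(?: \(\w\))?$")


def parse_added_args(log_text):
    """Extract (name, separator, value) for every attribute tac_plus added to the reply."""
    found = []
    for line in log_text.splitlines():
        m = ADD_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def check_junos_args(args):
    """Return human-readable problems a Junos device would likely reject or ignore."""
    problems = []
    for name, sep, value in args:
        if name not in KNOWN_JUNOS_VSAS:
            kind = "mandatory" if sep == "=" else "optional"
            hint = [k for k in KNOWN_JUNOS_VSAS if name.startswith(k)]
            msg = f"unknown {kind} VSA '{name}'"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            problems.append(msg)
        elif name == "local-user-name" and len(value) < MIN_LOCAL_USER_NAME_LEN:
            problems.append(
                f"local-user-name '{value}' is shorter than {MIN_LOCAL_USER_NAME_LEN} characters")
    return problems


# Constructed sample: the "add" lines from the thread's debug output, prefix shortened.
SAMPLE_LOG = """\
tac_plus[28598]: nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
tac_plus[28598]: nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
tac_plus[28598]: nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
tac_plus[28598]: nas:absent srv:user-permissions=all -> add user-permissions=all (k)
"""

if __name__ == "__main__":
    for p in check_junos_args(parse_added_args(SAMPLE_LOG)):
        print("problem:", p)
    # The mapping the poster originally configured: a two-character local user name.
    for p in check_junos_args([("local-user-name", "=", "SU")]):
        print("problem:", p)
```

Run against the attached log it flags only allow-configurations; run against the poster's original group mapping it flags the two-character name SU.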


Zapino

Jan 31, 2021, 12:06:11 PM
to Event-Driven Servers
Thank you Marc, but I am wondering where in the debug log the rights get assigned during the authentication session? In the TACACS config there is just "set local-user-name = netadmin".

Zapino

Jan 31, 2021, 12:06:11 PM
to Event-Driven Servers
I need to mention that the AD is not under my control.

On Sunday, January 31, 2021 at 10:38:08 a.m. UTC-5 Marc Huber wrote:

Marc Huber

Jan 31, 2021, 12:17:41 PM
to event-driv...@googlegroups.com
Hi,

On 31.01.21 17:47, Zapino wrote:
> Thank you Marc but I wondering from where in debug log during the
> authentication session there are rights assigned? , in Tacacs config
> is just "set local-user-name = netadmin"

Are you certain about this? Your debug output showed that there were
mandatory arguments configured ...

Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:service=junos-exec (passed thru)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-commands=.* -> add allow-commands=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:allow-configurations=.* -> add allow-configurations=.* (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:local-user-name=remote -> add local-user-name=remote (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
nas:absent srv:user-permissions=all -> add user-permissions=all (k)
Jan 31 14:11:37 tacacs-co tac_plus[28598]: ab/5d207fa3: 172.30.11.103
added 4 args

Cheers,

Marc

Zapino

Jan 31, 2021, 4:22:42 PM
to Event-Driven Servers
Hi Marc, thank you very much for pointing me to the issue.

I made a stupid :) mistake: at the beginning I went with another TACACS package, "shrubbery", before I found the MAVIS TACACS, which is documented very well. I thought I had taken that service down, but during the troubleshooting I brought both TACACS daemons up, which basically made the other TACACS answer my requests instead of the MAVIS TACACS.

Thank you very much