[tac_plus] Authentication using Likewise and AD

John Fraizer john at op-sec.us
Mon Mar 30 20:31:42 UTC 2015


We have a fairly robust and redundant LDAP infrastructure at [insert very
large public company] too but, that doesn't mean that I'll accept a SPOF
(the LDAP infrastructure) in my network AAA.

I do a hybrid approach.  I have several TACACS+ servers that user LOCAL
accounts unix and password = PAM in tac_plus to auth.  The accounts are
replicated automagically on all all TACACS+ servers.  I validate the local
accounts against LDAP once/hour.  There *must* be a corresponding account
in LDAP - otherwise, the "local" account is locked.  Account creation is
also tied to there being an LDAP account.  I enforce password complexity,
age and reuse via PAM_cracklib and I've got a script that runs daily to
send out reminder emails to users every day for 14 days leading up to their
password expiring.  If they fail to log into the TACACS+ server and change
their password before it expires, the script locks the account.

I don't know about your company but, for SOX compliance, this works best
for mine.  I don't want the password they use for the local intranet or
email to be the same password that they use to log into network
infrastructure for a multitude of reasons.  BUT, I had to make
account-locking automatic in the event that someone is terminated (their
account is removed from LDAP as part of that process - which causes their
TACACS+ account to be locked) or their password expires (they refuse to log
in and change their password.)    This also keeps the "keys to the kingdom"
in the hands of those who should hold them.  It doesn't matter if you have
an LDAP account.  That doesn't let you log into the network
infrastructure.  You must ALSO have an account on the TACACS+
infrastructure - which can only be created by my team.

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/



On Mon, Mar 30, 2015 at 1:17 PM, Matt Almgren <matta at surveymonkey.com>
wrote:

>  Hi John, thanks for the information.  We have a fairly robust and
> redundant AD env here, so I’m not worried about it .  Plus we have other
> workarounds if the entire AAA infrastructure goes to hell that I can’t
> discuss on a public list.
>
>  My main goal is just to get as close to SSO as we can at this point.
> I’ll try out the PAM method and report back my findings.
>
>  Thanks, Matt
>
>
>
>
>
>
>
>
>   From: John Fraizer <john at op-sec.us>
> Date: Monday, March 30, 2015 at 12:53 PM
> To: Matt Almgren <matta at surveymonkey.com>
> Cc: "tac_plus at shrubbery.net" <tac_plus at shrubbery.net>
> Subject: Re: [tac_plus] Authentication using Likewise and AD
>
>   Configure tac_plus to use password = PAM and it will authenticate via
> whatever mechanism(s) PAM is configured to use.  With that said, bear in
> mind that using LDAP for network auth isn't exactly the best idea.  When
> you have a problem with your LDAP server, tac_plus doesn't know.  It just
> acts as if your credentials are wrong and you're unable to log into network
> devices.  It is even MORE fun because you can't even log into your tac_plus
> server and shut down tac_plus so your network devices will use "local"
> authentication because the server is ALSO using LDAP to authenticate.
>
>  Just some things to keep in mind.
>
>   --
> John Fraizer
> LinkedIn profile: http://www.linkedin.com/in/johnfraizer/
>
>
>
> On Mon, Mar 30, 2015 at 11:36 AM, Matt Almgren <matta at surveymonkey.com>
> wrote:
>
>>
>> Hello all, I’ve recently joined another company that uses Likewise for
>> authentication against AD.   Does anyone have any experience working with
>> Likewise and using it with TAC+?  I’m assuming that if I configure PAM with
>> TAC+, it will pass those authentication requests on to the AD server?
>>
>> We’re running Ubuntu 14.04.1 LTS and the latest version of tac_plus, if
>> that helps.
>>
>> Thanks, Matt
>>
>>
>> --
>> Matt Almgren
>> Sr. Networking Engineer | SurveyMonkey
>>
>>
>>
>>
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL: <
>> http://www.shrubbery.net/pipermail/tac_plus/attachments/20150330/8a6e9d43/attachment.html
>> >
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/tac_plus/attachments/20150330/ff7cff9d/attachment.html>


More information about the tac_plus mailing list