<div dir="ltr">We have a fairly robust and redundant LDAP infrastructure at [insert very large public company] too but, that doesn't mean that I'll accept a SPOF (the LDAP infrastructure) in my network AAA.<div><br></div><div>I do a hybrid approach. I have several TACACS+ servers that use LOCAL unix accounts and password = PAM in tac_plus to auth. The accounts are replicated automagically on all TACACS+ servers. I validate the local accounts against LDAP once/hour. There *must* be a corresponding account in LDAP - otherwise, the "local" account is locked. Account creation is also tied to there being an LDAP account. I enforce password complexity, age and reuse via PAM_cracklib and I've got a script that runs daily to send out reminder emails to users every day for 14 days leading up to their password expiring. If they fail to log into the TACACS+ server and change their password before it expires, the script locks the account.</div><div><br></div><div>I don't know about your company but, for SOX compliance, this works best for mine. I don't want the password they use for the local intranet or email to be the same password that they use to log into network infrastructure for a multitude of reasons. BUT, I had to make account-locking automatic in the event that someone is terminated (their account is removed from LDAP as part of that process - which causes their TACACS+ account to be locked) or their password expires (they refuse to log in and change their password.) This also keeps the "keys to the kingdom" in the hands of those who should hold them. It doesn't matter if you have an LDAP account. That doesn't let you log into the network infrastructure. 
You must ALSO have an account on the TACACS+ infrastructure - which can only be created by my team.</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div>--</div>John Fraizer<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">http://www.linkedin.com/in/johnfraizer/</a></div><div><br><div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br></span></div></div></div></div></div>
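An added worked example of the hourly LDAP reconciliation and the password-expiry reminder/lock policy described above (written for this page, not the poster's actual script). It assumes the TACACS+ admin accounts' /etc/shadow lines are handed to run(), that LDAP uids are listed with ldapsearch in bare LDIF (-LLL), that locking is done with usermod -L, and that the base DN and the lock/remind hooks are placeholders.

```python
"""Hourly reconcile of local TACACS+ (PAM) accounts against LDAP, plus password-age policing.
Added illustration, not the poster's script. ASSUMED: the shadow lines passed to run()
are the TACACS+ admin accounts, LDAP uids come from ldapsearch, locking is 'usermod -L'."""
import subprocess

REMIND_DAYS = 14                        # reminder window from the post

def parse_shadow(line):
    """(user, locked, last_change_day, max_age_days) from one /etc/shadow line:
    name:hash:lastchg:min:max:warn:inactive:expire; usermod -L prefixes the hash with '!'."""
    f = line.rstrip("\n").split(":")
    return f[0], f[1].startswith("!"), int(f[2] or 0), (int(f[4]) if f[4] else None)

def expiry_action(last_change_day, max_age_days, today):
    """'lock' once past max age, 'remind:N' within REMIND_DAYS of expiry, else 'ok'."""
    if max_age_days is None:
        return "ok"
    days_left = last_change_day + max_age_days - today
    if days_left < 0:
        return "lock"
    return f"remind:{days_left}" if days_left <= REMIND_DAYS else "ok"

def ldap_uids(base_dn, uri="ldap://localhost"):
    """Set of uid values in LDAP, parsed from ldapsearch's bare-LDIF (-LLL) output."""
    cmd = ["ldapsearch", "-x", "-H", uri, "-b", base_dn, "-LLL", "(uid=*)", "uid"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return {l.split(":", 1)[1].strip() for l in out.splitlines() if l.startswith("uid:")}

def run(shadow_lines, ldap, today, lock=None, remind=None):
    """Apply the policy; today = days since the Unix epoch (the unit /etc/shadow uses).
    Returns ({user: reason} locked, {user: days_left} reminded)."""
    lock = lock or (lambda u: subprocess.run(["usermod", "-L", u], check=True))
    remind = remind or (lambda u, d: print(f"reminder: {u} password expires in {d} days"))
    locked, reminded = {}, {}
    for line in shadow_lines:
        user, is_locked, last, max_age = parse_shadow(line)
        if is_locked:
            continue                         # already locked, nothing to do
        action = expiry_action(last, max_age, today)
        if user not in ldap:                 # no LDAP account (e.g. terminated) -> lock
            locked[user] = "no-ldap-account"
        elif action == "lock":
            locked[user] = "password-expired"
        elif action.startswith("remind:"):
            reminded[user] = int(action.split(":")[1])
    for user in locked:
        lock(user)
    for user, days in reminded.items():
        remind(user, days)
    return locked, reminded
```

From cron, filter /etc/shadow down to the admin accounts and call run(lines, ldap_uids("ou=people,dc=example,dc=com"), (date.today() - date(1970, 1, 1)).days) as root; the lock/remind hooks let the policy be exercised without touching the system.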
<br><div class="gmail_quote">On Mon, Mar 30, 2015 at 1:17 PM, Matt Almgren <span dir="ltr"><<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word;color:rgb(0,0,0);font-size:14px;font-family:Calibri,sans-serif">
<div>
<div>Hi John, thanks for the information. We have a fairly robust and redundant AD env here, so I’m not worried about it. Plus we have other workarounds if the entire AAA infrastructure goes to hell that I can’t discuss on a public list. </div>
<div><br>
</div>
<div>My main goal is just to get as close to SSO as we can at this point. I’ll try out the PAM method and report back my findings.</div>
<div><br>
</div>
<div>Thanks, Matt</div>
</div>
<div><br>
</div>
<span>
<div style="font-family:Calibri;font-size:11pt;text-align:left;color:black;BORDER-BOTTOM:medium none;BORDER-LEFT:medium none;PADDING-BOTTOM:0in;PADDING-LEFT:0in;PADDING-RIGHT:0in;BORDER-TOP:#b5c4df 1pt solid;BORDER-RIGHT:medium none;PADDING-TOP:3pt">
<span style="font-weight:bold">From: </span>John Fraizer <<a href="mailto:john@op-sec.us" target="_blank">john@op-sec.us</a>><br>
<span style="font-weight:bold">Date: </span>Monday, March 30, 2015 at 12:53 PM<br>
<span style="font-weight:bold">To: </span>Matt Almgren <<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>><br>
<span style="font-weight:bold">Cc: </span>"<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a>" <<a href="mailto:tac_plus@shrubbery.net" target="_blank">tac_plus@shrubbery.net</a>><br>
<span style="font-weight:bold">Subject: </span>Re: [tac_plus] Authentication using Likewise and AD<br>
</div>
<div><br>
</div>
<div>
<div><span class="">
<div dir="ltr">Configure tac_plus to use password = PAM and it will authenticate via whatever mechanism(s) PAM is configured to use. With that said, bear in mind that using LDAP for network auth isn't exactly the best idea. When you have a problem with your
LDAP server, tac_plus doesn't know. It just acts as if your credentials are wrong and you're unable to log into network devices. It is even MORE fun because you can't even log into your tac_plus server and shut down tac_plus so your network devices will
use "local" authentication because the server is ALSO using LDAP to authenticate.
<div><br>
</div>
<div>Just some things to keep in mind.</div>
</div>
</span><div class="gmail_extra"><span class=""><br clear="all">
<div>
<div>
<div dir="ltr">
<div>--</div>
John Fraizer
<div>LinkedIn profile: <a href="http://www.linkedin.com/in/johnfraizer/" target="_blank">
http://www.linkedin.com/in/johnfraizer/</a></div>
<div><br>
<div><span style="color:rgb(53,53,53);font-family:Arial,sans-serif;font-size:12px;line-height:12px;background-color:rgb(244,244,244)"><br>
</span></div>
</div>
</div>
</div>
</div>
<br>
</span><div class="gmail_quote"><span class="">On Mon, Mar 30, 2015 at 11:36 AM, Matt Almgren <span dir="ltr">
<<a href="mailto:matta@surveymonkey.com" target="_blank">matta@surveymonkey.com</a>></span> wrote:<br>
</span><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hello all, I’ve recently joined another company that uses Likewise for authentication against AD. Does anyone have any experience working with Likewise and using it with TAC+? I’m assuming that if I configure PAM with TAC+, it will pass those authentication
requests on to the AD server?<br>
<br>
We’re running Ubuntu 14.04.1 LTS and the latest version of tac_plus, if that helps.<br>
<br>
Thanks, Matt<br>
<br>
<br>
--<br>
Matt Almgren<br>
Sr. Networking Engineer | SurveyMonkey<br>
<br>
<br>
<br>
<br>
</blockquote>
</div></div></div>
<br>
</div>
</div>
</div>
</span>
</div>
</blockquote></div><br></div>