Cisco NX-OS 9K – LDAP Configuration

cisco-nexus

I'm having some trouble configuring LDAP authentication (via Windows AD) when connecting via SSH on our Cisco. I replaced some information from the switch; you will see it in uppercase here.

Currently we only have one shared user, and the goal is to have users login with their own AD accounts and passwords.

I've verified connectivity to the AD Domain Controller using telnet with the IP on port 389.

Here's the relevant (aaa, ldap, user) info when I look at the running config:


username admin password 5 PASSWORD role network-admin

feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60
aaa group server ldap GROUPNAME
  server NAMEOFSERVER
  no ldap-search-map

aaa authentication login default group GROUPNAME
aaa authentication login console local
aaa authorization ssh-publickey default group GROUPNAME
aaa accounting default group GROUPNAME

Here's some additional info:

version 7.0(3)I6(1)

The user I'm logging in with is in a different ou, but this rootDN user should see all of the accounts. This set-up works fine for other non-Cisco devices.

show aaa authorization all
pki-ssh-cert: local
pki-ssh-pubkey: group GROUPNAME
AAA command authorization:
default authorization for config-commands: local
default authorization for commands: local
console authorization for config-commands: local
console authorization for commands: local

Here's some debug information:

2020 Jan 29 14:14:25.830685 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830697 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830708 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830718 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830728 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830743 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830757 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830770 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830784 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830797 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830810 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830820 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830831 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830844 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830857 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830870 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830884 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830897 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830910 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830924 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830937 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830950 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830967 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830980 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.830993 ldap: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2020 Jan 29 14:14:25.831009 ldap: mts_ldap_aaa_request_handler: entering for aaa session id 0
2020 Jan 29 14:14:25.831029 ldap: mts_ldap_aaa_request_handler: user :MYACCOUNT@EXAMPLE.COM:, user_len 30, user_data_len 13
2020 Jan 29 14:14:25.831043 ldap: ldap_authenticate: user MYACCOUNT@EXAMPLE.COM servergroup GROUPNAME
2020 Jan 29 14:14:25.831059 ldap: ldap_global_config: entering ...
2020 Jan 29 14:14:25.831103 ldap: ldap_global_config: GET_REQ...
2020 Jan 29 14:14:25.831115 ldap: ldap_global_config: got back the return value of global configuration operation: SUCCESS
2020 Jan 29 14:14:25.831124 ldap: ldap_global_config: REQ - num server 1 num group 2 timeout 5 deadtime 0
2020 Jan 29 14:14:25.831134 ldap: ldap_global_config: returning retval 0
2020 Jan 29 14:14:25.831143 ldap: ldap_servergroup_config: GET_REQ for LDAP servergroup index 0 name GROUPNAME
2020 Jan 29 14:14:25.831162 ldap: ldap_pss_move2key: rcode = 0 syserr2str = SUCCESS
2020 Jan 29 14:14:25.831183 ldap: ldap_servergroup_config: GET_REQ got protocol server group index 2 name GROUPNAME
2020 Jan 29 14:14:25.831193 ldap: ldap_servergroup_config: returning retval 0 for server group GROUPNAME
2020 Jan 29 14:14:25.831205 ldap: IN FUNCTION ldap_search_map.... for name
2020 Jan 29 14:14:25.831214 ldap: ldap_search_map: entering for search_map , index 0
2020 Jan 29 14:14:25.831222 ldap: ldap_search_map: key size 532, value size 2200
2020 Jan 29 14:14:25.831230 ldap: ldap_search_map: GET_REQ: search_index: 0, search_map:
2020 Jan 29 14:14:25.831237 ldap: find_search_map: entering for search map
2020 Jan 29 14:14:25.831258 ldap: ldap_pss_move2key: rcode = 40480003 syserr2str = no such pss key
2020 Jan 29 14:14:25.831269 ldap: ldap_pss_move2key: calling pss2_getkey
2020 Jan 29 14:14:25.831276 ldap: find_search_map: search map not in PSS
2020 Jan 29 14:14:25.831284 ldap: ldap_search_map: no search map with Protocol search map:
2020 Jan 29 14:14:25.831294 ldap: ldap_search_map: got back the return value of Protocol server operation: can not find the LDAP server, desc: can not find the LDAP server
2020 Jan 29 14:14:25.831307 ldap: ldap_authenticate: ldap_read_config failed for server group GROUPNAME
2020 Jan 29 14:14:25.831320 ldap: ldap_send_response_to_aaa: entering for user MYACCOUNT@EXAMPLE.COM auth_result 7
2020 Jan 29 14:14:25.831349 ldap: ldap_send_response_to_aaa: (user MYACCOUNT@EXAMPLE.COM) - mts_send_response success
2020 Jan 29 14:14:27 NAMEOFSWITCH %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed from IPOFSWITCH - dcos_sshd[6734]

It accepts the following commands:

aaa authorization ssh-publickey default group GROUPNAME

but anytime I try to do:

aaa authorization commands default group GROUPNAME
Command failed to apply

I'm sure I just don't know too much about the roles, I'm missing something from the docs, or I don't know which attribute Cisco looks for by default for role access. I'm going to try a different rootDN user that does not have a comma in its password.

Resources Used:

AAA Section
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_011.html

LDAP Section
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_0110.html

Best Answer

aaa authorization commands default group GROUPNAME applies only for tacacs-based groups, not for ldap. For ldap authentication, initial rootDN configuration will help in root binding. But then for ldap search, you need to configure search-map with proper filter and baseDN so as to extract the particular user information from the ldap directory.
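The debug trace above fails at ldap_search_map ("search map not in PSS", then "ldap_read_config failed"), which is exactly the missing piece the answer names. The following is an added example, not from the original post or from Cisco: a small Python lint that parses an NX-OS running-config excerpt and reports whether the LDAP login path is complete (feature enabled, server defined, server group bound to a search-map, search-map carrying an attribute name, filter and base-DN). Both config excerpts inside it are constructed; the first mirrors the poster's config, the second shows the shape the answer describes. The map name ADMAP, the use of the "description" attribute and the sAMAccountName filter are assumptions chosen for illustration, as is the $userid placeholder that NX-OS substitutes into the filter.

```python
"""Lint an NX-OS running-config excerpt for a complete LDAP login path.

Added example (not the poster's or Cisco's code). The excerpts below are
constructed; names, filter and attribute are illustrative assumptions.
"""
import re

# Constructed: the poster's shape, server group with `no ldap-search-map`.
CONFIG_BROKEN = """\
feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60
aaa group server ldap GROUPNAME
  server NAMEOFSERVER
  no ldap-search-map
aaa authentication login default group GROUPNAME
aaa authentication login console local
"""

# Constructed: same config with a search-map defined and attached to the group.
# ADMAP, the "description" attribute and the sAMAccountName filter are assumptions;
# $userid is the token NX-OS replaces with the login name (assumption).
CONFIG_FIXED = """\
feature ldap
ldap-server host NAMEOFSERVER rootDN "cn=USERACCT,DC=EXAMPLE,DC=COM" password 7 PASSWORD timeout 60
ldap search-map ADMAP
  userprofile attribute-name "description" search-filter "(&(objectClass=person)(sAMAccountName=$userid))" base-DN "DC=EXAMPLE,DC=COM"
aaa group server ldap GROUPNAME
  server NAMEOFSERVER
  ldap-search-map ADMAP
aaa authentication login default group GROUPNAME
aaa authentication login console local
"""


def parse_blocks(config):
    """Map each top-level config line to its indented sub-commands, in order."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def lint_ldap(config):
    """Return a list of findings; an empty list means the LDAP path is complete."""
    findings = []
    blocks = parse_blocks(config)
    if "feature ldap" not in blocks:
        findings.append("feature ldap is not enabled")

    servers = set()
    search_maps = {}
    groups = {}
    for line, children in blocks.items():
        if m := re.match(r"ldap-server host (\S+)", line):
            servers.add(m.group(1))
        elif m := re.match(r"ldap search-map (\S+)", line):
            search_maps[m.group(1)] = children
        elif m := re.match(r"aaa group server ldap (\S+)", line):
            groups[m.group(1)] = children
    if not servers:
        findings.append("no ldap-server host configured")

    for name, children in groups.items():
        # Every `server X` in the group must refer to a defined ldap-server host.
        unknown = {c.split()[1] for c in children if c.startswith("server ")} - servers
        if unknown:
            findings.append(f"group {name} references undefined server(s): {sorted(unknown)}")
        # Without a bound search-map the switch cannot look the user up at all.
        maps = [c.split()[1] for c in children if c.startswith("ldap-search-map ")]
        if not maps:
            findings.append(f"group {name} has no ldap-search-map: user lookup cannot run")
        for mp in maps:
            if mp not in search_maps:
                findings.append(f"group {name} binds search-map {mp}, which is not defined")
                continue
            profile = [c for c in search_maps[mp] if c.startswith("userprofile ")]
            if not profile:
                findings.append(f"search-map {mp} has no userprofile entry")
                continue
            for needed in ("attribute-name", "search-filter", "base-DN", "$userid"):
                if needed not in profile[0]:
                    findings.append(f"search-map {mp} userprofile is missing {needed}")

    # The login method must point at a group that exists.
    for line in blocks:
        if m := re.match(r"aaa authentication login default group (\S+)", line):
            if m.group(1) not in groups:
                findings.append(f"login default uses undefined group {m.group(1)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(label, lint_ldap(cfg) or "OK")
```

The lint only checks the shape of the configuration; it does not confirm that the rootDN bind succeeds, that the filter matches the user in their OU, or that the switch can reach the domain controller from the VRF the server group uses, so a clean result still needs a test login with `debug ldap` watching for the search-map lookup to succeed where the trace above failed.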
