What worked for my quick test lab:
Setup:
- Windows 2016 Server with AD & tacacs.net configured.
- LTM v.14 running with internal vlan connected into the above server.
Tacacs.net config files (found under c:\ProgramData\TACACS.net\config):
- tacacsplus.xml => LocalIP changed from 127.0.0.1 to the NIC IP facing LTM (10.1.20.30 in my case)
- authentication.xml:
  a) LDAPServer stays on 127.0.0.1:389 (check with "dsquery user -samid " from cli on Windows AD Server)
  b) LDAPUserDirectorySubtree updated to your AD setup (w/ input taken from above B-a)
  c) LDAPGroupName set on Domain Users
  d) LDAPAccessUserName set on the user tacacs.net will use to connect to LDAP (say, it's called "ldap_user")
  e) LDAPAccessUserPassword ClearText="" DES="???" (find it with "tacdes" in cmd on Windows Server)
- Verify tacacs.net connection to AD works by executing the following command in Windows Server's cli: "tacacs -s 10.1.20.30 -k "pass_set_during_tacacs.net_setup" -u user user_a -p user_a_pass"
- authorization.xml - equally important. Without this, authentication will pass but authorization will fail and LTM login will fail.
  a) Add UserGroup with value Users
  b) Set / Uncomment section with service=ppp and protocol=ip
Having done this, the last bit would be to set LTM (System -> Users -> Authentication = Remote - TACACS+ w/ servicename=ppp, protocolname=ip, Role=Administrator, Encryption=enabled, secret=pass_set_during_tacacs.net_setup, TerminalAccess=tmsh {or according to your need})
Once done & saved, a "tail -f" on Windows Server c:\ProgramData\TACACS.net\Logs\Debug*.log will show:
$ tail -f Debug_2019-03-11_9.log
IsSingleConnect=False
SessionID=1327763209
DataLength=18
Authorization Status=PassAdd
User=
Port=
Args: protocol=ip
<87> 2019-03-11 12:50:38 [10.1.20.251:1386] Removing session 1327763209
<87> 2019-03-11 12:51:17 Removed 2 old connections. Remaining connections=0
<87> 2019-03-11 13:09:43 Device 10.1.20.251:25366 is allowed to connect based on settings for group INTERNAL
<94> 2019-03-11 13:09:43 New client connection opened for 10.1.20.251:25366 TID:7
<87> 2019-03-11 13:09:43 TOTAL connections: 1
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 1 packets on connection
<87> 2019-03-11 13:09:43 [10.1.20.251:25366]
Received:
MajorVersion=12
MinorVersion=1
Type=Authentication
SeqNum=1
IsEncrypted=True
IsSingleConnect=False
SessionID=-1286258581
DataLength=33
Authentication Start:
Action=Login
Priv_Lvl=0
Type=PAP
Service=PPP
User=user_a
Port=unknown
RemAddr=
Data=**************
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user-user_a
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] User user_a does not belong to group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Local file Authentication result: user-user_a specified in group Network Engineering=InvalidUserOrPassword
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Result of authentication user against group Network Engineering is InvalidUserOrPassword. Trying to authentiate against next group in list
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Users
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Performing authentication of user user_a against group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:User user_a belong to group Domain Users - from cache
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD: User user_a belongs to group Domain Users
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD:LDAP auth result = Passed. AD:Authentication passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] AD Authentication result: user-user_a against group Users=Passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Authentication for user user_a passed against group Users - Passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 2 packets on connection
<87> 2019-03-11 13:09:43 [10.1.20.251:25366]
Sending:
MajorVersion=12
MinorVersion=1
Type=Authentication
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=-1286258581
DataLength=6
Authentication AuthReply:
Status=Pass
Flags=Debug
UserMsg=
Data=
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] Removing session -1286258581
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] Device 10.1.20.251:3478 is allowed to connect based on settings for group INTERNAL
<94> 2019-03-11 13:09:44 [10.1.20.251:25366] New client connection opened for 10.1.20.251:3478 TID:7
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] TOTAL connections: 2
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 1 packets on connection
<87> 2019-03-11 13:09:44 [10.1.20.251:3478]
Received:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=1
IsEncrypted=True
IsSingleConnect=False
SessionID=1732981209
DataLength=45
Authorization Method=TACACSPLUS
Priv lvl=0
Auth Type=PAP
Service=PPP
User=user_a
Port=unknown
Rem Addr=
Args: service=ppp protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:Checking if user user_a belongs to group Domain Users for LDAPServer=127.0.0.1:389 UseSSL=False DomainName= UserDirectoryDN=cn=Users,DC=f5demo,DC=com UserObjectClass=user UserNameAttribute=sAMAccountName MemberOfAttribute=memberOf AdminUserName=user_a AuthType=Ntlm
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] AD:User user_a belong to group Domain Users - from cache
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Authorization Entry 1 is being applied based on Client configuration
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Received 2 packets on connection
<87> 2019-03-11 13:09:44 [10.1.20.251:3478]
Sending:
MajorVersion=12
MinorVersion=0
Type=Authorization
SeqNum=2
IsEncrypted=True
IsSingleConnect=False
SessionID=1732981209
DataLength=18
Authorization Status=PassAdd
User=
Port=
Args: protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Removing session 1732981209
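As an added example that is not part of the original post (and not tacacs.net's or F5's own tooling), here is a small Python script that parses the tacacs.net Debug*.log format shown above and reports, per TACACS+ session, which groups were tried, whether authentication returned Pass and whether authorization returned PassAdd. That makes the failure mode the post warns about (authentication passes, authorization fails, LTM login fails) visible at a glance instead of having to read the raw dump. The log embedded in the script is a constructed subset of the lines quoted above; the field names and message formats come from those lines, and anything beyond them (for example, that every passing authorization status begins with "Pass") is an assumption noted in the code.

```python
import re
from typing import Dict, Optional

# Constructed sample: a subset of the tacacs.net Debug*.log lines quoted in the post above
# (one authentication session, then one authorization session for the same LTM login).
SAMPLE_LOG = """\
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Received 1 packets on connection
<87> 2019-03-11 13:09:43 [10.1.20.251:25366]
Received:
Type=Authentication
SessionID=-1286258581
Authentication Start:
User=user_a
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] User user_a does not belong to group Network Engineering
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Trying to authenticate user against group Users
<87> 2019-03-11 13:09:43 [10.1.20.251:25366] Authentication for user user_a passed against group Users - Passed
<87> 2019-03-11 13:09:43 [10.1.20.251:25366]
Sending:
Type=Authentication
SessionID=-1286258581
Authentication AuthReply:
Status=Pass
<87> 2019-03-11 13:09:44 [10.1.20.251:25366] Removing session -1286258581
<87> 2019-03-11 13:09:44 [10.1.20.251:3478]
Received:
Type=Authorization
SessionID=1732981209
User=user_a
Args: service=ppp protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478]
Sending:
Type=Authorization
SessionID=1732981209
Authorization Status=PassAdd
Args: protocol=ip
<87> 2019-03-11 13:09:44 [10.1.20.251:3478] Removing session 1732981209
"""

# Event lines look like "<pri> date time [client:port] message"; client and message are optional.
EVENT_RE = re.compile(r"^<\d+> \S+ \S+(?: \[(?P<client>[\d.]+:\d+)\])?(?: (?P<msg>.*))?$")
GROUP_RE = re.compile(r"authenticate user against group (.+)$")


def parse_debug_log(text: str) -> Dict[str, dict]:
    """Return {SessionID: summary} built from the packet dumps and the events between them."""
    sessions: Dict[str, dict] = {}
    current_sid: Dict[str, str] = {}   # client address -> SessionID of its open request
    packet: Optional[dict] = None      # packet dump currently being read, if any

    def close_packet() -> None:
        nonlocal packet
        if packet is None:
            return
        f = packet["fields"]
        sid = f.get("SessionID")
        if sid:
            s = sessions.setdefault(sid, {
                "client": packet["client"], "type": f.get("Type"), "user": None,
                "requested_args": None, "status": None, "granted_args": None, "groups_tried": [],
            })
            if packet["direction"] == "Received":      # request from the LTM
                s["user"] = f.get("User") or s["user"]
                s["requested_args"] = f.get("Args")
                current_sid[packet["client"]] = sid
            elif packet["direction"] == "Sending":     # reply from tacacs.net
                s["status"] = f.get("Authorization Status") or f.get("Status")
                s["granted_args"] = f.get("Args")
        packet = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            close_packet()                 # any event line ends the packet dump in progress
            client, msg = m.group("client"), m.group("msg") or ""
            if client and not msg:
                # A bare "[client:port]" line is followed by a "Received:" / "Sending:" dump.
                packet = {"client": client, "direction": None, "fields": {}}
            elif client:
                g = GROUP_RE.search(msg)   # "Trying to authenticate user against group X"
                sid = current_sid.get(client)
                if g and sid in sessions:
                    sessions[sid]["groups_tried"].append(g.group(1))
            continue
        if packet is None:
            continue                       # stray line outside any packet dump
        if line in ("Received:", "Sending:"):
            packet["direction"] = line[:-1]
        elif line.startswith("Args:"):
            packet["fields"]["Args"] = line[len("Args:"):].strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            packet["fields"][key.strip()] = value.strip()
    close_packet()
    return sessions


def login_outcome(sessions: Dict[str, dict], user: str) -> Dict[str, bool]:
    """An LTM login needs both phases to pass; the authorization phase is what authorization.xml controls."""
    def passed(kind: str) -> bool:
        # Assumption: every passing tacacs.net status starts with "Pass" (the log shows Pass and PassAdd).
        return any(s["user"] == user and s["type"] == kind and (s["status"] or "").startswith("Pass")
                   for s in sessions.values())
    return {"authenticated": passed("Authentication"), "authorized": passed("Authorization")}


# The same sample cut before the authorization session: the failure mode the post describes.
AUTH_ONLY_LOG = SAMPLE_LOG.split("<87> 2019-03-11 13:09:44 [10.1.20.251:3478]")[0]

if __name__ == "__main__":
    for name, log in (("full login", SAMPLE_LOG), ("authentication only", AUTH_ONLY_LOG)):
        parsed = parse_debug_log(log)
        for sid, s in parsed.items():
            print(f"{name}: {s['type']} session {sid} user={s['user']} status={s['status']} "
                  f"groups_tried={s['groups_tried']} args={s['requested_args']} -> {s['granted_args']}")
        print(f"{name}: {login_outcome(parsed, 'user_a')}")
```

Run it against a real Debug log with `parse_debug_log(open(path).read())`; a login that shows `authenticated=True, authorized=False` points at authorization.xml (the UserGroup entry or the commented-out service=ppp/protocol=ip section), while `authenticated=False` with several entries in `groups_tried` points at the group order or the LDAP settings in authentication.xml.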