but it’s a bit unclear. After a debugging process I found out that the Linux PAM only sends logins which exist locally on the device. Root, Admin and User are embedded. So when I enter the “admin” login and the PAM is configured as “Optional” I can see “admin” as the user name and obviously it doesn’t match. For some reason it doesn’t send the AD user’s creds. Looks like it’s more of a question for Linux and PAM, but for me it makes no sense because one of the use cases for TACACS is AD creds. I can’t understand what has to be matched with what. On Linux devices there are 3 embedded groups (root, admin, user) and I can’t change them, but I can create local users. On the ISE there are AD groups, but what do I have to do to match AD groups like RO\RW with the local Admin\User groups? Does anyone have this experience? Share guides please. Thanks!
a Teltonika RUT device with TACACS+ and Cisco ISE can indeed be tricky, especially when dealing with Linux PAM and Active Directory (AD) integration. Based on your description, here are some steps and considerations that might help clarify the process:
Understanding the PAM Configuration
The PAM_tacplus module acts as a TACACS+ client, but it relies on the local Linux system’s user accounts unless explicitly configured to authenticate against external sources like AD.
To enable AD credentials, you may need to configure PAM to use both TACACS+ and an AD authentication module (e.g., pam_winbind or pam_ldap).
Mapping AD Groups to Local Groups
Since the RUT device has fixed local groups (root, admin, user), you’ll need to map AD groups to these local groups. This can be done in Cisco ISE by creating authorization policies that assign specific privilege levels based on the AD group membership.
For example:
Map the AD group RO (Read-Only) to the local user group.
Map the AD group RW (Read-Write) to the local admin group.
Cisco ISE Configuration
Ensure that the ISE server is correctly joined to the AD domain and that the required AD groups are imported into ISE.
Create TACACS+ profiles in ISE to define the privilege levels and command sets for each group.
Configure authorization policies in ISE to assign the appropriate TACACS+ profile based on the user’s AD group membership.
Teltonika RUT Device Configuration
Follow the Teltonika TACACS+ guide to configure the RUT device as a TACACS+ client. Pay close attention to the PAM_tacplus settings and ensure the shared secret matches the one configured in ISE.
If the guide is unclear, focus on the sections related to PAM configuration and ensure that the auth, account, and session directives in the PAM configuration file are correctly set up to use PAM_tacplus.
Debugging and Testing
Use the debug tools on both the RUT device and Cisco ISE to monitor authentication attempts and identify where the process is failing.
On the RUT device, check the PAM logs (/var/log/auth.log or /var/log/secure) for errors or warnings.
On Cisco ISE, use the TACACS+ live logs to verify that the authentication requests are being received and processed correctly.
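As an added illustration (not from the original reply, and not Teltonika’s own generated configuration), here is what a generic pam_tacplus stack for an interactive login service looks like, with the point the thread keeps circling back to spelled out in the comments: PAM only decides whether the typed password is accepted, while the login program still has to resolve the username to a UID through NSS, which pam_tacplus does not provide. The ISE address 10.0.0.5, the shared secret, the service/protocol values and the file name are placeholders; how the RUT WebUI writes its own PAM files is not stated in the thread.

```pam
# Added example: a generic pam_tacplus stack (e.g. /etc/pam.d/sshd on a stock
# Linux box). Server address, secret, service and protocol are assumptions.

# auth: the "user" field of the TACACS+ request is PAM_USER exactly as typed.
# Nothing here rewrites it into an AD form, so the login name must be what
# ISE's identity source sequence can look up in AD (sAMAccountName such as
# "jdoe" is the usual case). "sufficient" means a TACACS+ accept ends the
# stack; a reject or an unreachable server falls through to the local check.
auth     sufficient  pam_tacplus.so server=10.0.0.5 secret=CHANGE-ME timeout=5
auth     required    pam_unix.so try_first_pass

# account: ask ISE for authorization; fall back to the local account database.
# service= and protocol= are sent as attribute-value pairs and are required by
# pam_tacplus for the account and session phases.
account  sufficient  pam_tacplus.so server=10.0.0.5 secret=CHANGE-ME service=shell protocol=ssh
account  required    pam_unix.so

# session: TACACS+ accounting start/stop; local session setup still runs.
session  optional    pam_tacplus.so server=10.0.0.5 secret=CHANGE-ME service=shell protocol=ssh
session  required    pam_unix.so

# Caveat: even when the auth phase above is accepted by ISE, sshd/login then
# calls getpwnam() for the username. That lookup goes through NSS
# (/etc/nsswitch.conf: "passwd: files ..."), not PAM. Unless an NSS backend
# such as libnss_winbind or libnss_ldap supplies the AD account, the name must
# exist in /etc/passwd, which is why a local user with the same name is needed.
```

Note the division of labour: pam_winbind and pam_ldap are PAM modules and only cover the password check; making an AD user "exist" on the box is the job of their NSS counterparts in nsswitch.conf, and whether Teltonika’s firmware ships those packages is not something this thread establishes.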
Thanks, appreciate it! You mentioned that we should use the PAM_ldap and PAM_winbind packages as well; could you share some examples of configuration please? As I said before, we have the situation where on the ISE server I can see TACACS messages from the RUT device, but only when I try to log in with a local username like “admin”, and it is “admin” that I see in the TACACS request message. The question is how to force Teltonika to send AD creds, and in what format?
You need to create local users on the RUT device with the same username as you have in your TACACS+ server for it to work correctly; there is no other way at this moment. External users (without creating them locally) are only available for PAM RADIUS.
Thanks mate! But as far as I know the purpose of AAA (TACACS or RADIUS) is to use a centralized store of creds to avoid creating them locally. We can try with RADIUS as well; it was plan B. Do you have an example for RADIUS? Thanks