topic Re: LDAP authentication on Catalyst 3850 in Network Access Control

LDAP authentication on Catalyst 3850

nblazquez — Wed, 05 Apr 2023 14:23:23 GMT

Hello everyone,

I'm trying to implement LDAP authentication on Cisco Catalyst 3850 switches, they run IOS XE 16.12.08. My LDAP server is an Open LDAP running slapd on TCP/636

According to the documentation, and if I trust the available commands, it seems that it is possible!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ldap/configuration/15-e/sec-usr-ldap-15-e-book/sec_conf_ldap.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ldap/configuration/xe-3se/3850/sec-usr-ldap-xe-3se-3850-book.html

However, I can't find any concrete example of this on the internet !

Here is my current configuration on the Catalyst :

ldap server ldapvip

ipv4 172.28.X.X

transport port 636

timeout retransmit 20

bind authenticate root-dn ou=**,cn=**,dc=**,dc=** password 7 ********

base-dn dc=**,dc=**

authentication bind-first

mode secure

aaa new-model

aaa authentication login default group ldap

aaa new-model

aaa authentication login default group ldap

aaa authentication enable default group ldap

aaa session-id common

The OpenLdap is functionnal, as I already implemented authentication for those same Catalyst, but using tacacs and a PAM solution to interface my tacacs solution to the OpenLdap.

The thing is when I'm trying to authenticate using my LDAP configuration, the catalyst doesn't send any packet to the LDAP server, there is a Firewall in the middle but I tested the tcp/636 port and even allowed every type of traffic between those two hosts.

When I try to authenticate, the ouptut of debug aaa authentication is :
GMT: AAA/BIND(000010CA) Bind i/f
GMT: AAA/AUTHEN/LOGIN (000010CA) : Pick method list 'default'

GMT: AAA/AUTHEN/LOGIN (000010CA) : Pick method list 'default'

And the default method list is set to ldap, wich according to the documentation, consists in every ldap host defined, such as my ldapvip.

I've struggled with this for a long time, and I tried many other configurations.

Does anyone see the issue ?

Re: LDAP authentication on Catalyst 3850

Nancy Saini — Wed, 05 Apr 2023 17:02:20 GMT

Enable LDAP debugs on the switch and check if switch is initiating any authentication request.

Re: LDAP authentication on Catalyst 3850

nblazquez — Thu, 06 Apr 2023 07:20:01 GMT

Hello,
Thank you for your answer! Here are the debug output :

GMT: LDAP: Received queue eventg, new AAA requests
GMT: LDAP: LDAP authentication request
GMT: Username/Password sanity check failed!!
GMT: LDAP: LDAP doesn't support interactive login

GMT: LDAP: LDAP: Queuing AAA request 4310 for processing

GMT: LDAP: Received queue event, new AAA request

GMT: LDAP: LDAP authentication request

GMT: LDAP: Username/Password sanity sanity check failed!!

GMT: LDAP: LDAP doesn't support interactive login

Re: LDAP authentication on Catalyst 3850

Nancy Saini — Thu, 06 Apr 2023 18:04:07 GMT

Debugs are self-explanatory that LDAP doesn't support interactive login and the same is mentioned in this document.

Re: LDAP authentication on Catalyst 3850

nblazquez — Fri, 07 Apr 2023 07:42:12 GMT

Yes I figured it out, thank you for your help, now I need to find a workaround