1631 Views, 15 Helpful, 5 Replies

Cisco ISE with TACACS and a 3850 switch (backed by OpenLDAP)

AHinNH
Beginner

I'm hoping someone could give me some pointers as to how I could get this working. I've been tasked with testing Cisco ISE for possible wide deployment at my company (2,000+ network devices).

The goal is to get TACACS+ working for authentication as the standard for all our network devices and have it talk to our openldap server for credentials.

I've downloaded the ISE trial and have it running in my lab environment. Version is 2.4.0.357. My guinea pig is a Cisco 3850 (WS-C3850-48P) with software version 16.3.6. Both ISE and the 3850 are on the same network. There is no firewall between them at all, and I've confirmed that there is some traffic going back and forth between the two (via ping and tcpdump).

I believe I have ISE configured correctly to talk to openldap. For example, it fetches the list of groups automatically and allows me to select one of the ldap groups with no problem.

I'm not sure if I've configured the 3850 correctly. The documentation I find for the device doesn't seem to jive with my software version, perhaps, with regard to the command line options available. I've poked around and tried various configs (at one point managing to lock myself out of the device completely; that was fun).

Here are the related config lines from the 3850 as it sits currently:

aaa new-model
!
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+
!
aaa session-id common
aaa traceback recording
!
interface Vlan2222
 ip address 10.0.126.2 255.255.255.224
!
tacacs-server key xxxxxxxxxxxxxxx
tacacs server CISCOISELAB
 address ipv4 10.0.126.3
 key xxxxxxxxxxxxxxx

I've definitely got the server key the same on the ISE side and the 3850 (copy/pasted it to minimize typo possibilities).

When I use the ISE diag tcpdump facility, I can see two-way communication; however, the TACACS-related packets don't show much. Here is what all the actual TACACS packets look like:

Transmission Control Protocol, Src Port: 18525, Dst Port: 49, Seq: 1, Ack: 1, Len: 43
Source Port: 18525
Destination Port: 49
[Stream index: 0]
[TCP Segment Len: 43]
Sequence number: 1 (relative sequence number)
[Next sequence number: 44 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 4128
[Calculated window size: 4128]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x20db [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.001515000 seconds]
[Bytes in flight: 43]
[Bytes sent since last PSH flag: 43]
[Timestamps]
[Time since first frame in this TCP stream: 0.001820000 seconds]
[Time since previous frame in this TCP stream: 0.000206000 seconds]
TCP payload (43 bytes)
[PDU Size: 43]
TACACS+
Major version: TACACS+
Minor version: 0
Type: Authentication (1)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
.... ...0 = Unencrypted: Not set
.... .0.. = Single Connection: Not set
Session ID: 1852465111
Packet length: 31
Encrypted Request

I also tried looking for ldap traffic during an attempted logon using an ldap user account, and I don't see any traffic there.

So, could anyone give me some pointers on what I might be doing wrong?

Thanks!

--
Andrew

2 Accepted Solutions

Nadav
Rising star

Your AAA configuration on the switch is incorrect.

You've configured your primary method of connecting via VTY as local and not tacacs+. It should be the other way around.

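As an added example (not code from the original thread, from Cisco, or from the posters), here is a small Python audit that parses the AAA method lists quoted in the question, flags the lists where `local` is placed ahead of `group tacacs+` in the way Nadav describes, and prints the reordered line with `local` kept as the last-resort fallback. The sample config is constructed from the lines in the question; the function and variable names are my own. IOS tries the methods of a list left to right and only moves on when the previous method does not respond, so a reachable local user database listed first means the TACACS+ server is never asked.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the AAA method lists quoted from the 3850 in the question.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Method lists where ordering decides whether TACACS+ is ever consulted.
# Accounting is left out: start-stop records go to the server regardless.
AUDITED_PREFIXES = ("aaa authentication login", "aaa authorization exec")


def parse_methods(line: str) -> Optional[Tuple[str, str, List[str]]]:
    """Split an audited AAA line into (prefix, list name, ordered methods).
    'group <server-group>' is kept together as a single method token."""
    line = line.strip()
    for prefix in AUDITED_PREFIXES:
        if not line.startswith(prefix + " "):
            continue
        rest = line[len(prefix):].split()
        if len(rest) < 2:          # list name without any method: nothing to audit
            return None
        list_name, tokens = rest[0], rest[1:]
        methods: List[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        return prefix, list_name, methods
    return None


def reorder_methods(methods: List[str]) -> List[str]:
    """Put remote 'group ...' methods first and keep everything else in its
    original relative order, so 'local' stays available as the fallback."""
    remote = [m for m in methods if m.startswith("group ")]
    other = [m for m in methods if not m.startswith("group ")]
    return remote + other


def audit_aaa(config: str) -> Dict[str, dict]:
    """Audit every audited method list in a running-config excerpt.

    Returns {"<prefix> <list>": {"methods": [...], "local_before_group": bool,
    "suggested": "<corrected line>"}}. Lists with no remote method (such as a
    console list that is local only) are reported but never flagged."""
    findings: Dict[str, dict] = {}
    for raw in config.splitlines():
        parsed = parse_methods(raw)
        if parsed is None:
            continue
        prefix, list_name, methods = parsed
        group_positions = [i for i, m in enumerate(methods) if m.startswith("group ")]
        local_before_group = (
            "local" in methods
            and bool(group_positions)
            and methods.index("local") < group_positions[0]
        )
        fixed = reorder_methods(methods) if local_before_group else methods
        findings[f"{prefix} {list_name}"] = {
            "methods": methods,
            "local_before_group": local_before_group,
            "suggested": f"{prefix} {list_name} {' '.join(fixed)}",
        }
    return findings


if __name__ == "__main__":
    for name, info in audit_aaa(SAMPLE_CONFIG).items():
        flag = "FIX" if info["local_before_group"] else "ok "
        print(f"{flag} {name}: {' '.join(info['methods'])}")
        if info["local_before_group"]:
            print(f"    -> {info['suggested']}")
```

Run against the sample, the two `default` lists are flagged and rewritten as `group tacacs+ local`, while the `console local` list is left alone, which matches the split on the page: VTY logins go to ISE first with local credentials only as a fallback if the server does not answer, and the console keeps working locally if TACACS+ is misconfigured.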