I'm hoping someone could give me some pointers as to how I could get this working. I've been tasked with testing Cisco ISE for possible wide deployment at my company. (2,000+ network devices)
The goal is to get TACACS+ working for authentication as the standard for all our network devices and have it talk to our openldap server for credentials.
I've downloaded the ISE trial and have it running in my lab environment. Version is 188.8.131.527. My guinea pig is a Cisco 3850 (WS-C3850-48P) with software version 16.3.6. Both ISE and the 3850 are on the same network. There is no firewall between them at all and I've confirmed that there is some traffic going back and forth between the two (via ping and tcpdump).
I believe I have ISE configured correctly to talk to openldap. For example, it fetches the list of groups automatically and allows me to select one of the ldap groups with no problem.
I'm not sure if I've configured the 3850 correctly. The documentation I find for the device doesn't seem to jive with my software version perhaps, with regard to command line options available. I've poked around and tried various configs (at one point managing to lock myself out of the device completely, that was fun).
Here are the related config lines from the 3850 as it sits currently:
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa session-id common
aaa traceback recording
ip address 10.0.126.2 255.255.255.224
tacacs-server key xxxxxxxxxxxxxxx
tacacs server CISCOISELAB
address ipv4 10.0.126.3
I've definitely got the server key the same on the ISE side and the 3850 (copy/pasted it to minimize typo possibilities).
When I use the ISE diag tcp dump facility, I can see two way communication, however the TACACS related packets don't show much. Here is what all the actual tacacs packets look like:
Transmission Control Protocol, Src Port: 18525, Dst Port: 49, Seq: 1, Ack: 1, Len: 43
Source Port: 18525
Destination Port: 49
[Stream index: 0]
[TCP Segment Len: 43]
Sequence number: 1 (relative sequence number)
[Next sequence number: 44 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 4128
[Calculated window size: 4128]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x20db [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[iRTT: 0.001515000 seconds]
[Bytes in flight: 43]
[Bytes sent since last PSH flag: 43]
[Time since first frame in this TCP stream: 0.001820000 seconds]
[Time since previous frame in this TCP stream: 0.000206000 seconds]
TCP payload (43 bytes)
[PDU Size: 43]
Major version: TACACS+
Minor version: 0
Type: Authentication (1)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
.... ...0 = Unencrypted: Not set
.... .0.. = Single Connection: Not set
Session ID: 1852465111
Packet length: 31
I also tried looking for ldap traffic during an attempted logon using an ldap user account and I don't see any traffic there.
So, could anyone give me some pointers on what I might be doing wrong?
Solved! Go to Solution.
Your script is a bit out of date for configuring TACACS:
username <backdoor account name> privilege 15 secret 0 <backdoor account password>
tacacs server <ISE PSN #1 hostname>
key 0 <TACACS key>
address ipv4 <ISE PSN #1 IP>
tacacs server <ISE PSN #2 hostname>
key 0 <TACACS key>
address ipv4 <ISE PSN #2 IP>
aaa group server tacacs+ ISE-TACACS
server name <ISE PSN #1 hostname>
server name <ISE PSN #2 hostname>
! Source interface only needed on devices with multiple L3 interface
ip tacacs source-interface <VLAN/interface>
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default stop-only group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS
If you aren't doing command authorization you can remove that line.
Just to close the loop, this specific guide linked off of that page is what did it for me: https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html
I'm not using AD, plus the new version of ISE looks nothing like that (the Authorization Policy stuff is under Device Admin Policy Sets now), but once I got those ducks in a comparable row... success.
My 2 cents, please reconsider deploying 16.3.6 on your 3850s.
This is a memory leak for this version.
Below is the recommended version of code from Cisco: