cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1669
Views
15
Helpful
5
Replies

Cisco ISE with TACACS and a 3850 switch (backed by OpenLDAP)

AHinNH
Beginner
Beginner

I'm hoping someone could give me some pointers as to how I could get this working.  I've been tasked with testing Cisco ISE for possible wide deployment at my company.  (2,000+ network devices)

 

The goal is to get TACACS+ working for authentication as the standard for all our network devices and have it talk to our openldap server for credentials.

 

I've downloaded the ISE trial and have it running in my lab environment.  Version is 2.4.0.357.  My guinea pig is a Cisco 3850 (WS-C3850-48P) with software version 16.3.6.  Both ISE and the 3850 are on the same network.  There is no firewall between them at all and I've confirmed that there is some traffic going back and forth between the two (via ping and tcpdump).

 

I believe I have ISE configured correctly to talk to openldap.  For example, it fetches the list of groups automatically and allows me to select one of the ldap groups with no problem.

 

I'm not sure if I've configured the 3850 correctly.  The documentation I find for the device doesn't seem to jive with my software version perhaps, with regard to command line options available.  I've poked around and tried various configs (at one point managing to lock myself out of the device completely, that was fun).

 

Here are the related config lines from the 3850 as it sits currently:

 

aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authentication login console local
aaa authorization exec default local group tacacs+
aaa accounting exec default start-stop group tacacs+

!

aaa session-id common
aaa traceback recording

!

!

interface Vlan2222
ip address 10.0.126.2 255.255.255.224

!

tacacs-server key xxxxxxxxxxxxxxx
tacacs server CISCOISELAB
address ipv4 10.0.126.3
key xxxxxxxxxxxxxxx

 

I've definitely got the server key the same on the ISE side and the 3850 (copy/pasted it to minimize typo possibilities).

 

When I use the ISE diag tcp dump facility, I can see two way communication, however the TACACS related packets don't show much.  Here is what all the actual tacacs packets look like:

 

Transmission Control Protocol, Src Port: 18525, Dst Port: 49, Seq: 1, Ack: 1, Len: 43
Source Port: 18525
Destination Port: 49
[Stream index: 0]
[TCP Segment Len: 43]
Sequence number: 1 (relative sequence number)
[Next sequence number: 44 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
0101 .... = Header Length: 20 bytes (5)
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: ·······A····]
Window size value: 4128
[Calculated window size: 4128]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x20db [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.001515000 seconds]
[Bytes in flight: 43]
[Bytes sent since last PSH flag: 43]
[Timestamps]
[Time since first frame in this TCP stream: 0.001820000 seconds]
[Time since previous frame in this TCP stream: 0.000206000 seconds]
TCP payload (43 bytes)
[PDU Size: 43]

 

TACACS+
Major version: TACACS+
Minor version: 0
Type: Authentication (1)
Sequence number: 1
Flags: 0x00 (Encrypted payload, Multiple Connections)
.... ...0 = Unencrypted: Not set
.... .0.. = Single Connection: Not set
Session ID: 1852465111
Packet length: 31
Encrypted Request

 

 

I also tried looking for ldap traffic during an attempted logon using an ldap user account and I don't see any traffic there.

 

So, could anyone give me some pointers on what I might be doing wrong?

 

Thanks!

 

-- 

Andrew

2 Accepted Solutions

Accepted Solutions

Nadav
Rising star
Rising star

Your AAA configuration on the switch is incorrect.

You've configured your primary method of connecting via VTY as local and not tacacs+. It should be the other way around.

View solution in original post

5 Replies 5

paul
Advocate
Advocate

Your script is a bit out of date for configuring TACACS:

 

username <backdoor account name> privilege 15 secret 0 <backdoor account password>
aaa new-model
!
tacacs server <ISE PSN #1 hostname>
  key 0 <TACACS key>
  address ipv4 <ISE PSN #1 IP>
!
tacacs server <ISE PSN #2 hostname>
key 0 <TACACS key>
address ipv4 <ISE PSN #2 IP>
!
aaa group server tacacs+ ISE-TACACS
 server name <ISE PSN #1 hostname>
 server name <ISE PSN #2 hostname>
!
! Source interface only needed on devices with multiple L3 interface
!
ip tacacs source-interface <VLAN/interface>
!
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa authorization commands 15 default group ISE-TACACS if-authenticated
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default stop-only group ISE-TACACS
aaa accounting commands 1 default stop-only group ISE-TACACS
aaa accounting commands 15 default stop-only group ISE-TACACS

 

If you aren't doing command authorization you can remove that line.

Nadav
Rising star
Rising star

Your AAA configuration on the switch is incorrect.

You've configured your primary method of connecting via VTY as local and not tacacs+. It should be the other way around.

Just to close the loop, this specific guide linked off of that page is what did it for me:  https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

 

I'm not using AD, plus the new version of ISE looks nothing like that (the Authorization Policy stuff is under Device Admin Policy Sets now), but once I got those ducks in a comparable row...  success.

 

Thanks!

santiago.jem
Beginner
Beginner

Hi Andrew,

 

My 2 cents, please reconsider deploying 16.3.6 on your 3850s.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi38191/?rfs=iqvred

This is a memory leak for this version.

Below is the recommended version of code from Cisco:

https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3650-series-switches/bulletin-c25-737420.html

 

regards,

J

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers