LDAP authentication on Catalyst 3850

nblazquez
Level 1

Hello everyone,

I'm trying to implement LDAP authentication on Cisco Catalyst 3850 switches; they run IOS XE 16.12.08. My LDAP server is an OpenLDAP server running slapd on TCP/636.

According to the documentation, and if I trust the available commands, it seems that it is possible!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ldap/configuration/15-e/sec-usr-ldap-15-e-book/sec_conf_ldap.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ldap/configuration/xe-3se/3850/sec-usr-ldap-xe-3se-3850-book.html

However, I can't find any concrete example of this on the internet!

Here is my current configuration on the Catalyst:

ldap server ldapvip
  ipv4 172.28.X.X
  transport port 636
  timeout retransmit 20
  bind authenticate root-dn ou=**,cn=**,dc=**,dc=** password 7 ********
  base-dn dc=**,dc=**
  authentication bind-first
  mode secure

aaa new-model
aaa authentication login default group ldap
aaa authentication enable default group ldap
aaa session-id common

 

The OpenLDAP is functional, as I already implemented authentication for those same Catalysts, but using TACACS and a PAM solution to interface my TACACS solution to the OpenLDAP.

The thing is, when I'm trying to authenticate using my LDAP configuration, the Catalyst doesn't send any packet to the LDAP server. There is a firewall in the middle, but I tested the TCP/636 port and even allowed every type of traffic between those two hosts.

When I try to authenticate, the output of debug aaa authentication is:

GMT: AAA/BIND(000010CA) Bind i/f
GMT: AAA/AUTHEN/LOGIN (000010CA) : Pick method list 'default'
GMT: AAA/AUTHEN/LOGIN (000010CA) : Pick method list 'default'

And the default method list is set to ldap, which according to the documentation consists of every ldap host defined, such as my ldapvip.

I've struggled with this for a long time, and I tried many other configurations.

Does anyone see the issue?


4 Replies

Nancy Saini
Cisco Employee

Enable LDAP debugs on the switch and check if the switch is initiating any authentication request.

Hello,
Thank you for your answer! Here is the debug output:

GMT: LDAP: Received queue eventg, new AAA requests
GMT: LDAP: LDAP authentication request
GMT: Username/Password sanity check failed!!
GMT: LDAP: LDAP doesn't support interactive login

GMT: LDAP: LDAP: Queuing AAA request 4310 for processing
GMT: LDAP: Received queue event, new AAA request
GMT: LDAP: LDAP authentication request
GMT: LDAP: Username/Password sanity sanity check failed!!
GMT: LDAP: LDAP doesn't support interactive login
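As an added example (not code from the thread, Cisco, or OpenLDAP), a small Python triage of the `debug ldap` output above: it groups lines by the queued AAA request id and flags whether the switch rejected the request locally, which is why no packet ever shows up at the firewall or in the slapd log. The sample lines are constructed from the debug text in this reply; the reject-message patterns are taken from that text, not from a Cisco message catalogue.

```python
import re

# Constructed sample: the 'debug ldap' lines quoted in the reply above, retyped as
# the switch prints them. Not a capture from a live device.
SAMPLE_DEBUG = """\
GMT: LDAP: LDAP: Queuing AAA request 4310 for processing
GMT: LDAP: Received queue event, new AAA request
GMT: LDAP: LDAP authentication request
GMT: LDAP: Username/Password sanity check failed!!
GMT: LDAP: LDAP doesn't support interactive login
"""

QUEUE_RE = re.compile(r"Queuing AAA request (\d+)")

# Messages the IOS LDAP subsystem emits when it drops a request itself. Any of these
# means the switch never opened a TCP session to the server, so a firewall capture
# and the slapd log will both be empty. Patterns come from the debug output above.
LOCAL_REJECTS = {
    "sanity_check_failed": re.compile(r"sanity check failed"),
    "interactive_login_unsupported": re.compile(r"doesn't support interactive login"),
}


def triage_ldap_debug(text):
    """Group 'debug ldap' lines by queued AAA request id and record, per request,
    the local-reject reasons seen. Lines before the first 'Queuing' message are
    filed under 'unqueued' so nothing is silently dropped."""
    requests = {}
    current = "unqueued"
    for raw in text.splitlines():
        line = raw.split("GMT: ", 1)[-1]  # drop the timestamp prefix when present
        m = QUEUE_RE.search(line)
        if m:
            current = m.group(1)
        entry = requests.setdefault(current, {"local_reject": [], "sent_to_server": None})
        for reason, pattern in LOCAL_REJECTS.items():
            if pattern.search(line) and reason not in entry["local_reject"]:
                entry["local_reject"].append(reason)
                entry["sent_to_server"] = False
    return requests


def explain(requests):
    """One plain-language line per request, suitable for pasting into a ticket."""
    out = []
    for req_id, entry in requests.items():
        if entry["sent_to_server"] is False:
            out.append(f"request {req_id}: rejected on the switch ({', '.join(entry['local_reject'])}); "
                       "no LDAP packet was sent, so a firewall capture will be empty")
        else:
            out.append(f"request {req_id}: no local reject seen; check the server side next")
    return out


if __name__ == "__main__":
    for line in explain(triage_ldap_debug(SAMPLE_DEBUG)):
        print(line)
```

Feed it the full `debug ldap` buffer; a request that reaches the server will show no local-reject entry, which moves the investigation to the firewall and slapd logs.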

 

Debugs are self-explanatory that LDAP doesn't support interactive login and the same is mentioned in this document.

Yes, I figured it out. Thank you for your help; now I need to find a workaround.