02-08-2021 04:18 PM
We upgraded our WS-C3560CX-12PC-S, from version 15.2(4)E7 to 5.2(7)E3.
After the upgrade, our aaa tacacs+ commands didn't work.
Here they are:
aaa new-model
aaa group server tacacs+ MGT
server-private 10.125.196.167 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
server-private 10.125.196.168 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ip tacacs source-interface Vlan253
aaa group server radius ISE-RADIUS
server 10.125.196.168
aaa authentication login default group MGT local
aaa authentication enable default group MGT enable
aaa authentication dot1x default group ISE-RADIUS
aaa authorization config-commands
aaa authorization exec default group MGT local
aaa authorization commands 15 default group MGT
aaa authorization commands 15 MGT group MGT if-authenticated
aaa accounting exec default start-stop group MGT
aaa accounting commands 1 default stop-only group MGT
aaa accounting commands 15 default stop-only group MGT
aaa session-id common
Please let me know what changed with the two versions.
02-08-2021 05:11 PM
When you begin to enter the commands, at what point does the switch tell you there is a problem? I'm assuming you can enter the "aaa new-model" command just fine. When you go to type "aaa group server ?", do you see only radius as the next option or is tacacs there as well?
02-09-2021 02:50 AM
Remove the AAA config (make sure you do this from the console), then re-add it (and please post the errors here so we can look).
02-09-2021 10:39 AM
We resolved the issue. Rather than use aaa group server tacacs+ MGT server-private, we used tacacs server ISE-POL1
address ipv4 x.x.x.x key 7 xxxxxxxxxxxxxxxxxxx.
Does anyone know what to replace key 7 with?
02-09-2021 11:16 AM
Changing from server-private to just server changes things a bit. I would recommend the following config:
aaa group server tacacs+ MGT
 server name MGT-1
 server name MGT-2
!
! TACACS+ runs over one TCP port (49 by default); auth-port/acct-port are RADIUS-only options
tacacs server MGT-1
 address ipv4 10.125.196.167
 key 7 XXXXXXXXX
!
tacacs server MGT-2
 address ipv4 10.125.196.168
 key 7 XXXXXXXXX
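The migration discussed in this thread, as an added example that is not part of any poster's reply: a small Python script that rewrites `server-private` entries inside a `aaa group server tacacs+` block into named `tacacs server` definitions referenced by `server name`, and flags type 7 keys. The sample config is constructed from the one in the question with placeholder keys, and the `GROUP-N` server naming is an assumption.

```python
import re

# Constructed sample modelled on the config in the thread; keys are placeholders.
LEGACY = """\
aaa new-model
aaa group server tacacs+ MGT
 server-private 10.125.196.167 key 7 XXXXXXXX
 server-private 10.125.196.168 key 7 XXXXXXXX
 ip tacacs source-interface Vlan253
aaa group server radius ISE-RADIUS
 server 10.125.196.168
"""

GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
PRIVATE_RE = re.compile(r"^server-private (\S+)(?: key (?:(\d+) )?(\S+))?$")


def migrate(config):
    """Return (lines, warnings): server-private entries become named
    'tacacs server' blocks that the group references with 'server name'."""
    body, servers, warnings = [], [], []
    group, count = None, 0
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("aaa "):
            # Any top-level aaa command closes the previous group context.
            m = GROUP_RE.match(line)
            group, count = (m.group(1) if m else None), 0
        p = PRIVATE_RE.match(line) if group else None
        if not p:
            body.append(raw)  # everything else passes through unchanged
            continue
        count += 1
        name = f"{group}-{count}"  # assumed naming scheme, e.g. MGT-1
        ip, ktype, key = p.groups()
        body.append(f" server name {name}")
        servers += ["!", f"tacacs server {name}", f" address ipv4 {ip}"]
        if key:
            servers.append(f" key {ktype + ' ' if ktype else ''}{key}")
        if ktype == "7":
            # Type 7 is reversible obfuscation, so the key is not protected at rest.
            warnings.append(f"{name}: type 7 key is reversible obfuscation")
    return body + servers, warnings


if __name__ == "__main__":
    lines, warns = migrate(LEGACY)
    print("\n".join(lines))
    print("\n".join("WARNING " + w for w in warns))
```

A `server-private` entry is scoped to its group while a named `tacacs server` is global, so review the output before applying it where several groups or VRFs are in use.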