05-12-2023 07:58 AM
Hi everyone,
I need to migrate an old Cisco Secure ACS to a new TACACSGUI.
The old ACS runs on two servers (XX.XX.XX.XX and YY.YY.YY.YY), while the new server is ZZ.ZZ.ZZ.ZZ.
This was the previous configuration:
aaa group server tacacs+ TACACS-GROUP-SERVER
server XX.XX.XX.XX
server YY.YY.YY.YY
tacacs-server key 7 ENCRYPTED_KEY
tacacs-server host XX.XX.XX.XX
tacacs-server host YY.YY.YY.YY
aaa authentication login default group TACACS-GROUP-SERVER local
aaa authentication login console group TACACS-GROUP-SERVER local
aaa authorization exec default group TACACS-GROUP-SERVER local
aaa authorization commands all default group TACACS-GROUP-SERVER local
Then I made a rookie mistake.
I added the new server to the aaa group and removed the old ones, but I did not add the command line tacacs-server host ZZ.ZZ.ZZ.ZZ.
aaa group server tacacs+ TACACS-GROUP-NAME
server ZZ.ZZ.ZZ.ZZ
A moment later I lost connection and I'm locked out of the router.
Now, using local router accounts I'm able to get into EXEC mode, but I'm not authorized to do a configure terminal. It returns this error:
% Authorization denied for command 'configure terminal'.
I tried to change the "Shell Command Authorization Set" and other User Setup configurations on old ACS server, but it doesn't seem to make a difference.
I'm able to authenticate on old ACS server (even show logs on old ACS GUI) through the command test aaa group tacacs+ USERNAME PASSWORD.
Using old ACS/new TACACSGUI registered accounts, I can't even log in. None of the three servers register any log of authentication or authorization attempts.
Any suggestions on how to bypass TACACS to be able to configure terminal again?
05-12-2023 08:05 AM
@proxymaster you can reboot the router; the configuration will revert to the previously saved version without the new TACACS server.
Or perhaps you could define a null route to ZZ.ZZ.ZZ.ZZ on the upstream switch/router, so the router you cannot login to is unable to communicate with the new TACACS server and therefore you should be able to login using a local user account.
05-12-2023 08:22 AM
Hi Rob, thanks for the quick response!
I think that rebooting the device will be a last resort option for me.
So, if no TACACS server is available the local authentication/authorization is taken by default?
05-12-2023 08:42 AM
@proxymaster yes it should fail back to local authentication if TACACS is unavailable.
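The migration order that avoids the lockout described in this thread, written out as an added example (not from the thread, TACACSGUI, or Cisco documentation). It reuses the names from the posts (group TACACS-GROUP-SERVER, old servers XX.XX.XX.XX and YY.YY.YY.YY, new server ZZ.ZZ.ZZ.ZZ) and assumes placeholder values NEW_KEY, TESTUSER/TESTPASS and STRONG_PASSWORD_PLACEHOLDER; the new server's shared key is assumed to already be set on the TACACSGUI side. The point is that the new server is defined before any group references it, the old servers stay in the group until the new one has been verified with `test aaa group`, and a privilege-15 local account plus a timed `reload in` give a way back if the session is lost anyway.

```cisco
! Added example, not the thread's own config. Names/addresses are taken
! from the thread; NEW_KEY, TESTUSER/TESTPASS and the local password are
! placeholders.

! Step 0: safety net. The router reloads to the saved startup-config in
! 15 minutes unless the timer is cancelled, so save a known-good config
! first (copy running-config startup-config).
reload in 15

! Step 1: define the new host BEFORE any group references it. With the
! legacy syntax the thread uses, a "server" entry in a group needs a
! matching tacacs-server host line to be usable.
configure terminal
 tacacs-server host ZZ.ZZ.ZZ.ZZ key NEW_KEY

! Step 2: add the new server ALONGSIDE the old ones, so the old servers
! keep answering while the new one is verified.
 aaa group server tacacs+ TACACS-GROUP-SERVER
  server XX.XX.XX.XX
  server YY.YY.YY.YY
  server ZZ.ZZ.ZZ.ZZ
 exit

! Step 3: a local fallback that can actually authorize "configure
! terminal": the "local" method permits commands up to the user's
! privilege level, so the break-glass user must be privilege 15.
 username break-glass privilege 15 secret STRONG_PASSWORD_PLACEHOLDER
 aaa authentication login default group TACACS-GROUP-SERVER local
 aaa authorization exec default group TACACS-GROUP-SERVER local
 aaa authorization commands 15 default group TACACS-GROUP-SERVER local
end

! Step 4: verify a TACACSGUI-registered account against the group before
! removing anything, and confirm ZZ.ZZ.ZZ.ZZ shows as reachable.
test aaa group tacacs+ TESTUSER TESTPASS new-code
show tacacs

! Step 5: only now remove the old servers. Do it from a second session
! while the first stays logged in, then cancel the safety-net reload.
configure terminal
 aaa group server tacacs+ TACACS-GROUP-SERVER
  no server XX.XX.XX.XX
  no server YY.YY.YY.YY
 exit
 no tacacs-server host XX.XX.XX.XX
 no tacacs-server host YY.YY.YY.YY
end
copy running-config startup-config
reload cancel
```

Keeping the old servers in the group during the cutover is what preserves a working TACACS path; the local account and the pending reload only matter if that path is broken anyway, which is exactly the situation the original post ended up in.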