
tacacs-server host <IP> vs tacacs server <NAME>

johnlloyd_13

hi,

i recently upgraded a cisco ASR from 3.16.x to 16.12.x and noticed AAA didn't work afterwards. i was able to login using the local user but unable to execute any command.

 

Username: admin
Password: <LOCAL USER PW>

ASR#
ASR#sh run | s aaa
ASR#
ASR#sh run
Command authorization failed.

 

syslog shown after the 16.x upgrade. is this for info only or is it asking to migrate TACACS config?

 

Warning: The cli will be deprecated soon
'tacacs-server host 10.1.6.10'
Please move to 'tacacs server <name>' CLI
Warning: The cli will be deprecated soon
'tacacs-server host 10.1.6.2'
Please move to 'tacacs server <name>' CLI

 

i was able to successfully authenticate after i changed the TACACS and AAA server group to the new CLI format. my question is, was this due to a bug or is the new TACACS CLI format enforced on the new 16.12 code?

 

ASR(config)#tacacs server TAC-1
ASR(config-server-tacacs)#address ipv4 10.1.6.10
ASR(config-server-tacacs)#key cisco123

ASR(config)#aaa group server tacacs+ MY_GRP
ASR(config-sg-tacacs+)# no server 10.1.6.10
ASR(config-sg-tacacs+)# server name TAC-1


Hi @johnlloyd_13 

That command is finally deprecated in 16.12.x code on all hardware it seems.

TACACS legacy command: Do not configure the legacy tacacs-server host command; this command is deprecated. If the software version running on your device is Cisco IOS XE Gibraltar 16.12.2 or a later release, using the legacy command can cause authentication failures. Use the tacacs server command in global configuration mode.

hi rob,

i was expecting cisco would run a macro to convert it somehow so it would be seamless.

do you have a link to support this?

https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-16/products-release-notes-list.html

I've double checked a few different hardware platforms and it seems the command has been deprecated on all hardware platforms running 16.12.x. The ASR release notes aren't as detailed as the other platforms, but your experience matches what is documented.

hi rob,

thanks for the link. i saw it was indeed changed in 16.12.2

it's just unfortunate the upgrade process wasn't seamless.

hi,

i just got an update from TAC. i hit a bug and upgrade should auto convert the old "tacacs-server host" to the new CLI format.

there's a list of known fixed on the bug link:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu62273

 

@johnlloyd_13 thanks for the update!
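
The following is an added example, not part of the thread and not Cisco tooling: it scans a saved running-config for legacy `tacacs-server host` lines before an upgrade to 16.12.x and emits the `tacacs server <name>` and `server name` equivalents shown in the original post. The `TAC-n` names, the constructed sample config, and the choice to copy a global `tacacs-server key` into each server block are assumptions of the example.

```python
import re

# Constructed sample running-config; "sharedkey" and "timeout 5" are made up for the example.
SAMPLE = """\
tacacs-server host 10.1.6.10 timeout 5 key cisco123
tacacs-server host 10.1.6.2
tacacs-server key sharedkey
aaa group server tacacs+ MY_GRP
 server 10.1.6.10
 server 10.1.6.2
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*)$")
KEY_RE = re.compile(r"\bkey (.+)$")  # the key runs to end of line
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key (.+)$")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
MEMBER_RE = re.compile(r"^\s+server (\S+)$")  # legacy member line: " server <ip>"

def migrate(config, prefix="TAC-"):
    """Build new-style CLI for every legacy 'tacacs-server host' line in config."""
    lines = config.splitlines()
    global_key = next((m.group(1) for l in lines if (m := GLOBAL_KEY_RE.match(l))), None)
    names, out = {}, []
    for line in lines:
        if not (m := HOST_RE.match(line)) or m.group(1) in names:
            continue
        ip, rest = m.group(1), m.group(2)
        k = KEY_RE.search(rest)
        key = k.group(1) if k else global_key  # assumption: fall back to the global key
        other = (rest[:k.start()] if k else rest).strip()
        names[ip] = f"{prefix}{len(names) + 1}"  # hypothetical naming scheme
        out += [f"tacacs server {names[ip]}", f" address ipv4 {ip}"]
        if key:
            out.append(f" key {key}")
        if other:  # options this example does not translate
            out.append(f"! not migrated, review by hand: {other}")
    in_group = False
    for line in lines:
        if GROUP_RE.match(line):
            in_group = True
            out.append(line)
        elif in_group and (s := MEMBER_RE.match(line)) and s.group(1) in names:
            out += [f" no server {s.group(1)}", f" server name {names[s.group(1)]}"]
        elif not line.startswith(" "):
            in_group = False
    return out

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE)))
```

The output contains the TACACS+ shared keys in whatever form the input config held them, so handle it like the config itself.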
