I have recently upgraded from 22.214.171.124 to version 126.96.36.199 on my several SG300-28P switches. I am using TACACS authentication. My account is a part of "admins" group which has been set "priv-lvl = 15" (inside tac_plus.conf configuration). This means, that before upgrade I get privilege 15 level access immediately (shell ending with "#" sign) without need to use "enable". But after upgrade to 188.8.131.52 I have lost authorization function and login behavior looks following:
$ ssh dist-sw testuser@dist-sw's password: Password: ss Verification Username: Password: ss Verification Username: dist-sw>
(note: I have to enter password only once - requested on second line above, the rest username/password requests were just displayed automatically followed until the "dist-sw>" line without need of my interaction)
Yes, I read release notes and there is mentioned new functionality:
AAA authentication – Added a control for authorization so the user can decide whether to do authentication-only or authentication + authorization. When upgrading from previous versions, the default becomes authentication-only.
So I have added new command to switch configuration: "aaa authentication enable authorization default tacacs enable" which should enable authorization over same channel like authentication (i.e. using tacacs). But it is not working either and I have to use "enable" command in order to get privilege 15 level access.
With using RADIUS authentication the behavior is different (better from user point of view), byt seems not working correctly as well: no matter if I apply "aaa authentication enable authorization default radius enable" command or not, I get privilege 15 level access immediately (radius is sending Cisco-AVPair = "shell:priv-lvl=15" within access-accept response).
Has anyone working tacacs aaa authorization on 184.108.40.206? Or are you observing same behavior? For me its looking like bug.
I have no TACACS to test but it will be very good idea to open official ticket with Small Business team so they can communicate with engineering team:
this just happened to me today as well. SF-30048P same firmware
ill post if i get it figured out.
for me, i can ssh in as user (after pressing enter on the "login as:" prompt, and then entering login on the "User Name:" prompt
but older f/w does that too)
i just cannot get into enable mode
when i connect via web with tacacs account im good.
login as: [press enter]
it looks quite similar. I managed to get it finally work once I tried to reproduce issue for Cisco TAC. Once I have entered those two commands in a row:
aaa authentication enable default tacacs enable aaa authentication enable authorization default tacacs enable
...then authorization started finally work me. no need to reload device. for me it was looking like first time that command "aaa authentication enable authorization default tacacs enable" was not applied to environment.
and for the benefit of those that could access the web in lvl15 but not the shell,
in the web, i went to Security, Management Access Authentication, selected SSH in the Application list, and checked off "enable" under Authorization
(i rarely use the web but i was locked out of enable mode.)
voila! its working