cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1538
Views
5
Helpful
6
Replies

3.x to Denali Upgrade

royce.varughese
Level 1
Level 1

We are upgrading switches from 3.x to Denali 16.3.8. After upgrade Tacacs server commands along with key is not accepting as a command. I need to be sure to run all current config on to new code before deploying on other switches. Any help or guidance will be appreciated.

 


385002(config)#tacacs server TACACS_PRIMARY
385002(config-server-tacacs)#key
385002(config-server-tacacs)#key <key>
385002(config-server-tacacs)#address ipv4 <ip>
385002(config-server-tacacs)#exit
Warning: Address not yet configured.

 

6 Replies 6

Mark Malone
VIP Alumni
VIP Alumni
I just tested it on Denali 16.3.7 its working ok

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 1 52 WS-C3650-48TS 16.3.7 CAT3K_CAA-UNIVERSALK9 BUNDLE


Configuration register is 0x142 (will be 0x102 at next reload)

xxxxxxx# conf t
Enter configuration commands, one per line. End with CNTL/Z.
xxxxxxx(config)#tacacs ser
xxxxxxx(config)#tacacs server test
xxxxxxx(config-server-tacacs)#key mark
xxxxxxxconfig-server-tacacs)#add ipv4 18.8.8.8
xxxxxxx(config-server-tacacs)#exit
xxxxxxx(config)#exit

Switch Ports Model SW Version SW Image Mode
------ ----- ----- ---------- ---------- ----
* 4 56 WS-C3850-48P 16.3.8 CAT3K_CAA-UNIVERSALK9 INSTALL

 

Doesnt work for me.

 

385002(config-server-tacacs)#exit
Warning: Address not yet configured.

dont see any open bugs for it in the release notes fro 3.8, are your running AAA too in config
have you scrubbed the config completely and tried re-applying it

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-3/release_notes/ol-16-3-3850.html#pgfId-1485670

Will try re configuring the switch, but AAA was the last thing i configured.

There maybe some tie to AAA and the way its setup once that's running the way you have to configure it , you can try it this way as an option works well for us on the newer IOS-XE packages like denali Everest etc , does the same thing

aaa new-model
!
!
aaa group server tacacs+ xtacacs
server-private x.x.x.x key xxxxxxxxxxxxx
server-private x.x.x.x key xxxxxxxxxxxxx
ip tacacs source-interface X
!
aaa authentication login default group xtacacs local enable
aaa authentication enable default group xtacacs enable
aaa authorization exec default group xtacacs local
aaa accounting exec default start-stop group xtacacs
aaa accounting commands 0 default start-stop group xtacacs
aaa accounting commands 1 default start-stop group xtacacs
aaa accounting commands 15 default start-stop group xtacacs
aaa accounting network default start-stop group xtacacs
aaa accounting connection default start-stop group xtacacs
aaa accounting system default start-stop group xtacacs

I was able to fix this issue by removing the server IP under ' aaa group server' config and then able to add the server address under 'tacacs server' config and then called this tacacs server under aaa group config, like below - 

!

tacacs server test
address ipv4 10.x.x.x
key 0 123456

!

aaa group server tacacs+ tacacs-grp
server name test

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco