Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

3850 FUJI 16.9 code TACACS+ configuration

Does anyone have any advice of the "correct" configuration of TACACS+ on the 3850 series.

I have recently upgraded a switch to 16.9.3 (FUJI) code.

On older switches I would use the following sample to configure TACACS+

aaa new-model

tacacs server ServerA
address ipv4
key abcd1234

I am now presented with (after the last command "key abcd1234")

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have been searching for a "new" syntax for hte command but have been unseccesful.

Cisco documentation from the "Security Configuration Guide, Cisco IOS XE Fuji 16.9.x"

Chapter: Configuring TACACS+
How to Configure Switch Access with TACACS+"
Identifying the TACACS+ Server Host and Setting the Authentication Key

This sounded exactly what I was looking for. But the summary and detailed steps do not include anything for setting the Authentication Key

1. enable
2. configure terminal
3. tacacs server server-name
4. address {ipv4 | ipv6 } ip address
5. exit
6. aaa new-model
7. aaa group server tacacs+ group-name
8. server ip-address
9. end
10. show running-config
11. copy running-config startup-config

I appreciate that the old syntac is still accepted, but would like to get the new syntax if possible.




I checked it again, confirmed that the script was using Unix style EOL (LF) and I can confirm, that under 16.x.x on a 3650 or a 3850 or even a 4300 router that you can not set the "key config-key password-encrypt MYPASSWORDHERE" via script and it only works from the CLI.


If you run the "key config-key password-encrypt MYPASSWORDHERE" command first in a script and then turn on "password encryption aes" and then set up keys later on down in the script, that it will not create type 6 keys only type 7. Only after you type "key config-key password-encrypt MYPASSWORDHERE" in a CLI first will the script be able to set type 6 keys.

Peter Paluch
Hall of Fame Cisco Employee


Hmmm... Would it be possible for you in fact to share the script you're using? When I get a few minutes spare time, I can try testing it and seeing what's going on.

Many thanks!

Best regards,

Sadly no, at least not the whole thing (it's 980 lines long anyway), but here is the passwords, DOT1X, line and TACACS portion (with real passwords, non-relevant commands and IPs sanitized obviously).


Here is enough to show that with a blank switch (as in erase startup, blank) that you cannot set "key config-key password-encrypt PASSWORD" with a script. (you can tell it didn't work because it doesn't create type 6 passwords only type 7).

So run the script, then look up the password types, then run it again if you want, it will never work to create type 6 types (even though the "password aes" command will show up int the running config).

However, type "key config-key password-encrypt PASSWORD" manually into the CLI and run the script again, you'll see that all the type 7s are now type 6.

! ---- PASSWORDS ----
service password-encryption
key config-key password-encrypt MYCOREPASSWORD
password encryption aes
enable algorithm-type sha256 secret MYENABLEPASSWORD
username LOCALUSER privilege 15 algorithm-type sha256 secret 
ip domain name MYDOMAIN crypto key generate rsa general modulus 2048 ! ! ---- GLOBAL DOT1X WIRED ---- !
aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius authentication mac-move permit dot1x system-auth-control radius-server dead-criteria time 30 tries 14 radius-server retry method reorder ip radius source-interface loop 0 ! no radius server MYRADIUSSERVER1 radius server MYRADIUSSERVER1 address ipv4 auth-port 1812 acct-port 1813 key 0 MYRADIUSPASSWORD ! no radius server MYRADIUSSERVER2 radius server MYRADIUSSERVER2 address ipv4 auth-port 1812 acct-port 1813 key 0 MYRADIUSPASSWORD ! ! ---- TACACS SETUP ---- ! aaa group server tacacs+ MYTACACSGROUP no server name MYTACACSSERVER1 server name MYTACACSSERVER1 server-private key 0 MYTACACSPASSWORD ! no server name MYTACACSSERVER2 server name MYTACACSSERVER2 server-private key 0 MYTACACSPASSWORD ! aaa authentication login VTYMETHOD group MYTACACSGROUP local enable aaa authentication login CONMETHOD group MYTACACSGROUP local enable aaa authentication enable default enable none aaa authentication username-prompt Username: aaa authentication password-prompt Password: aaa authorization console aaa authorization config-commands aaa authorization exec CONMETHOD group MYTACACSGROUP local if-authenticated aaa authorization exec VTYMETHOD group MYTACACSGROUP local aaa accounting exec default start-stop group MYTACACSGROUP aaa accounting network default start-stop group MYTACACSGROUP aaa accounting connection default start-stop group MYTACACSGROUP aaa accounting system default start-stop group MYTACACSGROUP tacacs-server timeout 5 ip tacacs source-interface loop 0
no tacacs server MYTACACSSERVER1
tacacs server MYTACACSSERVER1
address ipv4
port 49
no tacacs server MYTACACSSERVER2
tacacs server MYTACACSSERVER2
address ipv4
port 49
! ! ----LINE IN SETTINGS ---- ! line vty 0 4 authorization exec VTYMETHOD login authentication VTYMETHOD ! line con 0 authorization exec CONMETHOD login authentication CONMETHOD end

Here is the relevant portion of the end user interface configuration (the part that pertains to DOT1X).

int ran gi 1/0/1 - 48
 switchport access vlan 123
 switchport mode access
 switchport voice vlan 456
 authentication event fail action next-method
 authentication event server dead action authorize
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 dot1x pae authenticator


Remember for anyone trying to use type 6 RADIUS passwords on 16.9.5 with FIPS enabled (as of March 11,2020), that those don't seem to work at all.





   Funny question:


Who writes these error messages?  Setting the password encryption to AES calls a Master Key Change Notification ? 

There is no way to set the Master Key in the password encryption statement. "


   Simple answer: humans, but this is what i call "Beer programming" . In the old days you would expect an error/warning/informational message to give you some hints/guidance. Nowadays it gives you just headaches. 



Cristian Matei.