02-23-2021 06:25 AM
Hi all, good day:
I have a Cisco ws-c2960x-24PS-L switch which was upgraded to version 15.2(7)E3. The file I used was downloaded from the Cisco software web site: c2960x-universalk9-mz.152-7.E3.bin. That file was given to me when searching by the Cisco model.
Before I uploaded the file I made a copy of sh running-configuration. It is worth mentioning that to do that I was using my AD account with TACACS+; the switch has a TACACS+ configuration. After the upgrade, all local users lost the 15 privilege and I cannot go further. Also, my AD account is no longer recognized by the switch. If I log in I get the level 1 prompt "switch01>"; if I try to enable I get the %error in authentication message. So I wonder if one of you guys can give me some advice, because I have a lot of switches to upgrade and I don't want to mess them up with this kind of issue.
02-23-2021 06:53 AM
Hi,
Appears to be a bug in the version you are running.
If you can't access it via telnet or SSH, try accessing the switch via console. Hopefully, the console port is not part of your TACACS+ config.
HTH
02-23-2021 07:11 AM
How big a jump you made in software versions during your upgrade can have an impact on the AAA commands. The syntax has changed over time and the upgrade may have discarded some of those older commands.
To be clear, you were running TACACS+ but since the upgrade, you can no longer access the switch with either TACACS+ or the local user accounts? If so, you may need to factory default the switch and manually enter the config from the last backup of that switch.
02-23-2021 07:40 AM
Hi Tyson, thanks for your reply. I have been using the same image for 3 other switches, but those switches were configured after the upgrade. One weird thing I noticed is that when I set up TACACS+, those switches won't work with aaa new-model.
On this particular last switch TACACS+ was working, and I'm going to factory reset it. My question here is:
Is it recommended to leave the last upgrade of the IOS, or should I downgrade to another version? Also, this is the TACACS+ config I am using; can you tell me if some commands changed for the new version:
config term
ip tacacs source-interface Vlan99
tacacs-server directed-request
aaa new-model
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
 exit
aaa authentication login default local
aaa authentication login WanAdmin group radius local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization network default group ALG_TACACS
aaa authorization configuration default group ALG_TACACS+
aaa accounting exec default
 action-type start-stop
 group ALG_TACACS
aaa accounting commands 15 default
 action-type start-stop
 group ALG_TACACS
aaa accounting network default
 action-type start-stop
 group ALG_TACACS
aaa accounting connection default
 action-type start-stop
 group ALG_TACACS
aaa accounting system default
 action-type start-stop
 group ALG_TACACS
aaa session-id common
line vty 0 15
 login authentication Cisco_Admins
 exit
Thanks
02-23-2021 08:12 AM
-You can't configure TACACS+ on the 3 other switches after issuing the command "aaa new-model"?
-I go with whatever the gold star version is for a Cisco device. Currently on software.cisco.com, it is 15.2.7E3(MD) for that model of switch
-Your configuration looks correct
02-23-2021 09:56 AM
Yes, I can configure TACACS+, but it seems the switch can reach the server to authenticate users in the other 3 switches; I am using local users.
This is the version I got from the Cisco website: Catalyst 2960X-24PS-L Switch Release 15.2.7E3 MD
Going to try with 2 versions behind.
Thanks
02-23-2021 10:08 AM
So TACACS+ is broken on the other 3 switches. Any chance that you have a configuration backup prior to the upgrade for any of those switches? Could you post that here along with the current running configuration so we can look at the pre- vs post- upgrade changes to the config?
02-25-2021 05:33 AM
Hello Tyson, the other 3 were wiped because they were used in another office and we reused them here. I'm going to set up TACACS+ again and let you know what is going on. For the moment I'll leave them with local accounts, as the switches are working well and the office has grown, so TACACS+ is the last priority.
Thanks
02-23-2021 01:51 PM
Hello
If it's applicable, have you tried disconnecting the upgraded switch from the network and trying to access the switch when it's not trying to reach the TACACS server?
If you can gain access, cross check the config you have at present to the one pre-upgrade.
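Added example (not part of any post in this thread): a small Python check for the pre- versus post-upgrade comparison suggested above, limited to the lines that decide who can log in and at what privilege. The function names and the POST sample are assumptions made for illustration; PRE reuses lines from the config posted earlier in the thread.

```python
import re

# Top-level IOS commands that decide who can log in and at what privilege.
AAA_RE = re.compile(r"^(aaa |tacacs|ip tacacs |radius|username |enable (secret|password)|line (vty|con))")

def aaa_stanzas(config_text):
    """Map each AAA-relevant top-level command to a tuple of its sub-commands."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():          # new top-level command
            current = line if AAA_RE.match(line) else None
            if current is not None:
                stanzas.setdefault(current, [])
        elif current is not None:         # indented sub-command of a kept stanza
            stanzas[current].append(line)
    return {cmd: tuple(subs) for cmd, subs in stanzas.items()}

def compare(pre_text, post_text):
    """Report AAA-relevant commands dropped, added or changed across an upgrade."""
    pre, post = aaa_stanzas(pre_text), aaa_stanzas(post_text)
    return {
        "dropped": sorted(set(pre) - set(post)),
        "added": sorted(set(post) - set(pre)),
        "changed": sorted(c for c in set(pre) & set(post) if pre[c] != post[c]),
    }

# Constructed samples: PRE reuses lines from the config posted in this thread;
# POST is a made-up "after" config, not output from the poster's switch.
PRE = """\
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
line vty 0 15
 login authentication Cisco_Admins
"""
POST = """\
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
aaa authentication login Cisco_Admins group ALG_TACACS local
line vty 0 15
 login authentication Cisco_Admins
"""

if __name__ == "__main__":
    print(compare(PRE, POST))
```

Feed it the saved backup and a fresh "show running-config" capture; a dropped enable or login method list is worth resolving before the next switch is upgraded.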
02-25-2021 05:31 AM
Hi Paul, I tried to console into the switch but no luck; in fact, I got weird characters and I am unable to do anything. See image attached.
02-26-2021 08:52 AM
Solved: changed the baud rate to 115200 and reconfigured. Thanks