After upgrading IOS I lose my privilege with my username

Hi, all good day:

 

I have a Cisco WS-C2960X-24PS-L switch which was upgraded to version 15.2(7)E3. The file I used was downloaded from the Cisco software website: c2960x-universalk9-mz.152-7.E3.bin. That file was given to me when searching by the Cisco model.

 

Before I uploaded the file I made a copy of the sh running-configuration. It is worth mentioning that to do that I was using my AD account with TACACS+; the switch has a TACACS+ configuration. After the upgrade, all local users lost privilege 15 and I cannot go further. Also, my AD account is no longer recognized by the switch. If I log in I get the level 1 prompt "switch01>"; if I try to enable I get a "%error in authentication" message. So I wonder if one of you guys can give me some advice, because I have a lot of switches to upgrade and I don't want to mess them up with this kind of issue.

Hall of Fame Expert

Hi,

Appears to be a bug in the version you are running.

If you can't access it via telnet or SSH, try accessing the switch via console. Hopefully, the console port is not part of your TACACS+ config.

 

HTH

Rising star

How big of a jump you made in software versions during your upgrade can have an impact on the AAA commands. The syntax has changed over time and the upgrade may have discarded some of those older commands.

To be clear, you were running TACACS+ but since the upgrade, you can no longer access the switch with either TACACS+ or the local user accounts? If so, you may need to factory default the switch and manually enter the config from the last backup of that switch.


Hi Tyson, thanks for your reply. I have been using the same image for 3 other switches, but those switches are configured after the upgrade. One weird thing I noticed is that when I set up TACACS+, those switches won't work with the aaa new-model.

On this particular last switch TACACS was working and I'm going to factory reset it. My question here is:

Is it recommended to leave the last upgrade of the IOS, or should I downgrade to another version? Also, this is the TACACS config I am using; can you tell me if some command changed for the new version:

 

config term
ip tacacs source-interface Vlan99
tacacs-server directed-request
aaa new-model
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
 exit
aaa authentication login default local
aaa authentication login WanAdmin group radius local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization network default group ALG_TACACS
aaa authorization configuration default group ALG_TACACS+
aaa accounting exec default
 action-type start-stop
 group ALG_TACACS
aaa accounting commands 15 default
 action-type start-stop
 group ALG_TACACS
aaa accounting network default
 action-type start-stop
 group ALG_TACACS
aaa accounting connection default
 action-type start-stop
 group ALG_TACACS
aaa accounting system default
 action-type start-stop
 group ALG_TACACS
aaa session-id common
line vty 0 15
 login authentication Cisco_Admins
 exit

Thanks


-You can't configure TACACS+ on the 3 other switches after issuing the command "aaa new-model"?

-I go with whatever the gold star version is for a Cisco device. Currently on software.cisco.com, it is 15.2.7E3(MD) for that model of switch

-Your configuration looks correct


Yes, I can configure TACACS+, but it seems the switch can reach the server to authenticate users in the other 3 switches; I am using local users.

 

This is the version I got from the Cisco website: Catalyst 2960X-24PS-L Switch Release 15.2.7E3 MD

Going to try with 2 versions behind.

Thanks


So TACACS+ is broken on the other 3 switches. Any chance that you have a configuration backup prior to the upgrade for any of those switches? Could you post that here along with the current running configuration so we can look at the pre- vs post- upgrade changes to the config?


Hello Tyson, the other 3 were wiped because they were used in another office and were reused here. I'm going to set up TACACS again and let you know what's going on. For the moment I'm leaving them with local accounts, as the switches are working well and the office has grown, so TACACS is the last priority.

Thanks

VIP Mentor

Hello

If it's applicable, have you tried disconnecting the upgraded switch from the network and trying to access the switch when it's not trying to reach the TACACS server?

If you can gain access, cross check the config you have at present to the one pre-upgrade.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future
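
The pre- versus post-upgrade configuration cross-check suggested in the replies above can be scripted. This is an added example, not part of the original thread or any poster's code: it lists authentication-related commands that are in a saved backup but missing from the current config, and flags AAA method lists that name a server group with no matching definition. The two sample configs, the group name LAB_TACACS and the function names are constructed for illustration.

```python
import re

# Commands that decide who can log in and at which privilege level.
TRACKED = re.compile(r"(aaa |tacacs|radius|ip tacacs |username |enable |login authentication )")

def auth_lines(config):
    """Auth-related commands; sub-mode lines are prefixed with their parent."""
    found, parent = [], ""
    for raw in config.splitlines():
        line = re.sub(r"( key ).*", r"\1<redacted>", raw.strip())  # keep secrets out of reports
        if not line or line == "!":
            continue
        top = not raw[0].isspace()  # running-config indents sub-mode commands
        if top:
            parent = line
        if TRACKED.match(line) or (not top and TRACKED.match(parent)):
            found.append(line if top else f"{parent} / {line}")
    return found

def dropped_by_upgrade(pre, post):
    """Auth commands in the pre-upgrade backup that are missing afterwards."""
    after = set(auth_lines(post))
    return [l for l in auth_lines(pre) if l not in after]

def undefined_groups(config):
    """Server groups used in AAA method lists but never defined."""
    defined = set(re.findall(r"^aaa group server \S+ (\S+)", config, re.M))
    used = set()
    for line in map(str.strip, config.splitlines()):
        if line.startswith(("aaa authentication", "aaa authorization", "aaa accounting", "group ")):
            used.update(re.findall(r"(?:^| )group (\S+)", line))
    return sorted(used - defined - {"radius", "tacacs+"})  # built-in group keywords

# Constructed sample configs (assumption: modelled on the thread, not taken from it).
PRE = """\
aaa group server tacacs+ LAB_TACACS
 server-private 192.0.2.10 key examplekey
aaa authentication login LAB_ADMINS group LAB_TACACS local
aaa authorization exec default group LAB_TACACS if-authenticated
line vty 0 15
 login authentication LAB_ADMINS
"""
POST = """\
aaa group server tacacs+ LAB_TACACS
aaa authentication login LAB_ADMINS group LAB_TACACS+ local
line vty 0 15
 login authentication LAB_ADMINS
"""
```

Feed it the `show running-config` output saved before the upgrade and the one captured after. Because `key` values are redacted before comparison, a changed shared secret is not reported.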

Hi Paul, I tried to console into the switch but no luck; in fact, I got a weird character and I am unable to do anything. See image attached.

sw15.JPG


Solved: changed the baud rate to 115200 and reconfigured. Thanks
