Hi all, good day:
I have a Cisco WS-C2960X-24PS-L switch which was upgraded to 15.2(7)E3. The file I used was downloaded from the Cisco software website: c2960x-universalk9-mz.152-7.E3.bin. That file was given to me when searching by the Cisco model.
Before I uploaded the file I made a copy of "show running-config". It is worth mentioning that to do that I was using my AD account with TACACS+; the switch has a TACACS+ configuration. After the upgrade, all local users lost privilege 15 and I cannot go further. Also, my AD account is no longer recognized by the switch: if I log in I get the level 1 prompt "switch01>", and if I try to enable I get a "%error in authentication" message. So I wonder if one of you guys can give me some advice, because I have a lot of switches to upgrade and I don't want to mess them up with this kind of issue.
Appears to be a bug in the version you are running.
If you can't access it via telnet or SSH, try accessing the switch via console. Hopefully, the console port is not part of your TACACS+ config.
Depending on how big of a jump you did in software versions during your upgrade, it can have an impact on the AAA commands. The syntax has changed over time and the upgrade may have discarded some of those older commands.
To be clear, you were running TACACS+ but since the upgrade, you can no longer access the switch with either TACACS+ or the local user accounts? If so, you may need to factory default the switch and manually enter the config from the last backup of that switch.
Hi Tyson, thanks for your reply. So I have been using the same image for 3 other switches, but those switches were configured after the upgrade. One weird thing I noticed is that when I set up TACACS+, those switches won't work with aaa new-model.
In this particular last switch TACACS+ was working, and I'm going to factory reset it. My question here is:
Is it recommended to stay on the latest IOS release, or should I downgrade to another version? Also, this is the TACACS+ config I am using; can you tell me if some command changed for the new version:
ip tacacs source-interface Vlan99
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
aaa authentication login default local
aaa authentication login WanAdmin group radius local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization network default group ALG_TACACS
aaa authorization configuration default group ALG_TACACS+
aaa accounting exec default
aaa accounting commands 15 default
aaa accounting network default
aaa accounting connection default
aaa accounting system default
aaa session-id common
line vty 0 15
 login authentication Cisco_Admins
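As an added example (not from this thread and not a Cisco tool), here is a small Python check that scans the AAA lines posted above for the two things that most often turn a server problem into a lockout: a method list that names a server group which is never defined, and a login/enable/exec list with no non-server fallback (local, enable, if-authenticated, and so on). The config text embedded below is the one from the post, and the check is the kind of pre-upgrade sanity pass one would run over the rest of the fleet.

```python
import re

# AAA lines taken from the configuration posted above in the thread.
CONFIG = """\
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
aaa authentication login default local
aaa authentication login WanAdmin group radius local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization network default group ALG_TACACS
aaa authorization configuration default group ALG_TACACS+
line vty 0 15
 login authentication Cisco_Admins
"""

BUILTIN_GROUPS = {"tacacs+", "radius"}  # IOS keywords, not user-defined groups
FALLBACKS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
# Method lists whose failure keeps an admin out of the CLI (not ppp/network).
LOCKOUT_TYPES = {("authentication", "login"), ("authentication", "enable"),
                 ("authorization", "exec")}


def check_aaa(config: str) -> list:
    """Return a list of human-readable findings for the AAA lists in config."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    groups = {m.group(1) for ln in lines
              if (m := re.match(r"aaa group server (?:tacacs\+|radius) (\S+)$", ln))}
    login_lists, findings = set(), []
    for ln in lines:
        m = re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)$", ln)
        if not m:
            continue
        kind, sub, name, methods = m.groups()
        toks = methods.split()
        if (kind, sub) == ("authentication", "login"):
            login_lists.add(name)
        for i, tok in enumerate(toks):  # every 'group X' must name a real group
            if tok == "group" and i + 1 < len(toks):
                g = toks[i + 1]
                if g not in BUILTIN_GROUPS and g not in groups:
                    findings.append(f"{ln}: undefined server group '{g}'")
        if (kind, sub) in LOCKOUT_TYPES and not FALLBACKS & set(toks):
            findings.append(f"{ln}: no local fallback, server outage locks you out")
    for ln in lines:  # vty/console lines must point at a login list that exists
        m = re.match(r"\s*login authentication (\S+)$", ln)
        if m and m.group(1) not in login_lists:
            findings.append(f"{ln.strip()}: references undefined login list")
    return findings
```

On the posted config the only finding is the "group ALG_TACACS+" line, whose name does not match the defined group ALG_TACACS; every login, enable and exec list does carry a local or enable fallback.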
-You can't configure TACACS+ on the 3 other switches after issuing the command "aaa new-model"?
-I go with whatever the gold star version is for a Cisco device. Currently on software.cisco.com, it is 15.2.7E3(MD) for that model of switch.
-Your configuration looks correct.
Yes, I can configure TACACS+, but it seems the switch can reach the server to authenticate users. On the other 3 switches I am using local users.
This is the version I got from the Cisco website: Catalyst 2960X-24PS-L Switch Release 15.2.7E3 MD.
Going to try with 2 versions behind.
So TACACS+ is broken on the other 3 switches. Any chance that you have a configuration backup prior to the upgrade for any of those switches? Could you post that here along with the current running configuration so we can look at the pre- vs post- upgrade changes to the config?
Hello Tyson, the other 3 were wiped out because they were used in another office and we reused them here. I'm going to set up TACACS+ again and let you know what's going on. For the moment I'll leave them with local accounts, as the switches are working well and the office is growing, so TACACS+ is the lowest priority.
If it's applicable, have you tried disconnecting the upgraded switch from the network and then accessing the switch when it's not trying to reach the TACACS+ server?
If you can gain access, cross-check the config you have at present against the one from pre-upgrade.