
After upgrading IOS I lose my privilege with my username

Adrián Moran
Level 1

Hi, all good day:

I have a Cisco ws-c2960x-24PS-L switch which was upgraded to version 15.2(7)E3. The file I used, c2960x-universalk9-mz.152-7.E3.bin, was downloaded from the Cisco software website; that file was given to me when searching by the Cisco model.

Before I uploaded the file I made a copy of sh running-configuration. It is worth mentioning that to do that I was using my AD account with TACACS+; the switch has a TACACS+ configuration. After the upgrade, all local users lost privilege 15 and I cannot go further. Also, my AD account is no longer recognized by the switch. If I log in I get the level 1 prompt "switch01>", and if I try to enable I get the %error in authentication message. So I wonder if one of you guys can give me some advice, because I have a lot of switches to upgrade and I don't want to mess them up with this kind of issue.

MSE Adrian M.

Reza Sharifi
Hall of Fame

Hi,

Appears to be a bug in the version you are running.

If you can't access it via telnet or SSH, try accessing the switch via console. Hopefully, the console port is not part of your TACACS+ config.

HTH

Tyson Joachims
Spotlight

How big a jump you made in software versions during your upgrade can have an impact on the AAA commands. The syntax has changed over time and the upgrade may have discarded some of those older commands.

To be clear, you were running TACACS+ but since the upgrade, you can no longer access the switch with either TACACS+ or the local user accounts? If so, you may need to factory default the switch and manually enter the config from the last backup of that switch.

Hi Tyson, thanks for your reply. I have been using the same image for 3 other switches, but those switches were configured after the upgrade. One weird thing I noticed is that when I set up TACACS+, those switches won't work with aaa new-model.

On this particular last switch TACACS was working, and I'm going to factory reset it. My question here is:

Is it recommended to keep the latest IOS upgrade, or should I downgrade to another version? Also, this is the TACACS config I am using; can you tell me if some commands changed for the new version:

config term
ip tacacs source-interface Vlan99
tacacs-server directed-request
aaa new-model
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
 server-private 172.22.0.245 key "privatekey"
 exit
aaa authentication login default local
aaa authentication login WanAdmin group radius local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization network default group ALG_TACACS
aaa authorization configuration default group ALG_TACACS+
aaa accounting exec default
 action-type start-stop
 group ALG_TACACS
aaa accounting commands 15 default
 action-type start-stop
 group ALG_TACACS
aaa accounting network default
 action-type start-stop
 group ALG_TACACS
aaa accounting connection default
 action-type start-stop
 group ALG_TACACS
aaa accounting system default
 action-type start-stop
 group ALG_TACACS
aaa session-id common
line vty 0 15
 login authentication Cisco_Admins
 exit

Thanks

MSE Adrian M.
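
An added example, not part of any post in this thread: a Python check that can be run over a saved running-config before and after an upgrade, flagging AAA method lists that reference a server group with no matching "aaa group server" definition or that have no method usable when the servers are unreachable. The sample lines are copied from the configuration posted above; the function name `audit_aaa` and the two checks are this example's own assumptions about what is worth verifying.

```python
import re

# Constructed sample: AAA lines copied from the configuration posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ ALG_TACACS
 server-private 172.22.0.152 key "privatekey"
aaa authentication login default local
aaa authentication login Cisco_Admins group ALG_TACACS local
aaa authentication enable default group ALG_TACACS enable
aaa authentication ppp default group ALG_TACACS
aaa authorization exec default group ALG_TACACS if-authenticated
aaa authorization configuration default group ALG_TACACS+
"""

# Group names IOS accepts without an "aaa group server" definition.
BUILTIN_GROUPS = {"radius", "tacacs+"}


def audit_aaa(config):
    """Return (method list, issue) pairs for AAA lines that can lock an admin out."""
    defined = set(re.findall(r"^aaa group server \S+ (\S+)", config, re.M))
    findings = []
    for raw in config.splitlines():
        m = re.match(r"aaa (authentication|authorization) (\S+) (\S+) (.+)", raw.strip())
        if not m:
            continue
        name = " ".join(m.group(1, 2, 3))
        tokens = m.group(4).split()
        # A token following the keyword "group" is a server-group name.
        groups = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t == "group"]
        # Everything else (local, enable, if-authenticated, none) needs no server.
        fallbacks = [t for i, t in enumerate(tokens)
                     if t != "group" and (i == 0 or tokens[i - 1] != "group")]
        for g in groups:
            if g not in defined and g not in BUILTIN_GROUPS:
                findings.append((name, f"undefined server group {g}"))
        if groups and not fallbacks:
            findings.append((name, "no fallback method if servers are unreachable"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_aaa(SAMPLE_CONFIG):
        print(f"{name}: {issue}")
```
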

-You can't configure TACACS+ on the 3 other switches after issuing the command "aaa new-model"?

-I go with whatever the gold star version is for a Cisco device. Currently on software.cisco.com, it is 15.2.7E3(MD) for that model of switch

-Your configuration looks correct

Yes, I can configure TACACS+, but it seems the switch can reach the server to authenticate users on the other 3 switches; I am using local users.

This is the version I got from the Cisco website: Catalyst 2960X-24PS-L Switch Release 15.2.7E3 MD

Going to try with 2 versions behind.

Thanks

MSE Adrian M.

So TACACS+ is broken on the other 3 switches. Any chance that you have a configuration backup prior to the upgrade for any of those switches? Could you post that here along with the current running configuration so we can look at the pre- vs post- upgrade changes to the config?

Hello Tyson, the other 3 were wiped because they had been used in another office and were reused here. I'm going to set up TACACS again and let you know what's going on. For the moment I'm leaving them with local accounts, as the switches are working well and the office is growing, so TACACS is the last priority.

Thanks

MSE Adrian M.

Hello

If it's applicable, have you tried disconnecting the upgraded switch from the network and trying to access the switch when it's not trying to reach the TACACS server?

If you can gain access, cross check the config you have at present to the one pre-upgrade.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, I tried to console into the switch but no luck; in fact, I got weird characters and I am unable to do anything. See image attached.

sw15.JPG

MSE Adrian M.

Solved: changed the baud rate to 115200 and reconfigured. Thanks

MSE Adrian M.