https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/44892#M3262 <P>I upgraded my switch from firmware 08.0.90d to the 09.0.xx series and the aaa commands have changed quite a bit. Now my regular user can log in but&nbsp; can't get to the privileged mode (enable mode), I must use the local root/super account.</P><P>What I had before the upgrade:</P><PRE>aaa authentication login default local tacacs+ enable<BR />aaa authentication login privilege-mode<BR />aaa authorization exec default tacacs+<BR />aaa accounting commands 0 default start-stop tacacs+<BR />aaa accounting exec default start-stop tacacs+<BR />aaa accounting system default start-stop tacacs+<BR />enable aaa console<BR />tacacs-server host 192.168.33.253<BR />tacacs-server key 2 [redacted password hash]</PRE><P>And after after the upgrade:</P><PRE>aaa authentication login default local tacacs+<BR />aaa authentication enable default tacacs+ local<BR />aaa authorization exec default tacacs+<BR />aaa accounting commands 0 default start-stop tacacs+<BR />aaa accounting exec default start-stop tacacs+<BR />aaa accounting system default start-stop tacacs+<BR />tacacs-server host 192.168.33.253<BR />tacacs-server key 2 [redacted password hash]</PRE><P>What am I doing wrong?</P> Tue, 24 May 2022 01:36:13 GMT blanalex 2022-05-24T01:36:13Z https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/44892#M3262 <P>I upgraded my switch from firmware 08.0.90d to the 09.0.xx series and the aaa commands have changed quite a bit. Now my regular user can log in but&nbsp; can't get to the privileged mode (enable mode), I must use the local root/super account.</P><P>What I had before the upgrade:</P><PRE>aaa authentication login default local tacacs+ enable<BR />aaa authentication login privilege-mode<BR />aaa authorization exec default tacacs+<BR />aaa accounting commands 0 default start-stop tacacs+<BR />aaa accounting exec default start-stop tacacs+<BR />aaa accounting system default start-stop tacacs+<BR />enable aaa console<BR />tacacs-server host 192.168.33.253<BR />tacacs-server key 2 [redacted password hash]</PRE><P>And after after the upgrade:</P><PRE>aaa authentication login default local tacacs+<BR />aaa authentication enable default tacacs+ local<BR />aaa authorization exec default tacacs+<BR />aaa accounting commands 0 default start-stop tacacs+<BR />aaa accounting exec default start-stop tacacs+<BR />aaa accounting system default start-stop tacacs+<BR />tacacs-server host 192.168.33.253<BR />tacacs-server key 2 [redacted password hash]</PRE><P>What am I doing wrong?</P> Tue, 24 May 2022 01:36:13 GMT https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/44892#M3262 blanalex 2022-05-24T01:36:13Z https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/45530#M3319 <P>Hey&nbsp;<a href="https://community.ruckuswireless.com/t5/user/viewprofilepage/user-id/61">@blanalex</a>&nbsp;</P> <P>I know this is quite old, but did you get this figured out? 8x and 9x code have some major differences. Many commands were changed or deprecated (see release notes). It looks like 'enable' would auth against the following line in your 9x config:</P> <PRE>aaa authentication enable default tacacs+ local</PRE> <P>You could remove it to confirm and then rebuild the configuration as needed.&nbsp;</P> <P>&nbsp;</P> Fri, 08 Jul 2022 17:44:14 GMT https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/45530#M3319 BenBeck 2022-07-08T17:44:14Z https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/46086#M3392 <P>I tried and it worked... sort of. Now anybody can do ENABLE and it won't ask for authentication.</P> Fri, 19 Aug 2022 21:02:53 GMT https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/46086#M3392 blanalex 2022-08-19T21:02:53Z https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/46087#M3393 <P>Right. There are many, many ways to secure our switches. Our security guide covers these in details, but it can be a bit overwhelming. I would advise working with your account team to devise what it best for you or open support case (see my signature) and we can try to point you in the right direction.&nbsp;</P> Fri, 19 Aug 2022 21:05:52 GMT https://community.ruckuswireless.com/t5/ICX-Switches/TACACS-authorization-with-firmware-9-0-xx/m-p/46087#M3393 BenBeck 2022-08-19T21:05:52Z