05-23-2022 06:36 PM
I upgraded my switch from firmware 08.0.90d to the 09.0.xx series and the aaa commands have changed quite a bit. Now my regular user can log in but can't get to the privileged mode (enable mode), I must use the local root/super account.
What I had before the upgrade:
aaa authentication login default local tacacs+ enable
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]
And after the upgrade:
aaa authentication login default local tacacs+
aaa authentication enable default tacacs+ local
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]
What am I doing wrong?
07-08-2022 10:44 AM
Hey @blanalex
I know this is quite old, but did you get this figured out? 8x and 9x code have some major differences. Many commands were changed or deprecated (see release notes). It looks like 'enable' would auth against the following line in your 9x config:
aaa authentication enable default tacacs+ local
You could remove it to confirm and then rebuild the configuration as needed.
08-19-2022 02:02 PM
I tried and it worked... sort of. Now anybody can do ENABLE and it won't ask for authentication.
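An added audit script (my own, not the poster's or the vendor's) that parses the AAA lines from this thread and reports how enable mode is gated in each of the three states discussed: the 8.x config, the 9.x config, and the 9.x config with the enable line removed. It assumes only what the thread states about those lines.

```python
"""Audit FastIron-style AAA lines for how privileged EXEC (enable) is gated.
Added example, not from the thread or the vendor; it assumes the semantics the
thread describes for 'aaa authentication enable default' and 'privilege-mode'."""
import re

# Constructed samples: the poster's 8.x and 9.x AAA lines, and the 9.x
# lines after the enable line is removed as the reply suggested.
CONFIG_8X = """\
aaa authentication login default local tacacs+ enable
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
"""
CONFIG_9X = """\
aaa authentication login default local tacacs+
aaa authentication enable default tacacs+ local
aaa authorization exec default tacacs+
"""
CONFIG_9X_NO_ENABLE = CONFIG_9X.replace(
    "aaa authentication enable default tacacs+ local\n", "")

AAA_RE = re.compile(
    r"^aaa authentication (login|enable) (default|privilege-mode)(?:\s+(.+))?$")

def parse_aaa(config):
    """Collect the login/enable method lists and the privilege-mode flag."""
    aaa = {"login": [], "enable": [], "privilege_mode": False}
    for raw in config.splitlines():
        m = AAA_RE.match(raw.strip())
        if not m:
            continue
        kind, target, methods = m.groups()
        if target == "privilege-mode":
            aaa["privilege_mode"] = True  # login drops straight into enable
        elif methods:
            aaa[kind] = methods.split()  # methods tried in listed order
    return aaa

def enable_gate(config):
    """Return (status, methods): how a logged-in user reaches enable mode."""
    aaa = parse_aaa(config)
    if aaa["privilege_mode"]:
        # 8.x style: no separate enable gate; the login method list decides.
        return "privilege-mode", aaa["login"]
    if not aaa["enable"]:
        # No enable method list: 'enable' is not authenticated at all.
        return "unauthenticated", []
    return "methods", aaa["enable"]
```

Running `enable_gate` over the three samples shows the 9.x config gating enable with tacacs+ then local, and the trimmed config reporting the unauthenticated state the poster observed.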
08-19-2022 02:05 PM
Right. There are many, many ways to secure our switches. Our security guide covers these in detail, but it can be a bit overwhelming. I would advise working with your account team to devise what is best for you, or open a support case (see my signature) and we can try to point you in the right direction.