
TACACS+ authorization with firmware 9.0.xx

blanalex
New Contributor II

I upgraded my switch from firmware 08.0.90d to the 09.0.xx series and the aaa commands have changed quite a bit. Now my regular user can log in but can't get to the privileged mode (enable mode); I must use the local root/super account.

What I had before the upgrade:

aaa authentication login default local tacacs+ enable
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]

And after the upgrade:

aaa authentication login default local tacacs+
aaa authentication enable default tacacs+ local
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]

What am I doing wrong?

3 REPLIES

BenBeck
Moderator

Hey @blanalex

I know this is quite old, but did you get this figured out? 8x and 9x code have some major differences. Many commands were changed or deprecated (see release notes). It looks like 'enable' would auth against the following line in your 9x config:

aaa authentication enable default tacacs+ local

You could remove it to confirm and then rebuild the configuration as needed.

Ben Beck, RCNA, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us

blanalex
New Contributor II

I tried and it worked... sort of. Now anybody can do ENABLE and it won't ask for authentication.

BenBeck
Moderator

Right. There are many, many ways to secure our switches. Our security guide covers these in detail, but it can be a bit overwhelming. I would advise working with your account team to devise what is best for you, or open a support case (see my signature) and we can try to point you in the right direction.

Ben Beck, RCNA, Principal Technical Support Engineer
support.ruckuswireless.com/contact-us
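An added example, not from the thread and not Ruckus code: a small Python audit that diffs the two AAA snippets posted above (before and after the upgrade) and then checks the 9.x configuration for the state the poster ended up in after following the "remove it to confirm" step, namely a config with no `aaa authentication enable` method list at all. It only understands the line shapes that appear in the thread (`aaa authentication <type> default <methods>`, `tacacs-server host ...`); the two configs are constructed from the post with the key left as the poster's placeholder, and the "no enable method list means unauthenticated enable" rule models the 9.x behaviour the poster reported, so the 8.x snippet is used for the diff only.

```python
# Added example (not from the thread or from Ruckus): audit an ICX-style AAA
# configuration before and after a firmware upgrade. Only the line shapes that
# appear in the thread are interpreted; everything else is passed through.
from __future__ import annotations

# Constructed sample configs, copied from the two snippets in the thread,
# with the TACACS+ key left as the poster's placeholder.
BEFORE_CFG = """
aaa authentication login default local tacacs+ enable
aaa authentication login privilege-mode
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]
"""

AFTER_CFG = """
aaa authentication login default local tacacs+
aaa authentication enable default tacacs+ local
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
tacacs-server host 192.168.33.253
tacacs-server key 2 [redacted password hash]
"""

AAA_PREFIXES = ("aaa ", "enable aaa", "tacacs-server ")


def aaa_lines(cfg: str) -> list[str]:
    """Return the AAA-relevant lines of a config, stripped, in order."""
    return [ln.strip() for ln in cfg.splitlines()
            if ln.strip().startswith(AAA_PREFIXES)]


def config_diff(before: str, after: str) -> tuple[list[str], list[str]]:
    """Lines dropped by the upgrade and lines introduced by it (order kept)."""
    b, a = aaa_lines(before), aaa_lines(after)
    removed = [ln for ln in b if ln not in a]
    added = [ln for ln in a if ln not in b]
    return removed, added


def auth_methods(cfg: str, auth_type: str) -> list[str] | None:
    """Method list of 'aaa authentication <auth_type> default ...', or None
    when no such line exists. Assumption: the 'default' keyword is always
    present, as it is in both snippets from the thread."""
    prefix = f"aaa authentication {auth_type} default "
    for ln in aaa_lines(cfg):
        if ln.startswith(prefix):
            return ln[len(prefix):].split()
    return None


def without_line(cfg: str, line: str) -> str:
    """Config with one exact line dropped (models 'remove it to confirm')."""
    return "\n".join(ln for ln in cfg.splitlines() if ln.strip() != line)


def audit(cfg: str) -> list[str]:
    """Findings a reviewer would want before signing off on a 9.x AAA config."""
    findings: list[str] = []
    lines = aaa_lines(cfg)
    enable = auth_methods(cfg, "enable")
    login = auth_methods(cfg, "login")
    if enable is None:
        # The state the poster hit: enable prompt with no credential check.
        findings.append("HIGH: no 'aaa authentication enable' method list; "
                        "privileged mode is reachable without a credential check")
    if login is None:
        findings.append("HIGH: no 'aaa authentication login' method list")
    elif login[0] == "local":
        findings.append("INFO: login tries 'local' before 'tacacs+'; local account "
                        "passwords must be managed as carefully as central ones")
    refs_tacacs = any("tacacs+" in ln for ln in lines if ln.startswith("aaa "))
    has_host = any(ln.startswith("tacacs-server host") for ln in lines)
    if refs_tacacs and not has_host:
        findings.append("HIGH: tacacs+ referenced but no tacacs-server host configured")
    return findings


if __name__ == "__main__":
    removed, added = config_diff(BEFORE_CFG, AFTER_CFG)
    print("removed by upgrade:", *removed, sep="\n  ")
    print("added by upgrade:", *added, sep="\n  ")
    trimmed = without_line(AFTER_CFG, "aaa authentication enable default tacacs+ local")
    for label, cfg in (("after upgrade", AFTER_CFG), ("enable line removed", trimmed)):
        print(f"{label}: {audit(cfg)}")
```

Running it prints the three 8.x lines the upgrade dropped (`login default ... enable`, `login privilege-mode`, `enable aaa console`) and the two 9.x lines that replaced them, then shows that the posted 9.x config passes the enable check while the same config with the `aaa authentication enable` line removed is flagged HIGH, which is the "anybody can do ENABLE" result reported in the thread. Dropping a method list to see whether it is the one being consulted is a fine diagnostic, but the audit makes the point that the line should be adjusted (for example reordering its methods) rather than left out.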