Cisco Privileged EXEC Mode – Access Issues After Upgrade

Tags: aaa, cisco, tacacs

I hope you are well.

I did the upgrade of an SF300-48P to the latest version, 1.4.0.88, using my TACACS account. After that I could SSH to the switch, but it wouldn't allow me to access Privileged EXEC mode – "wrong password". Surprisingly, I can access the switch via HTTP and make/save changes (using the same TACACS account). Also, I can log in and access Privileged EXEC mode with another account.

This problem repeated on two other switches (both SF300-48P): at first I had access to Privileged EXEC mode, and after the upgrade it stopped working for the account that made the upgrade.

When I check the logs (they are quite limited), I see my account being authorised by the TACACS server (when I SSH), and when I try to enter Privileged EXEC mode it says it has been rejected. On any other switches this account works fine.

Any suggestions as to what might be the cause of this bizarre behaviour?

AAA/TACACS before the change:

aaa authentication enable Console enable
aaa authentication enable SSH tacacs enable
aaa authentication enable Telnet enable
aaa authentication enable default tacacs enable
ip http authentication aaa login-authentication https tacacs local
aaa authentication login Console local
aaa authentication login SSH tacacs local
aaa authentication login Telnet local
aaa authentication login default tacacs local
tacacs-server host x.x.x.x priority 2
tacacs-server host x.x.x.x priority 1
tacacs-server key xyz
tacacs-server timeout 3

After the change:

ip http authentication aaa login-authentication https tacacs local
aaa authentication login SSH tacacs local
aaa authentication enable SSH tacacs enable
aaa authentication login Telnet local
aaa authentication enable Telnet enable
aaa authentication login Console local
aaa authentication enable Console enable
aaa authentication login default tacacs local
aaa authentication enable default tacacs enable
tacacs-server host x.x.x.x priority 2
tacacs-server host x.x.x.x priority 1
encrypted tacacs-server key 123456 (encrypted xyz)
tacacs-server timeout 3

Best Answer

I've recreated my TACACS account with the same settings and it's working now. Strange...
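
The two configuration listings in the question can be compared setting by setting, ignoring line order and spacing. The Python below is an added example, not part of the original thread; the function names `normalize` and `diff_configs` are hypothetical, and treating the clear-text and encrypted `tacacs-server key` lines as the same setting is an assumption.

```python
from collections import Counter

# Both listings are copied from the question; addresses and key were already masked there.
BEFORE = """aaa authentication enable Console enable
aaa authentication enable SSH tacacs enable
aaa authentication enable Telnet enable
aaa authentication enable default tacacs enable
ip http authentication aaa login-authentication https tacacs local
aaa authentication login Console local
aaa authentication login SSH tacacs local
aaa authentication login Telnet local
aaa authentication login default tacacs local
tacacs-server host x.x.x.x    priority 2
tacacs-server host x.x.x.x  priority 1
tacacs-server key xyz
tacacs-server timeout 3"""
AFTER = """ip http authentication aaa login-authentication https tacacs local
aaa authentication login SSH tacacs local
aaa authentication enable SSH tacacs enable
aaa authentication login Telnet local
aaa authentication enable Telnet enable
aaa authentication login Console local
aaa authentication enable Console enable
aaa authentication login default tacacs local
aaa authentication enable default tacacs enable
tacacs-server host x.x.x.x priority 2
tacacs-server host x.x.x.x priority 1
encrypted tacacs-server key 123456 (encrypted xyz)
tacacs-server timeout 3"""

def normalize(config):
    # Reduce a listing to a multiset of settings, ignoring line order and spacing.
    settings = Counter()
    for raw in config.splitlines():
        line = " ".join(raw.split())
        # Assumption: clear and encrypted key lines mean the same; record only that a key is set.
        if line.startswith(("tacacs-server key ", "encrypted tacacs-server key ")):
            line = "tacacs-server key <set>"
        if line:
            settings[line] += 1
    return settings

def diff_configs(before, after):
    # Return (removed, added): settings found only before and only after.
    old, new = normalize(before), normalize(after)
    return sorted((old - new).elements()), sorted((new - old).elements())

if __name__ == "__main__":
    print(diff_configs(BEFORE, AFTER))
```

For the two listings in the question it reports no removed and no added settings: the upgrade reordered the lines and changed how the key is stored, while the AAA method lists on the switch stayed the same.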