Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ACS 3.3 to 4.2 Upgrade and TACACS+

Unanswered Question
Oct 20th, 2008
User Badges:

Hi All

We have ACS 3.3 and planned to upgrade to 4.2 - however when we installed 4.2 on our test system we found that an extra field was required in the TACACS set up for switches - within Network Configuration -> Network Device Groups -> AAA setup, there is a shared secret.

None of our (1500+) switches have had a share secret on them before for TACACS, so my question is what is the best approach to upgrade to 4.2.

If we install 4.2 first then we lose TACACS to all the switches until we have added a shared secret to the switches. If we add the shared secret TACACS+ fails.

We have Cisco LMS - so if we need to add the shared ket to the switches then we can do it via LMS - but we cannot afford to lose access to the switches as these are used 24 x 7.

BTW in case you are wondering about the number of switches - we are a retail company with 153 stores across the UK and each store has a minimum of three switches.....

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jagdeep Gambhir Mon, 10/20/2008 - 08:39
User Badges:
  • Red, 2250 points or more

Well there is no change in acs 4.2 with regards to shared secret key.

It seems that you do not have shared key defined currently in acs 3.3 for switches ?



Paul Williams Mon, 10/20/2008 - 23:48
User Badges:

Well thats the difference - in 3.3 the "key" there was the option to leave the key blank - which we did; however in 4.2 it insists on having a shared secret.

Now since we have not configured any of the switches with a shared secret it seems that we cannot move forward and upgrade to 4.2 - not without losing access to the switches via TACACS.

jasonmcl Fri, 10/24/2008 - 10:25
User Badges:


You can have multiple tacac-servers... If possible you can stand up a new install of the 4.2 rather then upgrading your existing single server. Use LMS to add the second sever to all your switch configs. once they are all populated and configured with keys. then use LMS to strip the old tacacs out of the configs. This way you dont lose connectivity while performing your upgrade.


This Discussion