Firmware 184.108.40.206 breaks aaa authorization for TACACS
I have recently upgraded from 220.127.116.11 to version 18.104.22.168 on several of my SG300-28P switches. I am using TACACS authentication. My account is part of the "admins" group, which has been set to "priv-lvl = 15" (inside the tac_plus.conf configuration). This means that before the upgrade I got privilege level 15 access immediately (shell prompt ending with the "#" sign) without needing to use "enable". But after the upgrade to 22.214.171.124 I have lost the authorization function, and the login behavior looks as follows:
$ ssh dist-sw
Password: ss Verification
Password: ss Verification
(Note: I have to enter the password only once, when requested on the second line above. The rest of the username/password requests were just displayed automatically, up to the "dist-sw>" line, without any interaction from me.)
Yes, I read the release notes, and they mention new functionality:
AAA authentication – Added a control for authorization so the user can decide whether to do authentication-only or authentication + authorization. When upgrading from previous versions, the default becomes authentication-only.
So I have added a new command to the switch configuration: "aaa authentication enable authorization default tacacs enable", which should enable authorization over the same channel as authentication (i.e. using TACACS). But it is not working either, and I have to use the "enable" command in order to get privilege level 15 access.
With RADIUS authentication the behavior is different (better from the user's point of view), but it does not seem to work correctly either: no matter whether I apply the "aaa authentication enable authorization default radius enable" command or not, I get privilege level 15 access immediately (RADIUS is sending Cisco-AVPair = "shell:priv-lvl=15" within the access-accept response).
Does anyone have TACACS AAA authorization working on 126.96.36.199? Or are you observing the same behavior? To me it looks like a bug.
...then authorization finally started to work for me. No need to reload the device. To me it looked as if the first time, the command "aaa authentication enable authorization default tacacs enable" was not applied to the environment.