Tacacs users cannot log into a switch after downgrading to 15.7 or earlier from 16.1 or later

Symptoms
When a TACACS+ shared secret is configured in EXOS 16.1 or later, TACACS+ users can no longer log into the switch after it is downgraded to 15.7 or earlier.
Environment
  • EXOS 15.7 and earlier
Cause
In EXOS 16.1, the encryption of TACACS+ and RADIUS shared secrets was enhanced for stronger obfuscation, because the old encryption was too weak and predictable. EXOS 15.7 and earlier do not support the new encryption. Therefore, shared secrets created with the new encryption in 16.1 will not work after a software downgrade.
# configure tacacs primary shared-secret "test123"
Note: Shared secrets created with EXOS 16.1 and greater are not compatible with EXOS 15.x and earlier.
Resolution
To allow login after downgrading, configure the failsafe account before the downgrade and ensure that an appropriate connection type is enabled.
# configure failsafe-account 
enter failsafe user name: failsafe
enter failsafe password: 
enter password again: 
# configure failsafe-account permit telnet 
# configure failsafe-account permit ssh 
# show failsafe-account 
User-Specified Failsafe Account Username and Password are in effect
for these connection types:
        - Serial Console
        - Control Fabric (inter-node)
        - Mgmt VR Telnet
        - Mgmt VR SSH
        - User VR Telnet
        - User VR SSH

Once the failsafe account has been configured, you can downgrade to 15.7 or earlier and log into the switch with the failsafe account, bypassing TACACS+/RADIUS authentication. After logging in, reconfigure the TACACS+/RADIUS shared secrets.
# configure tacacs primary shared-secret "test123"
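A pre-downgrade check for the procedure above, as an added example that is not part of the original article or Extreme's tooling: it parses captured `show failsafe-account` output and reports which connection types the failsafe account can use. It assumes the output keeps the bulleted shape shown above; the function names are hypothetical.

```python
import re

# Constructed sample: the `show failsafe-account` output shown in this article.
SAMPLE_OUTPUT = """\
User-Specified Failsafe Account Username and Password are in effect
for these connection types:
        - Serial Console
        - Control Fabric (inter-node)
        - Mgmt VR Telnet
        - Mgmt VR SSH
        - User VR Telnet
        - User VR SSH
"""


def parse_connection_types(output):
    """Return the connection types listed as '- <name>' bullets."""
    types = []
    for line in output.splitlines():
        m = re.match(r"\s*-\s+(.+?)\s*$", line)
        if m:
            types.append(m.group(1))
    return types


def downgrade_readiness(output):
    """Summarise whether the failsafe account is reachable after a downgrade."""
    types = parse_connection_types(output)
    user_specified = "User-Specified Failsafe Account" in output
    ssh = [t for t in types if t.endswith("SSH")]
    telnet = [t for t in types if t.endswith("Telnet")]
    return {
        "user_specified": user_specified,  # a custom failsafe account is set
        "remote_ok": bool(ssh or telnet),  # reachable without console access
        "ssh": ssh,
        "telnet": telnet,                  # Telnet carries the password in cleartext
        "console_only": user_specified and not (ssh or telnet),
    }


if __name__ == "__main__":
    for key, value in downgrade_readiness(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

A `console_only` result means the failsafe account exists but needs physical or console-server access after the downgrade.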
Additional notes
You can also use an 'autoexec.xsf' script to have the switch reconfigure the TACACS+ shared secret after downgrading.
# vi autoexec.xsf
configure tacacs primary shared-secret "test123"

Local accounts cannot log into EXOS switch after downgrading from EXOS 16 to an earlier release  
Cannot log into EXOS switch after downgrading from EXOS 16 to an earlier release

 
