Delete old XML object no longer accessible in the GUI
01-17-2023 08:32 AM
Hello all,
I'm running Cisco ACI 5.2(5c) and I have some Security errors about an old TACACS+ server that we renamed, so I figured no big deal and I will just go delete that old TACACS+ provider and create a new one. However, when I go to delete the TACACS+ provider (server) under Admin > AAA > Authentication > TACACS , I get the error message:
Cannot delete provider since it is being referenced by Login Domain PROD-TACACS-GROUP
However, looking at my Login Domains under Admin > AAA > Authentication > AAA > Policy, the only Login Domain I have is the local fallback domain.
If I dump the XML config for my ACI with showconfig xml on my APIC, I can see a few references to that PROD-TACACS-GROUP as being a TACACS Provider Group, which apparently was a thing in ACI version 4, but it is no longer a thing anymore.
So, to get rid of these Security errors in my ACI, I'm wondering if there is a safe way to either:
- Delete the bad server (BADSERVER) from this now "hidden" PROD-TACACS-GROUP object via a REST API call (i.e. set "status" on that object to "delete" ?).
- Delete this entire PROD-TACACS-GROUP object from my XML config? The only thing that makes me hesitate is that that PROD-TACACS-GROUP object is also referenced in a defaultauth realm.
Brief XML config for reference:
<polUni rn="uni" status="" userdom="all">
...
<aaaUserEp rn="userext" status="" pwdStrengthCheck="yes" userdom="all">
<aaaTacacsPlusProviderGroup name="PROD-LOGIN-DOMAIN" rn="tacacsplusprovidergroup-PROD-TACACS-GROUP" status="" userdom="all">
<aaaProviderRef name="GOODSERVER1.contoso.net" rn="providerref-GOODSERVER1.contoso.net" status="" order="4" userdom="all">
</aaaProviderRef>
<aaaProviderRef name="BADSERVER.contoso.net" rn="providerref-BADSERVER.contoso.net" status="" order="5" userdom="all">
</aaaProviderRef>
<aaaProviderRef name="GOODSERVER2.contoso.net" rn="providerref-GOODSERVER2.contoso.net" status="" order="6" userdom="all">
</aaaProviderRef>
</aaaTacacsPlusProviderGroup>
...
<aaaAuthRealm rn="authrealm" status="" defRolePolicy="no-login" userdom="all">
<aaaDefaultAuth rn="defaultauth" status="" fallbackCheck="false" providerGroup="PROD-TACACS-GROUP" realm="tacacs" realmSubType="default" userdom="all">
</aaaDefaultAuth>
<aaaConsoleAuth rn="consoleauth" status="" realm="local" realmSubType="default" userdom="all">
</aaaConsoleAuth>
</aaaAuthRealm>
...
</aaaUserEp>
...
</polUni>
Labels: Cisco ACI
01-17-2023 09:37 PM
Hi @vv0bbLeS ,
I think you can use method #1 to delete the badserver provider using a REST call, or if you want to use method #2 you can use the fallback domain as a backup in case you get locked out.
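The two options in the question (remove one aaaProviderRef via the REST API, or drop the whole provider group) and the reply's preference for method #1 can be worked through against the posted XML before anything is sent to the APIC. The script below is an added example, not code from the original thread or from Cisco. It assumes the standard APIC REST conventions (POST /api/aaaLogin.json for a session token, POST /api/mo/<dn>.xml to modify a managed object, status="deleted" on an object to remove it); the APIC hostname apic.example.net is a placeholder, and SAMPLE_CONFIG is the excerpt from the question with the "..." elisions removed and the empty elements collapsed to self-closing tags. It derives the DN of the stale aaaProviderRef from the rn attributes in the dump, builds the delete payload for it, and lists every object whose providerGroup attribute still points at the group, which is exactly the aaaDefaultAuth reference that makes method #2 risky.

```python
"""Pre-flight check and REST payload builder for removing a stale TACACS+
provider reference from an APIC provider group.

Added example, not code from the original thread or from Cisco. Assumes the
standard APIC REST conventions: POST /api/aaaLogin.json for a session token,
POST /api/mo/<dn>.xml to modify an object, status="deleted" to delete it.
SAMPLE_CONFIG is the XML excerpt from the question with the "..." elisions
removed; "apic.example.net" is a placeholder hostname.
"""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<polUni rn="uni" status="" userdom="all">
<aaaUserEp rn="userext" status="" pwdStrengthCheck="yes" userdom="all">
<aaaTacacsPlusProviderGroup name="PROD-LOGIN-DOMAIN" rn="tacacsplusprovidergroup-PROD-TACACS-GROUP" status="" userdom="all">
<aaaProviderRef name="GOODSERVER1.contoso.net" rn="providerref-GOODSERVER1.contoso.net" status="" order="4" userdom="all"/>
<aaaProviderRef name="BADSERVER.contoso.net" rn="providerref-BADSERVER.contoso.net" status="" order="5" userdom="all"/>
<aaaProviderRef name="GOODSERVER2.contoso.net" rn="providerref-GOODSERVER2.contoso.net" status="" order="6" userdom="all"/>
</aaaTacacsPlusProviderGroup>
<aaaAuthRealm rn="authrealm" status="" defRolePolicy="no-login" userdom="all">
<aaaDefaultAuth rn="defaultauth" status="" fallbackCheck="false" providerGroup="PROD-TACACS-GROUP" realm="tacacs" realmSubType="default" userdom="all"/>
<aaaConsoleAuth rn="consoleauth" status="" realm="local" realmSubType="default" userdom="all"/>
</aaaAuthRealm>
</aaaUserEp>
</polUni>"""


def _walk(el, path=()):
    """Yield (element, ancestor chain ending at element) for every node."""
    path = path + (el,)
    yield el, path
    for child in el:
        yield from _walk(child, path)


def dn_of(path):
    """Join the rn attributes of an ancestor chain into an APIC DN."""
    return "/".join(el.get("rn") for el in path)


def find_provider_refs(xml_text, server_name):
    """DNs of every aaaProviderRef pointing at server_name (the method #1 target)."""
    root = ET.fromstring(xml_text)
    return [dn_of(path) for el, path in _walk(root)
            if el.tag == "aaaProviderRef" and el.get("name") == server_name]


def find_group_consumers(xml_text, group_name):
    """(class, DN) of every object whose providerGroup attribute names group_name.

    Anything listed here is what makes method #2 (deleting the whole group)
    risky: the default auth realm would point at a group that no longer exists.
    """
    root = ET.fromstring(xml_text)
    return [(el.tag, dn_of(path)) for el, path in _walk(root)
            if el.get("providerGroup") == group_name]


def build_delete_request(apic_base, class_name, dn):
    """URL and XML body that mark a single managed object as deleted."""
    url = f"{apic_base}/api/mo/{dn}.xml"
    body = f'<{class_name} dn="{dn}" status="deleted"/>'
    return url, body


def plan_removal(xml_text, server_name, group_name, apic_base):
    """Delete requests for the stale ref, plus what still depends on the group."""
    deletes = [build_delete_request(apic_base, "aaaProviderRef", dn)
               for dn in find_provider_refs(xml_text, server_name)]
    return {"delete_requests": deletes,
            "group_consumers": find_group_consumers(xml_text, group_name)}


def login_request(apic_base, user, pwd):
    """URL and JSON body for the aaaLogin call that yields the session token."""
    url = f"{apic_base}/api/aaaLogin.json"
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}})
    return url, body


def post(url, body, content_type, cookie=None):
    """POST to the APIC and return the response body (not exercised here)."""
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", content_type)
    if cookie:
        req.add_header("Cookie", cookie)
    ctx = ssl.create_default_context()  # certificate verification stays on
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    plan = plan_removal(SAMPLE_CONFIG, "BADSERVER.contoso.net",
                        "PROD-TACACS-GROUP", "https://apic.example.net")
    for url, body in plan["delete_requests"]:
        print("POST", url)
        print("     ", body)
    for cls, dn in plan["group_consumers"]:
        print("group still referenced by", cls, "at", dn)
```

Run against the posted excerpt, the plan contains one delete request for uni/userext/tacacsplusprovidergroup-PROD-TACACS-GROUP/providerref-BADSERVER.contoso.net and one consumer, the aaaDefaultAuth at uni/userext/authrealm/defaultauth, so removing the single reference leaves the login path intact while deleting the group would not. To actually send the request, post the output of login_request with content type application/json, take the token from the aaaLogin attributes in the response, and pass it back as the APIC-cookie cookie on the delete POST; keeping the local fallback domain available, as the reply suggests, is the sensible safety net either way.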
