Delete old XML object no longer accessible in the GUI

vv0bbLeS
Level 1

Hello all,

I'm running Cisco ACI 5.2(5c) and I have some Security errors about an old TACACS+ server that we renamed, so I figured no big deal and I will just go delete that old TACACS+ provider and create a new one. However, when I go to delete the TACACS+ provider (server) under Admin > AAA > Authentication > TACACS, I get the error message:

Cannot delete provider since it is being referenced by Login Domain PROD-TACACS-GROUP

However, looking at my Login Domains under Admin > AAA > Authentication > AAA > Policy, the only Login Domain I have is the local fallback domain.

If I dump the XML config for my ACI with showconfig xml on my APIC, I can see a few references to that PROD-TACACS-GROUP as being a TACACS Provider Group, which apparently was a thing in ACI version 4 but is not anymore.

So, to get rid of these Security errors in my ACI, I'm wondering if there is a safe way to either:

  1. Delete the bad server (BADSERVER) from this now "hidden" PROD-TACACS-GROUP object via a REST API call (i.e., set "status" on that object to "delete"?).
  2. Delete this entire PROD-TACACS-GROUP object from my XML config? The only thing that makes me hesitate is that the PROD-TACACS-GROUP object is also referenced in a defaultauth realm.

Brief XML config for reference:

<polUni rn="uni" status="" userdom="all">
  ...
  <aaaUserEp rn="userext" status="" pwdStrengthCheck="yes" userdom="all">
    <aaaTacacsPlusProviderGroup name="PROD-LOGIN-DOMAIN" rn="tacacsplusprovidergroup-PROD-TACACS-GROUP" status="" userdom="all">
      <aaaProviderRef name="GOODSERVER1.contoso.net" rn="providerref-GOODSERVER1.contoso.net" status="" order="4" userdom="all">
      </aaaProviderRef>
      <aaaProviderRef name="BADSERVER.contoso.net" rn="providerref-BADSERVER.contoso.net" status="" order="5" userdom="all">
      </aaaProviderRef>
      <aaaProviderRef name="GOODSERVER2.contoso.net" rn="providerref-GOODSERVER2.contoso.net" status="" order="6" userdom="all">
      </aaaProviderRef>
    </aaaTacacsPlusProviderGroup>
    ...
    <aaaAuthRealm rn="authrealm" status="" defRolePolicy="no-login" userdom="all">
      <aaaDefaultAuth rn="defaultauth" status="" fallbackCheck="false" providerGroup="PROD-TACACS-GROUP" realm="tacacs" realmSubType="default" userdom="all">
      </aaaDefaultAuth>
      <aaaConsoleAuth rn="consoleauth" status="" realm="local" realmSubType="default" userdom="all">
      </aaaConsoleAuth>
    </aaaAuthRealm>
    ...
  </aaaUserEp>
  ...
</polUni>

1 Reply

ecsnnsls
Level 1

Hi @vv0bbLeS ,

I think you can use method #1 to delete the BADSERVER provider using a REST call, or if you want to use method #2 you can use the fallback domain as a backup in case you get locked out.
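As an added example of method #1 (this is not code from the post, the reply, or Cisco), the script below works from the showconfig xml dump rather than the GUI: it rebuilds the DN of every aaaProviderRef for BADSERVER by joining the rn attributes from polUni downward, lists which objects still carry a providerGroup pointing at PROD-TACACS-GROUP (which is why deleting the whole group is the riskier option), and builds the deletion body. The APIC expects status="deleted" on the object, not "delete". The sample config is a constructed, abridged copy of the dump shown in the post; the APIC hostname apic1.contoso.net and the admin credentials in the commented-out live section are hypothetical. Only the single aaaProviderRef is removed; the group and the aaaDefaultAuth that references it are left untouched.

```python
"""Locate and delete a single aaaProviderRef on an APIC via the REST API."""
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: an abridged copy of the showconfig xml dump shown in the
# post above (elided "..." sections dropped), used here as offline test input.
SAMPLE_CONFIG = """<polUni rn="uni" status="" userdom="all">
  <aaaUserEp rn="userext" status="" pwdStrengthCheck="yes" userdom="all">
    <aaaTacacsPlusProviderGroup name="PROD-LOGIN-DOMAIN" rn="tacacsplusprovidergroup-PROD-TACACS-GROUP" status="" userdom="all">
      <aaaProviderRef name="GOODSERVER1.contoso.net" rn="providerref-GOODSERVER1.contoso.net" status="" order="4" userdom="all"/>
      <aaaProviderRef name="BADSERVER.contoso.net" rn="providerref-BADSERVER.contoso.net" status="" order="5" userdom="all"/>
      <aaaProviderRef name="GOODSERVER2.contoso.net" rn="providerref-GOODSERVER2.contoso.net" status="" order="6" userdom="all"/>
    </aaaTacacsPlusProviderGroup>
    <aaaAuthRealm rn="authrealm" status="" defRolePolicy="no-login" userdom="all">
      <aaaDefaultAuth rn="defaultauth" status="" fallbackCheck="false" providerGroup="PROD-TACACS-GROUP" realm="tacacs" realmSubType="default" userdom="all"/>
      <aaaConsoleAuth rn="consoleauth" status="" realm="local" realmSubType="default" userdom="all"/>
    </aaaAuthRealm>
  </aaaUserEp>
</polUni>"""


def _walk(elem, parent_dn, visit):
    """Depth-first walk that rebuilds each object's DN by joining the rn
    attributes from the root (polUni rn="uni") downward."""
    rn = elem.get("rn")
    if parent_dn is None:
        dn = rn
    elif rn:
        dn = f"{parent_dn}/{rn}"
    else:
        dn = parent_dn
    visit(elem, dn)
    for child in elem:
        _walk(child, dn, visit)


def find_provider_refs(config_xml, server_name):
    """Return the DN of every aaaProviderRef whose name is server_name,
    including refs inside provider groups the GUI no longer shows."""
    hits = []

    def visit(elem, dn):
        if elem.tag == "aaaProviderRef" and elem.get("name") == server_name:
            hits.append(dn)

    _walk(ET.fromstring(config_xml), None, visit)
    return hits


def realms_referencing_group(config_xml, group_name):
    """Return the class of every object whose providerGroup attribute points
    at group_name (e.g. aaaDefaultAuth). A non-empty result means deleting
    the whole group would leave that realm pointing at nothing."""
    root = ET.fromstring(config_xml)
    return [e.tag for e in root.iter() if e.get("providerGroup") == group_name]


def delete_payload(class_name, dn):
    """XML body that deletes one managed object; the APIC status value for
    deletion is "deleted"."""
    return f'<{class_name} dn="{dn}" status="deleted"/>'


def apic_login(apic, user, pwd, ctx):
    """POST aaaLogin.json and return the Cookie header carrying the token."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(
        f"https://{apic}/api/aaaLogin.json", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return {"Cookie": f"APIC-cookie={token}"}


def delete_mo(apic, class_name, dn, cookie, ctx):
    """POST the deletion to /api/mo/<dn>.xml; returns the HTTP status code."""
    req = urllib.request.Request(
        f"https://{apic}/api/mo/{dn}.xml",
        data=delete_payload(class_name, dn).encode(),
        headers={**cookie, "Content-Type": "application/xml"}, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline part: work out exactly what to delete from the config dump.
    target = "BADSERVER.contoso.net"
    refs = find_provider_refs(SAMPLE_CONFIG, target)
    print("provider refs to delete:", refs)
    print("objects still using PROD-TACACS-GROUP:",
          realms_referencing_group(SAMPLE_CONFIG, "PROD-TACACS-GROUP"))
    for dn in refs:
        print(delete_payload("aaaProviderRef", dn))
    # Live part, not run here. Hypothetical APIC host and credentials; the TLS
    # context should trust the APIC's certificate rather than skip verification.
    # ctx = ssl.create_default_context()
    # cookie = apic_login("apic1.contoso.net", "admin", "password", ctx)
    # for dn in refs:
    #     delete_mo("apic1.contoso.net", "aaaProviderRef", dn, cookie, ctx)
```

Before and after the POST, a GET on the same https://apic/api/mo/<dn>.xml URL with the login cookie shows whether the object still exists, so the result can be confirmed without the GUI. Because only the providerref child is deleted, the aaaDefaultAuth realm keeps its providerGroup and the remaining GOODSERVER refs keep serving logins, which is the reason the reply's fallback-domain precaution matters for method #2 but not for this one.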
