Remove tacacs groups in C9300

Leftz (Level 4)

Folks:

We have the two group commands below. What is the function of the red highlighted commands in the CLI of a C9300 switch? Can we delete them?

In some GUI configurations we can use group ABC as an ISE or TACACS group for backup, but now it's a 9300 switch. Thanks

aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
 
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx

15 Replies

I see one group with two servers, not two groups!!

interfacedy (Spotlight)

What I mean is: can the commands below be deleted from the switch? I think they can be removed so that the servers can be used directly; otherwise the switch uses ABC as the TACACS server.

aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2

@interfacedy do you have an AAA method list referencing the TACACS group ABC that is in use? If not, then you can delete the group.

Run "show aaa" to confirm what method lists have been defined, you may well just be using "default".

There are two group keywords: one to use a group of servers and the other to specify all servers.

Leftz (Level 4)

@Rob Ingram 

You are right, so the commands below should be a set of commands, but no command can be deleted, right?

aaa authentication login default group ABC local

aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx


@Leftz so the TACACS group ABC is in use, which means only those 2 specific TACACS servers in that group will be used for authentication. If you had other TACACS servers they would not be used for authentication.

You could rewrite that aaa authentication rule and use "group tacacs+" instead of "group ABC".

Why do you want to delete the ABC group though?

Leftz (Level 4)

@Rob Ingram I do not want to delete the group; I just need to understand it.

So, if using "aaa authentication login LOGIN local" in config mode and "login authentication LOGIN" under line vty, would the switch use any defined TACACS server? I feel the method list does not associate with any TACACS server.

As you mentioned above, "use "group tacacs+" instead of "group ABC"."

Is there any difference between "group tacacs+" and "group ABC"? If using "group tacacs+", how can it associate with server group ABC? Thanks

Friend, you have for example 4 servers.

You config two in group A and the other two in group B.

If you config group A, then only two servers will be checked.

If you config group tacacs, then all servers will be checked.
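As an added example (not code from this thread or from Cisco), the Python script below parses the `aaa group server tacacs+`, `tacacs server` and `aaa authentication login` lines of an IOS running-config and resolves each login method list to the servers it would try, following the behaviour described in the replies above: "group ABC" tries only that group's members, while "group tacacs+" tries every configured TACACS+ server. It also lists groups that no method list references, which is the check suggested earlier before deleting a group. The sample config is constructed: the third server ise-3, the second group DEF and the CONSOLE method list are assumptions added so that the two forms resolve to visibly different server sets.

```python
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt modelled on the one posted in the thread.
# A third server (ise-3) and a second group (DEF) are assumptions, added so that
# "group tacacs+" and "group ABC" resolve to different server sets.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group ABC local
aaa authentication login ISE-MLIST group tacacs+ local
aaa authentication login CONSOLE local
!
aaa group server tacacs+ ABC
 server name ise-1
 server name ise-2
!
aaa group server tacacs+ DEF
 server name ise-3
!
tacacs server ise-1
 address ipv4 10.1.1.1
 key xxxx
tacacs server ise-2
 address ipv4 10.1.1.2
 key xxxx
tacacs server ise-3
 address ipv4 10.1.1.3
 key xxxx
"""

# "group tacacs+" / "group radius" are IOS built-in groups meaning "every server
# of that protocol"; they never appear as "aaa group server" definitions.
BUILTIN_GROUPS = {"tacacs+", "radius"}


@dataclass
class AaaConfig:
    servers: dict = field(default_factory=dict)       # server name -> ipv4 address
    groups: dict = field(default_factory=dict)        # group name -> [server names]
    method_lists: dict = field(default_factory=dict)  # list name -> method tokens


def parse_config(text):
    """Pull servers, server groups and login method lists out of IOS config text."""
    cfg = AaaConfig()
    block = None  # ("group", name) or ("server", name) while inside a sub-mode
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            block = None
            continue
        if line.startswith(" "):          # sub-mode line of the current block
            sub = line.strip()
            if block and block[0] == "group":
                m = re.match(r"server name (\S+)$", sub)
                if m:
                    cfg.groups[block[1]].append(m.group(1))
            elif block and block[0] == "server":
                m = re.match(r"address ipv4 (\S+)$", sub)
                if m:
                    cfg.servers[block[1]] = m.group(1)
            continue
        block = None                      # a top-level line ends any sub-mode
        if m := re.match(r"aaa group server tacacs\+ (\S+)$", line):
            cfg.groups.setdefault(m.group(1), [])
            block = ("group", m.group(1))
        elif m := re.match(r"tacacs server (\S+)$", line):
            cfg.servers.setdefault(m.group(1), None)
            block = ("server", m.group(1))
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            cfg.method_lists[m.group(1)] = m.group(2).split()
    return cfg


def resolve_methods(cfg, list_name):
    """Ordered (method, servers) steps a login method list would try.

    "group tacacs+" expands to every configured TACACS+ server, "group NAME"
    to that group's members only; other keywords (local, enable, ...) carry
    no servers. This mirrors the behaviour described in the thread.
    """
    steps, tokens, i = [], cfg.method_lists[list_name], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            target = tokens[i + 1]
            if target == "tacacs+":
                steps.append((target, list(cfg.servers)))
            else:
                steps.append((target, list(cfg.groups.get(target, []))))
            i += 2
        else:
            steps.append((tokens[i], []))
            i += 1
    return steps


def referenced_groups(cfg):
    """Named groups that some method list actually uses."""
    return {b for toks in cfg.method_lists.values()
            for a, b in zip(toks, toks[1:]) if a == "group" and b not in BUILTIN_GROUPS}


def unreferenced_groups(cfg):
    """Groups no method list references: the ones that could be removed safely."""
    return sorted(set(cfg.groups) - referenced_groups(cfg))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in cfg.method_lists:
        print(f"{name}:")
        for method, servers in resolve_methods(cfg, name):
            print(f"  {method:<8} {', '.join(servers) or '-'}")
    print("unreferenced groups:", unreferenced_groups(cfg) or "none")
```

Run against the constructed config, "default" resolves to ise-1 and ise-2 only, "ISE-MLIST" to all three servers, "CONSOLE" to local only, and DEF is reported as the one group that could be removed without affecting any method list. Point `parse_config` at the output of `show running-config` to run the same check on a real device.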

@Leftz using "aaa authentication login LOGIN local" would mean you would login using local authentication not TACACS.

LOGIN = the method list name
local = a local user account on the router/switch.

To use TACACS under the vty lines

aaa authentication login ISE-MLIST group ABC local
!
line vty 0 4
 login authentication ISE-MLIST

UPDATE - Sorry, I misunderstood your initial request; I thought you wanted to delete the TACACS group ABC. You can use "group tacacs+" or "group ABC".

Leftz (Level 4)

Yes, I got it. Thanks. The command below can be used to associate with the server group, right?

aaa authentication login default tacacs+ group ABC local

@Leftz that will use TACACS on the default method list, with local authentication if TACACS is down.

 

Leftz (Level 4)

Thanks for your reply. One more question: do we have a command to test or confirm that the configured AAA system works at the switch/router level?

@Leftz well, once you apply it to the VTY line, just open another session to the router/switch and log in to test.

No, you cannot, because you use local username/password.

The SW will try to use the server, fail, and failover to local.

Note: recommended not to use this way for console.
