server either belongs to a group in use or default group - Tacacs

RichardD2
Level 1

I need to remove one of the tacacs-server hosts from our devices but am getting the above error when I try.

Current config:

aaa group server tacacs+ test
  server 1.1.1.1
  server 1.1.1.2
aaa authentication login default group test
aaa authentication login console local
aaa authorization commands default group test

Desired config:

as above, but replace server 1.1.1.2 with 1.1.1.3

Steps to reproduce error:

host# conf t
host(config)# aaa group server tacacs+ test
host(config-tacacs+)# no tacacs-server host 1.1.1.2  {I have also tried with no server 1.1.1.2}
server either belongs to group in use or default group
configuration for 1.1.1.2 could not be removed

Is there a way to get around this or is the only choice to remove AAA (which I'd rather not do and risk getting locked out)?

Thanks in advance. This is on a Nexus 5500 series; I have several devices which could be running 5.*, 6.* or 7.*

Accepted Solutions

Mike.Cifelli
VIP Alumni
To avoid risk of being locked out, change your exec-timeout on VTY lines to 0. Remove AAA statement, update server as desired, re-add AAA statement, change back exec-timeout.

hslai
Cisco Employee

I agreed with what Mike.Cifelli said. This looks similar to "Solved: Cannot remove radius server from Nexus - Cisco Community".
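
A pre-change check for the accepted solution, as an added example that is not part of the original thread: it reads a saved running-config, finds the AAA method lists that reference any group containing the server, and returns the commands in the remove, swap, re-add order the answer describes. The function names and the sample input (the config from the question) are constructed here; the exec-timeout change on the VTY lines still wraps these commands, and the replacement host is assumed to be defined on the device already.

```python
# Constructed sample input: the configuration posted in the question.
SAMPLE_CONFIG = """\
aaa group server tacacs+ test
  server 1.1.1.1
  server 1.1.1.2
aaa authentication login default group test
aaa authentication login console local
aaa authorization commands default group test
"""

def groups_containing(config, server):
    """Return (name, header line) for each server group that lists `server`."""
    found, current = [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue  # ignore blank lines inside or between blocks
        if tok[:3] == ["aaa", "group", "server"] and len(tok) == 5:
            current = (tok[4], " ".join(tok))
        elif current and line[:1].isspace():
            if tok == ["server", server] and current not in found:
                found.append(current)
        else:
            current = None  # back at top level, the group block has ended
    return found

def dependent_aaa_lines(config, group):
    """Return the AAA method-list lines whose group list names `group`."""
    deps = []
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) > 1 and tok[0] == "aaa"
                and tok[1] in ("authentication", "authorization", "accounting")
                and "group" in tok and group in tok[tok.index("group") + 1:]):
            deps.append(" ".join(tok))
    return deps

def change_plan(config, old, new):
    """Ordered commands: drop dependents, swap the server, re-add dependents."""
    plan = []
    for name, header in groups_containing(config, old):
        deps = dependent_aaa_lines(config, name)
        plan += ["no " + d for d in deps]
        plan += [header, "  no server " + old, "  server " + new]
        plan += deps  # restore the method lists exactly as they were
    return plan

if __name__ == "__main__":
    print("\n".join(change_plan(SAMPLE_CONFIG, "1.1.1.2", "1.1.1.3")))
```

An empty plan means no server group in the saved config lists that address, so there are no method lists to remove first.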
