cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
471
Views
5
Helpful
2
Replies
Highlighted
Beginner

server either belongs to a group in use or default group - Tacacs

I need to remove one of the tacacs-server hosts from our devices but am getting the above error when I try.

 

Current config

 

aaa group server tacacs+ test

  server 1.1.1.1

  server 1.1.1.2

aaa authentication login default group test

aaa authentication login console local

aaa authorization commands default group test

 

Desired config:

as above, but replace server 1.1.1.2 with 1.1.1.3

 

Steps to reproduce error:

host# conf t

host(config)# aaa group server tacacs+ test

host(config-tacacs+)# no tacacs-server host 1.1.1.2  {I have also tried with no server 1.1.1.2} 

server either belongs to group in use or default group
configuration for 1.1.1.2 could not be removed

 

Is there a way to get around this or is the only choice to remove AAA (which I'd rather not do and risk getting locked out)?

thanks in advance. This is on a Nexus 5500 series, I have several devices which could be running 5.*, 6.* or 7.*

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Enthusiast

Re: server either belongs to a group in use or default group - Tacacs

To avoid risk of being locked out change your exec-timeout on VTY lines to 0. Remove AAA statement, update server as desired, re-add AAA statement, change back exec-timeout.
2 REPLIES 2
Enthusiast

Re: server either belongs to a group in use or default group - Tacacs

To avoid risk of being locked out change your exec-timeout on VTY lines to 0. Remove AAA statement, update server as desired, re-add AAA statement, change back exec-timeout.
Cisco Employee

Re: server either belongs to a group in use or default group - Tacacs

I agreed with what Mike.Cifelli said. This looks similar to Solved: Cannot remove radius server from Nexus - Cisco Community