11-12-2007 04:11 AM - edited 03-05-2019 07:22 PM
Hi,
I have a 3550 running 12.2(40)SE. If I configure "aaa group server tacacs test" and add a server, it is removed after a reload. It's OK with RADIUS.
It's OK running 12.2.(25)SEE4.
Anyone seen this issue and why?
Thanks.
Gary
11-16-2007 10:19 AM
Make sure you save the running-config to startup-config, before reloading the switch. After reloading check if the commands are present in the startup-config. If they are present, then the new IOS release may not be compatible with the AAA commands. Verify if there is any change in syntax for the command in the new release.
11-18-2007 12:16 PM
Thanks.
What I have done recently is to erase the config and reload the box, add a basic IP address and TFTP the config back. I now get the errors below. I am guessing that the tacacs-server commands, being lower down in the configuration, are being parsed later than the server group commands. The tacacs-server commands are required before adding servers into the server group.
I will also check the startup config as well; however, you can add the commands, and in RADIUS config as well, which works.
Thanks.
00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.
00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.
00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.
00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.
11-19-2007 04:34 AM
Yes, you get that message if you define the group first, before the servers are added in global config. It is the same for RADIUS. It is a bit odd, as in the configuration file (or show run) the server groups appear before the individual servers, which are towards the end.
I have 12.2(40)SE on a 3550 but I only have some RADIUS servers defined. I'll add some TACACS+ servers and reload it and see what happens...
EDIT: I have just tried this and you are correct.... The servers in the group are removed following a reboot. They do remain in global configuration though.
I added:
tacacs-server host 10.1.1.1 key cisco
aaa group server tacacs+ TACACS-Servers
 server 10.1.1.1
I then saved the config and rebooted and only this was left:
tacacs-server host 10.1.1.1 key cisco
aaa group server tacacs+ TACACS-Servers
I think this is probably a bug. Raise a TAC case.
Andy
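A check for the post-reload symptom reproduced above, as an added example that is not part of the original thread or any Cisco tooling: it scans a saved IOS config for AAA server groups left with no `server` lines, and for group members that have no matching global `tacacs-server host` / `radius-server host` definition (the condition behind the %AAAA-4-NOSERVER warning). The sample config, the function name `audit_aaa_groups` and the group names other than TACACS-Servers are constructed for illustration.

```python
import re

# Constructed sample: the post-reload state described in the thread, plus a
# hypothetical group (LAB) whose member has no global host definition.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TACACS-Servers
!
aaa group server radius RADIUS-Servers
 server 10.2.2.2 auth-port 1812 acct-port 1813
!
aaa group server tacacs+ LAB
 server 10.9.9.9
!
radius-server host 10.2.2.2 auth-port 1812 acct-port 1813 key cisco
tacacs-server host 10.1.1.1 key cisco
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+|radius) (\S+)")
HOST_RE = re.compile(r"^(tacacs|radius)-server host (\S+)")
MEMBER_RE = re.compile(r"^\s+server (\S+)")

def audit_aaa_groups(config_text):
    """Return (empty_groups, undefined_members) found in an IOS config."""
    defined = {"tacacs+": set(), "radius": set()}
    groups = {}      # (protocol, group name) -> member addresses
    current = None   # group whose indented sub-commands are being read
    for line in config_text.splitlines():
        if m := GROUP_RE.match(line):
            current = (m.group(1), m.group(2))
            groups[current] = []
        elif current and line.startswith(" "):
            if m := MEMBER_RE.match(line):
                groups[current].append(m.group(1))
        else:
            current = None   # an unindented line ends the group block
            if m := HOST_RE.match(line):
                proto = "tacacs+" if m.group(1) == "tacacs" else "radius"
                defined[proto].add(m.group(2))
    empty = sorted(name for (_, name), members in groups.items() if not members)
    undefined = sorted((name, ip) for (proto, name), members in groups.items()
                       for ip in members if ip not in defined[proto])
    return empty, undefined

if __name__ == "__main__":
    empty, undefined = audit_aaa_groups(SAMPLE_CONFIG)
    print("groups with no servers:", empty)
    print("members without a global host definition:", undefined)
```

Running it against the startup-config before and after a reload shows whether the group members survived, independent of what the running session reports.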
11-19-2007 01:50 PM
Andy,
I have a TAC case open, but it's being handled with Cisco's lightning speed I have come to loathe.
Regarding the same upgrade, I am getting info on failing to fall back to enable password if connectivity to TACACS servers is lost.
Will keep you posted.
Thanks.
Gary.