Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4017
Views
6
Helpful
7
Replies

"Address not yet configured" when adding tacacs server address

Go to solution
jbulloch
Level 1
Level 1

‎01-19-2023 11:01 AM

Good morning/evening,

 

Recently i encountered a device where someone had incorrectly entered the IP addresses of our tacacs servers. The group (aaa group server tacacs+) and the AAA configuration names matched fine, however the IP addresses under each server name in the group were incorrect. I attempted to remove them and readd them, but received the following:

(config)#tacacs server ISE1
(config-server-tacacs)#address ipv4 x.x.x.x
(config-server-tacacs)#key  7 <key>
(config-server-tacacs)# single-connection
(config-server-tacacs)#exit
Warning: Address not yet configured.

Removing the group did not result in any further action. I've also tried tacacs-server, (config)#tacacs-server host x.x.x.x along with the key but afterwards, key is shown in running config but no address. 

Has anyone else encountered this and may have some advice? Thank you. 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jbulloch
Level 1
Level 1

‎01-24-2023 10:57 AM

Resolved issue.

Despite coworker being determined it was the case, it would appear you cannot have multiple "tacacs server" in multiple server groups with the same ipv4 address. Removing the double dnac group resolved the problem. I would assume you would be able to do this if you wanted for some reason with tacacs-server hosts, but i'am not sure why you would want to if its allows for it there.

 

Thank everyone for thier assistance. 

 

View solution in original post

7 Replies 7

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-19-2023 11:06 AM

what device and IOS running, post the TACACS config here

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-19-2023 11:17 AM

Can you try config another aaa group and use ip address, 

Dont modify old aaa group.

0 Helpful

Go to solution
jbulloch
Level 1
Level 1
In response to MHM Cisco World

‎01-19-2023 11:30 AM

Attempted, resulted in same issue of "Warning: Address not yet configured." 

0 Helpful

Go to solution
jbulloch
Level 1
Level 1

‎01-19-2023 11:24 AM - edited ‎01-19-2023 11:26 AM

Hi BB,

 

The device is a 9300-48U.  Running cat9k_iosxe.17.09.02.SPA.bin. 

 

Config is as follows, IPs and keys masked due to org policy.

 

AAA:

aaa authentication login default local
aaa authentication login VTY_authen group dnac-network-tacacs-group local
aaa authentication login TAC_AUTHEN group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authentication dot1x default group ISE_RADIUS
aaa authorization console
aaa authorization config-commands
aaa authorization exec default local
aaa authorization exec VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization exec TAC_AUTHOR group ISE_TACACS local if-authenticated
aaa authorization commands 15 VTY_author group dnac-network-tacacs-group local if-authenticated
aaa authorization commands 15 TAC_AUTHOR group ISE_TACACS local if-authenticated
aaa authorization network default group ISE_RADIUS
aaa accounting update newinfo
aaa accounting auth-proxy default start-stop group ISE_RADIUS
aaa accounting dot1x default start-stop group ISE_RADIUS
aaa accounting exec default start-stop group dnac-network-tacacs-group
aaa accounting exec TAC_ACCT start-stop broadcast group ISE_TACACS
aaa accounting commands 15 TAC_ACCT start-stop broadcast group ISE_TACACS

----
Groups:
aaa group server tacacs+ dnac-network-tacacs-group
server name dnac-tacacs_x.x.x.x
server name dnac-tacacs_x.x.x.x
!
aaa group server tacacs+ ISE_TACACS
server name ISE-PSN-1
server name ISE-PSN-2
---------------------------------
Servers:

tacacs-server key 7 <key>
tacacs server dnac-tacacs_x.x.x.x
address ipv4 x.x.x.x
key 7 <key>
timeout 10
tacacs server dnac-tacacs_x.x.x.x
address ipv4 x.x.x.x
key 7 <key>
timeout 10
tacacs server ISE-PSN-1
key 7 <key>
single-connection

 

ISE-PSN-1 and ISE-PSN-2 are the two i'am having issues with.

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to jbulloch

‎01-19-2023 12:14 PM

friend I dont totally sure but, you assign IP to server 
and then you use hostname of server under the AAA group server, here the Q, are the new IP is also add to DNS server??

0 Helpful

Go to solution
jbulloch
Level 1
Level 1
In response to MHM Cisco World

‎01-23-2023 09:09 AM

Hi MHM, thanks for your time in attempting to assist me with this issue.

 

This IP is in our DNS/Routing. It's our backend ISE policy nodes.  I've tried removing the group and the server totally, without any change in sucess. I suspected it might be a misconfig in the name/spelling but that does not appear to the case either. Some people have suggested rebuilding the device, but since it's operating fine otherwise that would seem to be a less resort effort.

0 Helpful

Go to solution
jbulloch
Level 1
Level 1

‎01-24-2023 10:57 AM

Resolved issue.

Despite coworker being determined it was the case, it would appear you cannot have multiple "tacacs server" in multiple server groups with the same ipv4 address. Removing the double dnac group resolved the problem. I would assume you would be able to do this if you wanted for some reason with tacacs-server hosts, but i'am not sure why you would want to if its allows for it there.

 

Thank everyone for thier assistance. 

 

Customers Also Viewed These Support Documents