
12.2(15)JA tacacs-server host entries disappear

gwcrook
Level 1

We script our AP1200s which have been converted from VxWorks to IOS. The tacacs-server host X.X.X.X key xxxxxxxxxx entries (we use multiple tacacs servers) are in the config.txt file, startup config and running config file. The AP performs tacacs author/authen without a problem once they are configured with the script.

The strange part -- If the BVI1 interface receives a DHCP address and it is a new AP, upon reload the tacacs-server host entries are deleted from all of the configuration files and the AP cannot perform authentication. If the AP has been operating on the network and we do an IOS upgrade, the tacacs-server entries are not deleted. During the reload process a message to the effect that the tacacs server X.X.X.X could not be found is displayed for each tacacs-server entry.

I will have to perform some more tests but I believe the AP deletes all tacacs-server host entries if the assigned IP changes.

Any comments/suggestions/experiences would be appreciated because I have been unable to get XR2 to issue client DHCP addresses so I am forced to stay on JA.


umedryk
Level 5

Probably, you need to change the severity to get the error in your syslog server.

gwcrook
Level 1

Thank you for the suggestion.

We have located the problem.

Hard code the IP address on the BVI1 interface. During the startup phase the AP tries to connect to the tacacs server before the IP configuration is complete.

Hard coding the IP address is the only workaround I have found.

It looks like a bug to me. Please open a TAC SR and ask the TAC engineer to open a bug.

Hi all,

I have witnessed the same issue with tacacs on AP upgrades and reboots and have been given the same response from the TAC to hard-code the BVI. It does not seem adequate in my opinion. If it's an option it should be compatible with all IP service requirements. As long as you have a fallback to access the AP (i.e. a line password) you can simply re-issue the tacacs commands to restore the authentication function. I believe it has been more stable on 12.2(13)JA4 and 12.2(15)XR2.
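An added example, not part of the thread or from any poster: a Python check over saved AP configurations that flags the condition discussed above, so APs that have silently dropped to fallback authentication are noticed. The sample configs are constructed, and the `aaa authentication login default group tacacs+ local` line is an assumption, since the thread does not show the APs' AAA commands.

```python
import re

# Constructed sample configs (not from the thread). The aaa lines are assumed.
HEALTHY = """\
aaa new-model
aaa authentication login default group tacacs+ local
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
tacacs-server host 198.51.100.5 key EXAMPLEKEY
tacacs-server host 198.51.100.6 key EXAMPLEKEY
"""

# Constructed: the state after a reload that removed the host entries.
STRIPPED = """\
aaa new-model
aaa authentication login default group tacacs+ local
interface BVI1
 ip address dhcp
!
"""

def interface_block(config, name):
    """Return the indented sub-commands under 'interface <name>'."""
    lines, inside = [], False
    for line in config.splitlines():
        if re.match(r"^interface\s+%s\s*$" % re.escape(name), line, re.I):
            inside = True
        elif inside and line.startswith(" "):
            lines.append(line.strip())
        elif inside:
            break
    return lines

def audit(config):
    """Return a list of findings for one AP configuration."""
    findings = []
    hosts = re.findall(r"^tacacs-server host (\S+)", config, re.M)
    uses_tacacs = bool(re.search(r"^aaa \S+ .*group tacacs\+", config, re.M))
    bvi_dhcp = "ip address dhcp" in interface_block(config, "BVI1")
    if uses_tacacs and not hosts:
        findings.append("AAA references tacacs+ but no tacacs-server host entries remain")
    if bvi_dhcp and hosts:
        findings.append("BVI1 uses DHCP; the thread reports host entries lost on reload")
    return findings

if __name__ == "__main__":
    for label, cfg in (("healthy", HEALTHY), ("stripped", STRIPPED)):
        print(label, audit(cfg))
```

Run it against configs collected after each reload or upgrade; an empty list means neither condition was found.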
