Deleted tacacs servers after reload

Unanswered Question
Nov 12th, 2007

Hi,

I have a 3550 running 12.2(40)SE, if I configure "aaa group server tacacs test" and add a server, it is removed after a reload. It's OK with radius.

It's OK running 12.2.(25)SEE4.

Anyone seen this issue and why?

Thanks.

Gary

wdrootz Fri, 11/16/2007 - 10:19

Make sure you save the running-config to startup-config, before reloading the switch. After reloading check if the commands are present in the startup-config. If they are present, then the new IOS release may not be compatible with the AAA commands. Verify if there is any change in syntax for the command in the new release.

g-hopkinson Sun, 11/18/2007 - 12:16

Thanks.

What I have done recently is to erase the config and reload the box, add a basic IP address and tftp the config back. I now get the errors below. I am guessing that the tacacs-server commands being lower down in the configuration are being parsed later than the server group commands. The tacacs-server commands are required before adding servers into the server group.

I will also check the startup config as well, however you can add the commands, and in radius config as well which works.

Thanks.

00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.

00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.

00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.

00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.

andrew.butterworth Mon, 11/19/2007 - 04:34

Yes, you get that message if you define the group first before the servers are added in global config. It is the same for Radius. It is a bit odd as in the configuration file (or show run) the server groups appear before the individual servers, which are towards the end.

I have 12.2(40)SE on a 3550 but I only have some Radius Servers defined. I'll add some TACACS+ Servers and reload it and see what happens...

EDIT: I have just tried this and you are correct.... The servers in the group are removed following a reboot. They do remain in global configuration though.

I added:

tacacs-server host 10.1.1.1 key cisco

aaa group server tacacs+ TACACS-Servers

server 10.1.1.1

I then saved the config and rebooted and only this was left:

tacacs-server host 10.1.1.1 key cisco

aaa group server tacacs+ TACACS-Servers

I think this is probably a bug. Raise a TAC case.

Andy
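
An added example, not code from any poster in this thread: a small Python check that compares the AAA server groups in a saved configuration with the configuration read back after a reload, and flags group members that disappeared, groups left empty, and members with no global `tacacs-server host` / `radius-server host` definition (the condition behind the `%AAAA-4-NOSERVER` warning). The finding labels `dropped`, `empty-group` and `undefined` are names chosen here, and the sample text is constructed from the lines quoted in the post above.

```python
import re

GROUP_RE = re.compile(r"^aaa group server (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^(?:tacacs|radius)-server host (\S+)")

# Constructed from the configuration lines quoted in the post above.
SAVED = ("tacacs-server host 10.1.1.1 key cisco\n"
         "aaa group server tacacs+ TACACS-Servers\n"
         " server 10.1.1.1\n")
AFTER_RELOAD = ("tacacs-server host 10.1.1.1 key cisco\n"
                "aaa group server tacacs+ TACACS-Servers\n")


def parse_aaa(config_text):
    """Return ({(protocol, group): [servers]}, {globally defined hosts})."""
    groups, hosts, current = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        group, host = GROUP_RE.match(line), HOST_RE.match(line)
        if group:
            # Treat "tacacs" and "tacacs+" as the same protocol keyword.
            current = (group.group(1).rstrip("+"), group.group(2))
            groups.setdefault(current, [])
        elif current and line.startswith("server "):
            groups[current].append(line.split()[1])
        else:
            current = None  # any other command leaves group sub-mode
            if host:
                hosts.add(host.group(1))
    return groups, hosts


def audit(saved_text, after_reload_text):
    """Compare AAA groups in the saved config with those present after reload."""
    before, _ = parse_aaa(saved_text)
    after, hosts = parse_aaa(after_reload_text)
    findings = []
    for key, servers in before.items():
        for s in servers:
            if s not in after.get(key, []):
                findings.append(("dropped", key[1], s))
    for key, servers in after.items():
        if not servers:
            findings.append(("empty-group", key[1], None))
        findings += [("undefined", key[1], s) for s in servers if s not in hosts]
    return findings


if __name__ == "__main__":
    print(*audit(SAVED, AFTER_RELOAD), sep="\n")
```
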

g-hopkinson Mon, 11/19/2007 - 13:50

Andy,

I have a TAC case open, but it's being handled with Cisco's lightning speed I have come to loathe.

Regarding the same upgrade I am getting info on failing to fall back to enable password if connectivity to TACACS servers is lost.

Will keep you posted.

Thanks.

Gary.
