Deleted tacacs servers after reload

Unanswered Question
Nov 12th, 2007

Hi,


I have a 3550 running 12.2(40)SE. If I configure "aaa group server tacacs test" and add a server, it is removed after a reload. It's OK with RADIUS.

It's OK running 12.2.(25)SEE4.

Anyone seen this issue and why?


Thanks.

Gary

wdrootz Fri, 11/16/2007 - 10:19

Make sure you save the running-config to startup-config, before reloading the switch. After reloading check if the commands are present in the startup-config. If they are present, then the new IOS release may not be compatible with the AAA commands. Verify if there is any change in syntax for the command in the new release.

g-hopkinson Sun, 11/18/2007 - 12:16

Thanks.

What I have done recently is to erase the config and reload the box, add a basic IP address and TFTP the config back. I now get the errors below. I am guessing that the tacacs-server commands, being lower down in the configuration, are being parsed later than the server group commands. The tacacs-server commands are required before adding servers into the server group.

I will also check the startup config as well, however you can add the commands, and in radius config as well which works.


thanks.


    00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.
    00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.25 is not defined.
    00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.
    00:03:15: %AAAA-4-NOSERVER: Warning: Server 192.168.185.26 is not defined.


andrew.butterworth Mon, 11/19/2007 - 04:34

Yes, you get that message if you define the group first before the servers are added in global config. It is the same for Radius. It is a bit odd as in the configuration file (or show run) the server groups appear before the individual servers, which are towards the end.

I have 12.2(40)SE on a 3550 but I only have some Radius Servers defined. I'll add some TACACS+ Servers and reload it and see what happens...


EDIT: I have just tried this and you are correct.... The servers in the group are removed following a reboot. They do remain in global configuration though.

I added:


    tacacs-server host 10.1.1.1 key cisco
    aaa group server tacacs+ TACACS-Servers
     server 10.1.1.1


I then saved the config and rebooted and only this was left:


    tacacs-server host 10.1.1.1 key cisco
    aaa group server tacacs+ TACACS-Servers



I think this is probably a bug. Raise a TAC case.


Andy
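
An added example, not part of the original thread: a Python check to run against a saved copy of the configuration after a reload. It flags the condition reproduced above (a server group left with no members) and the one behind the %AAAA-4-NOSERVER warning (a group member with no matching global host definition). The sample configs are constructed from the lines quoted in the thread; the function names are this example's own.

```python
import re

# Constructed samples: the config as saved, and as found after the reload.
SAVED = """\
tacacs-server host 10.1.1.1 key cisco
aaa group server tacacs+ TACACS-Servers
 server 10.1.1.1
"""
AFTER_RELOAD = """\
tacacs-server host 10.1.1.1 key cisco
aaa group server tacacs+ TACACS-Servers
"""

GROUP_RE = re.compile(r"^aaa group server (tacacs\+?|radius) (\S+)")
HOST_RE = re.compile(r"^(tacacs|radius)-server host (\S+)")
MEMBER_RE = re.compile(r"^\s+server (\S+)")

def parse(config):
    """Return (groups, hosts): groups maps (proto, name) -> member addresses,
    hosts is the set of (proto, address) pairs defined in global config."""
    groups, hosts, current = {}, set(), None
    for line in config.splitlines():
        if m := GROUP_RE.match(line):
            current = (m.group(1).rstrip("+"), m.group(2))
            groups[current] = []
        elif (m := MEMBER_RE.match(line)) and current:
            groups[current].append(m.group(1))
        elif line and not line[0].isspace():
            current = None  # any other top-level line closes the group block
            if m := HOST_RE.match(line):
                hosts.add((m.group(1), m.group(2)))
    return groups, hosts

def audit(config):
    """List AAA server groups that are empty or reference undefined servers."""
    groups, hosts = parse(config)
    findings = []
    for (proto, name), members in groups.items():
        if not members:
            findings.append(f"{proto} group {name}: no servers")
        for addr in members:
            if (proto, addr) not in hosts:
                findings.append(f"{proto} group {name}: server {addr} is not defined")
    return findings
```

Because the whole file is read before the checks run, the order of group and host lines in the file does not affect the result.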

g-hopkinson Mon, 11/19/2007 - 13:50

Andy,


I have a TAC case open, but it's being handled with Cisco's lightning speed I have come to loathe.

Regarding the same upgrade, I am getting info on failing to fall back to the enable password if connectivity to the TACACS servers is lost.

Will keep you posted.

Thanks.

Gary.
