I had to migrate TACACS+ from ACS to ISE and also needed to clean up AAA on each security context that was still pointed at ACS. You'll need to negate each AAA configuration line before executing clear configure aaa-server.
ciscoasa/CUST-A# show run aaa
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authentication login-history
ciscoasa/CUST-A#
ciscoasa/CUST-A# show run aaa-server
aaa-server ACS protocol tacacs+
aaa-server ACS (MGMT) host ACS01
 key *****
aaa-server ACS (MGMT) host ACS02
 key *****
ciscoasa/CUST-A# configure terminal
ciscoasa/CUST-A(config)# clear config a?

configure mode commands/options:
  aaa                     aaa-server              access-group            access-list
  all                     anyconnect-custom-data  arp                     arp-inspection
  as-path                 asdm                    asp                     auth-prompt
  auto-update
ciscoasa/CUST-A(config)# clear config aaa-server ?

configure mode commands/options:
  WORD  Enter the name of the aaa-server group
  <cr>
ciscoasa/CUST-A(config)# clear configure aaa-server
ERROR: aaa-server group <ACS> is in use by the aaa subsystem. Please remove the relevant
configuration before removing the aaa-server group.
Remove the AAA config first with the quick and easy clear config aaa global configuration command, then the server group can be cleared:
ciscoasa/CUST-A(config)# clear config aaa ?

configure mode commands/options:
  <cr>
ciscoasa/CUST-A(config)# clear config aaa
ciscoasa/CUST-A(config)#
ciscoasa/CUST-A(config)# clear config aaa-server
ciscoasa/CUST-A(config)# end
ciscoasa/CUST-A# show run aaa-server
ciscoasa/CUST-A#
ciscoasa/CUST-A# show run aaa
aaa authentication login-history
ciscoasa/CUST-A#
I wasn't locked out after applying these commands inside the ASA context.
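The per-line negation approach from the opening paragraph, as an added Python example (not from the original post): it parses the show run aaa output shown above, lists the lines that still reference the ACS group (the ones behind the "is in use by the aaa subsystem" error), builds the matching no commands followed by the per-group clear configure aaa-server WORD form from the help output, and flags any line that lacks the LOCAL fallback. The sample input is constructed from the session above.

```python
import re

# Constructed sample input: the 'show run aaa' output from the session above.
SHOW_RUN_AAA = """\
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authentication login-history
"""


def aaa_lines_using_group(show_run_aaa, group):
    """Return the 'aaa ...' lines that reference the given aaa-server group.
    These are the lines that make 'clear configure aaa-server' fail with
    'is in use by the aaa subsystem'."""
    pattern = re.compile(r"^aaa\s+\S+.*\b" + re.escape(group) + r"\b")
    return [line.strip() for line in show_run_aaa.splitlines()
            if pattern.match(line.strip())]


def group_in_use(show_run_aaa, group):
    """True while any aaa line still points at the group."""
    return bool(aaa_lines_using_group(show_run_aaa, group))


def missing_local_fallback(show_run_aaa, group):
    """Lines that use the group without LOCAL as the last method. Removing the
    group while one of these is active is how an admin gets locked out."""
    return [line for line in aaa_lines_using_group(show_run_aaa, group)
            if line.split()[-1] != "LOCAL"]


def cleanup_commands(show_run_aaa, group):
    """Ordered config-mode commands: negate each referencing line, then drop
    the server group using the 'clear configure aaa-server WORD' form."""
    cmds = ["no " + line for line in aaa_lines_using_group(show_run_aaa, group)]
    cmds.append("clear configure aaa-server " + group)
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(SHOW_RUN_AAA, "ACS"):
        print(cmd)
```

Run missing_local_fallback against the context's output before pasting the generated commands; an empty list means every method list still falls back to LOCAL.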
Thank you