Sunday, September 2, 2018

Removing AAA on a Cisco ASA Security Context

I had to migrate TACACS+ from ACS to ISE and also needed to clean up AAA on each security context that was still pointed at ACS. You'll need to negate each AAA configuration line that references the server group before executing clear configure aaa-server; otherwise the ASA refuses to remove the group because it is still in use.


ciscoasa/CUST-A# show run aaa
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authentication login-history
ciscoasa/CUST-A#
ciscoasa/CUST-A# show run aaa-server
aaa-server ACS protocol tacacs+
aaa-server ACS (MGMT) host ACS01
 key *****
aaa-server ACS (MGMT) host ACS02
 key *****
ciscoasa/CUST-A# configure terminal
ciscoasa/CUST-A(config)# clear configure?

configure mode commands/options:
  configure 
ciscoasa/CUST-A(config)# clear configure aaa-server ?

configure mode commands/options:
  WORD  Enter the name of the aaa-server group
  <cr>
ciscoasa/CUST-A(config)# clear configure aaa-server
ERROR: aaa-server group <ACS> is in use by the aaa subsystem. Please remove the relevant configuration before removing the aaa-server group.
ciscoasa/CUST-A(config)# no aaa authentication http console ACS LOCAL
ciscoasa/CUST-A(config)# no aaa authentication ssh console ACS LOCAL
ciscoasa/CUST-A(config)# no aaa authentication enable console ACS LOCAL
ciscoasa/CUST-A(config)# no aaa authorization command ACS LOCAL
ciscoasa/CUST-A(config)# no aaa authentication login-history
ciscoasa/CUST-A(config)# clear configure aaa-server
ciscoasa/CUST-A(config)#
ciscoasa/CUST-A(config)# show run aaa-server
ciscoasa/CUST-A(config)# show run aaa
no aaa authentication login-history
I wasn't locked out after applying these commands under the ASA context. I opened a new SSH session to the ASA management IP address and it used ISE (for AAA) configured on the admin context. 
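The cleanup above is easy to get wrong when a context has more AAA lines than you remember (the sample output lists a telnet line, for example). The following Python helper is an added example and not part of the original post: it parses captured "show run aaa" text, returns only the lines that name the server group you are retiring, builds the "no ..." sequence followed by "clear configure aaa-server <group>", and offers a post-check that reports any line still bound to the group. The sample output is constructed from the session above; whether unrelated lines such as login-history should also be negated is left to the operator.

```python
# Constructed sample: the 'show run aaa' output of a security context,
# copied from a terminal capture (same content as the session above).
SHOW_RUN_AAA = """\
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authentication login-history
"""


def lines_using_group(show_run_aaa: str, group: str) -> list[str]:
    """Return the 'aaa ...' lines that reference the named aaa-server group.

    The group name is matched as a whole whitespace-separated token, so a
    hypothetical group called 'ACS-OLD' is not confused with 'ACS'.
    """
    out = []
    for raw in show_run_aaa.splitlines():
        line = raw.strip()
        if line.startswith("aaa ") and group in line.split():
            out.append(line)
    return out


def removal_commands(show_run_aaa: str, group: str) -> list[str]:
    """Build the config-mode sequence: negate every line that still binds the
    group, then clear that server group (the 'WORD' form shown by the '?' help)."""
    cmds = [f"no {line}" for line in lines_using_group(show_run_aaa, group)]
    cmds.append(f"clear configure aaa-server {group}")
    return cmds


def residual_references(show_run_aaa_after: str, group: str) -> list[str]:
    """Post-check on a fresh 'show run aaa' capture: any line returned here
    means 'clear configure aaa-server' will still fail with the 'is in use'
    error, so the negation list was incomplete."""
    return lines_using_group(show_run_aaa_after, group)


if __name__ == "__main__":
    for cmd in removal_commands(SHOW_RUN_AAA, "ACS"):
        print(cmd)
```

Paste the printed commands into configure terminal on the context, then feed a new "show run aaa" capture to residual_references() before trusting the cleanup.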
