[c-nsp] Fwd: tacplus and rancid combined

Estes, Paul pestes at covad.com
Wed May 3 12:56:15 EDT 2006


The # in your banner is probably the culprit. From the RANCID FAQ:

Q. Are there any characters in the banner that rancid has problems with
   OR
   I changed the device's command prompt and now collection is failing?
A. The trickiest part about clogin (et al) is recognizing the prompt
   correctly.  clogin looks for '>' and '#' to figure out if it is logged
   in or in enable mode.  So if you have a '>' or '#' in your login banner
   (or other motd), then clogin gets all confused and will not be able to log
   in correctly, and thus rancid will fail.

--Paul
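To make the FAQ's point concrete, here is an added Python example (not part of this thread and not RANCID's own code) that models the prompt rule the FAQ describes and runs it over a constructed transcript built from the banner and login exchange quoted further down. The naive rule (first line carrying '#' or '>') locks onto the banner's serial-number line and reports enable mode before a password has been sent; a pattern anchored on the device hostname, in the shape of the regex clogin printed in the error trace below, finds the real prompt. The banner lint at the end is the check an operator can run on a banner before pointing rancid at the device. The hostname-anchored regex and the transcript are assumptions for illustration, not clogin's exact expect code.

```python
import re

# Constructed banner and login exchange, modelled on the transcript quoted
# further down in this thread (not a live capture).
BANNER = (
    "========================================\n"
    "ITB Backbone Catalyst (3524)\n"
    "# Serial # FAA0404W0P5 #\n"
    "Location: AI3 ITB\n"
    "========================================\n"
)
LOGIN = (
    "\n"
    "User Access Verification\n"
    "\n"
    "Username: rancid\n"
    "Password:\n"
    "\n"
    "AI3-cat3k>"
)
SESSION = BANNER + LOGIN

PROMPT_CHARS = ("#", ">")


def naive_prompt_scan(session):
    """Model of the rule the RANCID FAQ describes: the first line that carries
    a '#' or '>' is taken to be the prompt ('#' = enable mode, '>' = user mode).
    Simplified stand-in for clogin's expect patterns, not clogin's code."""
    for line in session.splitlines():
        if "#" in line:
            return line, "enable"
        if ">" in line:
            return line, "user"
    return None, None


def hostname_prompt_scan(session, hostname):
    """Stricter detection anchored on the device hostname, in the shape of the
    regex that clogin printed in the error trace quoted in this thread
    (assumed shape, not clogin's exact pattern)."""
    pattern = re.compile(
        r"^[^\r\n *]*" + re.escape(hostname) + r"([^#>\r\n]+)?([#>])(\([^)\r\n]+\))?",
        re.MULTILINE,
    )
    match = pattern.search(session)
    if match is None:
        return None, None
    return match.group(0), "enable" if match.group(2) == "#" else "user"


def lint_banner(banner):
    """Pre-deployment check: return (line_no, line) for every banner line that
    contains a prompt character, so it can be fixed before rancid ever runs."""
    return [
        (n, line)
        for n, line in enumerate(banner.splitlines(), start=1)
        if any(c in line for c in PROMPT_CHARS)
    ]


if __name__ == "__main__":
    print("naive scan     :", naive_prompt_scan(SESSION))
    print("hostname scan  :", hostname_prompt_scan(SESSION, "AI3-cat3k"))
    print("banner problems:", lint_banner(BANNER))
```

Running it shows the naive scan returning the "# Serial # FAA0404W0P5 #" banner line as an enable prompt, while the hostname-anchored scan returns "AI3-cat3k>" in user mode; lint_banner points at line 3 of the banner as the line to reword before the collector is expected to log in.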

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
Sent: Wednesday, May 03, 2006 9:25 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Fwd: tacplus and rancid combined

On 4/29/06, Afsheen Bigdeli <afsheenb at emusic.com> wrote:
> Your .cloginrc should be in the following format:
>
> add user         10.10.10.1           username
> add password 10.10.10.1           {login-password} {enable-password}
>
> You can specify an individual user in the .cloginrc, but if you do not,
> rancid will attempt to log in as user rancid. For this reason you may
> want to try changing all instances of user ranciduser to user rancid, so
> you'll be able to get rid of the "add user" line entirely in your
> config.
>
> <conjecture> I believe that the problem you're having is with the
> autoenable=1 bit; IIRC that will only work if a user is able to enter
> privileged exec mode without a password. </conjecture>
>
>
> Also, you can always try manually, from the command line on your linux
> box, running "clogin devicename", which is essentially the same
> mechanism that rancid uses to log in to your devices. If all works well,
> you should be logged in with an enable prompt after typing this. If not,
> the point where the login process fails, combined with the log files
> that rancid outputs, should offer plenty of guidance.
>
>
> --afsheenb
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
> Sent: Saturday, April 29, 2006 8:47 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] tacplus and rancid combined
>
> Hi all,
>
> Currently I am stuck on a problem running tacplus and rancid.
>
> I installed tacplus, configured the username and password at the tacplus
> server, and configured authentication, authorization and accounting
> at the router, and currently it works just fine. Only registered users at
> the tacplus server can access the router. I followed the directions
> from the Cisco Press book 'Cisco Router & Firewall Security'.
>
> The problem comes when I want to archive all the configuration using
> RANCID. Since I use a tacplus username and password, I set up one
> username and password for RANCID, and set it to only do 'show'
> commands. I set the username and password for the router in .cloginrc, but
> after a thorough search of the rancid manuals, I didn't find any command
> that allows me to put username, user password and enable password in
> .cloginrc just like when I use the command 'add password <router> <passwd>
> <enable passwd>'.
>
> This is a snippet of my .cloginrc:
>
> add user 10.10.10.1           ranciduser
> add password 10.10.10.1       {rancidpassword}
> add autoenable                  1
>
> This is a snippet of my tacplus.conf:
>
> user = ranciduser {
>     member = automated
>     login = cleartext rancidpassword
> }
>
> user = $enab15$ {
>     login = cleartext enablepassword
> }
>
> I am confused, as I don't know where to put the enable password
> in my .cloginrc. With this config, rancid says that it cannot access
> my router. Does anyone have a clue about this? Please help.
>
> Regards,
>
> -affan
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

Hi,
thanks for the info,
it works in some parts, but not in others.
I am able to run rancid manually with clogin, but the automated process
failed.

This is how I run rancid manually :
----
[monitoring] # /usr/local/libexec/rancid/clogin ai3.vl1
ai3.vl1
spawn telnet ai3.vl1
Trying 10.10.10.1...
Connected to ai3.vl1.
Escape character is '^]'.
C
========================================
ITB Backbone Catalyst (3524)
# Serial # FAA0404W0P5 #
Location: AI3 ITB
========================================


User Access Verification

Username: Kerberos:     No default realm defined for Kerberos!
rancid
Password:

AI3-cat3k>enable
Password:
AI3-cat3k#
AI3-cat3k#q
Connection closed by foreign host.
----
You can see that I am able to run rancid manually; it just gets the enable
prompt.
But on the other hand, the automated process failed.

This is a snippet of the rancid logs:

-----
starting: Mon May 1 18:00:34 WIT 2006



Trying to get all of the configs.
write(spawn_id=1): broken pipe
    while executing
"send_user -- "$expect_out(buffer)""
    invoked from within
"expect -nobrace -re+ { exp_continue } -re {^[^
^M *]*AI3-cat3k([^#>\r\n]+)?[#>](\([^)\r\n]+\))?} { send_user --
"$expect_out(buffer)"
                                                } -re {^[..."
    invoked from within
"expect {
                -re "\b+"                       { exp_continue }
                -re "^\[^\n\r *]*$reprompt"     { send_user --
"$expect_out(buffer)"
                                                }
                -re "^\[^\n\r]*$reprompt."      { send..."
    invoked from within
"if [ string match "*\;*" "$command" ] {
        set commands [split $command \;]
        set num_commands [llength $commands]
        # the pager can not be turned off on ..."
    (procedure "run_commands" line 34)
    invoked from within
"run_commands $prompt $command"
    ("foreach" body line 144)
    invoked from within
"foreach router [lrange $argv $i end] {
    set router [string tolower $router]
    send_user "$router\n"

    # Figure out prompt.
    # Since autoena..."
    (file "/usr/local/libexec/rancid//clogin" line 616)
!
!
ai3.vl1: missed cmd(s): dir /all slavesup-bootflash:,dir /all sec-disk0:,dir /all sec-disk2:,dir /all sup-bootflash:,dir /all sec-bootflash:,dir /all harddiska:,dir /all sec-nvram:,dir /all slaveslot0:,dir /all slaveslot2:,show vlan,dir /all slot0:,dir /all slot2:,dir /all slavedisk0:,show controllers,dir /all slavedisk2:,dir /all sup-microcode:,dir /all sec-slot1:,dir /all disk0:,dir /all slavebootflash:,dir /all disk2:,show diagbus,dir /all slavenvram:,write term,dir /all bootflash:,show running-config,show controllers cbus,dir /all sec-disk1:,show module,dir /all harddisk:,show c7200,dir /all harddiskb:,show spe version,dir /all slaveslot1:,dir /all slot1:,show diag,dir /all slavedisk1:,dir /all sec-slot0:,dir /all sec-slot2:,dir /all disk1:,show vtp status
ai3.vl1: End of run not found

----

This is my .cloginrc:

add user ai3.vl1 {rancid}
add password ai3.vl1 {rancidpass} {enablepass}
add autoenable  0

Please tell me what's wrong with my configuration.
Thanks for all the help.

-affan

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/