Discussion:
[rancid] Rancid with Cisco ACS 4.x Issue
Oglum AVD
2008-12-08 02:06:55 UTC
I have been running Rancid for a while and everything has been great until
recently.
We purchased Cisco ACS 4.x and of course authentication is going through the
ACS server. I have been having an issue where, when Rancid accesses the router,
nothing displays;

Example:
***@linux804:/var/lib/rancid# /var/lib/rancid/bin/clogin -c 'sho clock'
c3560-24-sw1
hsparkeast-c3560-24-sw1
spawn ssh -c 3des -x -l netman c3560-24-sw1
***@c3560-24-sw1's password:
Error: TIMEOUT reached
****@linux804:/var/lib/rancid#

If I remove the device from ACS and use a local account, everything works
great!

Any help greatly appreciated!

OglumAVD
Sam Munzani
2008-12-08 19:37:51 UTC
If you figure it out please post the solution. I have the same exact issue with
RADIUS services for over a year now and haven't figured out a solution yet.

Thanks,
Sam
_______________________________________________
Rancid-discuss mailing list
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
john heasley
2008-12-08 20:45:34 UTC
Post by Oglum AVD
I have been running Rancid a while and everything has been great until
recent.
We purchased Cisco ACS 4.x and of-course authentication is going thru
the ACS server. I have been having issue with when Rancid access the
router, nothing displays;
/var/lib/rancid/bin/clogin -c 'sho clock' c3560-24-sw1
hsparkeast-c3560-24-sw1
spawn ssh -c 3des -x -l netman c3560-24-sw1
*Error: TIMEOUT reached
That shouldn't be a problem. I can't see the problem in the code. First
ensure that you're using the most recent clogin, and I presume you've not
set passprompt in .cloginrc; if that does not work, run

clogin -d -c 'show clock' c3560-24-sw1 > log 2>&1

That'll produce a lot of debugging information, but should indicate the
problem.
Chris Bell
2008-12-09 12:04:42 UTC
I've been using RANCID with the Cisco ACS server for a while now with no
issues after the initial setup for authenticating to my devices (HP,
Cisco, Force 10). I used NDGs and added my RANCID user to the domain,
mapped the ACS group to the AD group, and voila!!

One problem I have noticed, however, with Cisco ACS is that if the user is
a member of more than one user group with different types of
authentication (TACACS or RADIUS), one or the other will work but not
both. For example:

User has access to all network devices using AD account and TACACS
authentication over the ACS.

Same user has VPN access and firewall points RADIUS authentication to
the ACS.

It doesn't work - I have a TAC case open, but no word yet.

Oglum AVD
2008-12-31 06:14:25 UTC
Here's the latest update on this;

/var/lib/rancid/bin/clogin -t -c 'show clock'
test-c3560-48-sw.mydomain.com log 2>&1
show clock
Error: no password for show clock in /root/.cloginrc.
test-c3560-48-sw.mydomain.com
spawn ssh -c 3des -x -l ddnetman test-c3560-48-sw.mydomain.com
Error: TIMEOUT reached log
Error: no password for log in /root/.cloginrc

Password Verification:
nano .cloginrc
add autoenable *.mydomain.com 1
add user *.mydomain.com testacc
add password *.mydomain.com password
add method *.mydomain.com {ssh}

Test ssh from this device to switch;
***@804:~# ssh -l testacc test-c3560-48-sw.mydomain.com
***@test-c3560-48-sw.mydomain.com's password:
test-c3560-48-sw.mydomain.com#show clock
22:07:13.168 PST Tue Dec 30 2008
test-c3560-48-sw.mydomain.com#
It works OK.

Using Cisco ACS 4.x and an ACS local account.
Any suggestions?
Mike Ashcraft
2008-12-31 18:29:40 UTC
Your test command line needs some work. For example, clogin is trying
to connect to the routers 'show clock' and 'log'.

Start by removing all spaces between the -c and the command string. You
also need to set a value for the timeout or remove the -t option. Your
output redirection needs some work as well; you can test without it.

For example:

/var/lib/rancid/bin/clogin -t30 -c'show clock' test-c3560-48-sw.mydomain

Hope that helps,

Mike
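Mike's diagnosis can be reproduced by modelling how clogin walks its argument list. The Python below is an added example, not clogin's or any poster's code; it assumes clogin's option loop takes the value of `-c` and `-t` either attached (`-t30`, `-c'show clock'`) or from the next argv element, and treats every non-option as a router name (only those two options are modelled). Under that model a bare `-t` swallows `-c` as its timeout value, and `show clock` and `log` are left over as router names, which is exactly the "no password for show clock" and "no password for log" output in the update (the `log` token shows the `> log` redirection reached clogin without its `>`). The model accepts `-c 'show clock'` with a space, as current clogin does, so in this model the decisive change is giving `-t` a value or dropping it.

```python
"""Model of how clogin's option loop consumes argv.

Added example, not clogin's own code. Assumption: it mirrors the shape of
clogin's Tcl `switch -glob` loop, in which -c and -t take their value either
attached (-t30, -c'show clock') or as the NEXT argv element, and anything
that is not an option is taken as a router name. Only -c and -t are
modelled; clogin's other options are left out.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

OPT = re.compile(r"^-([cCtT])(.*)$")


@dataclass
class CloginArgs:
    timeout: str = "10"                  # clogin's default, in seconds
    command: Optional[str] = None
    hosts: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def parse_clogin_argv(argv: list) -> CloginArgs:
    args = CloginArgs()
    i = 0
    while i < len(argv):
        arg = argv[i]
        m = OPT.match(arg)
        if not m:
            args.hosts.append(arg)       # not an option: a router to log in to
            i += 1
            continue
        letter, value = m.group(1).lower(), m.group(2)
        if value == "":
            # bare -c / -t: the value is whatever comes next, even if that is
            # another option; this is how "-t -c" turns "-c" into a timeout
            i += 1
            if i == len(argv):
                args.errors.append(f"-{letter} given without a value")
                break
            value = argv[i]
        if letter == "c":
            args.command = value
        else:
            args.timeout = value
            if not value.isdigit():
                args.errors.append(f"timeout {value!r} is not a number")
        i += 1
    return args


def parse_command_line(cmdline: str) -> CloginArgs:
    """Split like the shell would (quotes honoured), then parse as clogin."""
    return parse_clogin_argv(shlex.split(cmdline))


if __name__ == "__main__":
    # The command line from the update ("log" reaching clogin as an argument,
    # as its "no password for log" error shows) beside the corrected one.
    for line in ("-t -c 'show clock' test-c3560-48-sw.mydomain.com log",
                 "-t30 -c'show clock' test-c3560-48-sw.mydomain"):
        print(line, "->", parse_command_line(line))
```

Running it prints, for the first line, timeout `-c`, no command, and three "hosts"; for the second, timeout `30`, command `show clock`, and the one real host.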
Oglum AVD
2009-01-03 09:20:26 UTC
Hello Mike,

Thanks for your reply and suggestions!!!
/var/lib/rancid/bin/clogin -t30 -c'show clock' test-c3560-48-sw.mydomain --
worked
/var/lib/rancid/bin/clogin -c'show clock' test-c3560-48-sw.mydomain --
worked

Thank you,

Oglumavd
Chris Bell
2008-12-31 11:05:11 UTC
Is your password enclosed in {password} ?

Did you try with IP rather than DNS?

Todd Heide
2008-12-31 15:25:37 UTC
Not exactly sure what you are doing wrong there, but there shouldn't be
any issues using ACS as the TACACS server, provided you are using TACACS
and not RADIUS for authentication. Are you also using authorization?
When you log in manually, are you doing it as the rancid user account or
a different server account? I have found that if I log in as root and do test
connections they always work, but not always as rancid. I would go
through your logs on ACS instead of rancid, since it looks like your
.clogin is correct, with the exception of the @domain; mine is the same.

Thanks

Todd
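Two of the replies above point at the .cloginrc itself: Chris's question of whether the password sits in `{braces}`, and Todd's point that a test run as root and a run as the rancid user are not the same test (each account reads its own `$HOME/.cloginrc`; the errors in the update name `/root/.cloginrc`). The Python below is an added example, not RANCID's code, that resolves what clogin would find for a given host. It rests on three assumptions about clogin's handling of the file: each `add <directive> <glob> <value...>` line is evaluated as Tcl, so a braced value is one literal token while an unbraced one is exposed to Tcl substitution; per directive, the first line whose glob matches the host name exactly as typed on the command line wins, with no search domain appended; and a file readable by group or others is refused, so mode 0600 is what to check for. The sample .cloginrc is constructed, patterned on the lines quoted in the update.

```python
"""Resolve what clogin would find in a .cloginrc for a given host.

Added example, not RANCID's own code. It models three things clogin does
with .cloginrc (stated here as assumptions, not taken from the thread):
  * each `add <directive> <glob> <value...>` line is evaluated as Tcl, so a
    value in {braces} is one literal token, while an unbraced value is
    subject to Tcl substitution of $, [ ], \\ and ;
  * per directive, the first line whose glob matches the host name exactly
    as typed on the command line wins (no search domain is appended);
  * a .cloginrc that group or others can read or write is rejected.
"""
import fnmatch
import re
from typing import Optional

TCL_SPECIAL = re.compile(r'[$\[\]\\";]')

# constructed sample, patterned on the entries quoted in the thread
SAMPLE_CLOGINRC = """\
add autoenable *.mydomain.com 1
add user       *.mydomain.com testacc
add password   *.mydomain.com {password}
add method     *.mydomain.com {ssh}
# an unbraced password with metacharacters: Tcl would try to expand $word
add password   lab-* p@ss$word!
"""


def tokenize(line: str) -> list:
    """Split a line into (token, was_braced) pairs; {...} is one token."""
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] == "{":
            depth, j = 1, i + 1
            while j < n and depth:
                depth += {"{": 1, "}": -1}.get(line[j], 0)
                j += 1
            if depth:
                raise ValueError(f"unbalanced braces in {line!r}")
            out.append((line[i + 1:j - 1], True))
            i = j
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            out.append((line[i:j], False))
            i = j
    return out


def parse_cloginrc(text: str):
    """Return (entries, warnings); entries are (directive, glob, values)."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        toks = tokenize(raw)
        if len(toks) < 3 or toks[0][0] != "add":
            warnings.append(f"line {lineno}: not an 'add <directive> <glob> ...' line")
            continue
        directive, pattern = toks[1][0], toks[2][0]
        values = [t for t, _ in toks[3:]]
        for tok, braced in toks[3:]:
            # This is the "is it enclosed in {password}?" check from the thread.
            if not braced and TCL_SPECIAL.search(tok):
                warnings.append(f"line {lineno}: unbraced value {tok!r} contains "
                                "Tcl metacharacters; wrap it in {...}")
        entries.append((directive, pattern, values))
    return entries, warnings


def lookup(entries, directive: str, host: str) -> Optional[list]:
    """First matching glob wins, as in clogin's find proc (assumption)."""
    for d, pattern, values in entries:
        if d == directive and fnmatch.fnmatchcase(host, pattern):
            return values
    return None


def check_mode(mode: int) -> Optional[str]:
    """Return a warning if group/other permission bits are set."""
    if mode & 0o077:
        return f"mode {mode & 0o777:04o} lets group/others read it; use 0600"
    return None


if __name__ == "__main__":
    entries, warnings = parse_cloginrc(SAMPLE_CLOGINRC)
    for host in ("test-c3560-48-sw.mydomain.com", "test-c3560-48-sw.mydomain"):
        print(host, "->", {d: lookup(entries, d, host)
                           for d in ("user", "password", "method")})
    print(*warnings, sep="\n")
    print(check_mode(0o644))
```

Run it as the account RANCID actually uses, against that account's `~/.cloginrc` (for a real file, feed `os.stat(path).st_mode` to `check_mode`). Note that the shortened host name from Mike's example does not match the `*.mydomain.com` glob in this sample: a name that works on the command line must match a glob exactly as typed, so a file that works with one spelling of the host and not another is worth checking this way.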