Discussion:
[rancid] Backup Password?
PIERCE, STEVEN T (STEVE), ATTOPS
2008-04-04 16:47:03 UTC
I've searched the archives, but I can't seem to find a solution to my
problem.

I have my devices configured with TACACS and have created a "rancid"
account on the server. When everything is properly configured and
functional, RANCID works great.

However, because I work in a dynamic environment, at times there is a
failure (either server or change of remote config) that causes the
TACACS authentication to fail. In this case, I've configured my AAA
authentication line in the remote device to default to enable
authentication:

aaa authentication login default group tacacs+ enable

During these situations, RANCID obviously fails. The enable is not the
same as the TACACS username that RANCID is trying to use.

Is there a way to create a "backup" or "secondary" password that RANCID
can try if the first attempt to reach a device fails? Or, perhaps,
better, a way for RANCID to recognize that it's not being prompted for a
"Username" since AAA isn't working (it gets prompted for "Password:")
and to simply enter the enable password? In this situation, I don't
want RANCID to use it's username password, but the enable password.

I've got to be missing something here.
Andrew W. Henry
2008-04-04 17:28:37 UTC
Steve,

We had a similar issue here. Some of our devices support radius, some
don't, and sometimes radius is broken (as in your case). Plus there are a
few unfortunate cases where we share management with another group and thus
must use separate accounts for those devices. Rancid only supports a single
"match" from the .cloginrc file, so there is no built-in way to do what you
(and we) wanted. What we did was add support to clogin for multiple
usernames/passwords for a given entry in .cloginrc. For instance, for our
catalyst switches, where once we could only have:

# all our catalyst switches that support radius (and the radius server is
up/reachable!)
add user cat-* { radiususer }
add password cat-* { radiuspass } { enablepass }

Now we can have:

# all catalyst switches
add user cat-* { {radiususer} {localuser} }
add password cat-* { {radiuspass} {localuserpass} {someotherpass} {etc} } { {enablepass} {otherenablepass} {etc} }

This isn't perfect, but it has worked well for us. One downside is that it
has to iterate through all the possible passwords for each account listed,
so it can take some time if the first login attempt fails and you have a lot
of possible passwords. Since we primarily use it to back up configs,
though, we don’t mind (or notice) the delay. And where we once had a
sprawling .cloginrc where each special case device had to be specifically
enumerated, now we can roll most device classes up into just a few lines.

We modified clogin version 2.3.2a6, and I would be happy to share our diffs
from this version if you or anyone is interested. I haven’t looked at the
latest alpha, so I am not sure how well our changes would mesh with that.
--
****************************************
Andrew W. Henry
Communications Specialist
***@maine.edu
----------------------------------------
University of Maine System
ITS, Communications and Network Services
Voice (207) 561-3587
Fax (207) 561-3531
----------------------------------------
Maine School and Library Network
1-888-FOR-MSLN (1-888-367-6756)
(888 number in-state only)
****************************************
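The prompt-driven fallback Steve asked for and Andrew's patch provides, as an added example that is not part of this thread or of rancid/clogin (clogin itself is expect/Tcl; this is a Python model of the same logic): a constructed simulator of a router whose login falls back to the enable method when TACACS+ is unreachable, and a login routine that reads the prompt before deciding what to send. The hostname rtr1, the rancid/tacacspass account and both enable passwords are made up for the illustration.

```python
"""Prompt-aware credential fallback for a RANCID-style login (added example,
not rancid/clogin code).  SimDevice is a constructed model of an IOS login
using 'aaa authentication login default group tacacs+ enable'; every name
and password here is made up."""
import re
from dataclasses import dataclass


@dataclass
class Credentials:
    users: list      # login usernames, in the order to try them
    passwords: list  # login passwords, each tried for each username (Andrew's scheme)
    enables: list    # enable passwords; also the login password once AAA falls to 'enable'


class SimDevice:
    """With TACACS+ reachable the router asks Username: then Password:; without it
    the 'enable' method gives a bare Password: prompt.  max_failures stands in for
    'login block-for'."""
    HOST = "rtr1"  # constructed hostname

    def __init__(self, tacacs_up, tacacs_users, enable_pw, max_failures=3):
        self.tacacs_up, self.tacacs_users, self.enable_pw = tacacs_up, tacacs_users, enable_pw
        self.max_failures, self.failures, self.user, self.state = max_failures, 0, None, "closed"

    def connect(self):  # also used to re-prompt after a failed login
        self.state = "username" if self.tacacs_up else "enable-login"
        return "Username: " if self.tacacs_up else "Password: "

    def send(self, line):
        if self.state == "username":
            self.user, self.state = line, "password"
            return "Password: "
        if self.state == "exec":
            self.state = "enable-pw" if line == "enable" else "exec"
            return "Password: " if line == "enable" else self.HOST + ">"
        if self.state == "enable-pw":
            self.state = "priv" if line == self.enable_pw else "exec"
            return self.HOST + "#" if self.state == "priv" else "% Bad secrets\n" + self.HOST + ">"
        if self.state == "priv":
            return self.HOST + "#"
        assert self.state in ("password", "enable-login"), "connection closed"
        # 'password': TACACS+ checks user/password; 'enable-login': the enable method
        ok = (self.tacacs_users.get(self.user) == line if self.state == "password"
              else line == self.enable_pw)
        if ok:
            self.state = "exec"
            return self.HOST + ">"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.state = "closed"
            return "% Authentication failed\nConnection closed by foreign host."
        return "% Authentication failed\n" + self.connect()


USERNAME_RE = re.compile(r"[Uu]sername:\s*$")
PASSWORD_RE = re.compile(r"[Pp]assword:\s*$")
EXEC_RE = re.compile(r"\S+[>#]\s*$")


def login(device, creds, max_attempts=4):
    """Choose the credential from the prompt actually seen.  Returns
    (success, attempts, last_output); max_attempts caps the tries so a long
    password list cannot walk a device into lockout."""
    user_cands = [(u, p) for u in creds.users for p in creds.passwords]
    enable_cands = list(creds.enables)
    out, attempts = device.connect(), 0
    while attempts < max_attempts:
        if USERNAME_RE.search(out) and user_cands:
            user, pw = user_cands.pop(0)
            out = device.send(user)
            if not PASSWORD_RE.search(out):
                break
            out = device.send(pw)
        elif PASSWORD_RE.search(out) and enable_cands:
            # No Username: prompt: AAA fell through to the 'enable' method, so the
            # login password *is* the enable password (Steve's situation).
            out = device.send(enable_cands.pop(0))
        else:
            break
        attempts += 1
        if EXEC_RE.search(out):
            return True, attempts, out
    return False, attempts, out


def elevate(device, prompt, creds):
    """From exec mode (prompt ends in '>') try enable passwords until '#'."""
    if prompt.rstrip().endswith("#"):
        return True
    for pw in creds.enables:
        if PASSWORD_RE.search(device.send("enable")) and device.send(pw).rstrip().endswith("#"):
            return True
    return False


# Constructed credential list: one TACACS+ account plus an old and a current enable password.
CREDS = Credentials(users=["rancid"], passwords=["tacacspass"], enables=["oldenable", "enablepass"])
```

login() only sends a username when it is asked for one and sends an enable password when it meets a bare "Password:" prompt, so one credential entry serves the device whether or not the TACACS+ server is answering. Two caveats a practitioner will want: every extra credential tried is a failed authentication in the TACACS+ accounting log and counts towards any lockout such as "login block-for", so keep the list short and cap the attempts as max_attempts does here; and an entry that now carries the enable password is only as safe as the file holding it, so .cloginrc must stay readable by the rancid user alone (mode 0600).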
Jeffrey Ollie
2008-04-04 17:40:44 UTC
On Fri, Apr 4, 2008 at 11:47 AM, PIERCE, STEVEN T (STEVE), ATTOPS wrote:
> Is there a way to create a "backup" or "secondary" password that RANCID can
> try if the first attempt to reach a device fails? Or, perhaps, better, a way
> for RANCID to recognize that it's not being prompted for a "Username" since
> AAA isn't working (it gets prompted for "Password:") and to simply enter the
> enable password? In this situation, I don't want RANCID to use its
> username password, but the enable password.
What you can do is something like this:

username rancid privilege 15 secret blahblahblah
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local

If the TACACS+ servers are unavailable the router will fall back to a
local database of users (the "username" statements). If you keep the
passwords for RANCID synced between the TACACS+ server and the routers
RANCID will never know that the TACACS+ server was down. You could
also create an "emergency" password on your routers for humans to use
when the network is having issues.

Jeff
