[rancid] Curious Cisco ASA problem

Ian Murphy Ian.Murphy at populous.com
Fri Feb 4 22:24:35 UTC 2011


Oh, I see. Sorry, I verified that there are no spaces inside the curly braces. I typed it up that way in the email though. 

-----Original Message-----
From: Ryan West [mailto:rwest at zyedge.com] 
Sent: Friday, February 04, 2011 4:15 PM
To: Ian Murphy; Eric Girard; 'Chris Gauthier'; 'rancid-discuss at shrubbery.net'
Subject: RE: Curious Cisco ASA problem

Ian,

I meant here -> { loginPW }, unless you're using a special character that would cause the .cloginrc to fail, you can remove the brackets and use a tab between the passwords.

-ryan

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Ian Murphy
Sent: Friday, February 04, 2011 5:12 PM
To: Eric Girard; 'Chris Gauthier'; 'rancid-discuss at shrubbery.net'
Subject: Re: [rancid] Curious Cisco ASA problem

I'm only using TACACS for authentication and accounting... no authorization. The rancid user logon and enable passwords are the same in tac_plus.conf. The ASA has an enable secret that is different, call it enableSECRET. So the last email I sent needs a little more explanation. Here it is:

clogin -u rancid -p loginPW -e enableSECRET -c "sh ver" kansascityASA5520

and got the expected results. The device returned the version info.

Here's my .cloginrc file:

#custom user name and password for KC ASA
add user kansascityASA5520 {rancid}
add password kansascityASA5520 { loginPW } { enableSECRET }
add user * {rancid}
add password * { loginPW } { enablePW}

and clogin kansascityASA5520 fails to get enabled, but this works on every other device.

Ryan, thanks for the reply. I tried removing whitespace from between the curly braces and it failed to execute the script at all.


-----Original Message-----
From: Eric Girard [mailto:egirard at focustsi.com]
Sent: Friday, February 04, 2011 3:53 PM
To: Ian Murphy; 'Chris Gauthier'; 'rancid-discuss at shrubbery.net'
Subject: RE: Curious Cisco ASA problem

Ian,
Does your ASA have TACACS turned on for enable access as well as telnet/SSH?  All of my ASAs are in RANCID as type 'cisco'; I think you just have some sort of password mismatch.  Can you log in manually using the credentials you have specified in your cloginrc?

Eric

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Ian Murphy
Sent: Friday, February 04, 2011 4:24 PM
To: Chris Gauthier; rancid-discuss at shrubbery.net
Subject: Re: [rancid] Curious Cisco ASA problem

Hi Chris,

Thanks for the reply. I added the username and password above the "global" password as you suggested and I still get the same result. Autoenable is not applied to that device. One thing I noticed about the difference between the ASA and another device

Here's a snip from a working device:

edge4503a>enable
Password: 
edge4503a#

and from the nonworking device:

kansascityASA5520> enable
Password: ********
Invalid password
Password: ********
Invalid password
Password: ********
Invalid password
Access denied.
kansascityASA5520>

It looks like it's passing the creds differently. Maybe I have the ASA classified wrong in router.db? Is it supposed to be something other than type cisco?

Thanks,

Ian


-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Chris Gauthier
Sent: Friday, February 04, 2011 3:09 PM
To: rancid-discuss at shrubbery.net
Subject: Re: [rancid] Curious Cisco ASA problem

<snip>
You are connected to:  kansascityASA5520.pop.local  

Type help or '?' for a list of available commands.
kansascityASA5520> enable
Password: ********
Invalid password
Password: ********
Invalid password
Password: ********
Invalid password
Access denied.
kansascityASA5520> 
Error: Check your Enable passwd

kansascityASA5520>


It gets connected just fine, then drops to the unprivileged account. 

I have tried to add a specific username and password for this device like this:

#add user kansascityASA5520* {user}
#add password kansascityASA5520* {password} {password}


-----My reply----
Be sure that the username and password are defined before the "global" username and password.  Also, make sure the passwords are the same.  Is autoenable turned on?  If so, turn it off for that device.  Lastly, what is the * used for in the example above?  I am not sure that is a permissible character in the hostname field.

Chris
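The two .cloginrc mistakes discussed in this thread (whitespace kept inside the braces of a password, as in Ian's `{ loginPW }`, and a host-specific entry placed below a wildcard entry that already matches it, which Chris's "define it before the global entry" advice addresses) can be caught with a small linter before rancid ever talks to the device. This is an added example, not rancid's own code; it assumes clogin's first-match lookup of `add` entries and Tcl's literal handling of text inside braces, and the sample file and its passwords are constructed placeholders.

```python
import fnmatch
import re

# Constructed sample .cloginrc mirroring the thread's entries; passwords are placeholders.
SAMPLE_CLOGINRC = """\
# custom user name and password for KC ASA
add user kansascityASA5520 {rancid}
add password kansascityASA5520 { loginPW } { enableSECRET }
add user * {rancid}
add password * { loginPW } { enablePW}
add password edge4503a {loginPW} {enablePW}
"""

WORD = re.compile(r"\{([^}]*)\}|(\S+)")  # Tcl-style braced word, or a bare word

def parse_cloginrc(text):
    """Return (directive, host_glob, values) for each 'add' line, in file order.
    Values are read the way Tcl reads them: '{ loginPW }' becomes ' loginPW '."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] != "add":
            continue
        _, directive, host_glob, rest = parts
        values = [braced if braced is not None else bare
                  for braced, bare in (m.groups() for m in WORD.finditer(rest))]
        entries.append((directive, host_glob, values))
    return entries

def lint_cloginrc(text):
    """Return warnings for the two mistakes discussed in the thread."""
    problems = []
    seen = []  # (directive, host_glob) pairs defined above the current line
    for directive, host_glob, values in parse_cloginrc(text):
        for v in values:
            if v != v.strip():
                problems.append(f"{directive} {host_glob}: {v!r} has whitespace inside "
                                "the braces; clogin would send it to the device literally")
        # clogin takes the first entry whose glob matches the router, so a later, more specific one is dead.
        for prev_directive, prev_glob in seen:
            if (prev_directive == directive and prev_glob != host_glob
                    and fnmatch.fnmatchcase(host_glob, prev_glob)):
                problems.append(f"{directive} {host_glob}: shadowed by earlier "
                                f"'{directive} {prev_glob}'; move it above that entry")
                break
        seen.append((directive, host_glob))
    return problems
```

Running `lint_cloginrc` on the sample flags the four padded passwords and the `edge4503a` line that sits below the `*` entry.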

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss


