[rancid] Unable to Conduct Cisco Wireless Controller Backup

heasley heas at shrubbery.net
Tue Jul 31 00:44:33 UTC 2018


Mon, Jul 30, 2018 at 10:59:39AM +0000, Piegorsch, Weylin William:
> Hi John,
> 
> I'm still playing around with AAA.  What I'm finding, is that the f*&^% WLC CLI authorization mechanism is all bork bork bork.  I can set a read-only role, but that disables the ability to issue the "config pager disable" command since the entire "config *" command tree is not available.  I can set a higher role, and perhaps the command will appear, but I'm struggling to figure out how to create a custom role definition (I suspect it might be impossible since the Cisco WLC is designed to be GUI-based).   We can discuss another time allowing automation to make changes to the system - I'm fighting this battle internally but it's not going well, for now let's just say I need to demonstrate confidence that rancid will only get data, not change anything more complicated than a "last login" notice.

this is a(nother) design flaw in the o/s, imiho.  as in ios, the pager
should only affect the given vty, not the config of the device.  not needing
to manipulate the pager is very convenient.

> In any event - so, this leaves me with the CLI role I have, and without the "config paging disable" to be used.

you could also change the config to disabled the pager, if most folk just
use the web UI.  or try setting the stty rows to some large number before
initiating the connection to the device; it might honor it, but i've seen
many of these half-baked platforms ignore it if it doesn't lie within some
unspoken acceptable range.

> I'm running rancid 3.4.1, I notice the latest 3.8 is slightly different in wlogin.  But, they're relatively similar, and neither version (I think?) catches the specific prompts that might appear to prompt for paging.  Might they possibly be added?  See below what I did to wlogin v3.4.1 (aka my installation), let me know if I did this wrong (I'm an accomplished network engineer... but a poor excuse for a software engineer).
> 
> Also, wlogin uses "exit" to close the CLI when -c or -x is specified; it needs to be "logout" instead regardless of user role.  Where do I change this?  I suppose I can do this in rancid.types.base (.conf?), but I'd prefer not to since I /do/ use *login with the -p and -u options on occasion with some simple BASH command-line scripts to accomplish manual campus-wide pre-planned changes.  I tried grep'ing through some files, that didn't work too well.

you just need a newer wlogin; current is using logout.

> Weylin
> 
> I modified 3.4.1 bin/wlogin on this line:
> 
>     for {set i 0} {$i < $num_commands} { incr i} {
>         send -- "[subst -nocommands [lindex $commands $i]]\r"
>         expect {
>             -re "\b+"                           { exp_continue }
>             -re "^\[^\n\r *]*$reprompt"         { send_user -- "$expect_out(buffer)"
>                                                 }
>             -re "^\[^\n\r]*$reprompt."          { send_user -- "$expect_out(buffer)"
>                                                   exp_continue
>                                                 }
>             -re "^--More--\[\r\n]+"             { # specific match c1900 pager
>                                                   send " "
>                                                   exp_continue
>                                                 }
>             -re "\[\n\r]+"                      { send_user -- "$expect_out(buffer)"
>                                                   exp_continue
>                                                 }
> +            -re "^--More-- .*"                  { send "q" # note the [[:space:]] between --More-- and the period
> +       	       	       	       	       	       	  exp_continue
> +                                                }

difficult to say if that might cause problems with the output without seeing
the raw input.  it depends upon how the device manipulates the pager prompt.
if that RE is matching too little/much, the line following the prompt will
shift back & forth randomly.

>         }
>     }}
> 
> 
> On 7/27/18, 6:30 PM, "Piegorsch, Weylin William" <weylin at bu.edu> wrote:
> 
>     This might be a tacacs issue.  When I log in as a normal user, the config paging disable command appears when I type "?".  I'll play around with that over the weekend.
>     Weylin
>     
>     
>     (cumm111-wism-aca05) >?   
>                    
>     debug          Manages system debug options.
>     exit           
>     grep           Print lines matching a pattern.
>     help           Help
>     linktest       Perform a link test to a specified MAC address.
>     logout         Exit this session. Any unsaved changes are lost.
>     show           Display switch options and settings.
>                    
>     (cumm111-wism-aca05) >
>     
>     
>     
>     
>     
>     On 7/27/18, 6:29 PM, "Piegorsch, Weylin William" <weylin at bu.edu> wrote:
>     
>         Ah; thanks, I see it there.  Something is amiss with that.  "eval... ; cat -v" output below.
>         Weylin
>         
>         
>         
>         
>         [rancid at nsgv-prod-59 ~]$ eval `rancid -t cisco-wlc5 -C cumm111-wism-aca05.bu.edu` &> output
>         [rancid at nsgv-prod-59 ~]$ cat -v output 
>         cumm111-wism-aca05.bu.edu
>         spawn ssh -2 -c aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc -x -l rancid cumm111-wism-aca05.bu.edu^M
>         ^M
>         Access to this system is permitted for authorized persons only.  All connections are logged and monitored.  By accessing this system, you acknowledge that use of this and any other technology at Boston University is subject to the terms of the Boston University Conditions of Use and Policy on Computing Ethics; please see: http://www.bu.edu/computing/ethics for details.^M
>         (cumm111-wism-aca05) ^M
>         User: rancid^M
>         Password:*******^M
>         (cumm111-wism-aca05) >^M
>         (cumm111-wism-aca05) >config paging disable^M
>         ^M
>         Incorrect usage.  Use the '?' or <TAB> key to list commands.^M
>         ^M
>         (cumm111-wism-aca05) >show udi^M
>         
>         ^MNAME: "Chassis"    , DESCR: "Cisco Wireless Services Module 2"
>         ^MPID: WS-SVC-WISM2-K9,  VID: V01,  SN: SAL172893FZ^M
>         ^M
>         (cumm111-wism-aca05) >show sysinfo^M
>         ^M
>         Manufacturer's Name.............................. Cisco Systems Inc.^M
>         Product Name..................................... Cisco Controller^M
>         Product Version.................................. 8.2.166.0^M
>         Bootloader Version............................... 1.0.20^M
>         Field Recovery Image Version..................... 7.6.101.1^M
>         Firmware Version................................. FPGA 1.7, Env 0.0, USB console 2.2^M
>         Build Type....................................... DATA + WPS
>         ^M
>         System Name...................................... cumm111-wism-aca05^M
>         System Location.................................. 111 Cummington St., Room B05^M
>         System Contact................................... Network Operations Center^M
>         System ObjectID.................................. 1.3.6.1.4.1.9.1.1293^M
>         Redundancy Mode.................................. SSO^M
>         IP Address....................................... 10.123.18.234^M
>         IPv6 Address..................................... ::^M
>         Last Reset....................................... Software reset^M
>         System Up Time................................... 98 days 3 hrs 47 mins 5 secs^M
>         System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)^M
>         System Stats Realtime Interval................... 5^M
>         System Stats Normal Interval..................... 180
>         ^M
>         ^M
>         
>         Error: TIMEOUT reached
>         [rancid at nsgv-prod-59 ~]$
>         
>         
>         
>         
>         
>         On 7/27/18, 11:16 AM, "heasley" <heas at shrubbery.net> wrote:
>         
>             Fri, Jul 27, 2018 at 12:08:37PM +0000, Piegorsch, Weylin William:
>             > I did some experimenting, issuing the "config paging disable" CLI command on initial login seems to eliminate the paging issue, similar to the ASA "terminal pager 0" or the IOS "terminal length 0".
>             > weylin
>             
>             wlogin should have sent this command at the beginning.  please look at
>             the beginning of the transcript with the device.
>             
>             > On 7/27/18, 8:01 AM, "Piegorsch, Weylin William" <weylin at bu.edu> wrote:
>             > 
>             >     When I login as myself and run the "show sysinfo" command, I get the below output.  I notice that rancid (wlogin) gets stuck on the prompt at the end there.  When expect sees the prompt, a <space> would be the appropriate response.  I'm not sure how to disable paging, unfortunately. 
>             >     
>             >     Weylin
>             >     
>             >     (cumm111-wism-aca05) >show sysinfo
>             >     
>             >     Manufacturer's Name.............................. Cisco Systems Inc.
>             >     Product Name..................................... Cisco Controller
>             >     Product Version.................................. 8.2.166.0
>             >     Bootloader Version............................... 1.0.20
>             >     Field Recovery Image Version..................... 7.6.101.1
>             >     Firmware Version................................. FPGA 1.7, Env 0.0, USB console 2.2
>             >     Build Type....................................... DATA + WPS
>             >     
>             >     System Name...................................... cumm111-wism-aca05
>             >     System Location.................................. 111 Cummington St., Room B05
>             >     System Contact................................... Network Operations Center
>             >     System ObjectID.................................. 1.3.6.1.4.1.9.1.1293
>             >     Redundancy Mode.................................. SSO
>             >     IP Address....................................... 10.123.18.234
>             >     IPv6 Address..................................... ::
>             >     Last Reset....................................... Software reset
>             >     System Up Time................................... 97 days 17 hrs 26 mins 34 secs
>             >     System Timezone Location......................... (GMT -5:00) Eastern Time (US and Canada)
>             >     System Stats Realtime Interval................... 5
>             >     System Stats Normal Interval..................... 180
>             >     
>             >     
>             >     --More-- or (q)uit
>             >     
>             >     
>             >     
>             >     
>             >     
>             >     On 7/26/18, 6:43 PM, "heasley" <heas at shrubbery.net> wrote:
>             >     
>             >         Thu, Jul 26, 2018 at 09:20:42PM +0000, Piegorsch, Weylin William:
>             >         > I should note that using the NOPIPE=yes thing causes the "controller wlogin error: Error: Connection closed (ssh): controller" message that I show below.  If I omit the NOPIPE environment variable on the CLI, I get the output I showed in the other email, where it hangs in the middle of output.
>             >         > 
>             >         > weylin
>             >         
>             >         i dont see the problem in what you've provided; you'll have to share more
>             >         output with me.
>             >         
>             >         eval `rancid -t cisco-wlc8 -C hostname` &> output
>             >         
>             >     
>             >     
>             > 
>             
>         
>         
>     
>     
> 



More information about the Rancid-discuss mailing list