I’m running into some interesting behavior regarding my Cisco ASA 5520. The device is talking to my TACACS server for authentication just fine. Clogin doesn’t want to finish all the way though. It’s hanging at the enable prompt where all my other devices do not. Here’s the output from the clogin:
rancid@kc-tacacs:~$ clogin kansascityASA5520
kansascityasa5520
spawn telnet kansascityasa5520
Trying 10.103.9.250...
telnet: Unable to connect to remote host: Connection refused
spawn ssh -c 3des -x -l rancid kansascityasa5520
rancid@kansascityasa5520's password:
You are connected to: kansascityASA5520.pop.local
Type help or '?' for a list of available commands.
kansascityASA5520> enable
Password: ********
Invalid password
Password: ********
Invalid password
Password: ********
Invalid password
Access denied.
kansascityASA5520>
Error: Check your Enable passwd
kansascityASA5520>
I get connected just fine, then it drops to the unprivileged account.
I have tried to add a specific username and password for this device like this:
#add user kansascityASA5520* {user}
#add password kansascityASA5520* {password} {password}
But, that didn’t work either.
Any help would be greatly appreciated,
thanks
Ian Murphy
-----My reply----
Be sure that the username and password are defined before the "global" username and password. Also, make sure the passwords are the same. Is autoenable turned on? If so, turn it off for that device. Lastly, what is the * used for in the example above? I am not sure that is a permissible character in the hostname field.
Chris
_______________________________________________
Rancid-discuss mailing list
Rancid-...@shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
Thanks for the reply. I added the username and password above the "global" password as you suggested and I still get the same result. Autoenable is not applied to that device. One thing I noticed about the difference between the ASA and another device
Here's a snip from a working device:
edge4503a>enable
Password:
edge4503a#
and from the nonworking device:
kansascityASA5520> enable
Password: ********
Invalid password
Password: ********
Invalid password
Password: ********
Invalid password
Access denied.
kansascityASA5520>
It looks like it's passing the creds differently. Maybe I have the ASA classified wrong in router.db? Is it supposed to be something other than type cisco?
Thanks,
Ian
Eric
clogin -u rancid -p loginPW -e enablePW -c "sh ver" kansascityASA5520
and got the expected results. The device returned the version info.
Here's my .cloginrc file:
#custom user name and password for KC ASA
add user kansascityASA5520 {rancid}
add password kansascityASA5520 { loginPW } { enablePW }
add user * {rancid}
add password * { loginPW } { enablePW }
and clogin kansascityASA5520 fails to get enabled.
Username: jdoe
Password: abc123
edge4503a>enable
Password: abc123
edge4503a#
Note the same password is used for both login and enable. That could be part of the problem.
--chris
-ryan
clogin -u rancid -p loginPW -e enableSECRET -c "sh ver" kansascityASA5520
and got the expected results. The device returned the version info.
Here's my .cloginrc file:
#custom user name and password for KC ASA
add user kansascityASA5520 {rancid}
add password kansascityASA5520 { loginPW } { enableSECRET }
add user * {rancid}
add password * { loginPW } { enablePW}
and clogin kansascityASA5520 fails to get enabled, but this works on every other device.
Ryan, thanks for the reply. I tried removing whitespace from between the curly braces and it failed to execute the script at all.
-----Original Message-----
From: Eric Girard [mailto:egi...@focustsi.com]
Sent: Friday, February 04, 2011 3:53 PM
To: Ian Murphy; 'Chris Gauthier'; 'rancid-...@shrubbery.net'
Subject: RE: Curious Cisco ASA problem
when I manually log in as rancid I can only gain enable by using the local enable secret
I meant here -> { loginPW }, unless you're using a special character that would cause the .cloginrc to fail, you can remove the brackets and use a tab between the passwords.
-ryan
please don't tell folks to remove the braces. please stay in the habit
of using them - be consistent and avoid the typical problems.
if you have special characters in your pwds, you must escape them. see
cloginrc(5).
if you still have a problem, use the login script's -d option to see what
it's sending.
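Two points raised in this thread are easy to check mechanically: Chris's advice that a device-specific entry must come before the global "*" entry, and Ryan's hint that the spaces inside "{ loginPW }" matter. The Python below is an added example, not RANCID's own code; it models .cloginrc resolution as first-match-wins over glob patterns, takes brace-quoted values literally (so whitespace inside the braces becomes part of the password), ignores nested braces and backslash escapes, and lowercases both sides before matching (an assumption; check cloginrc(5) for your version). The two config texts are constructed samples modelled on the entries posted above.

```python
"""Resolve credentials from .cloginrc-style text, first match wins.

Added example, not part of RANCID. Assumptions: 'add' lines are tried
top-down against a hostname glob, the first match is used, brace-quoted
values are taken verbatim, and matching is case-insensitive.
"""
import fnmatch
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str, List[str]]  # (directive, host_glob, values)

# Constructed sample modelled on the thread: specific entry before global.
SAMPLE_CLOGINRC = """\
# custom user name and password for KC ASA
add user kansascityASA5520 {rancid}
add password kansascityASA5520 { loginPW } { enableSECRET }
add user * {rancid}
add password * {loginPW} {enablePW}
"""

# Constructed sample with the global entry first: it shadows the specific one.
SHADOWED_CLOGINRC = """\
add password * {loginPW} {enablePW}
add password kansascityASA5520 {loginPW} {enableSECRET}
"""

_BRACED = re.compile(r"\{([^{}]*)\}")


def parse_cloginrc(text: str) -> List[Entry]:
    """Parse 'add <directive> <host_glob> <value>...' lines in file order.

    Comments and blank lines are skipped. Brace-quoted values keep their
    content verbatim (no whitespace trimming); unquoted values are split
    on whitespace. Nested braces and escapes are not handled.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] != "add":
            continue
        _, directive, host_glob, value_str = parts
        values = _BRACED.findall(value_str) or value_str.split()
        entries.append((directive, host_glob, values))
    return entries


def find(entries: List[Entry], directive: str, host: str) -> Optional[List[str]]:
    """Return the values of the first entry for `directive` whose glob matches host."""
    for d, host_glob, values in entries:
        if d == directive and fnmatch.fnmatchcase(host.lower(), host_glob.lower()):
            return values
    return None


def resolve_credentials(text: str, host: str) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (user, login_password, enable_password) for host; None where absent."""
    entries = parse_cloginrc(text)
    user = find(entries, "user", host)
    pw = find(entries, "password", host)
    return (
        user[0] if user else None,
        pw[0] if pw else None,
        pw[1] if pw and len(pw) > 1 else None,
    )


if __name__ == "__main__":
    # The ASA entry wins, but both passwords carry their surrounding spaces.
    print(resolve_credentials(SAMPLE_CLOGINRC, "kansascityASA5520"))
    # Another device falls through to the global entry.
    print(resolve_credentials(SAMPLE_CLOGINRC, "edge4503a"))
    # With '*' listed first, the ASA-specific enable secret is never reached.
    print(resolve_credentials(SHADOWED_CLOGINRC, "kansascityASA5520"))
```

Running it shows the ASA's enable password resolving to " enableSECRET " with spaces on both ends, which is what the device would be asked to accept, and shows the specific entry being silently ignored whenever the "*" line precedes it.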