[rancid] Problems with Rancid and Privilege Levels

Daniel Schmidt daniel.schmidt at wyo.gov
Mon Jan 27 17:11:18 UTC 2014


Personally, I think the absence of Tacacs is harder to manage.  Granted, my
previous reply was pretty unintelligible, so I'd understand if you didn't
heed my opinion.  Apparently "recommenced" is a real word. (#*@& spell
check)


On Mon, Jan 27, 2014 at 9:20 AM, Jethro R Binks <jethro.binks at strath.ac.uk> wrote:

> At the time I did it, many years ago, it was easier to type those lines
> than setup tacacs.  For the sake of anyone else looking for a solution who
> also does not have tacacs, that's mine; hard or otherwise, the reader can
> determine for themselves!
>
> Jethro.
>
> On 27 Jan 2014, at 15:59, Daniel Schmidt <daniel.schmidt at wyo.gov> wrote:
>
> You're making it hard.  I'd recommenced you look into tacacs
> authorization.
>
>
> On Mon, Jan 27, 2014 at 7:12 AM, Jethro R Binks <jethro.binks at strath.ac.uk> wrote:
>
>> On Fri, 24 Jan 2014, Gordon Ross wrote:
>>
>> > I didn't want to give the Level 15 enable password for my ASAs to
>> > Rancid, so I've tried to configure Rancid to use a custom privilege
>> > level, but I'm stuck at the last hurdle and Rancid doesn't seem able to
>> > get the config.
>>
>> I can't remember if this is all of what is required, but I have an ASA
>> that looks like this:
>>
>> username rancid password PASSWORD encrypted privilege 7
>> privilege cmd level 7 mode exec command more
>> privilege cmd level 7 mode exec command dir
>> privilege cmd level 7 mode exec command write
>> privilege cmd level 7 mode exec command terminal
>> privilege show level 7 mode exec command running-config
>> privilege show level 7 mode exec command version
>> privilege show level 7 mode exec command bootvar
>> privilege show level 7 mode exec command names
>> privilege show level 7 mode exec command vlan
>> privilege show level 7 mode exec command module
>>
>> I'm running an old version of clogin specified as "cisco" in router.db,
>> but I also have a note that I modified it to send "terminal pager 0" as
>> well as "terminal length 0".
>>
>> To find out where yours is going wrong though, you'll need to run rancid
>> in debug mode, along the lines of:
>>
>> env NOPIPE=YES PATH=${PATH}:/usr/local/libexec/rancid rancid -d devicename
>>
>> and inspect the *.raw file to see where it went wrong.
>>
>> Jethro.
>>
>>
>>
>> > The steps I took were:
>> >
>> > * Copied bin/clogin to asa-clogin.
>> >
>> > * Changed the 'send "enable\r"' command to be 'send "enable 4\r"' in asa-clogin
>> >
>> > * In rancid-fe, I added an entry of "'asa' => 'asa-clogin',"
>> >
>> > * In my router.db I added "asa1.example.com:asa:up"
>> >
>> >  * Added the asa's credentials to .clogin
>> >
>> > If I run (as the rancid user) "asa-clogin asa1.example.com" I end up at
>> > an enable prompt on my asa:
>> >
>> > asa-1/act#
>> >
>> > But when rancid runs, the logs show:
>> >
>> > Trying to get all of the configs.
>> > asa-1.example.com
>> > spawn ssh -c 3des -x -l rancid asa-1.example.com
>> > rancid at asa-1.example.com's password:
>> > Type help or '?' for a list of available commands.
>> > asa-1/act> enable 4
>> > Password: ***********
>> > asa-1/act#
>> > asa-1/act# =====================================
>> > Getting missed routers: round 1.
>> > ....
>> >
>> > The rancid ASA can do show ver, show run, etc.
>> >
>> > How can I find out what's wrong?
>> >
>> > Thanks,
>> >
>> > GTG
>> > _______________________________________________
>> > Rancid-discuss mailing list
>> > Rancid-discuss at shrubbery.net
>> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>> >
>>
>> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
>> Jethro R Binks, Network Manager,
>> Information Services Directorate, University Of Strathclyde, Glasgow, UK
>>
>> The University of Strathclyde is a charitable body, registered in
>> Scotland, number SC015263.
>>
>
> E-Mail to and from me, in connection with the transaction
> of public business, is subject to the Wyoming Public Records
> Act and may be disclosed to third parties.
>
>
>


E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
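The thread's underlying problem is checking that a non-15 rancid user on an ASA has been granted every command clogin/rancid will send, before watching the *.raw file for where the session stalls. The following is an added example, not code from the rancid project or from anyone in the thread: it parses the `username ... privilege N` and `privilege <kind> level N mode exec command <word>` lines Jethro quoted (embedded here as constructed sample input) and reports which of a constructed command list the user is allowed to run. It assumes that a command with no `privilege ... level` line keeps the ASA default of 15, and that a username without a `privilege` keyword lands at level 2; `show interface` is included only to show what a missing grant looks like.

```python
import re

# Constructed sample input: the ASA lines quoted in the thread.
SAMPLE_CONFIG = """\
username rancid password PASSWORD encrypted privilege 7
privilege cmd level 7 mode exec command more
privilege cmd level 7 mode exec command dir
privilege cmd level 7 mode exec command write
privilege cmd level 7 mode exec command terminal
privilege show level 7 mode exec command running-config
privilege show level 7 mode exec command version
privilege show level 7 mode exec command bootvar
privilege show level 7 mode exec command names
privilege show level 7 mode exec command vlan
privilege show level 7 mode exec command module
"""

# Constructed command list: the commands the thread mentions rancid/clogin
# sending, plus "show interface" as a deliberately unlisted command.
RANCID_COMMANDS = [
    "terminal length 0",
    "terminal pager 0",
    "show version",
    "show running-config",
    "dir",
    "write term",
    "show interface",
]

# Assumptions (not stated in the thread): an unlisted command keeps the ASA
# default level of 15; a username without "privilege N" is level 2.
DEFAULT_CMD_LEVEL = 15
DEFAULT_USER_LEVEL = 2

PRIV_RE = re.compile(
    r"^privilege\s+(cmd|show|clear|configure)\s+level\s+(\d+)"
    r"\s+mode\s+(\S+)\s+command\s+(\S+)$"
)
USER_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)$")


def parse_privileges(config_text):
    """Return (command levels, user levels) parsed from ASA config text.

    Command levels are keyed by (kind, mode, first keyword after the kind).
    """
    cmd_levels, user_levels = {}, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PRIV_RE.match(line)
        if m:
            kind, level, mode, command = m.groups()
            cmd_levels[(kind, mode, command)] = int(level)
            continue
        m = USER_RE.match(line)
        if m:
            user_levels[m.group(1)] = int(m.group(2))
    return cmd_levels, user_levels


def required_level(cmd_levels, command_line, mode="exec"):
    """Map a typed EXEC command line to the privilege level it needs."""
    words = command_line.split()
    if words[0] in ("show", "clear", "configure") and len(words) > 1:
        key = (words[0], mode, words[1])  # e.g. ("show", "exec", "version")
    else:
        key = ("cmd", mode, words[0])      # e.g. ("cmd", "exec", "terminal")
    return cmd_levels.get(key, DEFAULT_CMD_LEVEL)


def check_user(config_text, username, commands):
    """Return (user level, {command: (required level, allowed?)})."""
    cmd_levels, user_levels = parse_privileges(config_text)
    user_level = user_levels.get(username, DEFAULT_USER_LEVEL)
    results = {}
    for command in commands:
        need = required_level(cmd_levels, command)
        results[command] = (need, need <= user_level)
    return user_level, results


def denied_commands(config_text, username, commands):
    """Commands the user cannot run; a non-empty list is where rancid stalls."""
    _, results = check_user(config_text, username, commands)
    return [c for c, (_, ok) in results.items() if not ok]


if __name__ == "__main__":
    level, results = check_user(SAMPLE_CONFIG, "rancid", RANCID_COMMANDS)
    print(f"user rancid is privilege {level}")
    for command, (need, ok) in results.items():
        print(f"{'ok  ' if ok else 'DENY'} level {need:2d}  {command}")
```

Feed it the real `show running-config` output and the exact command list your clogin/rancid script sends (visible in the *.raw file from the debug run above); any command the script reports as DENY is a grant missing from the privilege table, which is the "last hurdle" the thread describes.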