From afort at staff.webcentral.com.au  Mon Jun 25 05:03:04 2001
From: afort at staff.webcentral.com.au (Andrew Fort)
Date: Mon, 25 Jun 2001 15:03:04 +1000 (EST)
Subject: alteon support
In-Reply-To: <004801c0fd32$65f4ad60$6d00c1d2@qalacom.com>
Message-ID: <Pine.LNX.4.33.0106251458340.1004-100000@vista.webcentral.com.au>

On Mon, 25 Jun 2001, Hee-Juan Ho wrote:

> Hi John,
> 	OK, the alogin manages to login but the 1st command does not execute :
>
> =============== screen shot ===============
> %alogin -c '/info/sys;/cfg/dump' ad3-backbone
> ad3-backbone
> spawn telnet ad3-backbone
> Trying <IP removed>...
> Connected to ad3-backbone.
> Escape character is '^]'.
>
> Enter password:
> ------------------------------------------------------------
> [Main Menu]
>       info    - Information Menu
>       stats   - Statistics Menu
>       exit    - Exit  [global command, always available]
>
> >> Main>

         ^^

okay, alogin is getting an unpriveliged login, so it is stalling.  it
expects to see >> Main# -- this is probably a bug, it should ideally
finish, but just fail for the /cfg/dump bit (an unpriv'd user can still
/info/sys, kinda like you cant "write term" on a cisco when you're not
enabled).  If John reckons this is not the correct behaviour, I'll fix it
:), but I cant dedicate much time over the next day or so..

for now, make sure your .cloginrc has only one password for this device,
the administrator password, e.g.

add password ad3-backbone {adminpassword}

Regards,

-- 
andrew fort



From afort at staff.webcentral.com.au  Tue Jun 26 00:51:14 2001
From: afort at staff.webcentral.com.au (Andrew Fort)
Date: Tue, 26 Jun 2001 10:51:14 +1000
Subject: alteon support
Message-ID: <415DD4BF903BD311A3D900A0C99F90220960706C@bnc.webcentral.com.au>

>> okay, alogin is getting an unpriveliged login, so it is stalling.  it
>> expects to see >> Main# -- this is probably a bug, it should ideally
>> finish, but just fail for the /cfg/dump bit (an unpriv'd 
>user can still
>> /info/sys, kinda like you cant "write term" on a cisco when 
>you're not
>> enabled).  If John reckons this is not the correct 
>behaviour, I'll fix it
>> :), but I cant dedicate much time over the next day or so..
>
>you'll have to explain the login scenario.  is there a way to "enable"
>once you've logged in with a password other than adminpassword?  either
>way, it should be as "fault" tolerant as possible.

cool -- I'll fix the prompt character dependancy (to make it like > as well
as #), it'll be a few days though.  

Ho's issue was resolved by using the snigle password only in .cloginrc.

i.e.,

add password ad3-core {priv-user-password}

instead of

add password ad3-core {unpriv-user-password} {priv-user-password}

(the second password is ignored by alogin).

For the record, at least as far as I know, there's no way to enable once
logged in.  The password (only) determines your userlevel.  This muddies the
issue when you deal with using TACACS+ or RADIUS for user authentication.
SSH without AAA allows you to use any username, the password only being the
key for authentication.  Yet another reason for standardisation across
vendors, eh :)

-afort