[rancid] Re: PIX authentication

Mike Ashcraft mashcraft at omniture.com
Fri Mar 9 18:49:10 UTC 2007


Todd,

clogin IPADDRESS is 'hanging' because it is waiting for the pix to
return an enabled prompt.  While you can type at the user prompt, the
clogin program is still in control and will not pass your keystrokes on
to the PIX.  Notice that after the timeout, your 'en' is entered at the
shell prompt.  Setting autoenable to 0 will tell clogin that it will
have to use the enable command to get the enabled prompt.      

Unlike other Cisco devices, the PIX will not allow a tacacs+
authenticated user to go straight to enable mode.

Mike
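As an added example (not code from this thread or from RANCID itself), the script below parses .cloginrc "add" entries like the ones posted further down, resolves which settings clogin would pick for a given host, and flags a PIX entry that has no explicit autoenable 0 or no enable password. It assumes first-match-wins semantics per keyword and uses Python's fnmatch as a stand-in for clogin's glob matching; the sample file and its placeholder passwords are constructed.

```python
import fnmatch
import re

# Constructed .cloginrc sample modelled on the entries posted in this thread;
# passwords are placeholders, not real credentials.
SAMPLE_CLOGINRC = """\
# PIX/ASA: a tacacs+ user lands at the user prompt, so clogin must send enable
add autoenable  pix*        0
add method      pixsps      ssh
add cyphertype  pixsps      des
add user        pixsps      pix
add password    pixsps      {vtypassword}   {enablepassword}
add user        67.1x.x.x   rancid
add password    67.1x.x.x   {********}      {*********}
add method      67.1x.x.x   ssh
"""

# A token is either a brace-quoted value {...} or a run of non-blank characters.
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")


def parse_cloginrc(text):
    """Return (keyword, glob, values) tuples for each 'add' directive."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):       # skip comments and blank lines
            continue
        toks = [braced if braced else bare for braced, bare in TOKEN.findall(line)]
        _, keyword, glob, *values = toks
        entries.append((keyword, glob, values))
    return entries


def effective(entries, host):
    """Settings clogin would use for host: first matching glob wins per keyword (assumed)."""
    settings = {}
    for keyword, glob, values in entries:
        if keyword not in settings and fnmatch.fnmatchcase(host, glob):
            settings[keyword] = values
    return settings


def check_pix_host(entries, host):
    """Report the two gaps discussed in the thread for a PIX/ASA host entry."""
    s = effective(entries, host)
    problems = []
    if s.get("autoenable", [None])[0] != "0":
        problems.append("autoenable not set to 0: clogin waits for an enable prompt it never gets")
    if len(s.get("password", [])) < 2:
        problems.append("no enable password in 'add password': clogin cannot answer the enable prompt")
    return problems
```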

-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
Sent: Friday, March 09, 2007 10:33 AM
To: Manuel Noriega
Cc: Rancid-discuss at shrubbery.net
Subject: [rancid] Re: PIX authentication

OK, I didn't have the autoenable in there, I will see if that helps, but
I am still puzzled as to why it is hanging when I try clogin IPADDRESS
to the pix.

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308
 
Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn
to sand, Like a drop in the ocean

-----Original Message-----
From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
Sent: Friday, March 09, 2007 11:19 AM
To: Todd Heide
Cc: sawall; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication

Are you using autoenable? I had trouble at the beginning. This is what I
have in my .cloginrc file.

add autoenable  pix*     0
add method      pixsps  ssh
add cyphertype  pixsps   des
add user        pixsps   pix
add password    pixsps   vtypassword        enablepassword



Regards,

Manuel

On Mar 9, 2007, at 10:45 AM, Todd Heide wrote:

> Yep, the logs indicate basically the same thing that running clogin 
> does, error: TIMEOUT reached. It is hanging when trying to get to 
> privileged exec mode on the PIX. All the routers work fine with ssh, 
> so I am not sure what the problem is, and why it hangs, but I can ssh 
> to the pix from the command prompt and get all the way in.
>
>
>
>
>
> Nothing ever goes as planned, Its a hell of a notion,
>
> Even pharaohs turn to sand, Like a drop in the ocean
>
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 10:25 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
>
>
> sorry.  i'm not the greatest rancid guy.  i modified my bin/rancid and
> bin/clogin files slightly.  and i'm not having any issues.
>
> what if you run "bin/rancid -d {fw ip addr}"
>
> should show some debug.
>
>
>
> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
>
>
>
> add user 67.1x.x.x           rancid
> add password 67.1x.x.x       {********}          {*********}
> add method 67.1x.x.x        ssh
>
>
> This login setup works fine on a router, all our routers use Tacacs+ as
> well.
> ________________________________________
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 10:10 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does your cloginrc file look like?
>
>
> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
> I get the same issue whether it is a pix or an ASA, version 6.3 or 7.x
>
> ________________________________________
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:50 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what version of pix? does the user "rancid" have rights to call 
> enable?
>
> just trying to figure out your issue....
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> [rancid at server ~]$ bin/clogin 67.1x.x.x
> 67.1x.x.x
> spawn ssh -c 3des -x -l rancid 67.1x.x.x
> rancid at 67.1x.x.x's password:
> Type help or '?' for a list of available commands.
> pixfirewall>
> pixfirewall> en
>
> Error: TIMEOUT reached
> [rancid at server ~]$ en
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs 
> turn to sand, Like a drop in the ocean 
> ________________________________________
> From: sawall [mailto:sawall at gmail.com ]
> Sent: Friday, March 09, 2007 9:39 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does the output look like when you try it manually. below is what
> i have for version 6.3 and 7.2. (i changed the enable to enable 5 so i
> could limit the commands that could run for this user).
>
> # su - rancid
>
> > clogin pixver63
> pixver63
> spawn ssh -c 3des -x -l pixbkup pixver63 pixbkup at pixver63's password:
> Type help or '?' for a list of available commands.
> pixver63>
> pixver63> enable 5
> Password: *******
> pixver63#
> pixver63# exit
>
> Logoff
>
> Connection to pixver63 closed.
>
>
> > clogin pixver72
> pixver72
> spawn ssh -c 3des -x -l pixbkup pixver72
> pixbkup at pixver72 's password:
> Type help or '?' for a list of available commands.
> pixcof01p> enable 5
> Password: *******
> pixcof01p#
> pixcof01p# exit
>
> Logoff
>
> Connection to pixver72 closed.
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> Running it manually is when I found the problem. It hangs when I enter
> enable, then times out.
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs 
> turn to sand, Like a drop in the ocean 
> ________________________________________
> From: sawall [mailto: sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:01 AM
> To: Todd Heide
> Cc: Rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Re: PIX authentication
>
> are you using the default clogin files? i am backing up 60+ pix 
> firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having any 
> problems at all.
>
> have you run clogin manually to see how it's connecting to the pix and
> to see if that works.
>
> chris
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> I found a second issue, another pix I log into, if I type enable it 
> hangs!
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs 
> turn to sand, Like a drop in the ocean 
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:
> rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 8:49 AM
> To: Rancid-discuss at shrubbery.net
> Subject: [rancid] PIX authentication
>
> I have been wondering why I never get an update when trying to get 
> rancid to pull a config from a PIX and discovered that when Rancid 
> logs in, it doesn't put in enable and password, so the device times 
> out.
> Where can I fix that?
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs 
> turn to sand, Like a drop in the ocean
>

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
