[rancid] Re: PIX authentication

sawall sawall at gmail.com
Fri Mar 9 20:50:50 UTC 2007


The weird thing, I think, is that I don't have autoenable set in my cloginrc
file and it's working great with all of my firewalls.  not that todd
shouldn't try it.  i'm just confused....

chris


On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
>
> DOH Helps to read the instructions. I added autoenable, but didn't put
> the ip of the device in. It is working from bin.clogin now. Let's see if
> it pulls the config this time. Thanks for everyone who helped!
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion,
> Even pharaohs turn to sand, Like a drop in the ocean
>
> -----Original Message-----
> From: Mike Ashcraft [mailto:mashcraft at omniture.com]
> Sent: Friday, March 09, 2007 12:49 PM
> To: Todd Heide
> Cc: Rancid-discuss at shrubbery.net
> Subject: RE: [rancid] Re: PIX authentication
>
> Todd,
>
> clogin IPADDRESS is 'hanging' because it is waiting for the pix to
> return an enabled prompt.  While you can type at the user prompt, the
> clogin program is still in control and will not pass your keystrokes on
> to the PIX.  Notice that after the timeout, your 'en' is entered at the
> shell prompt.  Setting autoenable to 0 will tell clogin that it will
> have to use the enable command to get the enabled prompt.
>
> Unlike other Cisco devices, the PIX will not allow a tacacs+
> authenticated user to go straight to enable mode.
>
> Mike
>
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 10:33 AM
> To: Manuel Noriega
> Cc: Rancid-discuss at shrubbery.net
> Subject: [rancid] Re: PIX authentication
>
> OK, I didn't have the autoenable in there, I will see if that helps, but
> I am still puzzled as to why it is hanging when I try clogin IPADDRESS
> to the pix.
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn
> to sand, Like a drop in the ocean
>
> -----Original Message-----
> From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
> Sent: Friday, March 09, 2007 11:19 AM
> To: Todd Heide
> Cc: sawall; Rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Re: PIX authentication
>
> Are you using autoenable? I had trouble at the beginning. This is what I
> have in my .cloginrc file.
>
> add autoenable  pix*     0
> add method      pixsps  ssh
> add cyphertype  pixsps   des
> add user        pixsps   pix
> add password    pixsps   vtypassword        enablepassword
>
>
>
> Regards,
>
> Manuel
>
> On Mar 9, 2007, at 10:45 AM, Todd Heide wrote:
>
> > Yep, the logs indicate basically the same thing that running clogin
> > does, error: TIMEOUT reached. It is hanging when trying to get to
> > privileged exec mode on the PIX. All the routers work fine with ssh,
> > so I am not sure what the problem is, and why it hangs, but I can ssh
> > to the pix from the command prompt and get all the way in.
> >
> >
> >
> >
> >
> > Nothing ever goes as planned, Its a hell of a notion,
> >
> > Even pharaohs turn to sand, Like a drop in the ocean
> >
> > From: sawall [mailto:sawall at gmail.com]
> > Sent: Friday, March 09, 2007 10:25 AM
> > To: Todd Heide
> > Subject: Re: [rancid] Re: PIX authentication
> >
> >
> >
> > sorry.  i'm not the greatest rancid guy.  i modified my bin/rancid and
> > bin/clogin files slightly.  and i'm not having any issues.
> >
> > what if you run "bin/rancid -d {fw ip addr}"
> >
> > should show some debug.
> >
> >
> >
> > On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
> >
> >
> >
> > add user 67.1x.x.x           rancid
> > add password 67.1x.x.x       {********}          {*********}
> > add method 67.1x.x.x        ssh
> >
> >
> > This login setup works fine on a router, all our routers use Tacacs+
> > as well.
> > ________________________________________
> > From: sawall [mailto:sawall at gmail.com]
> > Sent: Friday, March 09, 2007 10:10 AM
> > To: Todd Heide
> > Subject: Re: [rancid] Re: PIX authentication
> >
> > what does your cloginrc file look like?
> >
> >
> > On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
> > I get the same issue whether it is a pix or an ASA, version 6.3 or 7.x
> >
> > ________________________________________
> > From: sawall [mailto:sawall at gmail.com]
> > Sent: Friday, March 09, 2007 9:50 AM
> > To: Todd Heide
> > Subject: Re: [rancid] Re: PIX authentication
> >
> > what version of pix? does the user "rancid" have rights to call
> > enable?
> >
> > just trying to figure out your issue....
> >
> >
> > On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> > [rancid at server ~]$ bin/clogin 67.1x.x.x
> > 67.1x.x.x
> > spawn ssh -c 3des -x -l rancid 67.1x.x.x
> > rancid at 67.1x.x.x 's password:
> > Type help or '?' for a list of available commands.
> > pixfirewall>
> > pixfirewall> en
> >
> > Error: TIMEOUT reached
> > [rancid at server ~]$ en
> >
> > Thanks
> > Toddc.
> >
> >
> > CCNA CWLSS CS-CISecS
> >
> > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> > turn to sand, Like a drop in the ocean
> > ________________________________________
> > From: sawall [mailto:sawall at gmail.com ]
> > Sent: Friday, March 09, 2007 9:39 AM
> > To: Todd Heide
> > Subject: Re: [rancid] Re: PIX authentication
> >
> > what does the output look like when you try it manually. below is what
> > i have for version 6.3 and 7.2. (i changed the enable to enable 5 so i
> > could limit the commands that could run for this user).
> >
> > # su - rancid
> >
> > > clogin pixver63
> > pixver63
> > spawn ssh -c 3des -x -l pixbkup pixver63
> > pixbkup at pixver63's password:
> > Type help or '?' for a list of available commands.
> > pixver63>
> > pixver63> enable 5
> > Password: *******
> > pixver63#
> > pixver63# exit
> >
> > Logoff
> >
> > Connection to pixver63 closed.
> >
> >
> > > clogin pixver72
> > pixver72
> > spawn ssh -c 3des -x -l pixbkup pixver72
> > pixbkup at pixver72 's password:
> > Type help or '?' for a list of available commands.
> > pixcof01p> enable 5
> > Password: *******
> > pixcof01p#
> > pixcof01p# exit
> >
> > Logoff
> >
> > Connection to pixver72 closed.
> >
> > On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> > Running it manually is when I found the problem. It hangs when I enter
> > enable, then times out.
> >
> > Thanks
> > Todd Heide
> > Equivoice Inc.
> >
> >
> > CCNA CWLSS CS-CISecS
> > 847-235-3308
> >
> > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> > turn to sand, Like a drop in the ocean
> > ________________________________________
> > From: sawall [mailto: sawall at gmail.com]
> > Sent: Friday, March 09, 2007 9:01 AM
> > To: Todd Heide
> > Cc: Rancid-discuss at shrubbery.net
> > Subject: Re: [rancid] Re: PIX authentication
> >
> > are you using the default clogin files? i am backing up 60+ pix
> > firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having any
> > problems at all.
> >
> > have you run clogin manually to see how it's connecting to the pix and
> > to see if that works.
> >
> > chris
> > On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> > I found a second issue, another pix I log into, if I type enable it
> > hangs!
> >
> > Thanks
> > Todd Heide
> > Equivoice Inc.
> >
> > CCNA CWLSS CS-CISecS
> > 847-235-3308
> >
> > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> > turn to sand, Like a drop in the ocean
> >
> > -----Original Message-----
> > From: rancid-discuss-bounces at shrubbery.net [mailto:
> > rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> > Sent: Friday, March 09, 2007 8:49 AM
> > To: Rancid-discuss at shrubbery.net
> > Subject: [rancid] PIX authentication
> >
> > I have been wondering why I never get an update when trying to get
> > rancid to pull a config from a PIX and discovered that when Rancid
> > logs in, it doesn't put in enable and password, so the device times
> > out.
> > Where can I fix that?
> >
> > Thanks
> > Todd
> >
> >
> > CCNA CWLSS CS-CISecS
> >
> >
> > Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> > turn to sand, Like a drop in the ocean
> >
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
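
The thread turns on whether an autoenable line in .cloginrc actually applies to the device being polled. The following is an added example, not part of the original messages and not RANCID code: a small checker that lists which directives resolve for a given host, using the first-match-wins ordering described in cloginrc(5). The sample file contents, the address 192.0.2.10, the name pixfw1 and the function names are constructed for illustration, and the glob match clogin performs is approximated here with Python's fnmatch.

```python
import fnmatch
import re

# Constructed sample .cloginrc text (address and passwords are placeholders).
SAMPLE_CLOGINRC = """\
# firewalls named pix* need an explicit enable
add autoenable  pix*         0
add user        192.0.2.10   rancid
add password    192.0.2.10   {vty-placeholder} {enable-placeholder}
add method      192.0.2.10   ssh
add method      *            telnet
"""

# A value is either a {braced} word or a bare word.
TOKEN = re.compile(r"\{([^}]*)\}|(\S+)")

def parse(text):
    """Return [(directive, glob, [values])] for each 'add' line, in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        words = [braced or bare for braced, bare in TOKEN.findall(line)]
        if len(words) >= 3 and words[0] == "add":
            entries.append((words[1], words[2], words[3:]))
    return entries

def resolve(entries, host):
    """For each directive keep only the first entry whose glob matches host."""
    found = {}
    for directive, glob, values in entries:
        if directive not in found and fnmatch.fnmatchcase(host.lower(), glob.lower()):
            found[directive] = values
    return found

def missing(entries, host, needed=("user", "password", "method", "autoenable")):
    """Directives from 'needed' that no line in the file supplies for host."""
    got = resolve(entries, host)
    return [d for d in needed if d not in got]

if __name__ == "__main__":
    entries = parse(SAMPLE_CLOGINRC)
    for host in ("192.0.2.10", "pixfw1"):
        print(host, resolve(entries, host), "missing:", missing(entries, host))
```

Run against the sample, the host listed by address picks up user, password and method but no autoenable entry, because the only autoenable line is keyed on the name pattern pix*.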