[rancid] Re: PIX authentication

Mike Ashcraft mashcraft at omniture.com
Fri Mar 9 21:06:53 UTC 2007


Chris,
 
Because Todd is using tacacs+ for authentication, he set autoenable to 1
to get all the cisco routers/switches working.  The hostname glob he
used for this setting also matched his PIX, causing this problem.
 
As autoenable needs to be 0 [the default] for a PIX to work, you don't
need to set it.
 
Mike
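
The following is an added example, not code from this thread or from rancid itself. It models the glob-ordering mistake Mike describes: a small .cloginrc parser plus a resolver that applies first-match-wins semantics (assumed here to be how clogin evaluates `add` lines), so you can see that a broad `*` autoenable line placed before the `pix*` line silently gives the PIX autoenable 1, while putting the specific entry first restores the default 0. The two configurations, the hostnames and the `{..._PLACEHOLDER}` password tokens are constructed for the example; `parse_cloginrc`, `resolve`, `effective_autoenable` and `shadowed_entries` are this example's own names, and the parser deliberately ignores the more elaborate Tcl quoting a real .cloginrc may contain.

```python
import fnmatch
from typing import List, Optional, Tuple

Entry = Tuple[str, str, List[str]]

# Constructed .cloginrc in the shape the thread describes: a broad glob
# for the tacacs+ routers/switches sits *before* the PIX-specific line,
# so the PIX line is never reached and the PIX gets autoenable 1.
# Passwords are placeholders, not real credentials.
BROKEN_CLOGINRC = """\
# tacacs+ routers/switches drop straight into enable mode
add autoenable  *        1
add method      *        ssh
add user        *        rancid
add password    *        {VTY_PLACEHOLDER}  {ENABLE_PLACEHOLDER}
# PIX must be sent 'enable' explicitly; shadowed by the '*' line above
add autoenable  pix*     0
"""

# Same content with the specific entries first, so pix* hosts resolve to 0.
FIXED_CLOGINRC = """\
add autoenable  pix*     0
add method      pix*     ssh
add user        pix*     pix
add password    pix*     {VTY_PLACEHOLDER}  {ENABLE_PLACEHOLDER}
# everything else (tacacs+ routers/switches) autoenables
add autoenable  *        1
add method      *        ssh
add user        *        rancid
add password    *        {VTY_PLACEHOLDER}  {ENABLE_PLACEHOLDER}
"""


def parse_cloginrc(text: str) -> List[Entry]:
    """Return (directive, glob, values) triples in file order.

    Simplified parser (assumption for this example): '#' starts a comment,
    tokens are whitespace-separated and surrounding Tcl braces are stripped.
    Real .cloginrc files may use Tcl quoting this does not handle.
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "add":
            raise ValueError(f"malformed cloginrc line: {raw!r}")
        directive, glob, *values = parts[1:]
        entries.append((directive, glob, [v.strip("{}") for v in values]))
    return entries


def resolve(entries: List[Entry], hostname: str,
            directive: str) -> Optional[Tuple[str, List[str]]]:
    """Return (matching_glob, values) for the FIRST entry whose glob matches.

    First-match-wins is the clogin behaviour assumed by this example.
    """
    for d, glob, values in entries:
        if d == directive and fnmatch.fnmatchcase(hostname, glob):
            return glob, values
    return None


def effective_autoenable(text: str, hostname: str) -> int:
    """autoenable as clogin would see it for hostname; 0 is clogin's default."""
    hit = resolve(parse_cloginrc(text), hostname, "autoenable")
    return int(hit[1][0]) if hit else 0


def shadowed_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Lint: (directive, glob, earlier_glob) for entries that can never match.

    Heuristic: a later glob is unreachable if an earlier entry for the same
    directive has a glob that matches the later glob *string* (e.g. '*'
    before 'pix*'). It catches the common case, not every possible overlap.
    """
    found = []
    for i, (d, glob, _) in enumerate(entries):
        for pd, pglob, _ in entries[:i]:
            if pd == d and fnmatch.fnmatchcase(glob, pglob):
                found.append((d, glob, pglob))
                break
    return found


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CLOGINRC), ("fixed", FIXED_CLOGINRC)):
        print(f"{label}: pixfirewall autoenable ->",
              effective_autoenable(cfg, "pixfirewall"),
              "| shadowed:", shadowed_entries(parse_cloginrc(cfg)))
```

Running the script reports autoenable 1 for `pixfirewall` under the broken ordering and flags the `pix*` line as shadowed by `*`; under the fixed ordering the PIX resolves to 0 and nothing is shadowed. The same resolver answers "which line actually set `user` or `password` for this host", which is the question to ask whenever a device hangs at a prompt the way the thread describes.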

________________________________

From: sawall [mailto:sawall at gmail.com] 
Sent: Friday, March 09, 2007 1:51 PM
To: Todd Heide
Cc: Mike Ashcraft; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication


The weird thing, I think, is that I don't have autoenable set in my
cloginrc file and it's working great with all of my firewalls.  Not that
Todd shouldn't try it.  I'm just confused....

chris



On 3/9/07, Todd Heide <Todd at equivoice.com> wrote: 

	DOH, helps to read the instructions. I added autoenable, but didn't put
	the IP of the device in. It is working from bin/clogin now. Let's see if
	it pulls the config this time. Thanks to everyone who helped!
	
	Thanks
	Todd Heide
	Equivoice Inc.
	
	CCNA CWLSS CS-CISecS
	847-235-3308
	
	Nothing ever goes as planned, It's a hell of a notion,
	Even pharaohs turn to sand, Like a drop in the ocean
	
	-----Original Message----- 
	From: Mike Ashcraft [mailto:mashcraft at omniture.com]
	Sent: Friday, March 09, 2007 12:49 PM
	To: Todd Heide
	Cc: Rancid-discuss at shrubbery.net 
	Subject: RE: [rancid] Re: PIX authentication
	
	Todd,
	
	clogin IPADDRESS is 'hanging' because it is waiting for the pix to
	return an enabled prompt.  While you can type at the user prompt, the
	clogin program is still in control and will not pass your keystrokes on
	to the PIX.  Notice that after the timeout, your 'en' is entered at the
	shell prompt.  Setting autoenable to 0 will tell clogin that it will
	have to use the enable command to get the enabled prompt.
	
	Unlike other Cisco devices, the PIX will not allow a tacacs+
	authenticated user to go straight to enable mode.
	
	Mike
	
	-----Original Message----- 
	From: rancid-discuss-bounces at shrubbery.net
	[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
	Sent: Friday, March 09, 2007 10:33 AM
	To: Manuel Noriega
	Cc: Rancid-discuss at shrubbery.net
	Subject: [rancid] Re: PIX authentication
	
	OK, I didn't have the autoenable in there. I will see if that helps, but
	I am still puzzled as to why it is hanging when I try clogin IPADDRESS
	to the pix.
	
	Thanks
	Todd Heide
	Equivoice Inc.
	
	CCNA CWLSS CS-CISecS
	847-235-3308
	
	Nothing ever goes as planned, It's a hell of a notion, Even pharaohs turn
	to sand, Like a drop in the ocean
	
	-----Original Message-----
	From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
	Sent: Friday, March 09, 2007 11:19 AM
	To: Todd Heide 
	Cc: sawall; Rancid-discuss at shrubbery.net
	Subject: Re: [rancid] Re: PIX authentication
	
	Are you using autoenable? I had trouble at the beginning. This is what I
	have in my .cloginrc file.
	
	add autoenable  pix*     0
	add method      pixsps  ssh
	add cyphertype  pixsps   des
	add user        pixsps   pix
	add password    pixsps   vtypassword        enablepassword 
	
	
	
	Regards,
	
	Manuel
	
	On Mar 9, 2007, at 10:45 AM, Todd Heide wrote:
	
	> Yep, the logs indicate basically the same thing that running clogin
	> does, error: TIMEOUT reached. It is hanging when trying to get to
	> privileged exec mode on the PIX. All the routers work fine with ssh,
	> so I am not sure what the problem is, and why it hangs, but I can ssh
	> to the pix from the command prompt and get all the way in.
	>
	> Nothing ever goes as planned, It's a hell of a notion,
	> Even pharaohs turn to sand, Like a drop in the ocean
	>
	> From: sawall [mailto:sawall at gmail.com]
	> Sent: Friday, March 09, 2007 10:25 AM
	> To: Todd Heide
	> Subject: Re: [rancid] Re: PIX authentication
	>
	>
	>
	> sorry.  I'm not the greatest rancid guy.  I modified my bin/rancid and
	> bin/clogin files slightly.  and I'm not having any issues.
	>
	> what if you run "bin/rancid -d {fw ip addr}"
	>
	> should show some debug.
	>
	>
	>
	> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
	>
	>
	>
	> add user 67.1x.x.x           rancid
	> add password 67.1x.x.x       {********}          {*********}
	> add method 67.1x.x.x        ssh
	>
	>
	> This login setup works fine on a router, all our routers use Tacacs+ as
	> well.
	> ________________________________________
	> From: sawall [mailto:sawall at gmail.com]
	> Sent: Friday, March 09, 2007 10:10 AM
	> To: Todd Heide
	> Subject: Re: [rancid] Re: PIX authentication
	>
	> what does your cloginrc file look like?
	>
	>
	> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
	> I get the same issue whether it is a pix or an ASA, version 6.3 or 7.x
	>
	> ________________________________________
	> From: sawall [mailto: sawall at gmail.com]
	> Sent: Friday, March 09, 2007 9:50 AM
	> To: Todd Heide
	> Subject: Re: [rancid] Re: PIX authentication
	>
	> what version of pix? does the user "rancid" have rights to call
	> enable?
	>
	> just trying to figure out your issue....
	>
	>
	> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
	> [rancid at server ~]$ bin/clogin 67.1x.x.x
	> 67.1x.x.x
	> spawn ssh -c 3des -x -l rancid 67.1x.x.x
	> rancid at 67.1x.x.x's password:
	> Type help or '?' for a list of available commands.
	> pixfirewall> 
	> pixfirewall> en
	>
	> Error: TIMEOUT reached
	> [rancid at server ~]$ en
	>
	> Thanks
	> Todd
	>
	>
	> CCNA CWLSS CS-CISecS
	>
	> Nothing ever goes as planned, It's a hell of a notion, Even pharaohs
	> turn to sand, Like a drop in the ocean
	> ________________________________________
	> From: sawall [mailto:sawall at gmail.com ]
	> Sent: Friday, March 09, 2007 9:39 AM 
	> To: Todd Heide
	> Subject: Re: [rancid] Re: PIX authentication
	>
	> what does the output look like when you try it manually. below is what
	> I have for version 6.3 and 7.2. (I changed the enable to enable 5 so I
	> could limit the commands that could run for this user).
	>
	> # su - rancid
	>
	> > clogin pixver63
	> pixver63
	> spawn ssh -c 3des -x -l pixbkup pixver63
	> pixbkup at pixver63's password:
	> Type help or '?' for a list of available commands.
	> pixver63>
	> pixver63> enable 5
	> Password: *******
	> pixver63#
	> pixver63# exit
	>
	> Logoff
	>
	> Connection to pixver63 closed. 
	>
	>
	> > clogin pixver72
	> pixver72
	> spawn ssh -c 3des -x -l pixbkup pixver72
	> pixbkup at pixver72's password:
	> Type help or '?' for a list of available commands.
	> pixcof01p> enable 5
	> Password: *******
	> pixcof01p#
	> pixcof01p# exit
	>
	> Logoff
	>
	> Connection to pixver72 closed.
	>
	> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
	> Running it manually is when I found the problem. It hangs when I enter
	> enable, then times out.
	>
	> Thanks
	> Todd Heide
	> Equivoice Inc.
	> 
	>
	> CCNA CWLSS CS-CISecS
	> 847-235-3308
	>
	> Nothing ever goes as planned, It's a hell of a notion, Even pharaohs
	> turn to sand, Like a drop in the ocean
	> ________________________________________ 
	> From: sawall [mailto: sawall at gmail.com]
	> Sent: Friday, March 09, 2007 9:01 AM
	> To: Todd Heide
	> Cc: Rancid-discuss at shrubbery.net 
	> Subject: Re: [rancid] Re: PIX authentication
	>
	> are you using the default clogin files? I am backing up 60+ pix
	> firewalls. 515s and 525s. version 6.3 - 7.2. I'm not having any
	> problems at all.
	>
	> have you run clogin manually to see how it's connecting to the pix and
	> to see if that works.
	>
	> chris
	> On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
	> I found a second issue, another pix I log into, if I type enable it
	> hangs!
	>
	> Thanks
	> Todd Heide
	> Equivoice Inc.
	>
	> CCNA CWLSS CS-CISecS
	> 847-235-3308 
	>
	> Nothing ever goes as planned, It's a hell of a notion, Even pharaohs
	> turn to sand, Like a drop in the ocean
	> -----Original Message-----
	> From: rancid-discuss-bounces at shrubbery.net
	> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
	> Sent: Friday, March 09, 2007 8:49 AM
	> To: Rancid-discuss at shrubbery.net
	> Subject: [rancid] PIX authentication
	>
	> I have been wondering why I never get an update when trying to get
	> rancid to pull a config from a PIX and discovered that when Rancid
	> logs in, it doesn't put in enable and password, so the device times
	> out.
	> Where can I fix that?
	>
	> Thanks
	> Todd
	>
	>
	> CCNA CWLSS CS-CISecS
	>
	>
	> Nothing ever goes as planned, It's a hell of a notion, Even pharaohs
	> turn to sand, Like a drop in the ocean
	>
	> _______________________________________________ 
	> Rancid-discuss mailing list
	> Rancid-discuss at shrubbery.net
	> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss 

