[rancid] Re: PIX authentication
Mike Ashcraft
mashcraft at omniture.com
Fri Mar 9 21:06:53 UTC 2007
Chris,
Because Todd is using tacacs+ for authentication, he set autoenable to 1
to get all the cisco routers/switches working. The hostname glob he
used for this setting also matched his PIX causing this problem.
As autoenable needs to be 0 [the default] for a PIX to work, you don't
need to set it.
Mike
________________________________
From: sawall [mailto:sawall at gmail.com]
Sent: Friday, March 09, 2007 1:51 PM
To: Todd Heide
Cc: Mike Ashcraft; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication
The weird thing, I think, is that I don't have autoenable set in my
cloginrc file and it's working great with all of my firewalls. not that
todd shouldn't try it. i'm just confused....
chris
On 3/9/07, Todd Heide <Todd at equivoice.com> wrote:
DOH Helps to read the instructions. I added autoenable, but
didn't put
the ip of the device in. It is working from bin.clogin now. Lets
see if
it pulss the config this time. Thanks for everyone who helped!
Thanks
Todd Heide
Equivoice Inc.
CCNA CWLSS CS-CISecS
847-235-3308
Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean
-----Original Message-----
From: Mike Ashcraft [mailto:mashcraft at omniture.com]
Sent: Friday, March 09, 2007 12:49 PM
To: Todd Heide
Cc: Rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: PIX authentication
Todd,
clogin IPADDRESS is 'hanging' because it is waiting for the pix
to
return an enabled prompt. While you can type at the user
prompt, the
clogin program is still in control and will not pass your
keystrokes on
to the PIX. Notice that after the timeout, your 'en' is entered
at the
shell prompt. Setting autoenable to 0 will tell clogin that it
will
have to use the enable command to get the enabled prompt.
Unlike other Cisco devices, the PIX will not allow a tacacs+
authenticated user to go straight to enable mode.
Mike
-----Original Message-----
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd
Heide
Sent: Friday, March 09, 2007 10:33 AM
To: Manuel Noriega
Cc: Rancid-discuss at shrubbery.net
Subject: [rancid] Re: PIX authentication
OK, I didn't have the autoenable in there, I will see if that
helps, but
I am still puzzled as to why it is hanging when I try clogin
IPADDRESS
to the pix'
Thanks
Todd Heide
Equivoice Inc.
CCNA CWLSS CS-CISecS
847-235-3308
Nothing ever goes as planned, Its a hell of a notion, Even
pharaohs turn
to sand, Like a drop in the ocean
-----Original Message-----
From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
Sent: Friday, March 09, 2007 11:19 AM
To: Todd Heide
Cc: sawall; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication
Are you using autoenable? I had troule at the beginning. This is
what I
have in my .clogonrc file.
add autoenable pix* 0
add method pixsps ssh
add cyphertype pixsps des
add user pixsps pix
add password pixsps vtypassword enablepassword
Regards,
Manuel
On Mar 9, 2007, at 10:45 AM, Todd Heide wrote:
> Yep, the logs indicate basically the same thing that running
clogin
> does, error: TIMEOUT reached. It is hanging when trying to get
to
> privileged exec mode on the PIX. All the routers work fine
with ssh,
> so I am not sure what the problem is, and why it hangs, but I
can ssh
> to the pix from the command prompt and get all the way in.
>
>
>
>
>
> Nothing ever goes as planned, Its a hell of a notion,
>
> Even pharaohs turn to sand, Like a drop in the ocean
>
> From: sawall [mailto: sawall at gmail.com
<mailto:sawall at gmail.com> ]
> Sent: Friday, March 09, 2007 10:25 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
>
>
> sorry. i'm not the greatest rancid guy. i modified my
bin/rancid and
> bin/clogin files slightly. and i'm not having any issues.
>
> what if you run "bin/rancid -d {fw ip addr}"
>
> should show some debug.
>
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
>
>
>
> add user 67.1x.x.x rancid
> add password 67.1x.x.x {********} {*********}
> add method 67.1x.x.x ssh
>
>
> This login setup works fine on a router, all our routers use
Tacacs
> + as
> well.
> ________________________________________
> From: sawall [mailto: sawall at gmail.com
<mailto:sawall at gmail.com> ]
> Sent: Friday, March 09, 2007 10:10 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does your cloginrc file look like?
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> I get the same issue whether it is a pix or an ASA, version
6.3 or 7.x
>
> ________________________________________
> From: sawall [mailto: sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:50 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what version of pix? does the user "rancid" have rights to
call
> enable?
>
> just trying to figure out your issue....
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> [rancid at server ~]$ bin/clogin 67.1x.x.x 67.1x.x.x spawn ssh -c
3des -x
> -l rancid 67.1x.x.x rancid at 67.1x.x.x 's password:
> Type help or '?' for a list of available commands.
> pixfirewall>
> pixfirewall> en
>
> Error: TIMEOUT reached
> [rancid at server ~]$ en
>
> Thanks
> Toddc.
>
>
> CCNA CWLSS CS-CISecS
>
> Nothing ever goes as planned, Its a hell of a notion, Even
pharaohs
> turn to sand, Like a drop in the ocean
> ________________________________________
> From: sawall [mailto:sawall at gmail.com ]
> Sent: Friday, March 09, 2007 9:39 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does the output look like when you try it manually. below
is what
> i have for version 6.3 and 7.2. (i changed the enable to
enable 5 so i
> could limit the commands that could run for this user).
>
> # su - rancid
>
> > clogin pixver63
> pixver63
> spawn ssh -c 3des -x -l pixbkup pixver63 pixbkup at pixver63's
password:
> Type help or '?' for a list of available commands.
> pixver63>
> pixver63> enable 5
> Password: *******
> pixver63#
> pixver63# exit
>
> Logoff
>
> Connection to pixver63 closed.
>
>
> > clogin pixver72
> pixver72
> spawn ssh -c 3des -x -l pixbkup pixver72
> pixbkup at pixver72 's password:
> Type help or '?' for a list of available commands.
> pixcof01p> enable 5
> Password: *******
> pixcof01p#
> pixcof01p# exit
>
> Logoff
>
> Connection to pixver72 closed.
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> Running it manually is when I found the problem. It hangs when
I enter
> enable, then times out.
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even
pharaohs
> turn to sand, Like a drop in the ocean
> ________________________________________
> From: sawall [mailto: sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:01 AM
> To: Todd Heide
> Cc: Rancid-discuss at shrubbery.net
> Subject: Re: [rancid] Re: PIX authentication
>
> are you using the default clogin files? i am backing up 60+
pix
> firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having
any
> problems at all.
>
> have you run clogin manually to see how it's connecting to the
pix and
> to see if that works.
>
> chris
> On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> I found a second issue, another pix I log into, if I type
enable it
> hangs!
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even
pharaohs
> turn to sand, Like a drop in the ocean -----Original
Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:
> rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 8:49 AM
> To: Rancid-discuss at shrubbery.net
> Subject: [rancid] PIX authentication
>
> I have been wondering why I never get an update when trying to
get
> rancid to pull a config from a PIX and discovered that when
Rancid
> logs in, it doesn't put in enable and password, so the device
times
> out.
> Where can I fix that?
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
>
> Nothing ever goes as planned, Its a hell of a notion, Even
pharaohs
> turn to sand, Like a drop in the ocean
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
>
>
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20070309/5f39ab09/attachment.html
More information about the Rancid-discuss
mailing list