[rancid] Re: PIX authentication

Todd Heide Todd at equivoice.com
Sat Mar 10 01:13:24 UTC 2007


Yes it is working finally, both of the Pix' I have in there are now
drawing the configuration down, I finally have backups of them. 

 

Thanks

Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

________________________________

From: Mike Ashcraft [mailto:mashcraft at omniture.com] 
Sent: Friday, March 09, 2007 3:07 PM
To: sawall; Todd Heide
Cc: Rancid-discuss at shrubbery.net
Subject: RE: [rancid] Re: PIX authentication

Chris,

Because Todd is using tacacs+ for authentication, he set autoenable to 1
to get all the cisco routers/switches working.  The hostname glob he
used for this setting also matched his PIX, causing this problem.

As autoenable needs to be 0 [the default] for a PIX to work, you don't
need to set it.

Mike


________________________________

From: sawall [mailto:sawall at gmail.com] 
Sent: Friday, March 09, 2007 1:51 PM
To: Todd Heide
Cc: Mike Ashcraft; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication

The weird thing, I think, is that I don't have autoenable set in my
cloginrc file and it's working great with all of my firewalls.  not that
todd shouldn't try it.  i'm just confused....

chris



On 3/9/07, Todd Heide <Todd at equivoice.com> wrote: 

DOH, helps to read the instructions. I added autoenable, but didn't put
the IP of the device in. It is working from bin.clogin now. Let's see if
it pulls the config this time. Thanks to everyone who helped!

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion,
Even pharaohs turn to sand, Like a drop in the ocean

-----Original Message----- 
From: Mike Ashcraft [mailto:mashcraft at omniture.com]
Sent: Friday, March 09, 2007 12:49 PM
To: Todd Heide
Cc: Rancid-discuss at shrubbery.net 
Subject: RE: [rancid] Re: PIX authentication

Todd,

clogin IPADDRESS is 'hanging' because it is waiting for the pix to
return an enabled prompt.  While you can type at the user prompt, the
clogin program is still in control and will not pass your keystrokes on
to the PIX.  Notice that after the timeout, your 'en' is entered at the
shell prompt.  Setting autoenable to 0 will tell clogin that it will 
have to use the enable command to get the enabled prompt.

Unlike other Cisco devices, the PIX will not allow a tacacs+
authenticated user to go straight to enable mode.

Mike

-----Original Message----- 
From: rancid-discuss-bounces at shrubbery.net
[mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide 
Sent: Friday, March 09, 2007 10:33 AM
To: Manuel Noriega
Cc: Rancid-discuss at shrubbery.net
Subject: [rancid] Re: PIX authentication

OK, I didn't have the autoenable in there, I will see if that helps, but
I am still puzzled as to why it is hanging when I try clogin IPADDRESS
to the pix'

Thanks
Todd Heide
Equivoice Inc.

CCNA CWLSS CS-CISecS
847-235-3308

Nothing ever goes as planned, Its a hell of a notion, Even pharaohs turn
to sand, Like a drop in the ocean

-----Original Message-----
From: Manuel Noriega [mailto:mnoriega at amnetcorp.com]
Sent: Friday, March 09, 2007 11:19 AM
To: Todd Heide 
Cc: sawall; Rancid-discuss at shrubbery.net
Subject: Re: [rancid] Re: PIX authentication

Are you using autoenable? I had trouble at the beginning. This is what I
have in my .cloginrc file.

add autoenable  pix*     0
add method      pixsps  ssh
add cyphertype  pixsps   des
add user        pixsps   pix
add password    pixsps   vtypassword        enablepassword 



Regards,

Manuel

On Mar 9, 2007, at 10:45 AM, Todd Heide wrote:

> Yep, the logs indicate basically the same thing that running clogin
> does, error: TIMEOUT reached. It is hanging when trying to get to 
> privileged exec mode on the PIX. All the routers work fine with ssh,
> so I am not sure what the problem is, and why it hangs, but I can ssh
> to the pix from the command prompt and get all the way in. 
>
> Nothing ever goes as planned, Its a hell of a notion,
> Even pharaohs turn to sand, Like a drop in the ocean
>
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 10:25 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
>
>
> sorry.  i'm not the greatest rancid guy.  i modified my bin/rancid and
> bin/clogin files slightly.  and i'm not having any issues.
>
> what if you run "bin/rancid -d {fw ip addr}"
>
> should show some debug.
>
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
>
>
>
> add user 67.1x.x.x           rancid
> add password 67.1x.x.x       {********}          {*********}
> add method 67.1x.x.x        ssh
>
>
> This login setup works fine on a router, all our routers use Tacacs+ as
> well.
> ________________________________________
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 10:10 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does your cloginrc file look like?
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> I get the same issue whether it is a pix or an ASA, version 6.3 or 7.x
>
> ________________________________________
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:50 AM
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what version of pix? does the user "rancid" have rights to call 
> enable?
>
> just trying to figure out your issue....
>
>
> On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> [rancid at server ~]$ bin/clogin 67.1x.x.x
> 67.1x.x.x
> spawn ssh -c 3des -x -l rancid 67.1x.x.x
> rancid at 67.1x.x.x's password:
> Type help or '?' for a list of available commands.
> pixfirewall> 
> pixfirewall> en
>
> Error: TIMEOUT reached
> [rancid at server ~]$ en
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs 
> turn to sand, Like a drop in the ocean
> ________________________________________
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:39 AM 
> To: Todd Heide
> Subject: Re: [rancid] Re: PIX authentication
>
> what does the output look like when you try it manually. below is what
> i have for version 6.3 and 7.2. (i changed the enable to enable 5 so i
> could limit the commands that could run for this user).
>
> # su - rancid
>
> > clogin pixver63
> pixver63
> spawn ssh -c 3des -x -l pixbkup pixver63
> pixbkup at pixver63's password:
> Type help or '?' for a list of available commands.
> pixver63>
> pixver63> enable 5
> Password: *******
> pixver63#
> pixver63# exit
>
> Logoff
>
> Connection to pixver63 closed. 
>
>
> > clogin pixver72
> pixver72
> spawn ssh -c 3des -x -l pixbkup pixver72
> pixbkup at pixver72 's password:
> Type help or '?' for a list of available commands.
> pixcof01p> enable 5
> Password: *******
> pixcof01p#
> pixcof01p# exit
>
> Logoff
>
> Connection to pixver72 closed.
>
> On 3/9/07, Todd Heide < Todd at equivoice.com> wrote:
> Running it manually is when I found the problem. It hangs when I enter
> enable, then times out.
>
> Thanks
> Todd Heide
> Equivoice Inc.
> 
>
> CCNA CWLSS CS-CISecS
> 847-235-3308
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> turn to sand, Like a drop in the ocean
> ________________________________________ 
> From: sawall [mailto:sawall at gmail.com]
> Sent: Friday, March 09, 2007 9:01 AM
> To: Todd Heide
> Cc: Rancid-discuss at shrubbery.net 
> Subject: Re: [rancid] Re: PIX authentication
>
> are you using the default clogin files? i am backing up 60+ pix
> firewalls. 515s and 525s. version 6.3 - 7.2. i'm not having any
> problems at all. 
>
> have you run clogin manually to see how it's connecting to the pix and
> to see if that works.
>
> chris
> On 3/9/07, Todd Heide < Todd at equivoice.com > wrote:
> I found a second issue, another pix I log into, if I type enable it
> hangs!
>
> Thanks
> Todd Heide
> Equivoice Inc.
>
> CCNA CWLSS CS-CISecS
> 847-235-3308 
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> turn to sand, Like a drop in the ocean
> -----Original Message-----
> From: rancid-discuss-bounces at shrubbery.net [mailto:
> rancid-discuss-bounces at shrubbery.net] On Behalf Of Todd Heide
> Sent: Friday, March 09, 2007 8:49 AM 
> To: Rancid-discuss at shrubbery.net
> Subject: [rancid] PIX authentication
>
> I have been wondering why I never get an update when trying to get
> rancid to pull a config from a PIX and discovered that when Rancid
> logs in, it doesn't put in enable and password, so the device times
> out.
> Where can I fix that?
>
> Thanks
> Todd
>
>
> CCNA CWLSS CS-CISecS
>
>
> Nothing ever goes as planned, Its a hell of a notion, Even pharaohs
> turn to sand, Like a drop in the ocean
>
> _______________________________________________ 
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss 

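Mike's diagnosis above (a blanket autoenable 1 glob that also matched the PIX) turns on how clogin resolves .cloginrc directives: entries are read in file order and the first glob that matches the device wins. The resolver below is an added example, not part of this thread and not rancid's own code; it mimics that lookup so you can check which entry a device will pick up before running clogin. The fnmatch approximation of Tcl globs and the two sample cloginrc snippets are assumptions/constructed.

```python
# Added example (not rancid's code): mimic how clogin resolves .cloginrc
# directives. Lines are 'add <key> <hostglob> <value...>', read in file
# order; the first glob matching the device name wins for that key.
# Assumption: Tcl-style globs are approximated with fnmatch ('*', '?');
# Tcl brace quoting of values is not handled.
from fnmatch import fnmatch
import shlex

def parse_cloginrc(text):
    """Return [(key, glob, values)] in file order; comments/blanks skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0] == "add":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries

def lookup(entries, key, host, default=None):
    """First entry for `key` whose glob matches `host` wins, as in clogin."""
    for k, glob, values in entries:
        if k == key and fnmatch(host, glob):
            return values[0] if len(values) == 1 else values
    return default

# Constructed sample: 'autoenable * 1' set for the tacacs+ routers also
# matches the PIX, so clogin waits for an enabled prompt it never gets.
BROKEN = """
add user       *        rancid
add method     *        ssh
add autoenable *        1
"""

# Fix: a more specific entry *before* the blanket one (or no autoenable
# line at all for the PIX, since 0 is the default).
FIXED = """
add autoenable pix*     0
add user       *        rancid
add method     *        ssh
add autoenable *        1
"""

def autoenable_for(cloginrc_text, host):
    """Effective autoenable for `host`; '0' is clogin's default."""
    return lookup(parse_cloginrc(cloginrc_text), "autoenable", host, "0")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "router1:", autoenable_for(cfg, "router1"),
              "pix-fw1:", autoenable_for(cfg, "pix-fw1"))
```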
