[rancid] Cisco ISE/ADE-OS backups

AJ Schroeder ajschro at cdw.com
Thu Jul 21 21:07:10 UTC 2022



-----Original Message-----
From: heasley <heas at shrubbery.net> 
Sent: Thursday, July 21, 2022 3:04 PM
To: AJ Schroeder <ajschro at cdw.com>
Cc: rancid-discuss at www.shrubbery.net
Subject: Re: [rancid] Cisco ISE/ADE-OS backups

Thu, Jul 21, 2022 at 07:27:07PM +0000, AJ Schroeder:
>> I'll just get this out of the way: I have inherited a customized version of RANCID (v2.3.8) that we use to back up a bunch of different devices from all kinds of manufacturers. From what I can tell, the customization that has been done was to redact a bunch of "unstable" things to stop versions from incrementing. A bunch of different devices have been added into our rancid repo and things are humming along. That's not really my question, I just wanted to level set.

>You can upgrade to recent code and still use your altered versions by adding them to rancid.types.conf with your own device type names (and possibly some renaming of the scripts).

>You might at time try the current versions to see if they have fixed whatever output was oscillating from the 2.3.8 version.

That is in the plan to get rancid upgraded - in the process of planning it out.

>> Has anyone successfully gotten Cisco ISE (a.k.a. ADE-OS) working with RANCID? Someone had written an "iselogin" script and a "ciscoise" interpreter that worked, but it was quite unstable and had tons of duplicate output. So I wrote a different "ciscoise" script to use "clogin" rather than having yet another login script. I can get certain parts of the output, but the output of "show run" seems to be sent all at once in one big blob. I am not sure how I would go about pulling that apart, so I figured I'd ask if anyone has gotten Cisco ISE working with RANCID before I sink more time and effort into this.

>I know nothing about ade-os, but I am not sure that I understand what you mean by 'one big blob'. Do you mean it is one line? To have it output w/o a pager is perfect. Maybe an example or more information about the format/representation of the config?

When I run my custom "ciscoise" interpreter in debug mode, I see that RANCID logs in, disables paging with "term length 0", sets the terminal type to vt100, then sends "show running-config"; it pauses for a couple of seconds, then the prompt appears, RANCID sends "exit", and the script ends. However, the running config output does not appear on the screen. When I'm logged into the CLI interactively it displays like a "normal" Cisco config, but it looks like the entire config gets sent as one line. As a side note, it looks like Cisco ISE is using screen instead of vt100, but I don't think that is causing a problem.

Below is a redacted version of the config that I am seeing when I run the custom 'iselogin' in debug mode:

expect: does "!        \r\nhostname ise-server01\r\n!        \r\nip domain-name ad.example.com\r\n!        \r\nipv6 enable\r\n!        \r\ninterface GigabitEthernet 0\r\n  ip address 10.20.30.40 255.255.254.0\r\n  ipv6 address autoconfig\r\n  ipv6 enable\r\n!        \r\nip name-server 1.1.1.1 8.8.8.8 8.8.4.4\r\n!        \r\nip default-gateway 10.20.30.1\r\n!        \r\n!        \r\nclock timezone America/Chicago\r\n!        \r\nntp server time.nist.gov \r\nntp server time.google.com \r\n!\u0008\nusername rancid-user password hash <password> role admin \r\n!\u0008\nmax-ssh-sessions 5\r\n!\u0008\nservice sshd enable\r\nservice sshd encryption-algorithm aes128-gcm at openssh.com chacha20-poly1305 at openssh.com aes256-gcm at openssh.com aes128-ctr aes256-ctr\r\n!\u0008\nrepository ISE_Reports\r\n  url sftp://x.x.x.x/backups/\r\n  user backup password hash **********\r\n!\u0008\npassword-policy\r\n  lower-case-required\r\n  upper-case-required\r\n  digit-required\r\n  no-username\r\n  no-previous-password\r\n  min-password-length 4\r\n  password-lock-enabled\r\n  password-lock-timeout 15\r\n  password-lock-retry-count 3\r\n!\u0008\nlogging loglevel 6\r\n!\u0008\nsnmp-server enable\r\nsnmp-server contact "SysAdmin"\r\nsnmp-server engineID ABCDEFGHIJK\r\nsnmp-server user snmp-user v3 hash <hashed password>\r\n!\u0008\nconn-limit 30 port 9060 \r\nconn-limit 5 port 9061 \r\n!\u0008\n!\u0008\nicmp echo on\r\n!\u0008\nise-server01/rancid-user#
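In the expect debug dump above, the `\r\n` and `\u0008` (backspace) sequences are the escaped contents of the match buffer, so the capture is only "one line" in the log's representation; splitting on the line terminators recovers a normal config. The following is an added example, not code from rancid or from the poster: it normalizes a constructed blob condensed from the redacted dump above, drops the trailing prompt, and replaces the `password hash` / `v3 hash` values with `<removed>` so that hashes which change on every export do not churn the revision history (the regexes and sample values are assumptions, not rancid's own filters).

```python
import re

# Constructed sample, condensed from the redacted expect debug output above.
# Escapes are as they appear in the debug log: \r\n line ends, \x08 backspaces.
SAMPLE_BLOB = (
    "!        \r\nhostname ise-server01\r\n!        \r\n"
    "interface GigabitEthernet 0\r\n  ip address 10.20.30.40 255.255.254.0\r\n"
    "!\x08\nusername rancid-user password hash ABCDEF0123 role admin \r\n"
    "!\x08\nrepository ISE_Reports\r\n  url sftp://x.x.x.x/backups/\r\n"
    "  user backup password hash ********** \r\n"
    "!\x08\nsnmp-server user snmp-user v3 hash 9f8e7d \r\n"
    "!\x08\nicmp echo on\r\n!\x08\nise-server01/rancid-user#"
)

# ADE-OS prompt, e.g. "ise-server01/rancid-user#" (assumed shape, from the dump).
PROMPT_RE = re.compile(r"^\S+/\S+#\s*$")
# Secret material that is re-hashed on each export: keep the keyword, drop the value.
SECRET_RE = re.compile(r"^(.*?\b(?:password|v3) hash )\S+")


def normalize_ade_config(blob: str) -> list[str]:
    """Turn the single-buffer ADE-OS 'show running-config' capture into config lines."""
    # Terminal control residue: backspaces and carriage returns carry no config.
    text = blob.replace("\x08", "").replace("\r", "")
    lines: list[str] = []
    for raw in text.split("\n"):
        line = raw.rstrip()          # trailing blanks after '!' and commands
        if PROMPT_RE.match(line):    # the prompt is not part of the config
            continue
        lines.append(SECRET_RE.sub(r"\1<removed>", line))
    return lines


if __name__ == "__main__":
    print("\n".join(normalize_ade_config(SAMPLE_BLOB)))
```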
