Re: [rancid] Enterasys Switches help

2018-01-02 Thread heasley
Thu, Dec 28, 2017 at 06:08:57PM -0800, Azher:
> Hi Chris,
> 
> I added the following lines in "rancid.types.base", otherwise there is just
> a reference of enterasys to rivrancid.
> 
> enterasys;script;xrancid
> enterasys;login;xlogin
> enterasys;command;enterasys::ShowVersion;show version
> enterasys;command;enterasys::WriteTerm;show config

you should not need that; there is already an entry in rancid.types.base
for this device type - use that.

> Running in debug mode:
> 
> [rancid@rancid ~/etc]$ rancid -d -t enterasys cal3-n7
> loadtype: device type enterasys
> loadtype: found device type enterasys in /opt/rancid/etc/rancid.types.base
> loadtype: undefined function in enterasys: enterasys::ShowVersion
> Couldn't load device type spec for enterasys
> 
> I am not sure why it is complaining because xrancid does have this function
> defined:
> 
> # This routine parses "show version"
> sub ShowVersion {
> print STDERR "In ShowVersion: $_" if ($debug);
> 
> And in the main routine:
> 
> # Main
> @commandtable = (
> {'show version' => 'ShowVersion'},
> ### {'show memory'  => 'ShowMemory'},
> ### {'show diag'=> 'ShowDiag'},
> ### {'show switch'  => 'ShowSwitch'},
> ### {'show slot'=> 'ShowSlot'},
> # way too confusing {'show configuration detail'=> 'WriteTerm'},
> {'show config'  => 'WriteTerm'},
> );
> 
> Trying rivrancid also complains about no commands:
> 
> [rancid@rancid ~]$ rivrancid -d cal3-n7
> executing rivlogin -t 90 -c"system show uptime;system show version;system
> show hardware;system show active-config" cal3-n7

manually run the rivlogin command that is there to see if there is a
failure in that login script.

> cal3-n7: missed cmd(s): all commands
> cal3-n7: End of run not found
> cal3-n7: clean_run is false
> !
> 
> Thanks
> -Azher
> 
> 
> 
> 
> On Thu, Dec 28, 2017 at 2:39 PM, Gauthier, Chris wrote:
> 
> > I would take a look at the rancid types file to make sure it’s running the
> > commands you need.  It seems like it’s throwing up in the very beginning of
> > its run.
> >
> >
> >
> > There are several emails in the list on how to get into a “debugging” mode
> > if you’re not already familiar.  That will help completely isolate the
> > issue.
> >
> >
> >
> > --Chris
> >
> >
> >
> >
> > Chris Gauthier  Senior Network Engineer  |  comScore, Inc.
> > t +1 (503) 331-2704  |  cgauth...@comscore.com
> > 317 SW Alder Street, Suite 700  |  Portland, OR 97204  United States
> > comscore.com

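A way to catch the mismatch heasley points at before rancid does, as an added example (this is not rancid code): a small checker for rancid.types-style entries. It assumes the rancid 3.x convention, as I read it, that a `command` line names its function as `pkg::Func` and that `pkg` must be the type's `module` line, because loadtype resolves that name in a Perl package and a standalone script such as xrancid provides none. The sample entries are constructed: the enterasys lines are the four quoted above, the cisco lines are modeled on the module-style entries the base file ships with and are not a verbatim copy.

```python
import re
from collections import defaultdict

# Constructed sample in rancid.types format (type;key;value[;value]).
# The enterasys lines are the ones quoted in the thread; the cisco lines
# are modeled on rancid 3.x module-style entries (assumption, not verbatim).
SAMPLE_TYPES = """\
# type;key;value[;value]
enterasys;script;xrancid
enterasys;login;xlogin
enterasys;command;enterasys::ShowVersion;show version
enterasys;command;enterasys::WriteTerm;show config
cisco;script;rancid -t cisco
cisco;login;clogin
cisco;module;rancid
cisco;command;rancid::ShowVersion;show version
cisco;command;rancid::WriteTerm;write term
"""


def parse_types(text):
    """Parse type;key;value lines into {type: {key: value, "command": [(func, cmd), ...]}}.
    Comments (#) and blank lines are ignored; malformed lines raise ValueError."""
    types = defaultdict(lambda: {"command": []})
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected type;key;value, got {raw!r}")
        dtype, key, value = fields[0], fields[1], fields[2]
        if key == "command":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: command needs a function and command text")
            types[dtype]["command"].append((value, ";".join(fields[3:])))
        else:
            types[dtype][key] = value
    return dict(types)


def check_types(types):
    """Return a list of problems. Rule (my reading of rancid 3.x, an assumption):
    each command function must be pkg::Func with pkg equal to the type's module
    line; a script-only type has no Perl package to resolve the function in,
    which is exactly the 'undefined function' loadtype complains about."""
    problems = []
    for dtype, spec in types.items():
        if "script" not in spec or "login" not in spec:
            problems.append(f"{dtype}: missing script or login entry")
        module = spec.get("module")
        for func, _cmd in spec["command"]:
            pkg, sep, _name = func.rpartition("::")
            if not sep or not re.fullmatch(r"\w+(::\w+)*", func):
                problems.append(f"{dtype}: command function {func!r} is not package-qualified")
            elif module is None:
                problems.append(f"{dtype}: command {func!r} given but no module line; "
                                f"loadtype would report undefined function in {dtype}: {func}")
            elif pkg != module:
                problems.append(f"{dtype}: {func!r} is in package {pkg!r} but module line says {module!r}")
    return problems


if __name__ == "__main__":
    for problem in check_types(parse_types(SAMPLE_TYPES)):
        print(problem)
```

Running it flags only the two enterasys command lines, which is the same conclusion as heasley's advice: either use the shipped script-style entry as is, or, if you want command lines, point them at a module that actually defines the functions.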
Re: [rancid] ASA-5585 Enable mode

2018-01-02 Thread heasley
Mon, Jan 01, 2018 at 06:41:56PM -0800, Azher:
> In the ASA version 9.8.X , there are sending out the "Last login: " and the
> "Last failed Login: " as default. There is no way to disable this.
> 
> I tried adding following lines in .cloginrc but no luck:
> 
> add prompt sslvpna {"sslvpna>"}
> add enableprompt sslvpna {"sslvpna>"}
> 
> Is there a way to skip login: for this specific device ?
> 
> Thanks
> -Azher

Does this work?

Index: bin/clogin.in
===
--- bin/clogin.in   (revision 3754)
+++ bin/clogin.in   (working copy)
@@ -248,6 +248,12 @@
  send_user "\nError: Check your passwd for 
$router\n"
  catch {close}; catch {wait}; return 1
}
+   -nocase -re "last login:"   {
+ exp_continue
+   }
+   -nocase -re "failed login:" {
+ exp_continue
+   }
"Login failed"  {
  send_user "\nError: Check your passwd for 
$router\n"
  catch {close}; catch {wait}; return 1
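Review bot: the real fix here is position, not the patterns, so say so in a comment next to the two new clauses: Expect tries the clauses in list order and the first one that matches anywhere in the buffer wins, which is why the old `-re "Last login:"` lower in the block lost to the username match on `Last login: 18:09:41 ...`, and why these two must stay ahead of that match. Two smaller points: both strings are literal, so `-re` is not needed (`-nocase "last login:"` is equivalent), and on the quoted ASA output the first clause fires for both `Last login:` and `since the last login:` and the second for `Last failed login:`, so three exp_continue rounds before the prompt are expected rather than a sign of a loop.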
@@ -267,9 +273,6 @@
  send "K\r"
  exp_continue
}
-   -re "Last login:"   {
- exp_continue
-   }
-re "Press the  key \[^\r\n]+\[\r\n]+" {
  exp_continue
}
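Review bot: this removal is only correct together with the hunk above; applied on its own it leaves no clause for `Last login:` at all and the username match swallows it again, so the two hunks should land as one commit. Nothing is lost otherwise: the deleted clause was case-sensitive and the replacement is `-nocase`, so every banner the old clause skipped is still skipped.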


> 
> 
> On Sun, Dec 31, 2017 at 1:19 PM, heasley  wrote:
> 
> > Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> > > Hi All,
> > >
> > > Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with
> > RANCID.
> > >
> > > Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> > > sending "admin" twice and later it sends "enable" at the prompt  Any
> > > suggestions ?
> > >
> > > add user sslvpnb admin
> > > add password sslvpnb pass1 pass2
> > > add autoenable sslvpnb 0
> > > add method sslvpnb ssh
> > >
> > > [rancid@rancid ~]$ more var/asa/router.db
> > > sslvpn1;cisco;up
> > > sslvpn2;cisco;up
> > > sslvpna;cisco;up
> > > sslvpnb;cisco;up
> > >
> > > [rancid@rancid ~]$ clogin sslvpnb
> > > sslvpnb
> > > spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> > > admin@sslvpnb's password:
> > > User admin logged in to sslvpnb
> > > Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017
> > > from 68.181.191.19
> > > Failed logins since the last login: 0.  Last failed login: 06:47:32 PST
> > Dec
> > > 28 2017 from 68.181.191.19
> >
> > it's sending admin again because it sees "login:" before a prompt.  why
> > is it displaying this?
> >
> > > Type help or '?' for a list of available commands.
> > > sslvpnb> admin
> > >  ^
> > > ERROR: % Invalid input detected at '^' marker.
> > >
> > > Error: Unrecognized command, check your enable command
> > > sslvpnb> admin
> > >  ^
> > > ERROR: % Invalid input detected at '^' marker.
> > > sslvpnb> enable
> > > Password:
> > > Invalid password
> > > Password:
> > > Invalid password
> > > Password:
> > > Invalid password
> > > Access denied.
> > > sslvpnb>
> > >
> > >
> > > Thanks
> > > -Azher
> >
> > > ___
> > > Rancid-discuss mailing list
> > > Rancid-discuss@shrubbery.net
> > > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
> >
> >


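To make the failure mode in the transcript concrete, here is an added Python example (it is not clogin code, which is Expect) that replays the ASA banner through a small imitation of Expect's matching rules. It assumes, as a simplification, that clogin's username clause is a bare case-insensitive `login:`-style match and that a prompt is a final line ending in `>` or `#`; the banner text is constructed to mirror the one quoted in the thread. What it shows is that clogin trusts device output to tell it what state it is in, so any line the device (or anything in the path) emits that resembles a prompt steers the automation. Skip clauses ordered ahead of the real prompt clauses, as in the patch, are the client-side fix, and unlike `no aaa authentication login-history` they leave the login-history notification in place.

```python
import re

# Constructed login transcript modeled on the ASA 9.8 output quoted in the
# thread; the two login-history lines are what trips clogin.
ASA_BANNER = (
    "User admin logged in to sslvpnb\r\n"
    "Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017 "
    "from 68.181.191.19\r\n"
    "Failed logins since the last login: 0.  Last failed login: 06:47:32 PST "
    "Dec 28 2017 from 68.181.191.19\r\n"
    "Type help or '?' for a list of available commands.\r\n"
    "sslvpnb> "
)

# A final line ending in '>' or '#' is treated as the CLI prompt.
PROMPT = r"(^|[\r\n])[^\r\n]*[>#] ?$"

# Simplified stand-ins for clogin's clauses (assumption: the real ones are
# more elaborate, but the username clause is a bare "login:"-style match).
# Each entry is (regex, flags, action).
BUGGY = [
    (r"(username|login|user name):", re.I, "send_username"),
    (r"password:", re.I, "send_password"),
    (PROMPT, 0, "prompt"),
]

# Same clauses with skip rules placed ahead of the username match, the
# ordering heasley's patch relies on.
FIXED = [
    (r"last login:", re.I, "continue"),
    (r"failed login:", re.I, "continue"),
] + BUGGY


def expect_first(buffer, patterns):
    """Expect semantics: try clauses in list order; the first clause whose
    regex matches anywhere in the buffer wins, and the buffer is consumed
    through the end of that match. Returns (action, remaining_buffer)."""
    for regex, flags, action in patterns:
        m = re.search(regex, buffer, flags)
        if m:
            return action, buffer[m.end():]
    return None, buffer


def drive(buffer, patterns, max_steps=20):
    """Replay one expect loop over the buffer and return the actions that
    would send something to the device, stopping at the prompt if reached.
    A "continue" action only consumes text, like exp_continue."""
    actions = []
    for _ in range(max_steps):
        action, buffer = expect_first(buffer, patterns)
        if action is None:
            break
        if action == "prompt":
            actions.append(action)
            break
        if action != "continue":
            actions.append(action)
    return actions


if __name__ == "__main__":
    print("buggy:", drive(ASA_BANNER, BUGGY))  # username re-sent for each "login:" in the banner
    print("fixed:", drive(ASA_BANNER, FIXED))  # straight to the prompt
    print("plain login prompt:", drive("login: ", FIXED))
```

With the buggy order the replay re-sends the username once per `login:` in the banner before it ever sees the prompt; the exact count on a real device depends on how the output lands in the Expect buffer and on the other clauses in clogin, but the mechanism is the one in the transcript. With the skip clauses first, the same banner is consumed silently and a genuine `login:` or `password:` prompt still gets the username or password.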

Re: [rancid] ASA-5585 Enable mode

2018-01-02 Thread Charles T. Brooks
Last login notification (and last failed login) has been a computing best 
practice for 30 years.  It provides simple, easy detection of some forms of 
man-in-the-middle password trapping.  It's not foolproof but it's an important 
protection that is valued by the informed users that it serves.

If you're federally regulated in the USA (HIPAA/HITECH, SOX, GLB, FDA, DOD, 
NIST FIPS) you are probably legally required to enable last login and 
failed login notifications, simply because it's an industry best practice and 
blowing off industry best practices is (arguably) negligence.

--Charlie

On Mon, Jan 1, 2018 at 11:41 PM Azher Amin wrote:


I think so. Having this detected by clogin would definitely help many others.
-Azher


On Mon, Jan 1, 2018 at 8:36 PM, Piegorsch, Weylin William wrote:

Awesome.  Though, since it’s the default parameter, would it make sense to 
account for it in clogin?
weylin

From: Azher
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch

Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history
-Azher

On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William wrote:
This is a behavior change to the ASA made in version 9.8.  I believe it’s a 
response to a US DOD mandate, to aid in detecting unauthorized logins.  At 
least, that was a requirement implemented sometime around 2005 (for systems 
that supported the capability), though I can’t find a .mil URL more recent than 
2008 discussing the requirement (though I can find it referenced in some 
current commercial locations like Red Hat’s site).

I noticed it recently in lab trials; I had assumed Cisco decided it made sense 
to make this the normal behavior for all deployments, given ASA stands for 
Adaptive Security Appliance.  I hadn’t noticed it in rancid, since I’m still in 
lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin


Re: [rancid] Coriant Groove platform support

2018-01-02 Thread Jimmy Lim
Hi Nick,

Happy new year! Thanks for your update. I have just built the custom rancid
script for that and it works fine. Let me know whether Coriant support is
going to be incorporated in future release or not. Thanks again.

Cheers,
Jimmy

On Fri, Dec 29, 2017 at 9:36 PM, Nick Hilliard  wrote:

> Jimmy Lim wrote:
> > Does rancid support Coriant Groove platform like G30? I don't see it in
> > bin directory.
>
> no but it should be pretty easy to add.  It's a straightforward
> ssh/no-enable login, with the following commands issued:
>
> set -f cli-config cli-columns 65535
> show inventory
> show softwareload
> show config | display commands
> quit -f
>
> just make sure you're not using fp2.0.0 because that eats the CRS config
> lines when you use the "display commands" pipe (fixed in fp2.0.1)
>
> Nick
>