Passwords for devices to import into ANM 4.2

patrik.spiess
Level 1

Hi Everybody

Whenever I try to import our ACE modules (within a Cat6500) into ANM 4.2 I get an error that the import failed.

In the RADIUS logs on our AuthServer I can see that there was a login failure for the user I configured to use for the import. With a test user it worked for the user login, but failed on the enable password.

Our "normal" accounts and the enable password both contain several special characters. The test user doesn't.

So this means to me that special characters (or at least some of them) are not supported within ANM, although they are on the CAT/ACE platform.

Does anybody know which characters for passwords are supported by ANM for the import of devices?

If we are not able to use our accounts or enable passwords, ANM seems to be useless for us. Changing our passwords/enable passwords is not that easy! And, most importantly, we don't want to have passwords without these special characters, for security reasons.

Thanks

Patrik

6 Replies

stmccabe
Cisco Employee

Patrik,

Can you tell me if you are using the Cisco-AV pair when logging in via RADIUS? Moreover, do you have custom attributes defined in the RADIUS server? To test this out bypassing ANM, can you log in directly to the ACE, elevate your privilege to exec level, grab the output of show user-account and add the output to this thread?

Hi stmccabe

The sh user-account output looks as follows:

/Admin# sh user-account
user:admin
        this user account has no expiry date
        roles: Admin
        domain: default-domain
        Context: Admin
user:www
        this user account has no expiry date
        roles: Admin
        domain: default-domain
        Context: Admin
user:nwproc1
        roles: Admin
        domain: default-domain
        Context: Admin
account created through REMOTE authentication
Local login not possible
user:zinw
        roles: Admin
        domain: default-domain
        Context: Admin
account created through REMOTE authentication
Local login not possible

And yes, we use cisco-avpair in the RADIUS config:
DEFAULT   NAS-IP-Address ==
                  Service-Type = NAS-Prompt-User,
                  cisco-avpair = "shell:Admin=Admin",
                  Fall-Through = Yes
With this configuration, SSH login with a 'normal' SSH client works as expected with both users (zinw & nwproc1). But in ANM only nwproc1 works. This user has no special characters (at the moment, and just for testing purposes). With zinw we get login failures.

But even with nwproc1 I'm still not able to import a device into ANM, as it fails during enable authentication. Our enable password also has special characters.

Regards

Patrik

I would agree ANM does appear to have issues with the special characters. Would you be able to set up a "dummy" account that contains special characters, and gather a packet capture from ANM? Maybe ANM is corrupting the special characters in the RADIUS response? I'd be happy to look at the capture if you can set this up.

Thanks,

Stephen McCabe

Hi Stephen

Great idea ... but:

How can I capture packets on the ANM itself?

I use the virtual appliance which gives me no capture command.

And I'm not able to capture between the hosts, because it's SSH (telnet is not allowed by our network devices).

Thanks for the clarification

Patrik

Hi Patrik,

Yes, this makes it difficult. You could set up a capture device spanning the VLAN where the LDAP server resides, since we don't actually need to see the SSH-to-SSH communication, but rather the authentication requests/responses over LDAP (if SSL-based LDAP, we just need the cert/key to decode the flow).

For the virtual appliance you can SSH into the OVA and run a tcpdump > sendtofile.pcap. You can filter the capture based on source/destination.

HTH.

Let me know. Thanks.

Hi Stephen

After wiresharking between the router and the RADIUS server I've seen that whenever I log into the router, the encrypted password string within the RADIUS packet is different. So I cannot yet say whether ANM submits a wrong password or not. I just assume it.

At the moment I'm very disappointed with ANM. I'm not willing to do a lot of debugging because of faulty ANM code. This is Cisco's part. I'm only evaluating this tool, and for the moment it seems useless for us because of that bug.

But thanks for the try anyway.

regards

Patrik
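Why the "encrypted password string" in the capture differs on every login, as an added example written for this thread (not Cisco's or ANM's code): the RADIUS User-Password attribute is hidden per RFC 2865 section 5.2 with an MD5 keystream derived from the shared secret and the per-request 16-byte Request-Authenticator, so the same password produces different bytes each time. With the shared secret a defender can decode the value from a pcap and check whether the client sent the configured password byte for byte, which is the check that separates "ANM mangles special characters" from "wrong password". The secret, password and authenticators below are constructed sample values.

```python
import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a User-Password value the way a RADIUS client does (RFC 2865 5.2)."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be exactly 16 bytes")
    # Pad with NULs to a multiple of 16 octets; an empty password still gets one block.
    pad_len = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad_len
    out = bytearray()
    prev = authenticator  # first keystream block is keyed on the authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next block is keyed on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the plaintext from a captured Access-Request when the shared secret is known."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def password_matches_capture(hidden: bytes, secret: bytes, authenticator: bytes,
                             expected: str, encoding: str = "utf-8") -> bool:
    """True if the captured attribute decodes to the expected password under the given charset."""
    return reveal_password(hidden, secret, authenticator) == expected.encode(encoding)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample value
    pw = "P@ss!w0rd#$%&ü"                   # constructed, with special characters
    auth_a, auth_b = bytes(range(16)), bytes(range(16, 32))  # two Request-Authenticators
    h_a = hide_password(pw.encode("utf-8"), secret, auth_a)
    h_b = hide_password(pw.encode("utf-8"), secret, auth_b)
    print("same password, different bytes on the wire:", h_a != h_b)
    print("decodes back to the configured password:", password_matches_capture(h_a, secret, auth_a, pw))
    # A client that encodes the password as Latin-1 sends different bytes for "ü"; the server rejects them.
    h_bad = hide_password(pw.encode("latin-1"), secret, auth_a)
    print("charset-mangled client still matches:", password_matches_capture(h_bad, secret, auth_a, pw))
```

Run it against the real capture by replacing the constructed values with the User-Password bytes, the Request-Authenticator from the packet header and your server's shared secret.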