04-04-2011 06:57 AM
Hi Everybody
Whenever I try to import our ACE modules (within a Cat6500) into ANM 4.2, I get an error that the import failed.
In the RADIUS logs on our AuthServer I can see that there was a login failure for the user I configured for the import. With a test user it worked for the user, but failed on the enable password.
Our "normal" accounts and the enable password both contain several special characters. The test user doesn't.
So this means to me that special characters (or at least some of them) are not supported within ANM, although they are on the Cat/ACE platform.
Does anybody know which characters in passwords are supported by ANM for the import of devices?
If we are not able to use our accounts or enable passwords, ANM seems to be useless for us. Changing our passwords/enable passwords is not that easy! And, most importantly, we don't want to have passwords without these special characters, for security reasons.
Thanks
Patrik
04-04-2011 07:11 AM
Patrik,
Can you tell me if you are using the Cisco AV pair when logging in via RADIUS. Moreover, do you have custom attributes defined in the RADIUS server? To test this out bypassing ANM, can you log in directly to the ACE, elevate your privilege to exec level, grab the output of show user-account and add the output to this thread?
04-04-2011 07:44 AM
Hi stmccabe
The sh user-account output looks as follows:
user:admin
this user account has no expiry date
roles: Admin
domain: default-domain
Context: Admin
user:www
this user account has no expiry date
roles: Admin
domain: default-domain
Context: Admin
user:nwproc1
roles: Admin
domain: default-domain
Context: Admin
account created through REMOTE authentication
Local login not possible
user:zinw
roles: Admin
domain: default-domain
Context: Admin
account created through REMOTE authentication
Local login not possible
04-04-2011 07:57 AM
I would agree ANM does appear to have issues with the special characters. Would you be able to set up a "dummy" account that contains special characters, and gather a packet capture from ANM? Maybe ANM is corrupting the special characters in the RADIUS response? I'd be happy to look at the capture if you can set this up.
Thanks,
Stephen McCabe
04-06-2011 05:36 AM
Hi Stephen
Great Idea ... but:
How can I capture packets on the ANM itself?
I use the virtual appliance which gives me no capture command.
And I'm not able to capture between the hosts, because it's SSH (telnet is not allowed by our network devices).
Thanks for clarification
Patrik
04-06-2011 12:29 PM
Hi Patrik,
Yes, this makes it difficult. You could set up a capture device spanning the VLAN where the LDAP server resides, since we don't actually need to see the ssh-to-ssh communication, but rather the authentication requests/responses over LDAP (if SSL-based LDAP, you just need the cert/key to decode the flow).
For the virtual appliance you can ssh into the OVA and run a tcpdump.
HTH.
Let me know. thanks.
04-06-2011 11:55 PM
Hi Stephen
After wiresharking between the router and the RADIUS server I've seen that whenever I log into the router, the encrypted password string within the RADIUS packet is different. So I cannot yet say whether ANM submits a wrong password or not. I just assume it.
At the moment I'm very disappointed with ANM. I'm not willing to do a lot of debugging because of faulty ANM code. This is Cisco's part. I'm only evaluating this tool. And for the moment it seems useless for us because of that bug.
But thanks for trying anyway.
regards
Patrik
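The observation in the last post that the password string in the RADIUS packet changes on every login is expected: RFC 2865 obfuscates User-Password by XORing it, in chained 16-byte blocks, with MD5(shared secret + Request Authenticator), and the Request Authenticator is fresh per request. The following added example (not from the thread or from Cisco; the shared secret, password and authenticators are constructed sample values) implements that encoding and its inverse, so an administrator who holds the shared secret can check from a capture which password string the client actually transmitted, special characters included.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a RADIUS User-Password value as described in RFC 2865 section 5.2."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    # Pad with NUL bytes to a multiple of 16 (the RFC's block size).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        # b_n = MD5(secret + c_(n-1)); c_1 uses the Request Authenticator.
        block_key = hashlib.md5(secret + prev).digest()
        cipher = _xor(padded[i:i + 16], block_key)
        out += cipher
        prev = cipher
    return out


def decode_user_password(blob: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; trailing NUL padding is removed."""
    if not blob or len(blob) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(blob), 16):
        cipher = blob[i:i + 16]
        block_key = hashlib.md5(secret + prev).digest()
        out += _xor(cipher, block_key)
        prev = cipher
    return out.rstrip(b"\x00")


def demo() -> dict:
    # Constructed sample values: a password full of special characters, two
    # different Request Authenticators standing in for two login attempts.
    secret = b"example-shared-secret"
    password = "P@ss\"w0rd!#$%&'()*+,-./:;<=>?[]^_`{|}~".encode("utf-8")
    ra1, ra2 = bytes(range(16)), bytes(range(16, 32))
    c1 = encode_user_password(password, secret, ra1)
    c2 = encode_user_password(password, secret, ra2)
    return {
        "ciphertexts_differ": c1 != c2,           # same password, different bytes on the wire
        "roundtrip_ok": decode_user_password(c1, secret, ra1) == password,
        "second_roundtrip_ok": decode_user_password(c2, secret, ra2) == password,
    }
```

The Request Authenticator is the 16 bytes at offset 4 of the Access-Request header, so the same decode can be applied to a captured packet once the shared secret is known.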