eem applet problem with isdn test call command

darijohorvat
Level 1

Hi

I'm trying to make an EEM applet that will trigger the "isdn test call int brix/x/x xxxxxxx" command. The applet runs, but this command is not applied and the test call is not made! I noticed the same behaviour for debug commands, while show commands work as expected!

Can somebody help me?

This is applet:

event manager applet test
event none maxrun 20
action 1.0 syslog priority critical msg "Start"
action 2.0 cli command "enable"
action 3.0 cli command "debug isdn q931"
action 4.0 cli command "isdn test call int bri 0/0/0 675000"
action 5.0 syslog priority critical msg "Stop"

8 Replies

Joe Clarke
Cisco Employee

My guess is that you have AAA command authorization enabled, and you need to add the command:

event manager session cli username USER

Where USER is a username authorized to execute all of the CLI commands in your EEM policies.

Thank you for your answer!

Yes, you are right, AAA/Radius is used, and this command cannot be entered in global mode (IOS 12.4(24)T)!

So I tried the command "event manager session cli username USER", where USER is a RADIUS user with privilege 15 and then a locally defined USER with priv 15, but either way the behaviour is the same:

Nov  8 08:07:22.510 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : rtrName>
Nov  8 08:07:22.514 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN  : rtrName>isdn test call int bri0/0/0 xxxxxxx
Nov  8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :         ^

Nov  8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov  8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT :  --More--

Nov  8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : rtrName>

With debug aaa authentication I see something strange:

Nov  8 08:07:22.506 utc: AAA/MEMORY: create_user (0x47D4946C) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL'authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

Why is priv=1 here, regarding this command it should be 15?

username USER privilege 15 secret xxxxxxxxx

I didn't solve this problem with user levels, so I lowered the privilege level for all isdn commands, and it works that way (but this is a plan B solution):

privilege exec all level 1 isdn

Now it looks like you removed the "enable" command from your applet.  You'll need the event manager username configured, then make sure you still have:

action 2.0 cli command "enable"

Again you are right, and again my info was not completely clear (sorry for that)!

I'll try to explain better! On the router, the privilege level for the enable command is raised to 15 (privilege exec all level 15 enable) and should stay that way.

username USER privilege 15 secret xxxxxxx
privilege exec all level 15 enable
event manager session cli username USER
event manager applet TEST
event none
action 100 cli command enable
action 110 cli command "isdn test call int brix/x/x xxxxxx"

Nov  9 12:54:01.128 utc: AAA: parse name=tty515 idb type=-1 tty=-1
Nov  9 12:54:01.128 utc: AAA: name=tty515 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=515 channel=0
Nov  9 12:54:01.128 utc: AAA/MEMORY: create_user (0x45A3A048) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Nov  9 12:54:01.128 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_open called.
Nov  9 12:54:01.128 utc: AAA/BIND(00000160): Bind i/f
Nov  9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov  9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : rtrName>enable
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Translating "enable"
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Bad IP address or host name
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Translating "enable"
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Unknown command or computer name, or unable to find computer address
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : rtrName>isdn test call int bri0/1/0 675000
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :         ^
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov  9 12:54:01.176 utc: AAA/MEMORY: free_user (0x45A3A048) user='USER' ruser='NULL' port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 vrf= (id=0)
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_close called.

So it doesn't work until I lower the privilege for show & isdn commands to level 1, but I don't understand why!?

Do you see another way of doing this (without changing the enable level and without lowering the show & isdn levels)?

Thank you for your time!
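A log audit for the debug output quoted in this thread, as an added example that is not part of any post: it pairs each command the applet's CLI session sent (IN lines) with the errors the router returned and reports the privilege level from the AAA create_user line. The function name and the trimmed sample lines are assumptions made for illustration.

```python
import re

# Sample lines in the format of the debug output quoted in the thread (trimmed).
SAMPLE = """\
Nov  9 12:54:01.128 utc: AAA/MEMORY: create_user (0x45A3A048) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Nov  9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov  9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : rtrName>enable
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Bad IP address or host name
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Unknown command or computer name, or unable to find computer address
Nov  9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN  : rtrName>isdn test call int bri0/1/0 675000
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov  9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
"""

AAA_RE = re.compile(r"AAA/MEMORY: create_user .*?\buser='([^']*)'.*?\bpriv=(\d+)")
CLI_RE = re.compile(r"%HA_EM-6-LOG: (\S+) : DEBUG\(cli_lib\) : : (IN|OUT)\s*: ?(.*)$")
PROMPT_RE = re.compile(r"^(\S+?)([>#])(.*)$")  # '>' = user EXEC, '#' = privileged EXEC

def audit_eem_debug(text):
    """Return the AAA session user/privilege and each applet command with its errors."""
    report = {"user": None, "priv": None, "commands": []}
    current = None
    for line in text.splitlines():
        m = AAA_RE.search(line)
        if m and report["priv"] is None:
            report["user"], report["priv"] = m.group(1), int(m.group(2))
            continue
        m = CLI_RE.search(line)
        if not m:
            continue
        applet, direction, payload = m.groups()
        if direction == "IN":
            p = PROMPT_RE.match(payload)
            if p:  # a command typed at a prompt by the applet
                current = {"applet": applet, "command": p.group(3).strip(),
                           "mode": "privileged" if p.group(2) == "#" else "user",
                           "errors": []}
                report["commands"].append(current)
        elif current is not None and payload.lstrip().startswith("%"):
            current["errors"].append(payload.strip())  # IOS error lines start with '%'
    return report

if __name__ == "__main__":
    print(audit_eem_debug(SAMPLE))
```

A command reported in "user" mode with errors, together with priv=1 on the session, matches the symptom discussed in the thread: the session never left user EXEC.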

Post your entire config less the credentials.  It looks like the AAA authorization method is not consulting the local database.

Here it is (some irrelevant parts are removed (int configurations, access&service policy list, ip sec..))

Can you test by logging in to the router on vty 1?  Then configure vty 0 as authorization exec IN, and see if the applet will run.  My guess is that there is a problem with the way USER is defined on the AAA server.  The fact that "enable" is an unknown command makes me think the authorization is not correct.

Hi

Thank you for your time & suggestion, it was really helpful!

I will stop for now with this test (this is a production router); lowering privilege levels will do the job for me!

br,

Darijo
