11-04-2010 10:56 AM
Hi
I'm trying to make an EEM applet that will trigger the "isdn test call int brix/x/x xxxxxxx" command. The applet runs, but this command is not applied and the test call is not made! I noticed the same behaviour for debug commands, while show commands work as expected!
Can somebody help me?
This is the applet:
event manager applet test
event none maxrun 20
action 1.0 syslog priority critical msg "Start"
action 2.0 cli command "enable"
action 3.0 cli command "debug isdn q931"
action 4.0 cli command "isdn test call int bri 0/0/0 675000"
action 5.0 syslog priority critical msg "Stop"
11-05-2010 09:52 AM
My guess is that you have AAA command authorization enabled, and you need to add the command:
event manager session cli username USER
Where USER is a username authorized to execute all of the CLI commands in your EEM policies.
11-07-2010 11:23 PM
Thank you for your answer!
Yes, you are right, AAA/Radius is used, and this command cannot be entered in global mode (IOS 12.4(24)T)!
So I tried this command "event manager session cli username USER", where USER is a RADIUS user with privilege 15 and then with USER locally defined with priv 15, but either way the behaviour is the same:
Nov 8 08:07:22.510 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : rtrName>
Nov 8 08:07:22.514 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : IN : rtrName>isdn test call int bri0/0/0 xxxxxxx
Nov 8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : ^
Nov 8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov 8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : --More--
Nov 8 08:07:22.534 utc: %HA_EM-6-LOG: test : DEBUG(cli_lib) : : OUT : rtrName>
With debug aaa authentication I see something strange:
Nov 8 08:07:22.506 utc: AAA/MEMORY: create_user (0x47D4946C) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL'authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Why is priv=1 here? Regarding this command it should be 15:
username USER privilege 15 secret xxxxxxxxx
I didn't solve this problem with user levels, so I lowered the privilege level for all isdn commands, and it works that way (but this is a plan B solution):
privilege exec all level 1 isdn
11-08-2010 07:45 AM
Now it looks like you removed the "enable" command from your applet. You'll need the event manager username configured, then make sure you still have:
action 2.0 cli command "enable"
11-09-2010 04:05 AM
Again you are right, and again my info was not completely clear (sorry for that)!
I'll try to explain better! On the router, the privilege level for the enable command is raised to 15 (privilege exec all level 15 enable) and should stay that way.
username USER privilege 15 secret xxxxxxx
privilege exec all level 15 enable
event manager session cli username USER
event manager applet TEST
event none
action 100 cli command enable
action 110 cli command "isdn test call int brix/x/x xxxxxx"
Nov 9 12:54:01.128 utc: AAA: parse name=tty515 idb type=-1 tty=-1
Nov 9 12:54:01.128 utc: AAA: name=tty515 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=515 channel=0
Nov 9 12:54:01.128 utc: AAA/MEMORY: create_user (0x45A3A048) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Nov 9 12:54:01.128 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_open called.
Nov 9 12:54:01.128 utc: AAA/BIND(00000160): Bind i/f
Nov 9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov 9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN : rtrName>enable
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Translating "enable"
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Bad IP address or host name
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Translating "enable"
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Unknown command or computer name, or unable to find computer address
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN : rtrName>isdn test call int bri0/1/0 675000
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : ^
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT :
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
Nov 9 12:54:01.176 utc: AAA/MEMORY: free_user (0x45A3A048) user='USER' ruser='NULL' port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 vrf= (id=0)
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : CTL : cli_close called.
So it doesn't work until I lower the privilege for show & isdn commands to level 1, but I don't understand why!?
Do you see another way of doing this (without changing the enable level and without lowering the show & isdn levels)?
Thank you for your time!
11-09-2010 07:49 AM
Post your entire config less the credentials. It looks like the AAA authorization method is not consulting the local database.
11-09-2010 11:28 PM
11-10-2010 08:00 AM
Can you test by logging in to the router on vty 1? Then configure vty 0 as authorization exec IN, and see if the applet will run. My guess is that there is a problem with the way USER is defined on the AAA server. The fact that "enable" is an unknown command makes me think the authorization is not correct.
11-11-2010 04:16 AM
Hi
Thank you for your time & suggestion, it was really helpful!
I will stop for now with this test (this is a production router); lowering privilege levels will do the job for me!
br,
Darijo
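The symptom in the debug output above (an AAA session created with priv=1, commands sent at the `rtrName>` prompt, parser errors in the OUT lines that follow) can be checked mechanically when auditing EEM applets under AAA. This is an added example, not part of the original thread or Cisco code; the function names are hypothetical and the sample lines are abridged from the output posted above.

```python
import re

# Lines abridged from the debug output posted in the thread above.
SAMPLE_LOG = """\
Nov 9 12:54:01.128 utc: AAA/MEMORY: create_user (0x45A3A048) user='USER' ruser='NULL' ds0=0 port='tty515' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Nov 9 12:54:01.132 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN : rtrName>enable
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : Translating "enable"
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Unknown command or computer name, or unable to find computer address
Nov 9 12:54:01.152 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : IN : rtrName>isdn test call int bri0/1/0 675000
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : % Invalid input detected at '^' marker.
Nov 9 12:54:01.176 utc: %HA_EM-6-LOG: TEST : DEBUG(cli_lib) : : OUT : rtrName>
"""

CLI = re.compile(r"%HA_EM-6-LOG: (\S+) : DEBUG\(cli_lib\) : : (IN|OUT) : ?(.*)$")
AAA = re.compile(r"AAA/MEMORY: create_user .*?user='([^']*)'.*?priv=(\d+)")
PROMPT = re.compile(r"^(\S+?)([>#])(.*)$")  # '>' = user EXEC, '#' = privileged EXEC
ERRORS = ("% Invalid input", "% Unknown command", "% Bad IP address")

def analyze(log_text):
    """Return (aaa_sessions, commands) parsed from AAA and EEM cli_lib debug lines."""
    sessions, commands = [], []
    for line in log_text.splitlines():
        m = AAA.search(line)
        if m:
            sessions.append({"user": m.group(1), "priv": int(m.group(2))})
            continue
        m = CLI.search(line)
        if not m:
            continue
        applet, direction, text = m.groups()
        if direction == "IN":  # what the applet typed, prefixed by the prompt
            p = PROMPT.match(text)
            if p:
                commands.append({"applet": applet, "command": p.group(3).strip(),
                                 "privileged": p.group(2) == "#", "rejected": False})
        elif commands and text.lstrip().startswith(ERRORS):
            commands[-1]["rejected"] = True  # error belongs to the last command sent
    return sessions, commands

def findings(log_text):
    """List low-privilege AAA sessions and every command the CLI parser rejected."""
    sessions, commands = analyze(log_text)
    out = [f"AAA session for {s['user']} created at priv={s['priv']}" for s in sessions if s["priv"] < 15]
    for c in commands:
        if c["rejected"]:
            mode = "privileged EXEC" if c["privileged"] else "user EXEC"
            out.append(f"{c['applet']}: '{c['command']}' rejected in {mode}")
    return out
```

Run against the thread's output, `findings(SAMPLE_LOG)` reports the priv=1 session and both commands as rejected in user EXEC, which is the pattern the replies attribute to authorization.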