
EEM With TCL Script

s-pirrello
Level 1

Hi,

When I have AAA enabled for authentication pointing to my ACS server for domain authentication, the EEM with TCL scripts will not perform. If I configure my routers to utilize local authentication, the scripts successfully execute the commands. Any ideas?


I've attached the debug in a text file.

Here's the output you requested.

RTR-LAB-2811-1#show event manager policy registered

No. Class Type Event Type Trap Time Registered Name

1 script user syslog Off Mon Jul 6 13:24:02 2009 sendmail-bgp-mpls-enterprise-test.tcl

occurs 1 pattern {.*BGP-5-ADJCHANGE.*Down.*}

nice 1 queue-priority low maxrun 90.000

The debug doesn't run long enough, but it really looks like the problem is with AAA and not EEM. Try configuring local AAA authorization, and see if the policy works:

aaa authorization exec default local none

Of course, you'll need a local username definition.

That's the issue I'm experiencing. If I use local authentication, it works fine. If I point AAA to speak to ACS for domain authentication, it won't work.

Post the show run and show ver from this router. There may be a AAA bug.

Also, what output do you get in the ACS failed attempts logs?

There are no failed attempts for this.

Here's my show ver:

RTR-LAB-2811-1#sh ver

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(19), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Fri 29-Feb-08 20:07 by prod_rel_team

ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)

RTR-LAB-2811-1 uptime is 13 weeks, 1 hour, 1 minute

System returned to ROM by Reload Command

System restarted at 13:18:56 EDT Mon Apr 6 2009

System image file is "flash:c2800nm-advipservicesk9-mz.124-19.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.

Processor board ID FCZ10077054

11 FastEthernet interfaces

1 Serial interface

1 Virtual Private Network (VPN) Module

DRAM configuration is 64 bits wide with parity enabled.

239K bytes of non-volatile configuration memory.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

The file attached is the "sh run".

I think I see the problem. It IS with EEM. The bug is CSCsz70112. It has to do with the way the prompt handling code works in EEM when AAA is used. Unfortunately, this will not be fixed in 12.4 mainline. If you upgrade to 12.4(22)T or higher, your script will work.

Thanks for the update Joe. I will upgrade now and will let you know if this does the trick.

That did the trick. Do you know if the bug will be resolved in 12.15?

Yes. In general, all bug fixes from the previous T train roll into the next mainline.
