04-13-2009 06:15 PM
Hi,
When I have AAA enabled for authentication pointing to my ACS server for domain authentication, the EEM with TCL scripts will not perform. If I configure my routers to utilize local authentication, the scripts successfully execute the commands. Any ideas?
07-06-2009 09:49 AM
I've attached the debug in a text file.
Here's the output you requested.
RTR-LAB-2811-1#show event manager policy registered
No. Class Type Event Type Trap Time Registered Name
1 script user syslog Off Mon Jul 6 13:24:02 2009 sendmail-bgp-mpls-enterprise-test.tcl
occurs 1 pattern {.*BGP-5-ADJCHANGE.*Down.*}
nice 1 queue-priority low maxrun 90.000
07-06-2009 10:00 AM
The debug doesn't run long enough, but it really looks like the problem is with AAA and not EEM. Try configuring local AAA authorization, and see if the policy works:
aaa authorization exec default local none
Of course, you'll need a local username definition.
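To show where AAA enters the picture, here is an added example of a minimal EEM Tcl policy registered the same way as the one in the thread (same syslog pattern, queue priority and maxrun). It is not the poster's sendmail-bgp-mpls-enterprise-test.tcl and is not Cisco's code; the commands it runs and the syslog message it writes are illustrative choices. The CLI session that cli_open creates is a vty session owned by EEM, and when AAA is configured it is subject to exec and command authorization like an interactive login, under the username configured with "event manager session cli username <name>". That is the step that failed when authorization pointed at ACS.

```tcl
# Added example policy (hypothetical): react to a BGP adjacency loss by
# capturing "show ip bgp summary" and logging the result.
::cisco::eem::event_register_syslog occurs 1 pattern {.*BGP-5-ADJCHANGE.*Down.*} \
    queue_priority low maxrun 90 nice 1

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Retrieve the syslog message that triggered the policy.
array set arr_einfo [event_reqinfo]
set trigger_msg $arr_einfo(msg)

# cli_open creates an EEM-owned vty session. With AAA configured, this
# session goes through exec authorization; the router presents the
# username set with "event manager session cli username <name>".
# An authorization failure here aborts the policy before any command runs.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result

# Each cli_exec is subject to command authorization as well.
foreach cmd [list "enable" "show ip bgp summary"] {
    if {[catch {cli_exec $cli1(fd) $cmd} result]} {
        catch {cli_close $cli1(fd) $cli1(tty_id)}
        error "cli_exec '$cmd' failed: $result" $errorInfo
    }
}
set bgp_summary $result

catch {cli_close $cli1(fd) $cli1(tty_id)}

# Record the outcome in syslog so the event is visible even if a later
# notification step (mail, for example) fails.
action_syslog priority info msg \
    "EEM: BGP adjacency down ($trigger_msg); captured [string length $bgp_summary] bytes of 'show ip bgp summary'"
```

When a policy like this stops working after AAA is switched from local to a server, the first thing to compare is the authorization decision for the EEM session's username on the server side against the local fallback in the post above: the policy code is identical in both cases, so the difference is in what the vty session is allowed to do.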
07-06-2009 10:05 AM
That's the issue I'm experiencing. If I use local authentication, it works fine. If I point AAA to speak to ACS for domain authentication, it won't work.
07-06-2009 10:08 AM
Post the show run and show ver from this router. There may be an AAA bug.
07-06-2009 10:09 AM
Also, what output do you get in the ACS failed attempts logs?
07-06-2009 10:25 AM
There are no failed attempts for this.
07-06-2009 10:24 AM
Here's my show ver:
RTR-LAB-2811-1#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(19), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 29-Feb-08 20:07 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
RTR-LAB-2811-1 uptime is 13 weeks, 1 hour, 1 minute
System returned to ROM by Reload Command
System restarted at 13:18:56 EDT Mon Apr 6 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-19.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FCZ10077054
11 FastEthernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
The file attached is the "sh run".
07-06-2009 10:33 AM
I think I see the problem. It IS with EEM. The bug is CSCsz70112. It has to do with the way the prompt handling code works in EEM when AAA is used. Unfortunately, this will not be fixed in 12.4 mainline. If you upgrade to 12.4(22)T or higher, your script will work.
07-06-2009 10:34 AM
Thanks for the update Joe. I will upgrade now and will let you know if this does the trick.
07-09-2009 03:39 AM
That did the trick. Do you know if the bug will be resolved in 12.15?
07-09-2009 06:33 AM
Yes. In general, all bug fixes from the previous T train roll into the next mainline.