
LMS 3.2 and RME 4.3.1 telnet with tacacs+ fails

tomeq82
Level 1

Hi everyone,

I'm having an issue with credential verification for telnet with TACACS+ enabled. The verification job fails with "Telnet: Incorrect" and an exception in daemons.log:

om.cisco.nm.lib.cmdsvc.CmdSvcException: com.cisco.nm.lib.cmdsvc.telnet.TelnetException: Unable to read from socket
        at com.cisco.nm.lib.cmdsvc.TelnetSession.connect(TelnetSession.java:89)
        at com.cisco.nm.lib.cmdsvc.Session.connect(Session.java:152)
        at com.cisco.nm.lib.cmdsvc.AuthHandler.connect(AuthHandler.java:254)
        at com.cisco.nm.lib.cmdsvc.OpConnect.invoke(OpConnect.java:56)
        at com.cisco.nm.lib.cmdsvc.SessionContext.invoke(SessionContext.java:299)
        at com.cisco.nm.lib.cmdsvc.Engine.process(Engine.java:57)
        at com.cisco.nm.lib.cmdsvc.LocalProxy.process(LocalProxy.java:22)
        at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:190)
        at com.cisco.nm.lib.cmdsvc.CmdSvc.connect(CmdSvc.java:166)
        at com.cisco.nm.xms.xdi.pkgs.LibDcma.persistor.CliOperator.<init>(CliOperator.java:214)
        at com.cisco.nm.xms.xdi.pkgs.SharedDcmaIOS.transport.IOSCliOperator.<init>(IOSCliOperator.java:116)
        at com.cisco.nm.xms.xdi.pkgs.SharedDcmaIOS.transport.CatIOSSwitchCliOperator.<init>(CatIOSSwitchCliOperator.java:56)
        at com.cisco.nm.xms.xdi.pkgs.SharedDcmaIOS.transport.Cat6kIOSCliOperator.<init>(Cat6kIOSCliOperator.java:32)
        at com.cisco.nm.xms.xdi.pkgs.SharedDcmaIOS.transport.Cat6kIOSConfigOperator.getOperator(Cat6kIOSConfigOperator.java:35)
        at com.cisco.nm.xms.xdi.pkgs.LibDcma.persistor.OperatorCacheManager.getOperatorForDevice(OperatorCacheManager.java:50)
        at com.cisco.nm.xms.xdi.pkgs.LibDcma.persistor.ConfigOperation.doConfigOperation(ConfigOperation.java:99)
        at com.cisco.nm.xms.xdi.pkgs.SharedDcmaIOS.transport.IOSConfigOperator.fetchConfig(IOSConfigOperator.java:73)
        at com.cisco.nm.rmeng.dcma.configmanager.ConfigManager.updateArchiveForDevice(ConfigManager.java:658)
        at com.cisco.nm.rmeng.dcma.configmanager.ConfigManager.performCollection(ConfigManager.java:1646)
        at com.cisco.nm.rmeng.dcma.configmanager.CfgUpdateThread.run(CfgUpdateThread.java:27)

I've also tried editing TacacsPrompts.ini, following the suggestion to enter "," after the last space character.
I'm using only TACACS, so all prompts are the same. I'm also using MOTD.
The TACACS prompt looks like this example: "TEST username: ,TEST password: " so this looks obvious.
The issue started to appear after some patching was done to RME and CiscoView, but I'm not sure that this is connected in any way.
Thanks for all the help.

17 Replies

Gaganjeet Chug
Level 4

Hi,

Kindly check the sniffer trace and see if CiscoWorks is sending the correct credentials for the device.

It's good that you have already checked the tacasprompt.ini. Kindly make sure that the Username: and Password: is the actual prompt that you will be getting on the device too, and it's case sensitive.

If possible, kindly post the tacasprompt.ini file and a screenshot of the username and password prompt on the device.

Thanks

Gaganjeet

Hi!

The TACACS prompt looks exactly like this:

TEST username:

TEST password:

with spaces after ":"

From the packet dump, the conversation is quite strange. I don't see any proper credentials sent. I see only the "do echo" parameter from LMS, then a "cisco" word sent char by char, both from the LMS and device side (which is wrong, because credentials are properly set in LMS; I tried reapplying them but no success), and at the end I got "% TEST username: timeout expired!"

After that I've got a few repeats and the same failure...

Greets,

Tomek

Hi Tomek,

Kindly try this in tacasprompt.ini and check that casuser has full rights on this file. After making the changes, kindly restart the daemon manager if that is possible for you.

[TELNET]
USERNAME_PROMPT=username:
PASSWORD_PROMPT=password:

Thanks,
Gaganjeet

Thanks for the reply. I'd like to clarify one thing: is it required to restart the daemon manager every time I change anything in the TacacsPrompts.ini file? I've read that this is not required, but it looks like any changes I've made did nothing at all... but I didn't restart the stuff.

OK. I've restarted DM. No success at all. Still getting "telnet incorrect", abnormal packet dumps with no credentials sent from LMS, and getting Java exceptions in daemons.log.

I assume that TacacsPrompts.ini does nothing at all in this case...

Hi,

Right, if possible, kindly post a screenshot of the way the prompt appears on the telnet screen while logging in to the device.

Otherwise we need to enable debugging for the Device Credentials job.

Thanks,

Gaganjeet

Hi,

I can't disclose the prompt to the public, but it looks EXACTLY like that; treat it as a template:

**********************
*  some sort of MOTD *
**********************

TEST username:
TEST password:

Nothing more. Nothing seems out of the ordinary. Does the MOTD cause any possible problems? Like special characters (*, -, = and so on)?

TEST is a prefix to lowercased "username" and "password". There is no space at the beginning of the line, but there is a space after the colon. There is a newline present between the MOTD and the login prompt.

Greets,

Tomek
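A way to check a prompt string against what the device actually sends, added here as an example that is not part of any poster's reply and is not CiscoWorks code. The capture bytes are constructed from the template above, and suffix matching is an assumption, since the thread does not say how LMS compares prompts.

```python
# Added example; the capture below is constructed, not taken from the thread.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Drop telnet IAC option negotiation so only the visible text remains."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 1 >= len(raw):
            break                                  # truncated IAC at end of capture
        elif raw[i + 1] == IAC:
            out.append(IAC)                        # escaped literal 0xFF
            i += 2
        elif raw[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                 # IAC <verb> <option>
        elif raw[i + 1] == SB:
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2   # skip subnegotiation
        else:
            i += 2                                 # other two-byte command
    return bytes(out)


def diagnose_prompt(raw: bytes, configured: str) -> str:
    """Compare the tail of the visible stream with a configured prompt.

    Suffix matching is an assumption made for this example.
    """
    seen = strip_telnet_negotiation(raw).decode("ascii", "replace")
    if seen.endswith(configured):
        return "exact"
    if seen.lower().endswith(configured.lower()):
        return "case-mismatch"
    if seen.rstrip().endswith(configured.rstrip()):
        return "whitespace-mismatch"
    return "no-match"


# Constructed capture: IAC WILL ECHO, IAC WILL SGA, MOTD, prompt with trailing space.
CAPTURE = (b"\xff\xfb\x01\xff\xfb\x03"
           b"\r\n**********************\r\n*  some sort of MOTD *\r\n"
           b"**********************\r\n\r\nTEST username: ")

if __name__ == "__main__":
    for candidate in ("TEST username: ", "username: ", "Username: ", "TEST username:"):
        print(repr(candidate), "->", diagnose_prompt(CAPTURE, candidate))
```

Feeding it the raw bytes from a sniffer trace of a manual telnet login shows whether a configured prompt differs from the device's prompt only in case or in the trailing space.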

Hi,

Thanks for the update. I would suggest that a TAC case is required to troubleshoot this issue further, and I hope you have an open TAC case with SR - 616680889.

Thanks,

Gaganjeet

Hi,

Yes, this is the case I've opened, but unfortunately it stalled and we REALLY need assistance on that...

Thanks for the help.

best regards,

Tomek

Sorry for stealing your post, but I'm having the same problem. I do not have custom prompts; I do use TACACS+ but did not configure the "aaa authentication username-prompt" or "aaa authentication password-prompt" on my devices.

I also have a TAC case open, but they haven't solved it. Do you have any response about your case?

If you have PAM configured for your devices and telnet fails, even though you don't have the custom login and password entry, you may need to configure the tacacsprompt.ini file with the prompt you get.

Also, sometimes, if the PAM takes time to respond to the device, you can try to increase the telnet timeout on the device itself (device(config-line)#timeout login response 90).

-Thanks Vinod **Rating encourages contributors, and it's really free.**

Hi,


After increasing the timeout login response to 90, if you are still getting the same error, then try to increase the telnet timeout in CiscoWorks from this location:


RME -> Admin -> System Preferences -> RME Device Attributes -> Increase the telnet timeout to 100


Thanks,

Gaganjeet

Gaganjeet,

Did that with TAC on the WebEx, increased it to 120s on RME, and it did not work.

By the way, I know how to change the prompt on the device using the AAA "aaa authentication username-prompt" or "aaa authentication password-prompt".

Is there a way to change it on the ACS using TACACS+? Can't find a doc about it.

Thank you !


Vinarya,

What do you mean by PAM? Port to Application Mapping? My devices don't have PAM. Tried increasing the timeout but it did not work.

Thank you !