10-11-2013 01:45 PM
Hi,
Would really appreciate some assistance in what I 'thought' is a simple task.
This is what I want to do via TCL / EEM :
1.) Enumerate all interfaces on the switch or just query the running config
2.) Query each interface config
3.) If the interface config doesn't contain the string 'authentication port-control auto' - send an email with the resulting interface name etc
I'm starting to lose my mind trying to do this
Thanks and regards,
Bill
10-12-2013 09:22 PM
Try this:
event manager applet intf-auth
 event none
 action 001 cli command "enable"
 action 002 cli command "show ip int brie"
 action 003 set output "$_cli_result"
 action 004 set intfs ""
 action 005 foreach line "$output" "\n"
 action 006 string trim $line
 action 007 set line $_string_result
 action 008 string length $line
 action 009 if $_string_result eq 0
 action 010 continue
 action 011 end
 action 012 regexp "^Interface" "$line"
 action 013 if $_regexp_result eq "1"
 action 014 continue
 action 015 end
 action 016 regexp "#" "$line"
 action 017 if $_regexp_result eq "1"
 action 018 continue
 action 019 end
 action 020 regexp "^([^[:space:]]+)[[:space:]]" "$line" match intf
 action 021 cli command "show run interface $intf"
 action 022 regexp "authentication port-control auto" "$_cli_result"
 action 023 if $_regexp_result eq "0"
 action 024 append intfs " $intf"
 action 025 end
 action 026 end
 action 027 string length "$intfs"
 action 028 if $_string_result gt "0"
 action 029 mail from "user@example.com" to "user@example.com" server "10.1.1.1" subject "Interfaces missing auth port-control" body "The following interfaces are missing 'auth port-control auto': $intfs"
 action 030 end
10-13-2013 07:01 AM
I just get 1 error with the above on action 004:
action 004 set intfs ""
Thanks
10-13-2013 11:53 AM
This applet assumes EEM 3.0. If your IOS version is less than 12.4(22)T, then go to http://www.marcuscom.com/convert_applet to convert it into an EEM Tcl policy (note: this is not a tclsh script). Then you can register it as an EEM Tcl policy and run it with:
event manager run POLNAME
Where POLNAME is the name of the Tcl file you used.
10-14-2013 02:45 AM
Thanks - doesn't seem to run
#show event manager history events detailed
No. Job Id Proc Status Time of Event Event Type Name
1 1 Actv abort Mon Oct14 10:38:36 2013 none applet: intf-auth
argc 0
10-14-2013 03:11 AM
It works fine on a switch with 12 interfaces but doesn't on a switch with 48 interfaces.
Could this be a timeout etc ?
Thanks
10-14-2013 06:11 AM
Event none maxrun 900 :-)
Thanks for your help Joseph.
06-19-2015 09:27 AM
Today I tried this config on my Cat3850, stack of 4, but it didn't work. EEM version is 3.20 :(
I received the email from the switch ("The following interfaces are missing 'auth port-control auto': Command"), but there are no interfaces which do not have port-control enabled.
Has anybody tried this configuration before, and did it work for you?
06-21-2015 02:13 AM
You probably need to change action 002 to:
action 002 cli command "show ip int brief | inc Ethernet"
06-22-2015 11:11 AM
Still no luck :(
After this change, the email has stopped coming as well. The event history shows success though.
9 12 Actv success Mon Jun22 10:59:48 2015 none applet: intf-auth
10 13 Actv success Mon Jun22 11:00:32 2015 none applet: intf-auth
Is there anything that you could think of and make it successful? Sorry, my knowledge is little on EEM.
Thanks!
/j
06-22-2015 11:45 AM
Right, it's working now. You said all your interfaces already have "authentication port-control auto" on them, so now that the policy only looks at Ethernet interfaces, you shouldn't see any email. You would need to have at least one Ethernet interface that does not have the config "authentication port-control auto" on it in order to see the email.
06-22-2015 12:54 PM
I was actually debugging the eem event recently and found:
Jun 22 11:33:24.071 PDT: %HA_EM-6-LOG: intf-auth : DEBUG(cli_lib) : : IN : xx-sw01#enable
Jun 22 11:33:24.289 PDT: %HA_EM-6-LOG: intf-auth : DEBUG(cli_lib) : : OUT : Command authorization failed.
Jun 22 11:33:24.289 PDT: %HA_EM-6-LOG: intf-auth : DEBUG(cli_lib) : : OUT :
After noticing this failure in the debug output, I went ahead and bypassed AAA authorization for the policy. Now I am receiving the email with the list of interfaces that do not have port-control auto enabled :)
Thanks a lot for your help! Your script works amazingly!
/j
01-29-2020 09:59 AM
This was a great find for me. It's a common problem for staff members to disable authentication and never turn it back on.
Anyhow,
When I execute this, it matches every interface. The only thing I see that might be wrong is I get command authorization failure even with enable.
Debugging: Can't copy paste here sorry.
#show ip int brie | inc Ethernet
Command works
#show run interface GigabitEthernet0/2
Command authorization failed
Thanks all
01-29-2020 12:19 PM
I sorted it out. The fix was (config)#event manager session cli username USER.
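Added example, not part of any post in this thread: an off-box Python version of the same audit that keeps "line is missing" apart from "the command never ran", since the applet's regexp also returns 0 when the switch answers "Command authorization failed" and then reports every port. The function names and all sample CLI output are constructed for illustration.

```python
import re

AUTH_LINE = "authentication port-control auto"
AUTHZ_ERROR = "Command authorization failed"  # string from the debug output in the thread

def interfaces_from_brief(brief):
    """Ethernet interface names from 'show ip int brief' output."""
    names = []
    for line in brief.splitlines():
        m = re.match(r"(\S*Ethernet\d\S*)\s", line.lstrip())
        if m:  # skips the header row, VLAN/loopback rows and prompt lines
            names.append(m.group(1))
    return names

def classify(show_run_output):
    """Return 'ok', 'missing' or 'error' for one 'show run interface X' result."""
    if AUTHZ_ERROR in show_run_output:
        return "error"
    if not re.search(r"^interface \S+", show_run_output, re.M):
        return "error"  # no config came back, so absence of the line proves nothing
    # Whole-line match, so a description that merely mentions the phrase does not count.
    if re.search(rf"^\s*{re.escape(AUTH_LINE)}\s*$", show_run_output, re.M):
        return "ok"
    return "missing"

def audit(brief, run_outputs):
    """Group interfaces by result; only 'missing' belongs in the alert email."""
    report = {"ok": [], "missing": [], "error": []}
    for name in interfaces_from_brief(brief):
        report[classify(run_outputs.get(name, ""))].append(name)
    return report

# Constructed sample output (not captured from a real switch).
BRIEF = """Interface              IP-Address      OK? Method Status     Protocol
Vlan1                  10.0.0.2        YES NVRAM  up         up
GigabitEthernet0/1     unassigned      YES unset  up         up
GigabitEthernet0/2     unassigned      YES unset  down       down
GigabitEthernet0/3     unassigned      YES unset  up         up
sw01#"""
RUN = {
    "GigabitEthernet0/1": "!\ninterface GigabitEthernet0/1\n switchport mode access\n"
                          " authentication port-control auto\nend\n",
    "GigabitEthernet0/2": "!\ninterface GigabitEthernet0/2\n"
                          " description authentication port-control auto removed\nend\n",
    "GigabitEthernet0/3": "Command authorization failed.\n",
}

if __name__ == "__main__":
    print(audit(BRIEF, RUN))
```

A non-empty "error" list points at the AAA authorization problem fixed above with event manager session cli username, not at a port that lost its 802.1X setting.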