
RME Telnet authentication failed

jromanov
Level 1

I have the following abnormal behaviour of RME (LMS 2.5.1).

After discovering and adding devices to DCR, I defined the telnet community for each device (I added the user "cwuser" at the ACS, and each device uses ACS primary authentication). When I try to fetch the startup, running and vlan.dat files from the devices, there is a telnet authentication failure and RME switches from telnet to the TFTP protocol for fetching startup and running. But it cannot fetch vlan.dat using TFTP (???).

The question is: why is there a telnet authentication failure? If I try telnet from the command line of this server (or from Device Center), it succeeds!

This situation involves some devices, and others (with the same configuration) are OK.

I had this problem twice with different customers.


miheg
Level 5

I have not yet integrated Ciscoworks and ACS. ACS is just used to authenticate at our clients.

Until now, whenever I could log on to a device using telnet from the ciscoworks server, ciscoworks could also.

Have you tried the credential verification report?

Cheers,

Michel

Yes, I tried! The credentials verification is OK!

When I tried to fetch configs the first time, the authentication really failed because ACS was down. But after ACS was OK, the situation was not corrected.

P.S. In this situation CW and ACS are not integrated! Only network devices use ACS when LMS is telnetting to them.

Have you tried yourself from the ciscoworks server with the cwuser?

Maybe there is a restriction stopping this server from accessing the device?

Cheers,

Yes, I tried. It was OK from the cmd.

Well, then I have additional questions:

1. Does logging of it exist? (what protocols were used by RME... what credentials were sent...)?

2. In LMS 2.2 I could define local credentials and remote (ACS) ones, and the remote authentication was tried first... Could I do it in LMS 2.5? I saw only the primary credential fields...

Thanks a lot!

Strange indeed,

I don't think you will find a log with the actual password that was sent.

But if you go to \CSCOpx\files\rme\jobs\ArchiveMgmt\

and then into the directory of your job, you will find logfiles.

Under Admin System -> Preferences -> loglevels you can increase debugging.

And about the protocols, if you go to:

RME -> Admin -> Config Mgmt -> Transport Settings

You see the protocols it will use, in the order it should use them.

I don't know what you mean by local and remote credentials.

I have little and mostly bad experience with LMS 2.2.

Cheers

Michel

Thanks!

About protocols. Yes, I did it. The first time I had this problem, I just added the SSH protocol to telnet. And the problem was resolved (but the cause of it is not clear). Last time the soft didn't support SSH :(

What is Local and remote credentials...

For example. Each device uses ACS authentication (user cwuser) for line access. And each device has a local account (localuser) in the local database (configured "aaa authentication ... tacacs local"). In LMS 2.2 we could define the user "cwuser" and the secondary user "localuser". Then LMS tries to log into the device using "cwuser". But if the ACS is not accessible by the device, then LMS uses the secondary "localuser", which is in the local device database.

In LMS 2.5... If we define in the credentials field the username defined at the ACS, and the ACS is down, CW LMS will not be able to log in to the device! (user "cwuser" is absent in the local database. "localuser" is present instead!).

Correct on the last point. LMS 2.5 does not currently support backup or fallback credentials. Work is being done to fix this, and it should be available in LMS 3.0 due out next year. In order for this scenario to work currently, both the ACS and the local databases need to agree at least in terms of the user CiscoWorks is using to log into the device.