
netsim Failed to authenticate - bad password

ben_piret
Level 1

Hi NSO community,

I am trying to establish a netsim device called netsimC1111-4P.

This device is under authgroup default as per :

admin@ncs% show devices device netsimC1111-4P

...

authgroup default;

...

Then, I define the username to login on the netsim device by :

admin@ncs% set devices authgroups group default default-map same-user remote-password cisco

(followed by commit)

With this I should be able to connect to my netsim device as I have a user admin/cisco defined in it via the ios.xml file :

cisco@nsopoc:~/win$ ncs-netsim restart netsimC1111-4P
DEVICE netsimC1111-4P STOPPED
DEVICE netsimC1111-4P RESET
DEVICE netsimC1111-4P OK STARTED
cisco@nsopoc:~/win$ ncs-netsim cli-c netsimC1111-4P

admin connected from 10.14.32.234 using ssh on nsopoc
netsimC1111-4P# show run
no service pad
username admin secret cisco
username cisco secret cisco
no ip domain-lookup
no ip http server
no ip http secure-server

However when I try to connect to this netsim device with admin user, I get a bad password message. See log below - any idea of what I am doing wrong ?

admin@ncs% request devices device netsimC1111-4P connect                          
result false
info Failed to authenticate towards device netsimC1111-4P: Bad password for local/remote user admin/admin Auth failed
[ok][2018-06-19 12:37:01]

[edit]
admin@ncs%

Accepted Solutions

rogaglia
Cisco Employee

Hi Benoit,

I believe what is happening is that you are changing the IOS config in the netsim device and expect that the change will have any effect in the NETSIM SSH server credentials.

You need to remember that NETSIM does not analyse the config it receives, so, the username/password you are setting is not changing the SSH server credentials.

The credentials for the netsim devices are created in an XML file in the device cdb folder as seen here. I am not sure if this could be modified via the confd CLI of the device or you would need to re-create your device with the new XML file in the right folder or simply "load merge" the new values.

Roque

ROGAGLIA-M-M0VW:simple-mpls-vpn rogaglia$ more netsim/ce/ce0/cdb/aaa_init.xml
<config xmlns="http://tail-f.com/ns/config/1.0">
  <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
    <authentication>
      <users>
        <user>
          <name>admin</name>
          <uid>9001</uid>
          <gid>100</gid>
          <password>$0$admin</password>
          <ssh_keydir>/var/confd/homes/admin/.ssh</ssh_keydir>
          <homedir>/var/confd/homes/admin</homedir>
        </user>
        <user>
          <name>oper</name>
          <uid>9001</uid>
          <gid>100</gid>
          <password>$0$oper</password>
          <ssh_keydir>/var/confd/homes/oper/.ssh</ssh_keydir>
          <homedir>/var/confd/homes/oper</homedir>
        </user>
        <user>
          <name>public</name>
          <uid>9001</uid>
          <gid>100</gid>
          <password>$0$public</password>
          <ssh_keydir>/var/confd/homes/public/.ssh</ssh_keydir>
          <homedir>/var/confd/homes/public</homedir>
        </user>
        <user>
          <name>private</name>
          <uid>9001</uid>
          <gid>100</gid>
          <password>$0$private</password>
          <ssh_keydir>/var/confd/homes/private/.ssh</ssh_keydir>
          <homedir>/var/confd/homes/private</homedir>
        </user>
      </users>
    </authentication>
    <ios>
      <level>
        <nr>0</nr>
        <prompt>ce0> </prompt>
      </level>
      <level>
        <nr>15</nr>
        <prompt>ce0# </prompt>
      </level>
      <privilege>
        <mode>exec</mode>
        <level>
          <nr>0</nr>
          <command>
            <name>exit</name>
          </command>
          <command>
            <name>action</name>
          </command>
          <command>
            <name>help</name>
          </command>
          <command>
            <name>autowizard</name>
          </command>
          <command>
            <name>enable</name>
          </command>
          <command>
            <name>startup</name>
          </command>
        </level>
        <level>
          <nr>15</nr>
          <command>
            <name>configure</name>
          </command>
        </level>
      </privilege>
    </ios>
  </aaa>
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <write-default>permit</write-default>
    <groups>
      <group>
        <name>admin</name>
        <user-name>admin</user-name>
        <user-name>private</user-name>
      </group>
      <group>
        <name>oper</name>
        <user-name>oper</user-name>
        <user-name>public</user-name>
      </group>
    </groups>
    <rule-list>
      <name>admin</name>
      <group>admin</group>
      <rule>
        <name>any-access</name>
        <action>permit</action>
      </rule>
    </rule-list>
    <rule-list>
      <name>any-group</name>
      <group>*</group>
      <rule>
        <name>tailf-aaa-authentication</name>
        <module-name>tailf-aaa</module-name>
        <path>/aaa/authentication/users/user[name='$USER']</path>
        <access-operations>read update</access-operations>
        <action>permit</action>
      </rule>
      <rule>
        <name>tailf-aaa-user</name>
        <module-name>tailf-aaa</module-name>
        <path>/user[name='$USER']</path>
        <access-operations>create read update delete</access-operations>
        <action>permit</action>
      </rule>
      <rule>
        <name>tailf-webui-user</name>
        <module-name>tailf-webui</module-name>
        <path>/webui/data-stores/user-profile[username='$USER']</path>
        <access-operations>create read update delete</access-operations>
        <action>permit</action>
      </rule>
    </rule-list>
  </nacm>
</config>
ROGAGLIA-M-M0VW:simple-mpls-vpn rogaglia$
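
An added example, not part of the thread and not Cisco's code: a Python check that reads a netsim device's aaa_init.xml and reports whether an authgroup's remote name and password can log in, plus which accounts still use their own name as the password. It assumes a `$0$` prefix marks a cleartext value, which is consistent with admin/admin working in this thread; the function names and the trimmed sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"aaa": "http://tail-f.com/ns/aaa/1.1",
      "nacm": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}

# Constructed sample: a trimmed aaa_init.xml in the same shape as the file above.
SAMPLE = """<config xmlns="http://tail-f.com/ns/config/1.0">
  <aaa xmlns="http://tail-f.com/ns/aaa/1.1">
    <authentication><users>
      <user><name>admin</name><password>$0$admin</password></user>
      <user><name>oper</name><password>$0$oper</password></user>
    </users></authentication>
  </aaa>
  <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
    <groups>
      <group><name>admin</name><user-name>admin</user-name></group>
      <group><name>oper</name><user-name>oper</user-name></group>
    </groups>
  </nacm>
</config>"""

def load_users(xml_text):
    """Return {name: {"password": str, "cleartext": bool, "groups": [...]}}."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iterfind(".//aaa:users/aaa:user", NS):
        pw = u.findtext("aaa:password", default="", namespaces=NS)
        users[u.findtext("aaa:name", namespaces=NS)] = {
            "password": pw, "cleartext": pw.startswith("$0$"), "groups": []}
    for g in root.iterfind(".//nacm:groups/nacm:group", NS):
        gname = g.findtext("nacm:name", namespaces=NS)
        for member in g.iterfind("nacm:user-name", NS):
            if member.text in users:
                users[member.text]["groups"].append(gname)
    return users

def check_authgroup(users, remote_name, remote_password):
    """Classify an authgroup mapping against the device's own AAA users."""
    user = users.get(remote_name)
    if user is None:
        return "unknown-user"
    if not user["cleartext"]:
        return "hashed-cannot-compare"  # stored as a digest, not checked offline
    return "match" if user["password"][3:] == remote_password else "bad-password"

def weak_defaults(users):
    """Names of users whose cleartext password equals their own user name."""
    return sorted(n for n, u in users.items()
                  if u["cleartext"] and u["password"][3:] == n)
```

Run against a real device directory by passing the contents of `netsim/<network>/<device>/cdb/aaa_init.xml` to `load_users`; the same listing is worth reviewing before a netsim host is reachable from outside a lab network.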


Hi Roque,

It sounds fully logical ... after this explanation and indeed I hadn't spotted that...

I simply changed to :

admin@ncs% set devices authgroups group default default-map remote-name admin remote-password admin

(commit)

and I can now connect.

Many thanks !

Thanks. Helped a lot.