search

napalm-automation / napalm-ios

Apache License 2.0
31 stars 40 forks source link

Is AAA (TACACS) Supported? Not able to login nor test. #216

Closed foats closed 7 years ago

foats commented 7 years ago

Description of Issue/Question

Did you follow the steps from https://github.com/napalm-automation/napalm#faq

Setup

napalm-ios version

(Paste verbatim output from pip freeze | grep napalm-ios between quotes below)

napalm-ios==0.8.1

IOS version

(Paste verbatim output from show version between quotes below)

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

400USW04003 uptime is 1 year, 10 weeks, 4 days, 20 hours, 58 minutes
System returned to ROM by power-on
System restarted at 16:20:06 UTC Fri Aug 5 2016
System image file is "flash:c3750-ipservicesk9-mz.122-55.SE10.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C3750-48P (PowerPC405) processor (revision J0) with 131072K bytes of memory.
Processor board ID CAT1050ZHJ0
Last reset from power-on
5 Virtual Ethernet interfaces
48 FastEthernet interfaces
4 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 00:1A:A1:4A:7A:80
Motherboard assembly number     : 73-9675-11
Power supply part number        : 341-0029-05
Motherboard serial number       : CAT1050535L
Power supply serial number      : LIT104201TJ
Model revision number           : J0
Motherboard revision number     : A0
Model number                    : WS-C3750-48PS-S
System serial number            : CAT1050ZHJ0
SFP Module assembly part number : 73-7757-03
SFP Module revision Number      : A0
SFP Module serial number        : CAT10495J1F
Top Assembly Part Number        : 800-25858-03
Top Assembly Revision Number    : G0
Version ID                      : V05
CLEI Code Number                : COM1W00ARB
Hardware Board Revision Number  : 0x01

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C3750-48P       12.2(55)SE10          C3750-IPSERVICESK9-M

Configuration register is 0xF

Steps to Reproduce the Issue

Error Traceback

(Paste the complete traceback of the exception between quotes below)

cl_napalm_test --vendor ios --user jloatman --password <pass-with-special-char> --debug 400usw04003
/usr/lib/python2.7/site-packages/napalm_base/clitools/helpers.py:24: DeprecationWarning: This tool has been deprecated, please use `napalm` instead

  DeprecationWarning)
2017-10-19 06:21:17,426 - cl_napalm_test.py - DEBUG - Getting driver for OS "ios"
2017-10-19 06:21:17,512 - cl_napalm_test.py - DEBUG - Connecting to device "400usw04003" with user "jloatman" and optional_args={}
Traceback (most recent call last):
  File "/bin/cl_napalm_test", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/napalm_base/clitools/cl_napalm_test.py", line 41, in main
    optional_args=optional_args) as device:
  File "/usr/lib/python2.7/site-packages/napalm_base/base.py", line 47, in __enter__
    self.open()
  File "/usr/lib/python2.7/site-packages/napalm_ios/ios.py", line 140, in open
    **self.netmiko_optional_args)
  File "/usr/lib/python2.7/site-packages/netmiko/ssh_dispatcher.py", line 131, in ConnectHandler
    return ConnectionClass(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/netmiko/base_connection.py", line 151, in __init__
    self.establish_connection()
  File "/usr/lib/python2.7/site-packages/netmiko/base_connection.py", line 541, in establish_connection
    raise NetMikoAuthenticationException(msg)
netmiko.ssh_exception.NetMikoAuthenticationException: Authentication failure: unable to connect cisco_ios 400usw04003:22
Authentication failed.

This switch uses TACACS - I can login fine, password is not wrong - I even tested netmiko script below from netmiko import ConnectHandler

cisco_3750 = {'device_type': 'cisco_ios', 'ip': '25.4.232.9', 'username': 'jloatman', 'password': '', 'port': 22,}

net_connect = ConnectHandler(**cisco_3750)

output = net_connect.send_command('show ip int brief') print(output)

ktbyers commented 7 years ago

@foats Can you show me what a manual CLI session looks like (I want to see how the login interaction looks like)?

Obviously just remove/hide the password.

So the Netmiko login works fine?

Kirk

foats commented 7 years ago

$ssh 400usw04003 password: 400USW04003>en password: 400USW04003#

Is this what you are looking for? It might not even be AAA could just be the fact that I have to got to enable mode separately, this works fine for me on my other switch that has no AAA and just a priv 15 user configured.

So netmiko technically doesn't work! Just checked with a show run command, Netmiko is not going into enable mode.

ktbyers commented 7 years ago

@foats This error indicates it failed authentication i.e. didn't successfully SSH in:

netmiko.ssh_exception.NetMikoAuthenticationException: Authentication failure: unable to connect cisco_ios 400usw04003:22
Authentication failed.

I see you said:

--password <pass-with-special-char>

I don't know what special character means but did you single quote this entire string?

--password '<pass-with-special-char>'

(with the assumption that you have no single quotes in your password).

You will also need to pass the secret as an optional argument.

Your code should look something like this:

#!/usr/bin/env python
from getpass import getpass

from napalm_base import get_network_driver

ip_addr = '10.10.10.10'
username = 'admin'
password = getpass()
optional_args = {}
optional_args['secret'] = getpass("Enter your secret: ")

driver = get_network_driver('ios')
device = driver(ip_addr, username, password, optional_args=optional_args)

print(">>>Test device open")
device.open()

print(">>>Test get facts")
device_facts = device.get_facts()
print(device_facts)
mirceaulinic commented 7 years ago

Hi @foats - we are currently in the process of reunification, please check https://napalm-automation.net/reunification/. For the time being, we have moved this issue to https://github.com/napalm-automation/napalm/issues/472 so we can discuss further. Going forward, we'd like to ask you to submit Pull Requests and Issues to the main repository: https://github.com/napalm-automation/napalm

Thanks for understanding!