obrigg / Vanilla-ISE

Vanilla ISE is a lightweight, simplified UI for operating Cisco's Identity Services Engine (Cisco ISE)

dot1x not found because show running-config used instead of show derived-config #6

Open nullpointer28 opened 2 years ago

nullpointer28 commented 2 years ago

Hello there,

I love this tool - used it for the first time ever. I noticed a small bug that you can fix very easily. I used interface templates which is a very common thing in IOS switches. Essentially the template is a collection of commands and in the interface of the port you reference the template with the command "source template name_of_template". This is handy because it reduces the lines in the running config for large switches and it's more flexible/modular. Sadly it breaks your tool. When I right-click on a port and try to bypass the 802.1X, the error message is " An error has occurred. (Details: ERROR: No dot1x command found on 172.22.136.1.) ". The reason is that the show run doesn't show the command "dot1x pae authenticator" - it's hidden from show run. You should update your command to be more generic - show derived-config interface xyx

RNOCORE01#show run int gi 1/0/22
Building configuration...

Current configuration : 327 bytes
!
interface GigabitEthernet1/0/22
 description Arne's Raspberry Pi NAC client
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT_POLICY
 source template 802.1X_PORT_AUTH_TEMPLATE
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

RNOCORE01#show derived-config interface gig 1/0/22
Building configuration...

Derived configuration : 511 bytes
!
interface GigabitEthernet1/0/22
 description Arne's Raspberry Pi NAC client
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT_POLICY
 authentication periodic
 authentication timer reauthenticate server
 access-session control-direction in
 access-session port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
 service-policy type control subscriber PORT-AUTH-POLICY
end

cheers Arne

obrigg commented 2 years ago

Hi Arne, First of all, thanks a lot for your feedback! I'm glad you like it.

This is strange, as I am looking for either "source template XXXXX" or "dot1x pae authenticator" - and should catch either. Which switch are you using, and what version?

Here's the interface config on the Catalyst 9300 I tested it on:

interface GigabitEthernet1/0/8
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
 spanning-tree bpduguard enable

nullpointer28 commented 2 years ago

I am using a Cisco 9300-24P switch. My port template contains the dot1x command (I don't tend to configure the dot1x timeouts/re-auths) - I think if you parsed the output of a show derived instead of show running, then the dot1x would become visible unconditionally. The error explicitly refers to the inability to find the "dot1x" command(s).

2022-06-02 08:25:58,020: %UNICON-INFO: +++ RNOCORE01 with via 'cli': executing command 'show running-config interface GigabitEthernet1/0/20' +++
show running-config interface GigabitEthernet1/0/20
Building configuration...

Current configuration : 312 bytes
!
interface GigabitEthernet1/0/20
 description Test-LAB-Laptop
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT_POLICY
 source template 802.1X_PORT_AUTH_TEMPLATE
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

RNOCORE01#
ERROR: No dot1x command found on 172.22.136.1.
ERROR: No dot1x command found on 172.22.136.1.

And my template is as follows:

template 802.1X_PORT_AUTH_TEMPLATE
 dot1x pae authenticator
 mab
 access-session control-direction in
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PORT-AUTH-POLICY

obrigg commented 2 years ago

Let's try and test the parsing. In backend.py at line 752, can you kindly add:

pp(50*"*")
pp(interface_config)
pp(50*"*")

and then try bypassing an interface. This will print us the parsed data of the interface's configuration.

I am leveraging pyATS for the parsing, and it never failed me before.

nullpointer28 commented 2 years ago

Hello,

Here are the debugs after adding those three commands.

2022-06-06 06:36:12,857: %UNICON-INFO: +++ RNOCORE01 with via 'cli': configure +++
config term
Enter configuration commands, one per line.  End with CNTL/Z.
RNOCORE01(config)#no logging console
RNOCORE01(config)#line console 0
RNOCORE01(config-line)#exec-timeout 0
RNOCORE01(config-line)#end
RNOCORE01#

2022-06-06 06:36:13,545: %UNICON-INFO: +++ RNOCORE01 with via 'cli': executing command 'show running-config interface GigabitEthernet1/0/20' +++
show running-config interface GigabitEthernet1/0/20
Building configuration...

Current configuration : 312 bytes
!
interface GigabitEthernet1/0/20
 description Test-LAB-Laptop
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT_POLICY
 source template 802.1X_PORT_AUTH_TEMPLATE
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
end

RNOCORE01#
**************************************************
{
    'interfaces': {
        'GigabitEthernet1/0/20': {
            'description': 'Test-LAB-Laptop',
            'switchport_access_vlan': '600',
            'switchport_mode': 'access',
            'switchport_nonegotiate': 'nonegotiate',
            'device_tracking_attach_policy': 'IPDT_POLICY',
            'spanning_tree_portfast': True,
            'spanning_tree_bpduguard': 'enable'
        }
    }
}
**************************************************
ERROR: No dot1x command found on 172.22.136.1.
ERROR: No dot1x command found on 172.22.136.1.
127.0.0.1 - - [06/Jun/2022 06:36:14] "GET /portAction?ip_address=172.22.136.1&interface=GigabitEthernet1/0/20&action=bypass HTTP/1.1" 200 -

obrigg commented 2 years ago

Thank you. It seems like the dot (.) in the template's name is not appreciated by the Regex argument in the pyATS parser. Let me work on it.
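
Added example (not code from Vanilla-ISE or from pyATS/Genie): a small stand-alone parser that illustrates the two points raised in this thread. It expands `source template NAME` with the template body, the way `show derived-config` does on the switch, and it matches template names as any run of non-whitespace so a name containing a dot such as `802.1X_PORT_AUTH_TEMPLATE` is not dropped. The sample configurations are constructed from the outputs quoted above, not captured from a device; the function names and the `dot1x_source` return values are my own choices. A tool that reports whether a port enforces 802.1X can use the expanded command list to avoid the false "No dot1x command found" result.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the "show running-config" and template
# output quoted in this issue. Not captured from a real device.
SAMPLE_TEMPLATES = """\
template 802.1X_PORT_AUTH_TEMPLATE
 dot1x pae authenticator
 mab
 access-session control-direction in
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PORT-AUTH-POLICY
!
template PRINTER_TEMPLATE
 switchport access vlan 700
!
"""

SAMPLE_RUNNING = """\
Building configuration...

Current configuration : 312 bytes
!
interface GigabitEthernet1/0/20
 description Test-LAB-Laptop
 switchport access vlan 600
 switchport mode access
 switchport nonegotiate
 device-tracking attach-policy IPDT_POLICY
 source template 802.1X_PORT_AUTH_TEMPLATE
 spanning-tree portfast
 spanning-tree bpduguard enable
end
"""

# Template names may contain dots (e.g. 802.1X_...), so match \S+ rather than \w+.
TEMPLATE_HDR = re.compile(r"^template (\S+)\s*$")
INTERFACE_HDR = re.compile(r"^interface (\S+)\s*$")
SOURCE_TEMPLATE = re.compile(r"^source template (\S+)\s*$")

DOT1X_CMD = "dot1x pae authenticator"


def _blocks(text: str, header_re: re.Pattern) -> Dict[str, List[str]]:
    """Split IOS-style config into {block name: [child commands]}.

    A block starts at a line matching header_re and ends at the first
    non-indented line ('!' or 'end'). Child commands are stripped of indent.
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = header_re.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
            continue
        if current is None:
            continue
        if line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or 'end' closes the block
    return blocks


def parse_templates(text: str) -> Dict[str, List[str]]:
    """Parse 'show running-config | section template' style output."""
    return _blocks(text, TEMPLATE_HDR)


def parse_interfaces(text: str) -> Dict[str, List[str]]:
    """Parse 'show running-config interface X' style output."""
    return _blocks(text, INTERFACE_HDR)


def effective_commands(iface_cmds: List[str], templates: Dict[str, List[str]]) -> List[str]:
    """Expand every 'source template NAME' in place, like 'show derived-config'."""
    out: List[str] = []
    for cmd in iface_cmds:
        m = SOURCE_TEMPLATE.match(cmd)
        if m:
            name = m.group(1)
            if name not in templates:
                raise KeyError(f"template {name!r} referenced but not defined")
            out.extend(templates[name])
        else:
            out.append(cmd)
    return out


def dot1x_source(iface_cmds: List[str], templates: Dict[str, List[str]]) -> Optional[str]:
    """Where does the port get 'dot1x pae authenticator' from?

    Returns 'interface' if configured directly on the port, 'template' if it
    only appears after template expansion, or None if the port has no dot1x.
    """
    if DOT1X_CMD in iface_cmds:
        return "interface"
    if DOT1X_CMD in effective_commands(iface_cmds, templates):
        return "template"
    return None


if __name__ == "__main__":
    templates = parse_templates(SAMPLE_TEMPLATES)
    port = parse_interfaces(SAMPLE_RUNNING)["GigabitEthernet1/0/20"]
    print("templates found:", sorted(templates))
    print("dot1x source for Gi1/0/20:", dot1x_source(port, templates))
```

Running the block on the constructed sample reports the template with the dot in its name and classifies Gi1/0/20 as getting its dot1x configuration from the template; a port that carries neither the command nor a template reference returns None, which is the condition the error message in this thread should actually be reserved for.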

obrigg commented 2 years ago

Submitted a pull request for the pyATS/Genie parsers.

obrigg commented 1 year ago

This issue will be resolved once I have the time to get the pyATS PR approved.

nullpointer28 commented 1 year ago

Thank you. Looking forward to that. I got inspired again after watching your CiscoLive 2023 Las Vegas DEVNET-2106 session.

obrigg commented 1 year ago

Thank you very much!
