Open nullpointer28 opened 2 years ago
Hi Arne, First of all, thanks a lot for your feedback! I'm glad you like it.
This is strange, as I am looking for either "source template XXXXX" or "dot1x pae authenticator" - and should catch either.
Which switch are you using, and what version?
Here's the interface config on the Catalyst 9300 I tested it on:
interface GigabitEthernet1/0/8
switchport mode access
device-tracking attach-policy IPDT_POLICY
dot1x timeout tx-period 7
dot1x max-reauth-req 3
source template DefaultWiredDot1xClosedAuth
spanning-tree portfast
spanning-tree bpduguard enable
I am using a Cisco 9300-24P switch. My port template contains the dot1x command (I don't tend to configure the dot1x timeouts/re-auths) - I think if you parsed the output of a show derived instead of show running, then the dot1x would become visible unconditionally. The error explicitly refers to the inability to find the "dot1x" command(s).
2022-06-02 08:25:58,020: %UNICON-INFO: +++ RNOCORE01 with via 'cli': executing command 'show running-config interface GigabitEthernet1/0/20' +++
show running-config interface GigabitEthernet1/0/20
Building configuration...
Current configuration : 312 bytes
!
interface GigabitEthernet1/0/20
description Test-LAB-Laptop
switchport access vlan 600
switchport mode access
switchport nonegotiate
device-tracking attach-policy IPDT_POLICY
source template 802.1X_PORT_AUTH_TEMPLATE
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
RNOCORE01#
ERROR: No dot1x command found on 172.22.136.1.
ERROR: No dot1x command found on 172.22.136.1.
And my template is as follows
template 802.1X_PORT_AUTH_TEMPLATE
dot1x pae authenticator
mab
access-session control-direction in
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PORT-AUTH-POLICY
Let's try and test the parsing. In backend.py at line 752, can you kindly add:
pp(50*"*")
pp(interface_config)
pp(50*"*")
and then try bypassing an interface. This will print us the parsed data of the interface's configuration.
I am leveraging pyATS for the parsing, and it never failed me before.
Hello,
here are the debugs after adding those three commands
2022-06-06 06:36:12,857: %UNICON-INFO: +++ RNOCORE01 with via 'cli': configure +++
config term
Enter configuration commands, one per line. End with CNTL/Z.
RNOCORE01(config)#no logging console
RNOCORE01(config)#line console 0
RNOCORE01(config-line)#exec-timeout 0
RNOCORE01(config-line)#end
RNOCORE01#
2022-06-06 06:36:13,545: %UNICON-INFO: +++ RNOCORE01 with via 'cli': executing command 'show running-config interface GigabitEthernet1/0/20' +++
show running-config interface GigabitEthernet1/0/20
Building configuration...
Current configuration : 312 bytes
!
interface GigabitEthernet1/0/20
description Test-LAB-Laptop
switchport access vlan 600
switchport mode access
switchport nonegotiate
device-tracking attach-policy IPDT_POLICY
source template 802.1X_PORT_AUTH_TEMPLATE
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
RNOCORE01#
**************************************************
{
'interfaces': {
'GigabitEthernet1/0/20': {
'description': 'Test-LAB-Laptop',
'switchport_access_vlan': '600',
'switchport_mode': 'access',
'switchport_nonegotiate': 'nonegotiate',
'device_tracking_attach_policy': 'IPDT_POLICY',
'spanning_tree_portfast': True,
'spanning_tree_bpduguard': 'enable'
}
}
}
**************************************************
ERROR: No dot1x command found on 172.22.136.1.
ERROR: No dot1x command found on 172.22.136.1.
127.0.0.1 - - [06/Jun/2022 06:36:14] "GET /portAction?ip_address=172.22.136.1&interface=GigabitEthernet1/0/20&action=bypass HTTP/1.1" 200 -
Thank you.
It seems like the dot (.) in the template's name is not appreciated by the Regex argument in the pyATS parser.
Let me work on it.
Submitted a pull request for the pyATS/Genie parsers.
This issue will be resolved once I have the time to get the pyATS PR approved.
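The failure mode diagnosed above, as an added example that is not part of the original thread and not code from Vanilla-ISE or pyATS/Genie: a template-name pattern that stops at the dot loses the `source template` line, and a port whose dot1x command lives in the template then looks unprotected. `NARROW` is a hypothetical stand-in (the actual parser regex is not shown in this thread), and the sample configs, the indentation they assume, and all function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the interface and template output in this thread.
INTERFACE_CFG = """\
interface GigabitEthernet1/0/20
 switchport mode access
 source template 802.1X_PORT_AUTH_TEMPLATE
 spanning-tree portfast
"""
TEMPLATES_CFG = """\
template 802.1X_PORT_AUTH_TEMPLATE
 dot1x pae authenticator
 mab
 access-session port-control auto
!
template PLAIN_ACCESS
 switchport mode access
"""

# Hypothetical too-narrow pattern: \w excludes '.', so the match fails at the
# dot in "802.1X_..." and the whole line is missing from the parsed result.
NARROW = re.compile(r"^\s*source template (?P<name>\w+)$", re.M)
# Permissive alternative: the name is whatever non-whitespace follows the keyword.
PERMISSIVE = re.compile(r"^\s*source template (?P<name>\S+)\s*$", re.M)
DOT1X = re.compile(r"^\s*dot1x pae authenticator\s*$", re.M)

def template_name(interface_cfg, pattern=PERMISSIVE):
    """Return the sourced template name, or None if the pattern finds none."""
    m = pattern.search(interface_cfg)
    return m.group("name") if m else None

def template_body(templates_cfg, name):
    """Return the indented lines under 'template <name>'."""
    body, inside = [], False
    for line in templates_cfg.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"template {name}"
        elif inside:
            body.append(line)
    return "\n".join(body)

def dot1x_enabled(interface_cfg, templates_cfg):
    """True if dot1x is set on the port directly or through its sourced template."""
    if DOT1X.search(interface_cfg):
        return True
    name = template_name(interface_cfg)
    return bool(name and DOT1X.search(template_body(templates_cfg, name)))
```

Checking the template body as well as the interface lines covers the case raised in this issue, where `show running-config interface` never lists the dot1x command itself.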
Thank you. Looking forward to that. I got inspired again after watching your CiscoLive 2023 Las Vegas DEVNET-2106 session.
Thank you very much!
On Tue, Aug 1, 2023 at 4:54 PM Arne Bier @.***> wrote:
Thank you. Looking forward to that. I got inspired again after watching your CiscoLive 2023 Las Vegas DEVNET-2106 session.
Hello there,
I love this tool - used it for the first time ever. I noticed a small bug that you can fix very easily. I used interface templates, which is a very common thing in IOS switches. Essentially the template is a collection of commands, and in the interface of the port you reference the template with the command "source template name_of_template". This is handy because it reduces the lines in the running config for large switches and it's more flexible/modular. Sadly it breaks your tool when I right-click on a port and try to bypass the 802.1X. The error message is "An error has occurred. (Details: ERROR: No dot1x command found on 172.22.136.1.)". The reason is that the show run doesn't show the command "dot1x pae authenticator" - it's hidden from show run. You should update your command to be more generic - show derived-config interface xyx
cheers Arne