special chars in TACACS passwords

Unanswered Question
Feb 6th, 2007

Do special chars such as $ or ! present a problem for CiscoWorks LMS 2.2 (RME 3.5)? After Export to File as csv, I see ! is used internally by CWK in "!{[NOVALUE]}!" and the $ sign is escaped like this: "\$". Do these special chars get presented correctly to TACACS, or is Cisco Secure ACS having trouble with them too?

Overall Rating: 4.7 (3 ratings)
David Stanford Tue, 02/06/2007 - 07:54

Not sure about ACS, but LMS usually doesn't like special characters like $, !, or @ in its passwords or comm strings. It's better to stick to alpha-numeric.

yjdabear Tue, 02/06/2007 - 09:13

Is there any way to turn on debug to see how exactly RME NetConfig is conversing with the device? I have another NetConfig job that claims it couldn't get the telnet prompt, even though I got the prompt fine telnetting to it manually.

David Stanford Tue, 02/06/2007 - 10:40

You can enable debugging for Netconfig - Netconfig Client under Loglevel settings and then have a look at the netconfigclient.log.

A packet capture while the netconfig job is running is also a useful tool.

If it can't get the telnet prompt then it won't even attempt to send a password and will timeout.

Are your telnet prompts custom or do they have any whitespace like:

Username :

yjdabear Tue, 02/06/2007 - 10:45

I'm running LMS 2.2 RME 3.5 here. I believe those debug options/logfile are for LMS 2.5 or higher. I think there's a config file that needs to be modified for debug in LMS 2.2. Is this correct?

The telnet prompt is the default, I believe:

cat6509idf>

This prompt problem only happens with the two CatOS devices attempted.

yjdabear Tue, 02/06/2007 - 11:53

Yup, getting rid of the ! and $ got CWK auth'ing to TACACS successfully again.

Still need to figure out the telnet prompt issue though.

David Stanford Tue, 02/06/2007 - 19:07

To enable debugs for RME 3.5 do the following:

Turning on the debugs:
-----------------------

* ConfigArchive (Used by NetConfig to view device configurations)

Change the DebugLevel parameter to 5 in
\cscopx\www\classpath\com\cisco\nm\config\archive\config.properties

Edit the config.properties file to read DEBUG_LEVEL=5

* NetConfig, MakerChecker, ConfigCategory:

Change the DebugLevel parameter in
\cscopx\www\classpath\com\cisco\nm\cmf\debug.properties

Just change the line "NetConfig=1" to "NetConfig=5".

* Change the CDLDebugLevel parameter to 5 in
\CSCOpx\www\classpath\com\cisco\nm\config\cjm\downloader\downloader.properties

CDLDebugLevel=1 to CDLDebugLevel=5

Restart the ChangeAudit & JRunProxyServer processes.

You will need to restart/refresh the browser window before running the NetConfig job. Now run the NetConfig Job.

Look at the following log files for info:

1) ..\CSCOpx\lib\jrun\jsm-cw2000\logs\stdout.log
2) ..\CSCOpx\lib\jrun\jsm-cw2000\logs\stderr.log

NetConfig jobs logs as well:

3) ../CSCOpx/files/jobs/config/

Remember to turn off debugs.
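An added helper (not from David's post or from CiscoWorks) that makes the debug-level edits above reversible: it keeps a one-time backup of each .properties file so the last step, turning the debugs back off, is a single call. It assumes plain KEY=VALUE lines and uses the key names from the post; the demo runs on constructed copies, not the real files under CSCOpx\www\classpath.

```shell
#!/bin/sh
# set_prop FILE KEY VALUE: set "KEY=VALUE" in a Java-style .properties file,
# replacing an existing line or appending if the key is absent. The first
# call on a file saves FILE.predebug so the original level can be restored.
set_prop() {
  file=$1 key=$2 value=$3
  [ -f "$file.predebug" ] || cp "$file" "$file.predebug"
  if grep -q "^$key=" "$file"; then
    sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

# get_prop FILE KEY: print the current value of KEY (empty if unset).
get_prop() {
  sed -n "s|^$2=||p" "$1"
}

# restore_prop FILE: put the pre-debug copy back (the "turn off debugs" step).
restore_prop() {
  [ -f "$1.predebug" ] && mv "$1.predebug" "$1"
}

# Demo on constructed copies of the two files named in the post.
demo() {
  d=$(mktemp -d)
  printf 'NetConfig=1\nMakerChecker=1\n' > "$d/debug.properties"
  printf 'CDLDebugLevel=1\n' > "$d/downloader.properties"
  set_prop "$d/debug.properties" NetConfig 5
  set_prop "$d/downloader.properties" CDLDebugLevel 5
  a=$(get_prop "$d/debug.properties" NetConfig)         # 5
  b=$(get_prop "$d/downloader.properties" CDLDebugLevel) # 5
  restore_prop "$d/debug.properties"
  c=$(get_prop "$d/debug.properties" NetConfig)         # back to 1
  rm -rf "$d"
  echo "$a $b $c"   # 5 5 1
}
```

Run the real edits against the paths from the post, then call restore_prop on each file once the NetConfig job has been debugged.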

yjdabear Wed, 02/07/2007 - 08:23

It doesn't seem like JRunProxyServer can be stopped/started. It does not appear in the dropdown list of processes in Stop Process, although I do see it running in Process Status.

yjdabear Wed, 02/07/2007 - 08:53

Well, I tricked the JRunProxyServer into restarting by updating a few CiscoView device support packages.

But... NetConfig whines in the /var/adm/CSCOpx/files/jobs/config//log:

CDL:writeResultsToFile: /var/adm/CSCOpx/files/jobs/config/1104/results.20070207113503.txt with error: Job failed: Error: PGM_NM=Configuration Archive:6413:TYPE=unassigned message type::Change Audit process not running.

Cause: PGM_NM=Configuration Archive:6414:TYPE=unassigned message type::The Change Audit process has to be running to do the operation.

Action: Start the Change Audit process.

CDL:writeResultsToFile: got resultsFile

CDL:writeResultsToFile: num of devices: 2

CDL:writeResultsToFile: currDeviceIdx = 0

CDL:writeResultsToFile: currDeviceIdx = 1

CDL:writeResultsToFile: Wrote Results file

CDL:doEncaseLogging: Finished Downloading Job 1104: EDT-CATOS test (Owner=admin)

NMCS:Inserted row #176869 into CAS_LOG

***********************

I had forgotten to restart ChangeAudit before running a previous NetConfig job, but I had started ChangeAudit before running this particular job. I verified it's running.

In NetConfig Job Details, I find one device was updated successfully (which also failed with the telnet prompt yesterday), another one failed again, not because of ChangeAudit not running or telnet prompt:

***********************

<<< Update Failed (1) >>>

*** Device Details for cat6509idf1***Transport==>Telnet***

Device failed during update.

===> Update Result: failed

Error: PGM_NM=Configuration Archive:6377:TYPE=unassigned message type::Resource /var/adm/CSCOpx/files/archive/config/831/20070206113037running.cfg was checked by another user under application Function Id:302 - Config Editor

Cause: PGM_NM=Configuration Archive:6378:TYPE=unassigned message type::The resource was already checked out.

Action: Only one user can checkout a resource.

Error: PGM_NM=Configuration Archive:6377:TYPE=unassigned message type::Resource /var/adm/CSCOpx/files/archive/config/831/20070206113037running.cfg was checked by another user under application Function Id:302 - Config Editor

Cause: PGM_NM=Configuration Archive:6378:TYPE=unassigned message type::The resource was already checked out.

Action: Only one user can checkout a resource.

- CLI Output -

Seems it's because I had tried to have Config Editor update this switch's config yesterday. I don't see any obvious way to release the "checkout" on this switch. Several earlier NetConfig jobs against this switch failed with the same error.

/opt/CSCOpx/objects/jrun/jsm-cw2000/logs/stdout.log is full of Java exceptions about the SMTP server.

The last entry in /opt/CSCOpx/objects/jrun/jsm-cw2000/logs/stderr.log is from 9/1/2005.

yjdabear Wed, 02/07/2007 - 12:35

I found the List Checked out Files option but Undo Checkout just closed the window without unlocking the devices.

Anand S Wed, 02/07/2007 - 00:55

Even Cisco ACS also doesn't accept those special characters, because I have Cisco ACS 4.1 installed in the organization.

yjdabear Wed, 02/07/2007 - 05:53

That's interesting. I was able to log in to the TACACS-enabled devices manually using those passwords with ! and $ in them. We have some version of Cisco Secure 3.x.
