04-13-2009 06:15 PM
Hi,
When I have AAA enabled for authentication pointing to my ACS server for domain authentication, the EEM with TCL scripts will not perform. If I configure my routers to utilize local authentication, the scripts successfully execute the commands. Any ideas?
07-06-2009 10:33 AM
I think I see the problem. It IS with EEM. The bug is CSCsz70112. It has to do with the way the prompt handling code works in EEM when AAA is used. Unfortunately, this will not be fixed in 12.4 mainline. If you upgrade to 12.4(22)T or higher, your script will work.
07-09-2009 06:33 AM
Yes. In general, all bug fixes from the previous T train roll into the next mainline.
04-13-2009 06:50 PM
Make sure you have the following command configured:
event manager session cli username USER
Where USER is a username which has access to execute the CLI commands within your EEM policy (e.g. YOUR username).
05-01-2009 12:55 AM
Jclarke, any chance you could provide a config example on this?
I've tried the exact same thing, but it still doesn't work.
Router is set up for TACACS auth, and the USER is a local router user, with priv 15.
Thx
05-01-2009 08:02 AM
The command is quite simple. If I have a user, jclarke, who is authorized to run all of the CLI commands I need to have run in my EEM policy, I would configure:
event manager session cli username jclarke
Then, every time the policy ran, it would send the username jclarke to the AAA server when requesting command authorization.
06-15-2009 05:04 AM
Thanks jclarke, I ran into the same problem. I will set up an 'AD service account' for this.
07-02-2009 10:30 AM
Sorry for the late response, I guess my anti-spam server blocked the reply. I will try this and I thank you again for the help.
PS
I took your IOS Instrumentation class today at Networkers and was very impressed with how in-depth you went into covering TCL and EEM. Thanks and I hope I'm able to come back next year.
07-02-2009 10:44 AM
07-02-2009 10:56 AM
It's taking too long to authorize the user. You need to increase the maxrun for this policy. Add the following to the end of your event registration line:
maxrun 90
That should be sufficient.
07-02-2009 11:32 AM
07-02-2009 12:08 PM
It doesn't look like the maxrun change was made properly. When you made the change, did you re-register your policy?
If you're at Networkers, come by the Technical Solutions Clinic, and I can look at this in realtime.
07-02-2009 01:35 PM
I fixed my issue by adding the username as a local user, with priv 15 on the router.
But please update this post as you come up with further findings :)
07-06-2009 09:19 AM
Joe,
Here's a copy of my event register within my TCL script:
::cisco::eem::event_register_syslog occurs 1 pattern .*BGP-5-ADJCHANGE.*Down.* maxrun 90 queue_priority low nice 1 maxrun 90
Does this look correct?
Update:
I've added my event user to the router with privilege 15 but still no log. One thing I've noticed in the Administration logs of my ACS is that the user account is entering "configure terminal" when the script launches, but I don't see anything else show up in the logs.
"07/06/2009 13:11:42 netaccount Network Admin configure terminal
Here are the latest in the errors I'm seeing.
011158: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Error reading from vty error from operating system
011141: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit
011142: Jul 6 13:11:41.494 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: Tcl policy execute failed: error reading the channel: Process Forced Exit
011143: Jul 6 13:12:14.274 EDT: %HA_EM-6-LOG: sendmail-bgp-mpls-enterprise-test.tcl: error reading the channel: Error reading from vty error from operating system
07-06-2009 09:22 AM
Right, and you wouldn't because after "config t" is sent, the script times out. The event registration line is correct, but you're most likely not reregistering the policy. Simply making the change is not enough. You need to then unregister the policy, then reregister it:
config t
no event manager policy POLICY
event manager policy POLICY
Only then will changes take effect.
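Putting the three points from this thread together (the "event manager session cli username" command, a single maxrun of 90, and re-registering the policy after editing it), here is an added example of a minimal EEM Tcl policy that is not from any poster; the policy file name, the username eem-user, the policy directory and the show command are assumptions, and the policy only writes to syslog instead of sending mail.

```tcl
# ---------------------------------------------------------------------------
# bgp-adjchange-check.tcl   (hypothetical policy name, added example)
#
# IOS-side prerequisites, entered in config mode (values are assumptions):
#   event manager directory user policy flash:/policies
#   event manager session cli username eem-user
#   event manager policy bgp-adjchange-check.tcl
#
# eem-user is the account the AAA server will authorize for every command
# this policy runs, so grant it only the commands used below.
#
# After editing this file, re-register it so the new maxrun takes effect:
#   no event manager policy bgp-adjchange-check.tcl
#   event manager policy bgp-adjchange-check.tcl
# ---------------------------------------------------------------------------

# One maxrun keyword is enough; 90 seconds leaves room for the AAA command
# authorization round trips that made the default 20 seconds time out.
::cisco::eem::event_register_syslog occurs 1 pattern ".*BGP-5-ADJCHANGE.*Down.*" maxrun 90 queue_priority low nice 1

namespace import ::cisco::eem::*
namespace import ::cisco::lib::*

# Details of the syslog message that triggered the policy.
array set einfo [event_reqinfo]

# Open a CLI session; with AAA enabled, each command sent on this channel is
# authorized as the "event manager session cli username" account.
if {[catch {cli_open} result]} {
    error $result $errorInfo
}
array set cli1 $result

# Wrap each cli_exec so an authorization failure or timeout is reported with
# the command that failed, rather than only as "error reading the channel".
foreach cmd {"enable" "show ip bgp summary"} {
    if {[catch {cli_exec $cli1(fd) $cmd} output]} {
        action_syslog priority err msg "BGP policy: '$cmd' failed: $output"
        cli_close $cli1(fd) $cli1(tty_id)
        error $output $errorInfo
    }
}

# Record the trigger and the BGP summary in the router log.
action_syslog priority info msg "BGP adjacency change seen: $einfo(msg)\n$output"

cli_close $cli1(fd) $cli1(tty_id)
```

Watching the AAA server's command authorization log while the policy runs shows exactly which command stops, which is the quickest way to tell an authorization denial from a maxrun timeout.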
07-06-2009 09:24 AM
Forgot to mention that I did re-register it with the procedure you're showing:
config t
no event manager policy POLICY
event manager policy POLICY
Still no dice.
07-06-2009 09:27 AM
Then post the latest debug log. The last log still showed the policy timing out after 20 seconds.
Also, post the output of "show event manager policy registered".