Ciscoworks Device Credential Verification

Unanswered Question

I have a Catalyst 4003 with a locauser configured and local authentication enabled as backup.  Tacacs is primary auth method.  If I perform a "Device Credential Verification" for "Telner Enable Mode Username and Password" with the Tacacs server reachable the job is "Successful" and the details are "Ok(Primary Successful)".  If I check "Fallback to Secondary Credentials" in RME and disable access to the Tacacs server, then perform the same test it tells me the job is "Successful" with the details again being "Ok(Primary Successful)".  If I perform the same check but uncheck "Fallback to Secondary Credentials" with no access to Tacacs, the job is again Successful with the details stating "Did Not Try".

I seem to be getting Successful jobs when I should have failures (the third test above).  I also would expect that for the second test it would be "Successful" and the details would say "Ok (Fallback Successful)".  I need to verify password changes but can't seem to get Ciscoworks to help with this job.

Ideas?

LMS version is 4.3.1.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Fri, 01/15/2010 - 13:41

This does not sound right.  Can you capture a sniffer trace of all telnet (tcp/23) traffic between the RME server and the device when running the Device Credential Verification job with the various configurations you describe?  This would be helpful in spotting the problem.  Unfortunately, debugging DCV via logs is not very easy to do.

If the purpose of the trace is to verify that the appropriate credentials were used between RME and the device then the log buffer on the device confirms they were.  For test 1 the tacacs acccount was used.  For test 2 the local account was used.  For test 3 nothing was tried.  It seems as if the job is working correctly.  What isn't is the info for the successful job.

If you still need to see something else from a trace let me know.  It will take me a little while since this switch isn't close.  I can attempt the same test on a switch closer to my location if necessary.

Thanks,

Jim

Joe Clarke Sat, 01/23/2010 - 09:07

I would still like to see the sniffer trace to confirm exactly what set of credentials RME is using in each test.  This will help determine if the job results really are wrong.

A bug has been filed for this issue.

Quote from e-mail:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

This bug has been filed:

CSCtf29843    Device Credential Verification Job should show Failed with Tacacs failed

Symptom:

Device Credential Verification Job should show Failed with Tacacs failed

Conditions:

Catalyst 4003 with a localuser configured and local authentication enabled as backup.  Tacacs is primary auth method.  By performing a CDA job for "Telnet

Enable Mode Username and Password" with the Tacacs server reachable the job is "Successful" and the details are "Ok(Primary Successful)".

Workaround:

none

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;} Note: This bug will be addressed part of LMS, which is planned to be released around June 2010.

My understanding is that what will be addressed is the second test that claims "OK(Primary Successful)"  which should say "OK(Secondary Successful)".

I've been told the third test which claims Successful (did not try) is by design and considered acceptable although I couldn't disagree more.

Actions

This Discussion