Couldnot enter ENABLE Mode from USER Mode on Device

lvravikrishna · ‎07-27-2010

Hi All,

I am facing a problem while performing Sync Archive jobs from RME 4.3.1. The following are the details:

All the devices are integrated with CACS 5.0.

In common services -- Device and Credentials i configured the username/password and enable password. The username is already in CACS 5.0 for cli administration of the devices.

I am getting the following error while performing Sync Archive Job

Protocol ==> Unknown / Not Applicable

Selected Protocols with order ==> SSH,RCP,HTTPS

Execution Result:

RUNNING

CM0151 PRIMARY RUNNING Config fetch failed for RO-DISTRIBUTION2-4900 Cause: Couldnot enter ENABLE Mode from USER Mode on Device.

Failed to fetch config using RCP.Verify RCP is enabled or not.

Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.

VLAN

CM0151 VLAN RUNNING Config fetch failed for RO-DISTRIBUTION2-4900 Cause: Couldnot enter ENABLE Mode from USER Mode on Device.

VLAN Config fetch is not supported using RCP.

Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.

Please let me know, if i need to do any changes in the CLMS for Archiving the configuration while authenticating through TACACS.

Thanks,

Ravi

Martin Ermel · ‎07-27-2010

do you get that failure for all devices ?
double-check the credentials in DCR (the best would be to export the credentials to csv)
you can also enable ArchiveMgmt debugging to get more details: RME > Admin > System Preferences > Application Loglevel Settings (logs will be in dcmaservice.log)
also BugId CSCsu21040 could be the reason for this failure

CSCsu21040 Bug Details
Enable authentication prompts for username/password instead of just pass
Symptom:

With enable authentication configured, the router/switch prompts for both username and password instead of just password.

Conditions:

This problem has been seen on IOS 12.2(33)SXH3.

lvravikrishna · ‎07-28-2010

Hi mermel,

Thanks for your response.

With local authentication i could able to Archive the files without any problem. After integrating the devices with CACS 5.0 i am facing this issue. I just enabled the debug and attaching the file for your reference.

Thanks,

Ravi

Martin Ermel · ‎07-28-2010

RME definitely cannot enter privilege 15 level on the device and thus fails to get the config.
Have you verified the credentials for this device? You can do this in Common Services > Device and Credentials > Device Management go to Export, select the device, check-in to export the credentials and get them into an csv file.

Also, how does the prompt changes when you login "manually" with this user?

Which version of RME do you have? Have you installed all the latest device packages for CS and RME?

lvravikrishna · ‎07-28-2010

The device credentials are correct. I could manually login into the switch using them.

I checked the Device and Credentials by exporting them into CSV file and looks fine. I am using SSH as a transport protocol.

The following Prompt appears when i login manually

RO-1-3560>en

password:

RO-1-3560#

RME Version 4.3.1 and CS Version is 3.3.0 and this was updated with latest device packages.

Thanks,

Ravi

Martin Ermel · ‎07-28-2010

does this user have command authorization enabled or does it have a special privilege level after login?

lvravikrishna · ‎07-28-2010

The user has privilege level 15 after enable authentication. The problem i could not understand here is; with the same username and password i could able to login manually for CLI access to the device.

I integrate the CLMS with ACS in Non-ACS mode with Login module as TACACS+.. does it make any difference. And the other observation i had is, CLMS is not sending any username (which is configured under the device credentials) to the switch. I observed this by enabling debug aaa authentication on the device. Attached is the log for reference...i could not find any username coming my CLMS server which is 10.10.20.50.

And do we have any document that explains integration of CLMS with CACS 5.0? I tried on the internet but could not get any good document.

Thanks,

Ravi

Martin Ermel · ‎07-29-2010

looking at the debug I see that you are trying to contact the device from another source (10.1.15.28) not from the LMS server (10.10.20.50). Is there an access-list or a firewall between the device and the LMS server?

Go to RME > Devices > Device Management > Device Credential Verification Jobs
and create a new job to test connectivity from LMS to the device
Alternatively you can check the communication from Device Center > Tools > Management Station to Device, check-in SSH and select version 2 and click OK

lvravikrishna · ‎07-29-2010

There is no firewall/access-list between the LMS server and the ACS. However i added command set authorization under access policies in acs and added command sets in rules and i could notice authentication is getting failed in the debug output when i schedule a job from CLMS...but as i told earlier i could login into the device manually using the same credentials.

Attached is the debug output for your reference..please let me know if i need to add something.

SSH test RME is getting successful on all the devices.

Martin Ermel · ‎07-30-2010

does the ACS has anything in its log that could help?

Sorry, but I will be out the next 3 weeks and cannot follow-up ...

rosenhan · ‎11-23-2010

You need to check ACS authorization profiles and verify that the username you are using in ACS has the correct command auth set assigned to it. We had the same problem, it was fixed when we added the following:

Cisco ACS 5.2: Policy elements->Authorization and Permissions->Device Administration->Command Sets. In here create a command set that permits all commands, we just checked the box that said "Permit any command that is not in the table below" when we created this command auth set. After you create this command set you will need to apply it to the access policy for the user you have assigned to Cisco Works in ACS: go to Access Policies->Default Device Admin->Authorization. In here you will need to either add the user and assign the command set to it or you can add the group the user is in and assign the command set to it. We had to use the "Customize" button at the bottom and add the "Command Sets" column.

Let me know if this worked.

David

rosenhan · ‎01-14-2011

Replying directly to the user who opened the question this time:

You need to check ACS authorization profiles and verify that the username you are using in ACS has the correct command auth set assigned to it. We had the same problem, it was fixed when we added the following:

Cisco ACS 5.2: Policy elements->Authorization and Permissions->Device Administration->Command Sets. In here create a command set that permits all commands, we just checked the box that said "Permit any command that is not in the table below" when we created this command auth set. After you create this command set you will need to apply it to the access policy for the user you have assigned to Cisco Works in ACS: go to Access Policies->Default Device Admin->Authorization. In here you will need to either add the user and assign the command set to it or you can add the group the user is in and assign the command set to it. We had to use the "Customize" button at the bottom and add the "Command Sets" column.

Let me know if this worked.

David