Blue

special chars in TACACS passwords

Do special chars such as $ or ! present a problem for CiscoWorks LMS 2.2 (RME 3.5)? After Export to File as csv, I see ! is used internally by CWK in "!{[NOVALUE]}!" and the $ sign is escaped like this: "\$". Do these special chars get presented correctly to TACACS, or is Cisco Secure ACS having trouble with them too?

11 REPLIES
Cisco Employee

Re: special chars in TACACS passwords

Not sure about ACS, but LMS usually doesn't like special characters like $, !, or @ in its passwords or comm strings. It's better to stick to alpha-numeric.

Blue

Re: special chars in TACACS passwords

Is there any way to turn on debug to see how exactly RME NetConfig is conversing with the device? I have another NetConfig job that claims it couldn't get the telnet prompt, even though I got the prompt fine telnetting to it manually.

Cisco Employee

Re: special chars in TACACS passwords

You can enable debugging for Netconfig - Netconfig Client under Loglevel settings and then have a look at the netconfigclient.log.

A packet capture while the netconfig job is running is also a useful tool.

If it can't get the telnet prompt then it won't even attempt to send a password and will timeout.

Are your telnet prompts custom or do they have any whitespace like:

Username :

Blue

Re: special chars in TACACS passwords

I'm running LMS 2.2 RME 3.5 here. I believe those debug options/logfile are for LMS 2.5 or higher. I think there's a config file that needs to be modified for debug in LMS 2.2. Is this correct?

The telnet prompt is the default, I believe:

cat6509idf>

This prompt problem only happens with the two CatOS devices attempted.

Blue

Re: special chars in TACACS passwords

Yup, getting rid of the ! and $ got CWK auth'ing to TACACS successfully again.

Still need to figure out the telnet prompt issue though.

Cisco Employee

Re: special chars in TACACS passwords

To enable debugs for RME 3.5 do the following:

Turning on the debugs:

-----------------------

* ConfigArchive (Used by NetConfig to view device configurations)

Change the DebugLevel parameter to 5 in

\cscopx\www\classpath\com\cisco\nm\config\archive\config.properties

Edit the config.properties file to read DEBUG_LEVEL=5

* NetConfig, MakerChecker, ConfigCategory:

Change the DebugLevel parameter in

\cscopx\www\classpath\com\cisco\nm\cmf\debug.properties

Just change the line "NetConfig=1" to "NetConfig=5".

* Change the CDLDebugLevel parameter to 5 in

\CSCOpx\www\classpath\com\cisco\nm\config\cjm\downloader\downloader.properties

CDLDebugLevel=1 to CDLDebugLevel=5

Restart the ChangeAudit & JRunProxyServer processes

You will need to restart/refresh the browser window before running the NetConfig job. Now run the NetConfig job.

Look at the following log files for info:

1) ..\CSCOpx\lib\jrun\jsm-cw2000\logs\stdout.log

2) ..\CSCOpx\lib\jrun\jsm-cw2000\logs\stderr.log

NetConfig job logs as well:

3) ../CSCOpx/files/jobs/config/

Remember to turn off debugs
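The three property edits above, plus the "turn off debugs" step, as an added helper script (not from the post or from CiscoWorks itself). It assumes a Unix install rooted at $CSCOPX (the poster's paths are Windows-style; the OP's box is under /opt/CSCOpx) and keeps a one-time .orig backup of each file so the debug levels can be reverted exactly instead of guessed at.

```shell
#!/bin/sh
# set_prop KEY VALUE FILE: set KEY=VALUE in a Java .properties file.
# A FILE.orig backup is taken once so the edit can be reverted later.
set_prop() {
    key=$1; value=$2; file=$3
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    if grep -q "^${key}=" "$file"; then
        # rewrite the existing line; temp file + mv keeps it portable (no sed -i)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prop KEY FILE: print the current value of KEY (last definition wins)
get_prop() { sed -n "s|^${1}=||p" "$2" | tail -n 1; }

# revert_prop_file FILE: restore the pre-debug copy if one exists
revert_prop_file() {
    if [ -f "$1.orig" ]; then mv "$1.orig" "$1"; fi
}

# Assumed install root; relative paths below are the ones named in the post.
CSCOPX=${CSCOPX:-/opt/CSCOpx}
NM_DIR="$CSCOPX/www/classpath/com/cisco/nm"
ARCHIVE_PROPS="$NM_DIR/config/archive/config.properties"
CMF_PROPS="$NM_DIR/cmf/debug.properties"
DOWNLOADER_PROPS="$NM_DIR/config/cjm/downloader/downloader.properties"

# Level 5 for ConfigArchive, NetConfig and the CDL downloader, as in the post.
rme_debug_on() {
    set_prop DEBUG_LEVEL 5 "$ARCHIVE_PROPS"
    set_prop NetConfig 5 "$CMF_PROPS"
    set_prop CDLDebugLevel 5 "$DOWNLOADER_PROPS"
}

# Put every file back the way it was before rme_debug_on ran.
rme_debug_off() {
    for f in "$ARCHIVE_PROPS" "$CMF_PROPS" "$DOWNLOADER_PROPS"; do
        revert_prop_file "$f"
    done
}

# Usage: . ./rme_debug.sh; rme_debug_on   (then restart ChangeAudit/JRunProxyServer)
#        ... run the NetConfig job, read the logs ...; rme_debug_off
```

Restarting ChangeAudit and JRunProxyServer after either function is still a manual step, as the post describes.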

Blue

Re: special chars in TACACS passwords

It doesn't seem like JRunProxyServer can be stopped/started. It does not appear in the dropdown list of processes in Stop Process, although I do see it running in Process Status.

Blue

Re: special chars in TACACS passwords

Well, I tricked the JRunProxyServer into restarting by updating a few CiscoView device support packages.

But... NetConfig whines in the /var/adm/CSCOpx/files/jobs/config//log:

CDL:writeResultsToFile: /var/adm/CSCOpx/files/jobs/config/1104/results.20070207113503.txt with error: Job failed: Error: PGM_NM=Configuration Archive:6413:TYPE=unassigned message type::Change Audit process not running.

Cause: PGM_NM=Configuration Archive:6414:TYPE=unassigned message type::The Change Audit process has to be running to do the operation.

Action: Start the Change Audit process.

CDL:writeResultsToFile: got resultsFile

CDL:writeResultsToFile: num of devices: 2

CDL:writeResultsToFile: currDeviceIdx = 0

CDL:writeResultsToFile: currDeviceIdx = 1

CDL:writeResultsToFile: Wrote Results file

CDL:doEncaseLogging: Finished Downloading Job 1104: EDT-CATOS test (Owner=admin)

NMCS:Inserted row #176869 into CAS_LOG

***********************

I had forgotten to restart ChangeAudit before running a previous NetConfig job, but I had started ChangeAudit before running this particular job. I verified it's running.

In NetConfig Job Details, I find one device was updated successfully (which also failed with the telnet prompt yesterday), another one failed again, not because of ChangeAudit not running or telnet prompt:

***********************

<<< Update Failed (1) >>>

*** Device Details for cat6509idf1***Transport==>Telnet***

Device failed during update.

===> Update Result: failed

Error: PGM_NM=Configuration Archive:6377:TYPE=unassigned message type::Resource /var/adm/CSCOpx/files/archive/config/831/20070206113037running.cfg was checked by another user under application Function Id:302 - Config Editor

Cause: PGM_NM=Configuration Archive:6378:TYPE=unassigned message type::The resource was already checked out.

Action: Only one user can checkout a resource.

Error: PGM_NM=Configuration Archive:6377:TYPE=unassigned message type::Resource /var/adm/CSCOpx/files/archive/config/831/20070206113037running.cfg was checked by another user under application Function Id:302 - Config Editor

Cause: PGM_NM=Configuration Archive:6378:TYPE=unassigned message type::The resource was already checked out.

Action: Only one user can checkout a resource.

- CLI Output -

Seems it's because I had tried to have Config Editor update this switch's config yesterday. I don't see any obvious way to release the "checkout" on this switch. Several earlier NetConfig jobs against this switch failed with the same error.

/opt/CSCOpx/objects/jrun/jsm-cw2000/logs/stdout.log is full of Java exceptions about the SMTP server.

The last entry in /opt/CSCOpx/objects/jrun/jsm-cw2000/logs/stderr.log is from 9/1/2005.

Blue

Re: special chars in TACACS passwords

I found the List Checked out Files option but Undo Checkout just closed the window without unlocking the devices.

Re: special chars in TACACS passwords

Even Cisco ACS also doesn't accept those special characters, because I have Cisco ACS 4.1 installed in the organization.

Blue

Re: special chars in TACACS passwords

That's interesting. I was able to log in to the TACACS-enabled devices manually using those passwords with ! and $ in them. We have some version of Cisco Secure 3.x.
