HP Procurve Switch - AAA Authentication SSH Login and Enable TACACS Local - Device Command Template Help

novethdevera

Hi Guys,

Please help in creating a working device command template for HP Procurve switch that uses AAA Authentication SSH Login and Enable TACACS Local.

Here are the login steps:

First Screen:

--------------------------------------------------------------------------------

login as: ho\a009000101

We'd like to keep you up to date about:

  * Software feature updates

  * New product announcements

  * Special events

Please register your products now at:  www.ProCurve.com

ho\a009000101@172.29.203.9's password:

--------------------------------------------------------------------------------

Second Screen:

--------------------------------------------------------------------------------

ProCurve J4904A Switch 2848

Firmware revision I.08.98

Copyright (C) 1991-2006 Hewlett-Packard Co.  All Rights Reserved.

                           RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the Government is subject to restrictions

as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and

Computer Software clause at 52.227-7013.

         HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

Press any key to continue

--------------------------------------------------------------------------------

Last Screen:

--------------------------------------------------------------------------------

NTM03SAH009> enable

Connecting to Tacacs server

User Access Verification

Username: ho\a009000101

Password:

NTM03SAH009#

--------------------------------------------------------------------------------

Here is the AAA configuration on the HP Procurve switch:

aaa authentication login privilege-mode

aaa authentication ssh login tacacs local

aaa authentication ssh enable tacacs local

My custom device command template:

<!--SolarWinds Network Management Tools-->

<!--Copyright 2005 SolarWinds.Net All rights reserved-->

<Configuration-Management Device="HP Procurve J4904A" SystemOID=" 1.3.6.1.4.1.11.2.3.7.11.32">

    <Commands>

        <Command Name="RESET" Value=""/>

        <Command Name="Reboot" Value="reset board{CRLF}y${CRLF}"/>

        <Command Name="EnterConfigMode" Value="configure"/>

        <Command Name="ExitConfigMode" Value="end"/>

        <Command Name="Startup" Value="config"/>

        <Command Name="Running" Value="running-config"/>

        <Command Name="DownloadConfig" Value="Show ${ConfigType}"/>

        <Command Name="UploadConfig" Value="${EnterConfigMode}${CRLF}${ConfigText}${CRLF}${ExitConfigMode}"/>

        <Command Name="DownloadConfigIndirect" Value="copy running-config tftp ${StorageFilename} ${StorageAddress}${CRLF}"/>

        <Command Name="UploadConfigIndirect" Value="copy tftp file${CRLF}${CRLF}${StorageFilename}${CRLF}${StorageAddress}${CRLF}"/>

        <Command Name="EraseConfig" Value="reset configuration${CRLF}y${CRLF}"/>

        <Command Name="Version" Value="show version"/>

        <Command Name="PreCommand" Value="${CRLF}" RegEx="Press any key to continue "/>

    </Commands>

</Configuration-Management>

Session Trace logs:

[4/12/2012 4:42:43 PM] -----------------NCM 6.1-------------------

[4/12/2012 4:42:43 PM] UseCustomMorePromptBehaviour: False

[4/12/2012 4:42:43 PM] Login Attempts: 1

[4/12/2012 4:42:43 PM] Custom UserName Prompt:

[4/12/2012 4:42:43 PM] Device Template:

[4/12/2012 4:42:43 PM] System Name:

[4/12/2012 4:42:43 PM] System Description:

[4/12/2012 4:42:43 PM] System OID:

[4/12/2012 4:42:43 PM] OS Image:

[4/12/2012 4:42:43 PM] OS Version:

[4/12/2012 4:42:43 PM] Menu-Based mode=False

[4/12/2012 4:42:43 PM] FreezeLoginForPreCommands mode= False

[4/12/2012 4:42:43 PM]

-->StateChange: Connecting to server<--

[4/12/2012 4:42:44 PM] Got HostFingerPrint: 71:88:65:a0:c4:32:03:d4:81:1b:6a:aa:9d:16:d3:d0

[4/12/2012 4:42:44 PM] SWTelnet9 Crypto Information Begin

[4/12/2012 4:42:44 PM] Protocol = SSH2

[4/12/2012 4:42:44 PM] RemoteName = SSH-2.0-OpenSSH_3.7.1p2

[4/12/2012 4:42:44 PM] SCcipher = 3des-cbc

[4/12/2012 4:42:44 PM] CSCipher = 3des-cbc

[4/12/2012 4:42:44 PM] Keys = ssh-rsa

[4/12/2012 4:42:44 PM] SWTelnet9 Crypto Information End

[4/12/2012 4:42:45 PM] TimerTick: mstrData=<> State=1 - Connecting to server

[4/12/2012 4:42:45 PM] Pending Disconnect = False

[4/12/2012 4:42:45 PM] TimerState not Idle, Leaving.

[4/12/2012 4:42:45 PM]

-->StateChange: Connected to server - idle<--

[4/12/2012 4:42:45 PM] Solarwinds.Net SWTelnet9 Version 9.0.27

[4/12/2012 4:42:45 PM] Connected!

[4/12/2012 4:42:45 PM] --> We'd like to keep you up to date about:  * Software feature updates  * New product announcements  * Special eventsPlease register your products now at:  www.ProCurve.comProCurve J4904A Switch 2848

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] --> Firmware revision I.08.98

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] --> Copyright (C) 1991-2006 Hewlett-Packard Co.  All Rights Reserved.

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] -->                            RESTRICTED RIGHTS LEGEND

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] -->  Use, duplication, or disclosure by the Government is subject to restrictions

[4/12/2012 4:42:45 PM] -->  as set forth in subdivision (b) (3) (ii) of the Rights in Technical Data and

[4/12/2012 4:42:45 PM] -->  Computer Software clause at 52.227-7013.

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] -->          HEWLETT-PACKARD COMPANY, 3000 Hanover St., Palo Alto, CA 94303

[4/12/2012 4:42:45 PM] -->

[4/12/2012 4:42:45 PM] --> Press any key to continue

[4/12/2012 4:42:45 PM] Receive Event: Pre-Commands found, start check for RegEx if any

[4/12/2012 4:42:45 PM] ProcessLogin State: 0

[4/12/2012 4:42:47 PM] TimerTick: mstrData=<Press any key to continue> State=3 - Connected to server - idle

[4/12/2012 4:42:47 PM] Pending Disconnect = False

[4/12/2012 4:42:49 PM] TimerTick: mstrData=<Press any key to continue> State=3 - Connected to server - idle

[4/12/2012 4:42:49 PM] Pending Disconnect = False

[4/12/2012 4:42:49 PM] Pre-Commands: Waiting more than 3 seconds for response start sending pre-command if any...

[4/12/2012 4:42:49 PM] Pre-Commands: Direct pre-command has been sent-

[4/12/2012 4:42:49 PM] <--

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] -->

[4/12/2012 4:42:49 PM] --> NTM03SAH009>

[4/12/2012 4:42:49 PM] ProcessLogin State: 0

[4/12/2012 4:42:49 PM] --->NTM03SAH009> NTM03SAH009> NTM03SAH009>

[4/12/2012 4:42:49 PM] ProcessLogin State: 0

[4/12/2012 4:42:51 PM] TimerTick: mstrData=<NTM03SAH009> NTM03SAH009> NTM03SAH009> NTM03SAH009> > State=3 - Connected to server - idle

[4/12/2012 4:42:51 PM] Pending Disconnect = False

[4/12/2012 4:42:51 PM] TimerTick: Send to CRLF get prompt again

[4/12/2012 4:42:51 PM] <--

[4/12/2012 4:42:51 PM] --->NTM03SAH009>

[4/12/2012 4:42:51 PM] ProcessLogin State: 0

[4/12/2012 4:42:51 PM] Custom Prompt detector detect # prompt

[4/12/2012 4:42:51 PM] no credentials needed - Command mode prompt detected

[4/12/2012 4:42:51 PM] Prompt is being set to : NTM03SAH009>

[4/12/2012 4:42:51 PM] Logging into Enable Mode

[4/12/2012 4:42:51 PM] <-- enable

[4/12/2012 4:42:51 PM] --> enableConnecting to Tacacs server

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] --> User Access Verification

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] --> Username:

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] <-- ho\a009000101

[4/12/2012 4:42:51 PM] --> ho\a009000101

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] -->

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] --->Password:

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] <--

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] --> Invalid password

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] ProcessLogin State: 6

[4/12/2012 4:42:53 PM] TimerTick: mstrData=<> State=3 - Connected to server - idle

[4/12/2012 4:42:53 PM] Pending Disconnect = False

[4/12/2012 4:42:55 PM] TimerTick: mstrData=<> State=3 - Connected to server - idle

[4/12/2012 4:42:55 PM] Pending Disconnect = False

[4/12/2012 4:42:55 PM] --->NTM03SAH009>

[4/12/2012 4:42:55 PM] ProcessLogin State: 6

[4/12/2012 4:42:57 PM] TimerTick: mstrData=<NTM03SAH009> > State=3 - Connected to server - idle

[4/12/2012 4:42:57 PM] Pending Disconnect = False

[4/12/2012 4:42:59 PM] TimerTick: mstrData=<NTM03SAH009> > State=3 - Connected to server - idle

[4/12/2012 4:42:59 PM] Pending Disconnect = False

[4/12/2012 4:42:59 PM] Pre-Commands: Waiting more than 3 seconds for response start sending pre-command if any...

[4/12/2012 4:43:01 PM] TimerTick: mstrData=<NTM03SAH009> > State=3 - Connected to server - idle

[4/12/2012 4:43:01 PM] Pending Disconnect = False

[4/12/2012 4:43:01 PM] Pre-Commands: Waiting more than 3 seconds for response start sending pre-command if any...

[4/12/2012 4:43:01 PM] TimerTick: Login Timeout

[4/12/2012 4:43:01 PM] Disconnected - From: 172.29.203.9

[4/12/2012 4:43:01 PM] Disconnecting

Please help... I've tried several techniques in my custom device command template but nothing seems to work so far. Thanks in advance!

ElDeeBee

Obet, good job on laying out the issue giving us good insight to your issue.

It appears that your device is expecting an additional id and password once  you have passed the TACAC's authentication.

Via this screen view:

NTM03SAH009> enable

Connecting to Tacacs server

User Access Verification

Username: ho\a009000101

Password:

NTM03SAH009#

NCM trace shows it is getting to this point, but unable to send a password and so the device is responding with an "invalid password"

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] --->Password:

[4/12/2012 4:42:51 PM] ProcessLogin State: 5

[4/12/2012 4:42:51 PM] <--

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] -->

[4/12/2012 4:42:52 PM] --> Invalid password

Can you explain if your TACACs server is supposed to send an additional password, or if NCM is setup with an enable password or not.

We would need to see the NCM configuration screen to see if it is setup with a password or not.