Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Tell me the best way to apply multiple credentials to 900 network devices

I have quite the challenge ahead of me. A remote site has over 900 networking devices. A mixture of the last 15 years of Cisco's switches and routers (All the mid to enterprise size models along with some nodes that should of been retired years ago). There are 4 typical credentials that they use, some are on SSH some are on telnet. Some require enable to passthrough to pull down the configurations, some don't.

If you were in this situation, after doing a network discovery and it could not match the credentials to device, how would you tackle this? I looked at the database and see that each credential that it uses seems to be an encrypted username and password, if only you could tell a ncm node to look at a particular credential profile and apply it that way. I am struggling to get this up to speed.

Find more posts tagged with

Accepted answers

fryman

Hi all! So I took a little advice from a everybody here and built out the 16 profiles for the combination of the credentials, protocol and enable. Then managed to pry the networking guys into spread sheeting down potential credentials. Then assigned a custom field with a profile number (1-16) and updated that field. After that I found down the ncm settings menu a way to assign multiple devices NCM credentials that works much much better then edit node and multiple editing on each of the profiles. Then batch run download running or startup configs. Happy to report after that rather tedious task from the 900 odd network devices we managed to get around 80% of the configurations down and working!

I thanks one and everybody for the potential work throughs on this one. Password hygiene is a thing.

All comments

wluther

fryman Well, I suppose the easiest way to do this would require you to already know which devices require which login. If you've already grouped together the ones you know for certain, you can apply the creds in bulk via the manage nodes page or the configuration management page. On either of those pages, you select all of the nodes you wish to group together/apply the same creds, edit properties, choose connection profile (towards bottom), save/apply.

If you build your connection profiles, you can enable an option to automatically test the profile for auto assignment.

(I would recommend this option be used with caution, as it may cause account locks depending on your security policy/settings.)

If you simply do not know which devices require which profiles, then I would suggest you start building a list. You could build your four connection profiles, then select small groups of your devices to start testing.

Ex. Select 25 devices, apply connection profile A to those devices. Attempt to download configs via the configuration management page. When you find devices which have failed, simply apply connection profile B to those devices, and try again. Keep doing this until everything in the first group successfully downloads the configs. Then proceed to the next group. It is essentially the same thing as enabling the auto assign option, though it would allow you to go more slowly and possibly have a lower risk.

Do any of these option sound like they are close to what you are looking for?

Let us know if you need further assistance.

Thank you,

-Will

fryman

Hey will, appreciate your precious time in taking a moment to suggest some ideas. So we have 4 main admin accounts with a combination of ssh and telnet. So 16 combinations per device

In effect. Plus enable or no enable.. Not one person knows which credential is the correct one but more to the point of the protocol being lucky dip. Radius and ssh is being deployed across the estate

Get Outlook for iOS

fryman

Finally it’s not documented anywhere a grid of sorts of what device match what credentials on what protocol with enable or no enable. Setting the credentials on auto test as part of a discovery has not worked and credentials have not assigned as part of the network discovery. Finally if you have ever tried editing say 50-100 devices in a batch, you may have experienced that the request will time out while the engine try’s to lock so many records. This whole process is painful and intensely frustrating. Not to mention these 900 odd devices are hanging off an additional poller on a link in a geographically challenging part of the world, where in some cases the poller gets “upset” and returns an error that the poller cannot be contacted and is running a different version of Ncm then the primary. Which turns out to be a false error (usually because I think jobs are still in the engine even though under transfer jobs everything is clear) or potential latency or connectivity issues

Sigh

Get Outlook for iOS

wluther

fryman Yikes, this sounds like it's not going to be a super fun project. Unfortunately, since nobody knows exactly which device needs which connection profile, it sounds like you are going to need to create one version, apply it, test it, and change it for those which fail. Other than building each of the options out up front, enabling the auto detect feature, and rediscovering the devices (or re-adding the devices to NCM), I do not know of a way to sneak passed this one.

fryman

Yikes indeed! That is looking like the way forward... and then in the discovery process it doesn’t give you an output of what connection profiles were applied to the node! I wish that was easier to see to see how successful it was matching cli credentials to nodes. Always get the fun ones!!

Get Outlook for iOS

wluther

fryman There may be an option to do this via the Orion API, but it still comes down to knowing which connection profile each device requires. The API option, however, might be a bit nicer to your additional poller, as it probably does not require as much overhead on the resources. (At least I don't think it will.)

fryman

That’s a very good point and one I didn’t consider. I think api calls would be a lot lighter on the poller which is near capacity and writing to a db across a mpls link in two rather sparse distances. Looks like it’s time to spreadsheet an export of all the network nodes and attack it in batches. Many thanks for the inspirations.

Get Outlook for iOS

sja

Hi Lukian

I just was wondering no AAA/TACaS ?

fryman

Hey SJA, Good question. Not implemented, local creds only. Wheels are in motion to change this but this is quite a large site with production sensitive equipment and a network guy whos working 27 hours a day to keep the lights on.

cnorborg

Hopefully all the enable passwords are the same?

wluther definitely had the basic premise correct. You'd probably be best off creating the 16 profiles in "NCM Settings" and "Connection Profiles", more if you have multiple enable passwords unfortunately. Then change all the nodes to "Auto Assign" as far as what credentials they have and try and let Solarwinds figure it out from there. If you have multiple enable passwords, you might be better off doing the 16 profiles mentioned above, and for those devices which get discovered correctly, go and set up and all new local user on the device(s) that is different from everything else, and then move all those devices over to this "standard" profile. Then, change the enable password to the next possible iteration and do an autodiscover on those nodes that didn't use the first one, and so on...

Get everything over to a standard profile, then work at unconfiguring all the old ones.

ie: work in stages and as you get things "right", move the devices to a new standard profile. I suppose you could work with one connection profile and just keep changing its credentials until you find all the combinations, rather than doing 16 at a time. Your choice. Since its local authentication, I'm guessing the possibility of getting locked out of the device isn't that great?

fryman

I thanks one and everybody for the potential work throughs on this one. Password hygiene is a thing.

wluther

fryman, glad to hear you got things running smoothly!