Posted on 2008-01-10 12:51:32-08 by tvd
Net-Appliance-Session 0.15 How do I handle session authentication
I can't figure out how to handle the secondary authentication when I do a session command to a fwsm module in a cisco switch. The fwsm has no IP addresses that are accessible, so I can't log into it directly. Here is what I need to do:
ssh user1@10.10.10.10
user1@10.10.10.10's password: ******
******************* I am OK to this point ******************
switch-1 #session slot 6 processor 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.61 ... Open

************************* NOTICE *************************
This system is intended to be used solely by authorized users in the course of legitimate corporate business. Users are monitored to the extent necessary to properly administer the system, to identify unauthorized users or users operating beyond their proper authority, and to investigate improper access or use. By accessing this system, you are consenting to this monitoring.
************************* NOTICE *************************

User Access Verification
Password: *******
firewall-1/act> en
Password: *******
firewall-1/act# sho resource acl-partition
exit
exit
Any help would be appreciated. Vern
Posted on 2008-01-10 15:20:00-08 by oliver in response to 6845
Re: Net-Appliance-Session 0.15 How do I handle session authentication
Hi Vern,

This is a set-up which I've not tried before with Net::Appliance::Session.

I just wanted to send you a message to let you know I'm thinking about the problem, and how it could be solved.

Thanks for getting in touch - I'll get back to you soon, hopefully,

regards,
oliver.
Posted on 2008-01-19 21:51:36-08 by oliver in response to 6845
Re: Net-Appliance-Session 0.15 How do I handle session authentication
Hi Vern,

Okay, I have a solution for you, and I have tested this with our own FWSM and it works:

1  my $s = Net::Appliance::Session->new(
2      Host => '10.10.10.10',
3  );
4  $s->input_log(*STDOUT);
5
6  eval {
7      $s->connect(
8          Name     => 'username',
9          Password => '********',
10         SHKC     => 0,
11     );
12     $s->begin_privileged('********');      # enable mode on the switch
13
14     $s->cmd(                               # session onto the FWSM and stop
15         String => 'session slot 6 proc 1', # at its login prompt instead of
16         Match  => ['/Password:/']          # waiting for the usual CLI prompt
17     );
18     $s->cmd("********");                   # FWSM login password
19
20     $s->in_privileged_mode(0);             # tell the module we are no longer in enable mode
21     $s->begin_privileged("********");      # FWSM enable password
22     $s->cmd("quit");                       # leave the FWSM
23 };
24 print "error: $@\n" if $@;
25
26 $s->close;                                 # log out of the switch

I'll quickly explain what is going on here. If you want more explanation, please just ask.

I start by going into enable mode on the main switch using begin_privileged (12). Then I use the custom "cmd" method to session onto the FWSM (14), which allows me to override the match prompt and instead make the module stop when it sees a given regular expression, which is '/Password:/' (16).

After that I have to enter the FWSM login password using a "cmd" (18). Okay, now for the part which is not documented :-) I am able to pass a false value to "in_privileged_mode" (20) to make the module once again think it is not in enable mode (which it isn't, for the FWSM). I can then make another call to "begin_privileged" (21) with the FWSM enable password (and username, if you want, also).

To quit cleanly, I have to call "cmd" to log out of the FWSM (22), and then I can call "close" to log out of the switch (26). One thing you might need to watch out for is passing explicit passwords to begin_privileged on line 21, because your FWSM password may be different from your switch password.

I hope that helps!

regards,
oliver.
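Once the nested login above works, the point of the exercise is usually to act on the "sho resource acl-partition" output. As an added example (not Oliver's code or anything from Net::Appliance::Session), here is a small Perl parser that turns that output into one record per partition and flags any partition whose rule count is approaching its Max, assuming the field layout quoted later in this thread; in a real script the text would be whatever you capture from the session after step 21, here a constructed sample stands in for it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse "show resource acl-partition" text into one hash per partition and
# mark partitions whose rule count is at or above $warn_pct percent of Max.
sub parse_acl_partitions {
    my ($text, $warn_pct) = @_;
    $warn_pct ||= 80;
    my (@parts, $cur);
    for my $line (split /\r?\n/, $text) {
        if ($line =~ /^\s*Partition\s+#(\d+)/) {
            push @parts, ($cur = { id => $1 });
        }
        next unless $cur;    # skip the "Total number ..." header line
        if    ($line =~ /^\s*Mode\s*:\s*(\S+)/)             { $cur->{mode} = $1 }
        elsif ($line =~ /^\s*List of Contexts\s*:\s*(.*\S)/) { $cur->{contexts} = [ split /[,\s]+/, $1 ] }
        elsif ($line =~ /^\s*Number of rules\s*:\s*(\d+)\(Max:(\d+)\)/) {
            @{$cur}{qw(rules max)} = ($1, $2);
            $cur->{pct}  = $2 ? int(100 * $1 / $2) : 0;
            $cur->{warn} = $cur->{pct} >= $warn_pct ? 1 : 0;
        }
    }
    return \@parts;
}

# Constructed sample, laid out like the output quoted in this thread.
my $sample = <<'END';
Total number of configured partitions = 2
Partition #0
  Mode               : exclusive
  List of Contexts   : data-L2
  Number of contexts : 1(RefCount:1)
  Number of rules    : 42177(Max:61437)
Partition #1
  Mode               : exclusive
  List of Contexts   : admin
  Number of contexts : 1(RefCount:1)
  Number of rules    : 33(Max:61437)
END

# With a 60% threshold partition 0 (68%) is flagged, partition 1 is not.
for my $p (@{ parse_acl_partitions($sample, 60) }) {
    printf "partition %d (%s): %d/%d rules (%d%%)%s\n",
        $p->{id}, join(',', @{ $p->{contexts} }), $p->{rules}, $p->{max},
        $p->{pct}, $p->{warn} ? '  <-- near capacity' : '';
}
```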
Posted on 2009-05-01 14:32:50-07 by tvd in response to 6891
Re: Net-Appliance-Session 0.15 How do I handle session authentication
Oliver, your solution has been working fine using Net-Appliance-Session-0.15 ---- Until I upgraded to Net-Appliance-Session-1.36. I also installed:

Net-SSH-Perl-1.34
Net-Appliance-Phrasebook-1.8
Net-Appliance-Session-1.36
Net-Telnet-3.03

With this combination I am OK until I try to do the password entry on line 18 of your post.
Here is an example:

--------------------------------------------
| WARNING: UNAUTHORIZED USE OR TAMPERING   |
| IS A VIOLATION OF POLICY AND A CRIMINAL  |
| OFFENSE. VIOLATORS ARE SUBJECT TO        |
| DISMISSAL AND/OR PROSECUTION.            |
|                                          |
| - Enterprise TACACS+ Account Required -  |
--------------------------------------------
yyyy@nn.nnn.nnn.nnn's password: xxxxxx
router-r2#terminal length 0
terminal length 0
router-r2#session slot 6 proc 1
session slot 6 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.61 ... Open

************************* NOTICE *************************
This system is intended to be used solely by authorized users in the course of legitimate corporate business. Users are monitored to the extent necessary to properly administer the system, to identify unauthorized users or users operating beyond their proper authority, and to investigate improper access or use. By accessing this system, you are consenting to this monitoring.
************************* NOTICE *************************

User Access Verification
Password: pppppp
                 <--------------- Notice the extra LF here
Password:
Timeout, EOF or other failure waiting for command response
-----------------------------------------------------------------------

Under the old version:

--------------------------------------------
| WARNING: UNAUTHORIZED USE OR TAMPERING   |
| IS A VIOLATION OF POLICY AND A CRIMINAL  |
| OFFENSE. VIOLATORS ARE SUBJECT TO        |
| DISMISSAL AND/OR PROSECUTION.            |
|                                          |
| - Enterprise TACACS+ Account Required -  |
--------------------------------------------
yyyy@nn.nnn.nnn.nnn's password: xxxxxx
terminal length 00rminal length 00
session slot 6 proc 1on slot 6 proc 1
The default escape character is Ctrl-^, then x.
You can also type 'exit' at the remote prompt to end the session
Trying 127.0.0.61 ... Open

************************* NOTICE *************************
This system is intended to be used solely by authorized users in the course of legitimate corporate business. Users are monitored to the extent necessary to properly administer the system, to identify unauthorized users or users operating beyond their proper authority, and to investigate improper access or use. By accessing this system, you are consenting to this monitoring.
************************* NOTICE *************************

User Access Verification
Password: pppppp
Type help or '?' for a list of available commands.
enabledprod4-f/stby> enable
*******d: pppppp
sho resource acl-partitionesource acl-partition
Total number of configured partitions = 2
Partition #0
  Mode               : exclusive
  List of Contexts   : data-L2
  Number of contexts : 1(RefCount:1)
  Number of rules    : 42177(Max:61437)
Partition #1
  Mode               : exclusive
  List of Contexts   : admin
  Number of contexts : 1(RefCount:1)
  Number of rules    : 33(Max:61437)
router-f/stby#
Total number of configured partitions = 2
Partition #0
  Mode               : exclusive
  List of Contexts   : data-L2
  Number of contexts : 1(RefCount:1)
  Number of rules    : 42177(Max:61437)
Partition #1
  Mode               : exclusive
  List of Contexts   : admin
  Number of contexts : 1(RefCount:1)
  Number of rules    : 33(Max:61437)
quit
Logoff

Note that both of these had

$s->input_log(*STDOUT);
$s->output_log(*STDOUT);

to display both input and output.
Could you please have a look at this? Thanks, Vern