Mailing List Archive

ASA-5585 Enable mode
Hi All,

Our current Cisco ASA devices, "ASA5550", 8.4(7)30, work fine with RANCID.

The same config does not work for ASA-5585, 9.8(1). I am not sure why it is
sending "admin" twice and later it sends "enable" at the prompt. Any
suggestions?

add user sslvpnb admin
add password sslvpnb pass1 pass2
add autoenable sslvpnb 0
add method sslvpnb ssh

[rancid@rancid ~]$ more var/asa/router.db
sslvpn1;cisco;up
sslvpn2;cisco;up
sslvpna;cisco;up
sslvpnb;cisco;up

[rancid@rancid ~]$ clogin sslvpnb
sslvpnb
spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
admin@sslvpnb's password:
User admin logged in to sslvpnb
Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017
from 68.181.191.19
Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec
28 2017 from 68.181.191.19
Type help or '?' for a list of available commands.
sslvpnb> admin
^
ERROR: % Invalid input detected at '^' marker.

Error: Unrecognized command, check your enable command
sslvpnb> admin
^
ERROR: % Invalid input detected at '^' marker.
sslvpnb> enable
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
sslvpnb>


Thanks
-Azher
Re: ASA-5585 Enable mode [ In reply to ]
Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> Hi All,
>
> Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
>
> Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> sending "admin" twice and later it sends "enable" at the prompt .... Any
> suggestions ?
>
> add user sslvpnb admin
> add password sslvpnb pass1 pass2
> add autoenable sslvpnb 0
> add method sslvpnb ssh
>
> [rancid@rancid ~]$ more var/asa/router.db
> sslvpn1;cisco;up
> sslvpn2;cisco;up
> sslvpna;cisco;up
> sslvpnb;cisco;up
>
> [rancid@rancid ~]$ clogin sslvpnb
> sslvpnb
> spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> admin@sslvpnb's password:
> User admin logged in to sslvpnb
> Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017
> from 68.181.191.19
> Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec
> 28 2017 from 68.181.191.19

It's sending admin again because it sees "login:" before a prompt. Why
is it displaying this?

> Type help or '?' for a list of available commands.
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
>
> Error: Unrecognized command, check your enable command
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
> sslvpnb> enable
> Password:
> Invalid password
> Password:
> Invalid password
> Password:
> Invalid password
> Access denied.
> sslvpnb>
>
>
> Thanks
> -Azher

> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss@shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss

Re: ASA-5585 Enable mode [ In reply to ]
In ASA version 9.8.X, they are sending out the "Last login: " and the
"Last failed Login: " by default. There is no way to disable this.

I tried adding the following lines in .cloginrc, but no luck:

add prompt sslvpna {"sslvpna>"}
add enableprompt sslvpna {"sslvpna>"}

Is there a way to skip login: for this specific device?

Thanks
-Azher



Re: ASA-5585 Enable mode [ In reply to ]
This is a behavior change to the ASA made in version 9.8. I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins. At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site).

I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance. I hadn’t noticed it in rancid, since I’m still in lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin

Re: ASA-5585 Enable mode [ In reply to ]
Awesome. Though, since it’s the default parameter, would it make sense to account for it in clogin?
weylin

From: Azher <azheramin@gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <weylin@bu.edu>
Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history
-Azher

Re: ASA-5585 Enable mode [ In reply to ]
I think so. Having this detected by clogin would definitely help many
others.
-Azher


Re: ASA-5585 Enable mode [ In reply to ]
Last login notification (and last failed login) has been a computing best practice for 30 years. It provides simple, easy detection of some forms of man-in-the-middle password trapping. It's not foolproof but it's an important protection that is valued by the informed users that it serves.

If you're federally regulated in the USA (HIPAA/HITECH, SOX, GLB, FDA, DOD, NIST FIPS, etc.) you are probably legally required to enable last login and failed login notifications, simply because it's an industry best practice and blowing off industry best practices is (arguably) negligence.

--Charlie

Re: ASA-5585 Enable mode [ In reply to ]
Mon, Jan 01, 2018 at 06:41:56PM -0800, Azher:
> In the ASA version 9.8.X , there are sending out the "Last login: " and the
> "Last failed Login: " as default. There is no way to disable this.
>
> I tried adding following lines in .cloginrc but no luck:
>
> add prompt sslvpna {"sslvpna>"}
> add enableprompt sslvpna {"sslvpna>"}
>
> Is there a way to skip login: for this specific device ?
>
> Thanks
> -Azher

Does this work?

Index: bin/clogin.in
===================================================================
--- bin/clogin.in (revision 3754)
+++ bin/clogin.in (working copy)
@@ -248,6 +248,12 @@
send_user "\nError: Check your passwd for $router\n"
catch {close}; catch {wait}; return 1
}
+ -nocase -re "last login:" {
+ exp_continue
+ }
+ -nocase -re "failed login:" {
+ exp_continue
+ }
"Login failed" {
send_user "\nError: Check your passwd for $router\n"
catch {close}; catch {wait}; return 1
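Review bot: the new arm -nocase -re "failed login:" (added just above the "Login failed" arm) matches any line containing that substring, not only the ASA banner's "Last failed login:", so a device message with the same words would be passed over by exp_continue. Consider narrowing it to "last failed login:" and consuming the rest of the line, as the "Press the <tab> key \[^\r\n]+\[\r\n]+" arm does in the next hunk. A one-line comment saying these two arms exist for the ASA 9.8 login-history banner would also help, since their effect depends on being listed ahead of the arm that answers a login prompt, which this hunk does not show.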
@@ -267,9 +273,6 @@
send "K\r"
exp_continue
}
- -re "Last login:" {
- exp_continue
- }
-re "Press the <tab> key \[^\r\n]+\[\r\n]+" {
exp_continue
}
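Review bot: dropping the case-sensitive -re "Last login:" arm at old line 270 is only equivalent if it belongs to the same expect block as the -nocase arms added at line 248; the context here does not show where one block ends and the next begins. If they are separate blocks, a "Last login:" line arriving at this later stage is no longer skipped, so it is worth confirming that before removing the arm rather than moving it.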


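An added example (not part of the thread and not RANCID's own code): a small Python model of one Expect block, showing why an arm that answers "login:" fires on the ASA 9.8 login-history banner and why banner arms listed ahead of it avoid that without turning the banner off on the device. The arm patterns, the helper names and the banner text are assumptions constructed for illustration; real Expect also matches as data arrives rather than on a complete buffer, so the number of repeated usernames in a live session can differ.

```python
import re

# Constructed session text modelled on the ASA 9.8 banner quoted in the thread
# (192.0.2.10 is a documentation address, not taken from the page).
BANNER = (
    "User admin logged in to sslvpnb\r\n"
    "Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 "
    "from 192.0.2.10\r\n"
    "Failed logins since the last login: 0. Last failed login: 06:47:32 PST "
    "Dec 28 2017 from 192.0.2.10\r\n"
    "Type help or '?' for a list of available commands.\r\n"
    "sslvpnb> "
)

SEND_USER, CONTINUE, DONE = "send_user", "continue", "done"


def arm(pattern, action, nocase=False):
    """Build one (regex, action) arm of the modelled expect block."""
    return re.compile(pattern, re.I if nocase else 0), action


# Assumed stand-ins for clogin's arms; the real script has many more.
USERNAME_ARM = arm(r"(Username|[Ll]ogin):", SEND_USER)
PROMPT_ARM = arm(r"[>#] ?$", DONE)
BANNER_ARMS = [
    arm(r"last login:", CONTINUE, nocase=True),
    arm(r"failed login:", CONTINUE, nocase=True),
]

LEGACY_ARMS = [USERNAME_ARM, PROMPT_ARM]
PATCHED_ARMS = BANNER_ARMS + [USERNAME_ARM, PROMPT_ARM]
# Same arms as the patch, but listed after the username arm.
MISORDERED_ARMS = [USERNAME_ARM] + BANNER_ARMS + [PROMPT_ARM]


def run_expect(buffer, arms, username="admin", max_rounds=20):
    """Try arms in listed order against the whole buffer; the first arm that
    matches wins, and input up to the end of its match is discarded before
    the next round (the effect of exp_continue).
    Returns (usernames_sent, reached_prompt)."""
    sent = []
    for _ in range(max_rounds):
        for regex, action in arms:
            match = regex.search(buffer)
            if match is None:
                continue
            buffer = buffer[match.end():]
            if action == DONE:
                return sent, True
            if action == SEND_USER:
                sent.append(username)
            break
        else:
            return sent, False  # no arm matched: real expect would time out
    return sent, False


if __name__ == "__main__":
    for name, arms in (("legacy", LEGACY_ARMS),
                       ("patched", PATCHED_ARMS),
                       ("misordered", MISORDERED_ARMS)):
        sent, ok = run_expect(BANNER, arms)
        print(f"{name:10s} usernames sent at the prompt: {sent} reached prompt: {ok}")
```

The misordered case shows that adding the banner arms is not enough on its own: they only help when they are tried before the arm that answers "login:".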