Cisco ISE/ADE-OS backups
Hello list,

I'll just get this out of the way, I have inherited a customized version of RANCID (v2.3.8) that we use to back up a bunch of different devices from all kinds of manufacturers. From what I can tell the customization that has been done was to redact a bunch of "unstable" things to stop versions from incrementing. A bunch of different devices have been added into our rancid repo and things are humming along. That's not really my question, just wanted to level set.

Has anyone successfully gotten Cisco ISE (a.k.a. ADE-OS) working with RANCID? Someone had written an "iselogin" script and "ciscoise" interpreter working, but it was quite unstable and had tons of duplicate output. So I wrote a different "ciscoise" script to use "clogin" rather than having yet another login script. I can get certain parts of the output but the output of "show run" seems to be sent all at once in one big blob. I am not sure how I would go about pulling that apart, so I figured I'd ask if anyone has gotten Cisco ISE working with RANCID before I sink more time and effort into this.

Thanks in advance,

AJ Schroeder
Re: Cisco ISE/ADE-OS backups
Thu, Jul 21, 2022 at 07:27:07PM +0000, AJ Schroeder:
> I'll just get this out of the way, I have inherited a customized version of RANCID (v2.3.8) that we use to back up a bunch of different devices from all kinds of manufacturers. From what I can tell the customization that has been done was to redact a bunch of "unstable" things to stop versions from incrementing. A bunch of different devices have been added into our rancid repo and things are humming along. That's not really my question, just wanted to level set.

You can upgrade to recent code and still use your altered versions by
adding them to rancid.types.conf with your own device type names (and
possibly some renaming of the scripts).

You might at time try the current versions to see if they have fixed
whatever output was oscillating from the 2.3.8 version.

> Has anyone successfully gotten Cisco ISE (a.k.a. ADE-OS) working with RANCID? Someone had written an "iselogin" script and "ciscoise" interpreter working, but it was quite unstable and had tons of duplicate output. So I wrote a different "ciscoise" script to use "clogin" rather than having yet another login script. I can get certain parts of the output but the output of "show run" seems to be sent all at once in one big blob. I am not sure how I would go about pulling that apart, so I figured I'd ask if anyone has gotten Cisco ISE working with RANCID before I sink more time and effort into this.

I know nothing about ade-os, but I am not sure that I understand what you
mean by 'one big blob'. Do you mean it is one line? To have it output
w/o a pager is perfect. Maybe an example or more information about the
format/representation of the config?

_______________________________________________
Rancid-discuss mailing list
Rancid-discuss@www.shrubbery.net
https://www.shrubbery.net/mailman/listinfo/rancid-discuss
Re: Cisco ISE/ADE-OS backups
-----Original Message-----
From: heasley <heas@shrubbery.net>
Sent: Thursday, July 21, 2022 3:04 PM
To: AJ Schroeder <ajschro@cdw.com>
Cc: rancid-discuss@www.shrubbery.net
Subject: Re: [rancid] Cisco ISE/ADE-OS backups

Thu, Jul 21, 2022 at 07:27:07PM +0000, AJ Schroeder:
>> I'll just get this out of the way, I have inherited a customized version of RANCID (v2.3.8) that we use to back up a bunch of different devices from all kinds of manufacturers. From what I can tell the customization that has been done was to redact a bunch of "unstable" things to stop versions from incrementing. A bunch of different devices have been added into our rancid repo and things are humming along. That's not really my question, just wanted to level set.

>You can upgrade to recent code and still use your altered versions by adding them to rancid.types.conf with your own device type names (and possibly some renaming of the scripts).

>You might at time try the current versions to see if they have fixed whatever output was oscillating from the 2.3.8 version.

That is in the plan to get rancid upgraded - in the process of planning it out.

>> Has anyone successfully gotten Cisco ISE (a.k.a. ADE-OS) working with RANCID? Someone had written an "iselogin" script and "ciscoise" interpreter working, but it was quite unstable and had tons of duplicate output. So I wrote a different "ciscoise" script to use "clogin" rather than having yet another login script. I can get certain parts of the output but the output of "show run" seems to be sent all at once in one big blob. I am not sure how I would go about pulling that apart, so I figured I'd ask if anyone has gotten Cisco ISE working with RANCID before I sink more time and effort into this.

>I know nothing about ade-os, but I am not sure that I understand what you mean by 'one big blob'. Do you mean it is one line? To have it output w/o a pager is perfect. Maybe an example or more information about the format/representation of the config?

When I run my custom "ciscoise" interpreter in debug mode I see that RANCID logs in, disables paging with "term length 0", sets the terminal type to vt100, then sends "show running-config"; it pauses for a couple of seconds, then the prompt appears and RANCID sends over "exit" and the script ends. However, the running config output does not appear on the screen. When I'm logged into the CLI interactively it displays like a "normal" Cisco config, but it looks like the entire config gets sent as one line. As a side note, it looks like Cisco ISE is using screen instead of vt100, but I don't think that is causing a problem.

Below is a redacted version of the config that I am seeing when I run the custom 'iselogin' in debug mode:

expect: does "! \r\nhostname ise-server01\r\n! \r\nip domain-name ad.example.com\r\n! \r\nipv6 enable\r\n! \r\ninterface GigabitEthernet 0\r\n ip address 10.20.30.40 255.255.254.0\r\n ipv6 address autoconfig\r\n ipv6 enable\r\n! \r\nip name-server 1.1.1.1 8.8.8.8 8.8.4.4\r\n! \r\nip default-gateway 10.20.30.1\r\n! \r\n! \r\nclock timezone America/Chicago\r\n! \r\nntp server time.nist.gov \r\nntp server time.google.com \r\n!\u0008\nusername rancid-user password hash <password> role admin \r\n!\u0008\nmax-ssh-sessions 5\r\n!\u0008\nservice sshd enable\r\nservice sshd encryption-algorithm aes128-gcm@openssh.com chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-ctr aes256-ctr\r\n!\u0008\nrepository ISE_Reports\r\n url sftp://x.x.x.x/backups/\r\n user backup password hash **********\r\n!\u0008\npassword-policy\r\n lower-case-required\r\n upper-case-required\r\n digit-required\r\n no-username\r\n no-previous-password\r\n min-password-length 4\r\n password-lock-enabled\r\n password-lock-timeout 15\r\n password-lock-retry-count 3\r\n!\u0008\nlogging loglevel 6\r\n!\u0008\nsnmp-server enable\r\nsnmp-server contact "SysAdmin"\r\nsnmp-server engineID ABCDEFGHIJK\r\nsnmp-server user snmp-user v3 hash <hashed password>\r\n!\u0008\nconn-limit 30 port 9060 \r\nconn-limit 5 port 9061 \r\n!\u0008\n!\u0008\nicmp echo on\r\n!\u0008\nise-server01/rancid-user#
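
Added example, not part of the original message and not RANCID's own code: one way to turn an expect debug capture like the one above back into config lines and mask the credential hashes before the result is committed to the backup repository. The sample text, its secret values, the prompt pattern and all function names are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the capture quoted in the message,
# with made-up hash values. Escapes are literal text, as expect's debug prints them.
SAMPLE = (
    r'expect: does "! \r\nhostname ise-server01\r\n! \r\n'
    r'ntp server time.nist.gov \r\n!\u0008\n'
    r'username rancid-user password hash $5$constructed role admin \r\n!\u0008\n'
    r'repository ISE_Reports\r\n url sftp://x.x.x.x/backups/\r\n'
    r' user backup password hash 0123abcd\r\n!\u0008\n'
    r'snmp-server user snmp-user v3 hash deadbeef\r\n!\u0008\n'
    r'icmp echo on\r\n!\u0008\nise-server01/rancid-user#'
)

ESCAPES = {r'\r': '\r', r'\n': '\n', r'\t': '\t'}
# Assumption: secrets follow the keywords seen in the capture.
SECRET_RE = re.compile(r'\b(password hash|v3 hash)\s+\S+')
# Assumption: the prompt looks like "host/user#", as at the end of the capture.
PROMPT_RE = re.compile(r'^\S+/\S+#\s*$')


def decode_expect(text):
    """Convert the printable escapes in the debug line back to real characters."""
    body = re.sub(r'^expect: does "', '', text)
    body = re.sub(r'\\u([0-9a-fA-F]{4})',
                  lambda m: chr(int(m.group(1), 16)), body)
    return re.sub(r'\\[rnt]', lambda m: ESCAPES[m.group(0)], body)


def split_config(raw):
    """Split on CRLF or bare LF, drop the backspace after '!', drop the prompt."""
    lines = []
    for line in re.split(r'\r?\n', raw):
        line = line.replace('\x08', '').rstrip()
        if not PROMPT_RE.match(line):
            lines.append(line)
    return lines


def redact(lines):
    """Mask hash values so secrets do not land in version control."""
    return [SECRET_RE.sub(r'\1 <removed>', line) for line in lines]


def normalize(text):
    return redact(split_config(decode_expect(text)))


if __name__ == '__main__':
    print('\n'.join(normalize(SAMPLE)))
```

Masking the hash values also keeps a rotated credential from showing up as a config change in every diff.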

Re: Cisco ISE/ADE-OS backups
To close the loop on this issue, the fix was to download and build the latest version of RANCID in a different location (test VM in my case) and then replace my custom 'iselogin' with the newly built 'clogin' script, and things worked as expected. I had no idea that the clogin scripts would be backwards compatible. Many thanks to Heasley for the expert insight and help even though we are running a very old version of rancid.

Yes - we are planning on upgrading to the new version in the near future.