Mailing List Archive

rivlogin problem
I am having another issue with Riverstone gear.


I use tacacs+ to login to my Riverstone gear. To login I enter the
tac_username then the tac_password. The enable password and vty
password are the same on the Riverstone. According to the
documentation, I set up .cloginrc to look like this


add password my.river.stone {enable&vtypass} {enable&vtypass}
add user my.river.stone {tacuser}
add userpassword my.river.stone {tacuserpass}


When I run the rivlogin for the router it logs in fine using the tacacs
username and password but gives a bad-password error when it tries the
enable command. If I disable tacacs and set up .cloginrc to just use
the last-resort/enable password for a login it goes all the way through
to enable mode just fine. This leads me to believe that rivlogin is
trying to use the {tacuserpass} for enable instead of
{enable&vtypass}. Perhaps I have missed something in the config? Any
help would be greatly appreciated.


Thank you
rivlogin problem [ In reply to ]
Scott B. Lowe wrote:
> I am having another issue with Riverstone gear.

Hi, Scott

> I use tacacs+ to login to my Riverstone gear. To login I enter the
> tac_username then the tac_password. The enable password and vty
> password are the same on the Riverstone. According to the
> documentation, I set up .cloginrc to look like this
>
> add password my.river.stone {enable&vtypass} {enable&vtypass}
> add user my.river.stone {tacuser}
> add userpassword my.river.stone {tacuserpass}

We're using RADIUS here, but it should be the same. The 'add password'
line handling changed for rivlogin around about rancid 2.2bsomething -
if the following suggestion doesn't work, try going to rancid 2.3.
Also, non TAC+ logins were broken.

In the newer version...

For your add password line, the first password on the line should be the
password you enter immediately after "Press RETURN to activate
console...".

The second password is the last resort password (i.e., when you've
logged in using that first password, you go to enable, and your TACACS+
credentials cannot be checked because the AAA server is 'unreachable'
(buggy network code on the Enterasys shows this up regularly)).

The userpassword is your tac+ user password, and the user is your tac+
user. (This handling hasn't changed).

> When I run the rivlogin for the router it logs in fine using the tacacs
> username and password but gives a bad-password error when it tries the
> enable command. If I disable tacacs and set up .cloginrc to just use
> the last-resort/enable password for a login it goes all the way through
> to enable mode just fine. This leads me to believe that rivlogin is
> trying to use the {tacuserpass} for enable instead of
> {enable&vtypass}. Perhaps I have missed something in the config? Any
> help would be greatly appreciated.

Yes, it would appear you've run across a bug I introduced to rivlogin.
(oops)

Please try the newest available version on the ftp.shrubbery.net server,
and if you like mail me off-list if you're still having trouble.

-Andrew
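
The credential roles described in the reply above, as an added example (not part of either poster's message and not rancid's own code): a small linter that resolves which secret a `.cloginrc` supplies at each prompt for a host and flags device-wide passwords that equal the per-user TACACS+ password. The sample file, its hostnames and secrets are constructed, and first-match-wins glob handling is an assumption about how the file is read.

```python
import fnmatch
import re

# Constructed sample in .cloginrc syntax; hostnames and secrets are placeholders.
SAMPLE = """\
# constructed example
add user         my.river.stone  {tacuser}
add userpassword my.river.stone  {tac-secret}
add password     my.river.stone  {vty-secret} {enable-secret}
add user         *.lab.example   {tacuser}
add userpassword *.lab.example   {shared-secret}
add password     *.lab.example   {shared-secret} {shared-secret}
"""

LINE = re.compile(r"^add\s+(\w+)\s+(\S+)\s+(.*)$")
VALUE = re.compile(r"\{([^}]*)\}|(\S+)")  # {braced value} or bare word

def parse(text):
    """Return [(directive, host_glob, [values])] in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # comment and blank lines do not match
            values = [a or b for a, b in VALUE.findall(m.group(3))]
            entries.append((m.group(1), m.group(2), values))
    return entries

def roles_for(host, entries):
    """Map each prompt to its secret for one host (first matching line wins: assumed)."""
    found = {}
    for directive, glob, values in entries:
        if directive not in found and fnmatch.fnmatchcase(host, glob):
            found[directive] = values
    pw = found.get("password", [])
    return {
        "tacacs_user": (found.get("user") or [None])[0],
        "tacacs_password": (found.get("userpassword") or [None])[0],
        # First value: the password entered right after "Press RETURN to activate console...".
        "vty_password": pw[0] if pw else None,
        # Second value: the last-resort password used at enable.
        "enable_password": pw[1] if len(pw) > 1 else None,
    }

def reused_secrets(roles):
    """Device-wide roles whose secret equals the per-user TACACS+ password."""
    tac = roles["tacacs_password"]
    return [k for k in ("vty_password", "enable_password") if tac and roles[k] == tac]
```
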
rivlogin problem [ In reply to ]
Thanks for the input Andrew,

I am using version 2.3 now with no luck. Let me explain a little more
of what I have. My Riverstones only have one password for
last-resort/enable/vty. They are all the same. I only use tac+ for the
initial login after the "Press return to activate...". I set up the
.cloginrc file as you explained and it still gave me a bad password
error when it went to enable. I was convinced that rivlogin was
ignoring the password line and just using the tac+ password for enable
so I tested it. I created a tac+ user with a password that is the same
as the enable password on the Riverstone. You can guess what
happened... that worked fine. In fact I can remove the password line
altogether and it will still go all the way through enable. This must
be a bug in the rivlogin script as it only pays attention to the first
password on the line. I can't leave the tac+ password the same as the
enable password so if you have any more suggestions I would be grateful.



Andrew Fort wrote:

> Scott B. Lowe wrote:
>
>> I am having another issue with Riverstone gear.
>
>
> Hi, Scott
>
>> I use tacacs+ to login to my Riverstone gear. To login I enter the
>> tac_username then the tac_password. The enable password and vty
>> password are the same on the Riverstone. According to the
>> documentation, I set up .cloginrc to look like this
>>
>> add password my.river.stone {enable&vtypass} {enable&vtypass}
>> add user my.river.stone {tacuser}
>> add userpassword my.river.stone {tacuserpass}
>
>
> We're using RADIUS here, but it should be the same. The 'add
> password' line handling changed for rivlogin around about rancid
> 2.2bsomething - if the following suggestion doesn't work, try going to
> rancid 2.3. Also, non TAC+ logins were broken.
>
> In the newer version...
>
> For your add password line, the first password on the line should be
> the password you enter immediately after "Press RETURN to activate
> console...".
>
> The second password is the last resort password (i.e., when you've
> logged in using that first password, you go to enable, and your
> TACACS+ credentials cannot be checked because the AAA server is
> 'unreachable' (buggy network code on the Enterasys shows this up
> regularly)).
>
> The userpassword is your tac+ user password, and the user is your tac+
> user. (This handling hasn't changed).
>
>> When I run the rivlogin for the router it logs in fine using the
>> tacacs username and password but gives a bad-password error when it
>> tries the enable command. If I disable tacacs and set up .cloginrc to
>> just use the last-resort/enable password for a login it goes all the
>> way through to enable mode just fine. This leads me to believe that
>> rivlogin is trying to use the {tacuserpass} for enable instead of
>> {enable&vtypass}. Perhaps I have missed something in the config?
>> Any help would be greatly appreciated.
>
>
> Yes, it would appear you've run across a bug I introduced to rivlogin.
> (oops)
>
> Please try the newest available version on the ftp.shrubbery.net
> server, and if you like mail me off-list if you're still having trouble.
>
> -Andrew