Title: No Config Backup with RADIUS Login?
Description: No Backup of Config on Cisco IOS
rauchi - April 14, 2007 11:02 PM (GMT)
Hello
When I started to test NeDi I used a local user with privilege level 15 access (no enable password / no aaa new-model). With this configuration it is possible to get a backup of the running config of the Cisco devices.
Now I changed the login to use RADIUS. With the "privilege level 15" command on the vty lines it is still possible to login directly with privilege level 15 access on the Cisco devices.
Since I changed the login on the Cisco devices to RADIUS (querying an IAS server) I still get information about interfaces, IOS, modules, and so on, but it is not possible to get a backup of the device configs any more!
Of course I also tried to initialize the database once again (nedi.pl -i) but no config gets saved in the MySQL DB.
When I change back the configs to privilege level 15 access with a local user, then also the "backup config" feature works again.
The backup feature also works with "aaa authentication login default local" or completely without "aaa new model" but not with external real RADIUS!
Can someone explain this strange behavior?
Marco
rshoker - April 16, 2007 01:18 AM (GMT)
Rauchi,
I am in a similar pickle. I have devices detected and I can login with the RADIUS nedi account. I get all the information about the device, i.e. interfaces, serial numbers etc... but no config backup.
Case in point is 1200 series access points. I have 35 listed but no backup of the configs.
Thanks
rickli - April 16, 2007 06:57 AM (GMT)
We also use RADIUS and I've tested both a privilege 15 user (without enable pw) and a regular one (with enable pw). I never encountered this issue.
OMFan - April 19, 2007 07:58 AM (GMT)
One question:
What is the RADIUS config on a Cisco switch to enable login via RADIUS directly into enable mode?
With our Catalyst 2950 switches, I can login with the RADIUS server but I can't directly login in enable mode!!
I have done many searches on Google, but I can't resolve this problem.
If you have got any ideas, it would be great.
Thanks.
rickli - April 20, 2007 07:31 AM (GMT)
Works here, like so:
| CODE |
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa authorization exec CONSOLE local
aaa accounting exec default start-stop group radius
|
OMFan - April 20, 2007 01:07 PM (GMT)
Thanks for your help rickli.
But when I put your lines on my switch, I can't login.
I must write these instructions to login successfully:
| CODE |
aaa new-model
aaa authentication login default group radius local
aaa authentication login TOTO local
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
|
But I don't arrive directly in enable mode.
I can't find the problem.
rauchi - April 21, 2007 03:43 PM (GMT)
Hello OMFan
There is more than one possibility to get level 15 access on your switches. If you only need telnet you can try to add the command "privilege level 15" on your vty lines.
line vty 0 15
privilege level 15
*******************************************************************
If you also need level 15 access on your web interface, or if you want to distinguish between different access levels, then you would have to configure your RADIUS server accordingly. If you use Microsoft IAS then I could probably help you. If you use any other RADIUS server I would recommend using Google and searching for:
"shell:priv-lvl=", for example: shell:priv-lvl=15
This is the attribute the RADIUS Server must provide to the Cisco device (Router, Switch, Wireless AP...).
Hope this helps ;-)
It would also be interesting to know if you can still get config backups in NeDi after using RADIUS.
Marco
OMFan - April 21, 2007 09:19 PM (GMT)
Thanks for your answer.
I use FreeRADIUS and I only want to login via telnet directly into enable mode.
I will try "privilege level 15" on "line vty 0 15" and I will keep you informed.
Then I will try the NeDi Backup Config feature, which seems to be very useful.
Thanks a lot for your help.
rauchi - April 22, 2007 09:04 AM (GMT)
Yes, hope it helps. As far as I have seen, NeDi reads the running configs during discovery over telnet. So if you can see the configs just make sure that you are looking at the latest one. If the feature stopped working you would still see the older configs.
Marco
rickli - April 23, 2007 07:52 AM (GMT)
You can try Cisco AV-Pairs, which are covered in dictionary.cisco.
Example:
| CODE |
homer Auth-Type := Local, User-Password == "testing"
        Service-Type = Shell-User,
        Cisco-AVPair = "shell:priv-lvl=15"
|
This will put user homer immediately in enable mode.
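As an added example (not NeDi code and not from any post in this thread), a small Python audit that reads an IOS config and reports whether level 15 is handed out blanket by the vty line, as in Marco's "privilege level 15" suggestion, or delegated per user to the RADIUS server's shell:priv-lvl attribute, as in the AV-pair entry above. The sample config is constructed from the snippets in this thread.

```python
import re

# Constructed sample config, modelled on the snippets posted in this thread.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
line vty 0 15
 privilege level 15
 login authentication default
"""

def vty_blocks(config):
    """Yield (header, body_lines) for every 'line vty ...' block in an IOS config."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("line vty"):
            body = []
            for sub in lines[i + 1:]:
                if not sub.startswith(" "):   # next top-level command ends the block
                    break
                body.append(sub.strip())
            yield line, body

def audit_privilege(config):
    """Report the ways a remote login can end up at privilege level 15."""
    return {
        # 'privilege level 15' on a vty line lifts every authenticated login
        # to level 15, even one whose RADIUS profile carries no priv-lvl.
        "blanket_vty_priv15": [h for h, body in vty_blocks(config)
                               if "privilege level 15" in body],
        # exec authorization against RADIUS is what lets the server's
        # shell:priv-lvl=N AV-pair decide the level per user.
        "exec_authz_radius": bool(re.search(
            r"^aaa authorization exec \S+ .*\bgroup radius\b", config, re.M)),
    }

def findings(config):
    """Human-readable summary; an empty list means no level-15 path was found."""
    r = audit_privilege(config)
    out = []
    for header in r["blanket_vty_priv15"]:
        out.append("all logins on '%s' land at level 15 regardless of user" % header)
    if r["exec_authz_radius"]:
        out.append("level is delegated per user to RADIUS via shell:priv-lvl")
    if r["blanket_vty_priv15"] and r["exec_authz_radius"]:
        out.append("drop the vty 'privilege level 15' so RADIUS alone decides the level")
    return out
```

Run findings() over a saved running-config to see which of the two paths a device relies on; with both present, only the RADIUS path respects per-user levels.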
rauchi - April 24, 2007 09:45 PM (GMT)
I haven't found the reason for the config backup problem described earlier, but after a complete new setup from scratch this feature now also works with RADIUS.
Marco
OMFan - May 2, 2007 09:28 AM (GMT)
My problem with enabling directly is RESOLVED!!!
Thanks a lot for your help.
I just tried the backup config feature in NeDi and it works fine!!
I like the changes feature so much!!! It's very very useful!
But one question: how can we use the simulate function in the Write menu?
I expect to get the results of commands without changing the conf of the switch, but nothing appears.
Edit: When I run /var/nedi/nedi.pl -cobN it works fine, but when I put this command in cron, the backup config doesn't work!!!! (The date update field is the last time I ran the script manually.)
I have checked the rights on the files and, for testing, I have put 777 on all files and directories.
My distro is Ubuntu.
You are the best :)
OMFan - May 10, 2007 02:02 PM (GMT)
After many searches on this forum, I didn't find the solution for the backup configuration when the script runs as a cronjob.
Is there someone who has encountered the same problem?
Thanks.
rufer - May 11, 2007 06:26 AM (GMT)
If it runs at the command line but not from cron, this is usually a path (environment) problem.
Greetings
Rufer
OMFan - May 11, 2007 12:53 PM (GMT)
Your answer reminds me that I encountered the same thing with a shell script, and I added this line to resolve the problem:
| CODE |
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
|
Do you think I must put this line in nedi.pl?
If it's necessary, how can I do that?
Thanks for your help.
garrycook - May 11, 2007 02:28 PM (GMT)
| QUOTE |
| CODE |
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
|
Do you think I must put those lines in nedi.pl ? If it's necessary, how can I do that ?
|
If you want to change the path throughout the environment, then within your Ubuntu distro you should edit the file '/etc/environment'.
If you only want to change the path for NeDi, then I think you should be able to add the line above, but you'll probably also need to follow it with:
rufer - May 14, 2007 12:49 PM (GMT)
For my part, I just create a shell script that starts NeDi from cron. You can add the necessary path statements there.
Example:
| CODE |
#!/bin/sh
# start nedi from crontab. Creates logfiles
opts="-co"
CMD="./nedi.pl $opts"
LOGPATH="/var/log/nedi"
LOGFILE="$LOGPATH/nedi.log"
ERROR="$LOGPATH/error.log"
LASTRUN="$LOGPATH/lastrun.log"
cd /app/nedi || exit 1
now=`date +%Y%m%d:%H%M`
echo "#$now start # $CMD" > "$LASTRUN"
echo "#$now start" >> "$LOGFILE"
# run nedi, stdout to the last-run log, stderr to the error log
$CMD >> "$LASTRUN" 2>> "$ERROR"
tail -8 "$LASTRUN" >> "$LOGFILE"
now=`date +%Y%m%d:%H%M`
echo "#$now stop" >> "$LOGFILE"
echo "#$now stop" >> "$LASTRUN"
|
Simple example:
| CODE |
#!/bin/sh
# add your PATH=xyz here
cd /app/nedi || exit 1
./nedi.pl -co
|
Greetings
Rufer
OMFan - May 16, 2007 01:50 PM (GMT)
I have just tried to run nedi.pl -cobN from the command line and it doesn't work.
I don't understand why. This method has always worked fine!!
EDIT: I have found the explanation, it's necessary to put
on line vty 0 15.
So I have tested your instructions, and it doesn't work!!
I have created this script:
| CODE |
#!/bin/sh
# start nedi from crontab. Creates logfiles
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
opts="-cobN"
CMD="./nedi.pl $opts"
LOGPATH="/tmp"
LOGFILE="$LOGPATH/nedi.log"
ERROR="$LOGPATH/error.log"
LASTRUN="$LOGPATH/lastrun.log"
cd /var/nedi || exit 1
now=`date +%Y%m%d:%H%M`
echo "#$now start # $CMD" > "$LASTRUN"
echo "#$now start" >> "$LOGFILE"
# run nedi, stdout to the last-run log, stderr to the error log
$CMD >> "$LASTRUN" 2>> "$ERROR"
tail -8 "$LASTRUN" >> "$LOGFILE"
now=`date +%Y%m%d:%H%M`
echo "#$now stop" >> "$LOGFILE"
echo "#$now stop" >> "$LASTRUN"
|
I don't know what is wrong!!
rauchi - August 27, 2007 08:57 PM (GMT)
I had the same RADIUS issue concerning the backup config a few months later again. This time I found a workaround.
After changing from "login local" to AAA authentication I realized that the backup config feature did not work any more.
I then decided to delete this device under "Devices -> List" in NeDi so that the device was removed during the next discovery.
Another discovery later the device was added again and the backup feature was working properly again, as before the login change in the device configuration occurred.
Hope this helps!
Marco