Posted on Wed Aug 27 10:45:27 2008 by raimundh
Login Method
Hi, me again ;)

How easy would it be to implement a login method (similar again to Net::Telnet::Cisco) for the following type of scenario:

We are an ISP, auditing both configs on our PE routers and on the appropriate CE routers that are connected.

During the course of the script, if certain conditions are true, we connect (from the PE router) to the CE router. In this way, we reuse the session object that we created to connect to the PE. (this is because we can't necessarily reach the CE router from our management station).

Net::Appliance::Session handles both the connection and the login in the one method, connect. Using the above example, with NTC we could do something like the following:

    $session = Net::Telnet::Cisco->new(...);                # init the object with various variables
    $session->login(Name => $peUser, Password => $pePass);  # login to the PE router
    $session->cmd("show ip interface Serial1/0:0");          # run commands on PE router
    $session->cmd("show interface Serial1/0:0");             # run commands on PE router
    $session->print("telnet " . $ceIP . " /vrf " . $vrf);   # run telnet on PE -> CE
    $session->login(Name => $ceUser, Password => $cePass);  # login on CE
    $session->cmd("show interface Serial0/1/0");             # run command on CE router

I'm not sure if a login method would be used very often with NAS, as the connect method generally handles all it needs to, but it would be handy.

Thanks
Raimund

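The session-reuse hop described in this post, written up as an added example (not code from the thread or from either module): a helper around Net::Telnet::Cisco that hops from a logged-in PE session to the CE, enables if needed, runs the audit commands, and checks that the session is back at the PE prompt before anyone reuses it. The helper names, the 192.0.2.x addresses and the environment variable names are constructed for the example.

```perl
use strict;
use warnings;
use Net::Telnet::Cisco;

# Added helper (not from the thread): hop from an already logged-in PE
# session to a CE router, run commands there, then back out to the PE.
# Returns a hashref of command => output, or undef if the hop failed.
sub run_on_ce {
    my ($pe, %a) = @_;
    my $pe_prompt = $pe->last_prompt;         # remember where we started
    my $old_mode  = $pe->errmode('return');   # do not die mid-hop

    # telnet out of the PE into the customer VRF, then reuse login() on
    # the same session object to answer the CE's username/password prompts.
    $pe->print("telnet $a{ce_ip} /vrf $a{vrf}")
        and $pe->login(Name => $a{user}, Password => $a{pass})
        or return _back_out($pe, $old_mode, $pe_prompt, 1);

    # The CE may land us at user level: enable only if a secret was given.
    if (defined $a{enable} && !$pe->is_enabled) {
        $pe->enable($a{enable})
            or return _back_out($pe, $old_mode, $pe_prompt, 1);
    }

    my %out = map { ($_ => join '', $pe->cmd($_)) } @{ $a{cmds} };
    _back_out($pe, $old_mode, $pe_prompt, 0);   # leave the PE as we found it
    return \%out;
}

# Exit the CE and confirm the prompt is the PE's again before the caller
# sends anything else on this session. Always returns undef.
sub _back_out {
    my ($pe, $mode, $pe_prompt, $failed) = @_;
    warn 'hop error: ' . $pe->errmsg . "\n" if $failed;
    $pe->print('exit');
    $pe->waitfor($pe->prompt);
    warn "not back on PE: got '" . $pe->last_prompt . "'\n"
        unless $pe->last_prompt eq $pe_prompt;
    $pe->errmode($mode);
    return;
}

# Usage: credentials come from the environment; addresses are constructed.
my $pe = Net::Telnet::Cisco->new(Host => '192.0.2.1');
$pe->login(Name => $ENV{PE_USER}, Password => $ENV{PE_PASS});
my $out = run_on_ce($pe, ce_ip => '192.0.2.10', vrf => 'CUST_A',
    user => $ENV{CE_USER}, pass => $ENV{CE_PASS}, enable => $ENV{CE_ENABLE},
    cmds => ['show interface Serial0/1/0']);
print $out->{'show interface Serial0/1/0'} if $out;
$pe->close;
```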
Posted on Tue Sep 2 16:35:34 2008 by oliver in response to 8677
Re: Login Method

Hi Raimund

The ability to reuse the session and connect on to another device is a good idea. I'm thinking about how best to implement it, because the module might need to change its personality (e.g. from Cisco to Juniper), and then roll back on disconnect from the remote host.

I'll let you know when I make some progress.

regards,
oliver.

Posted on Wed Sep 3 07:38:40 2008 by raimundh in response to 8719
Re: Login Method

Glad to know I can still send guys off to the drawing board to think ;)

Thanks for your help here - there's no rush at least - I've implemented a workaround in most cases.

Regards
Raimund
Posted on Wed Oct 1 08:05:46 2008 by tj2001 in response to 8719
Re: Login Method
Hello, I'm just checking in on this capability as well. I have some Cisco PIX firewalls that I can only access by logging into a Cisco router first and then ssh from there to the firewall. Currently I can get to the firewalls via the router but then I fail getting to privileged mode on the firewall and I'm guessing it is related to the phrasebook mismatch. After logging into the firewall via the router I do:

    $s->in_privileged_mode(0);
    $s->begin_privileged("enablepasswd");

But it does not go into privileged mode. I tried to just send the enable cmd and match Password to send the passwd but that doesn't work either. I'm guessing this is due to the Phrasebook mismatch because my script works just fine going from router to router, in some instances 3 or 4 routers deep, but it fails to work from router to PIX. Having the ability to change the phrasebook during the session rather than defining it at session creation time would be helpful. Something like:

    $s->platform("PIXOS");

I have no idea how hard it would be to make this change.

Great module BTW!!!

Thanks.
Posted on Wed Oct 1 09:22:30 2008 by tj2001 in response to 8898
Re: Login Method
OK, I got my app working OK. I troubleshot this some more. First I took a deeper look at the phrasebook and determined there was no real issue there, so changing phrasebooks wouldn't have helped me as far as I could tell. To verify, I set my connection phrasebook to PIXOS and it connected to the router OK and then ssh to PIX OK but still failed to enable.

I was using this method as per the example in a past post here:
    $s->in_privileged_mode(0);
    $s->begin_privileged("passwd");


I did some further troubleshooting and determined this line in Net-Appliance-Session-Engine.pm in the begin_privileged sub was causing my problem:

    return 0 unless $self->do_privileged_mode;


So now instead of setting in_privileged_mode to false I am using this and it works OK for me:

    $s->do_privileged_mode(1);
    $s->begin_privileged("passwd");


Now it occurs to me why my router to router connections worked OK while router to PIX failed. I am logging in straight to priv level 15 when going from router to router. So I would have had this same problem as I did with the PIX had I needed to do an enable after logging into the next router.

Thanks!
Posted on Wed Oct 1 18:54:24 2008 by oliver in response to 8899
Re: Login Method

Hi there,

I've had to take some time away through being very busy at work, but I still plan to add some features to the module to make this task easier.

What I have in mind is the following:

    my $first_router = Net::Appliance::Session->new(...);
    $first_router->connect(...);

    my $second_router = Net::Appliance::Session->new(
        Transport => 'Proxy',
        Via       => $first_router,
    );
    $second_router->connect(...);

So this way the module can keep track of what the priv level of each device is, and if you have totally different devices (Juniper, HP, Cisco, PIX, etc) each session is also separate.

I'm glad you got something working in the meantime, though, well done.

cheers,
oliver.

Posted on Thu Oct 2 08:57:20 2008 by tj2001 in response to 8902
Re: Login Method
Hi Oliver, thanks for the reply!

    my $first_router = Net::Appliance::Session->new(...);
    $first_router->connect(...);

    my $second_router = Net::Appliance::Session->new(
        Transport => 'Proxy',
        Via       => $first_router,
    );
    $second_router->connect(...);


Not a bad idea, here's my 2 cents if you're interested. In some of the networks I work on it can take 2 or 3 router hops before I can reach my ultimate destination. I work as a consultant and use your module in my auto-backup script I run after finishing work on customer sites. I don't control the policies at these networks and many are partitioned off and/or have access-class statements that make it necessary for me to hop my way through a few routers to finally be able to make a connection to the intended router.

The above would be useful for me if it was architected in a nested manner that allowed for more than 1 router hop.

Expanding on what you have shown, would this then be possible?

    my $third_router = Net::Appliance::Session->new(
        Transport => 'Proxy',
        Via       => $second_router,
    );
    $third_router->connect(...);
Posted on Thu Oct 2 10:43:04 2008 by oliver in response to 8908
Re: Login Method
Thanks for the feedback on my suggestion. Yes, I was planning to make the Proxy Transport usable for any depth of connections.