Sunday, January 18, 2009

EEM action CLI uses a VTY with "null" username by default

While I was experimenting with some new features of EEM (which looks like it's turning into a programming language!), I found out that the "action cli command" uses one of the VTYs that are available for normal access to the router, but with a null (or should I say empty?) username.

I created a sample EEM applet (which produces some CLI output when "show clock" is executed) in order to test it:


event manager applet LOG-CLI-APPLET
event cli pattern "show clock" sync no skip no
action 1.3 cli command "show users"
action 1.4 syslog msg "$_cli_result"
action 1.5 cli command "show aaa user all | i TTY|EXEC: Username=|Authen|^--------------------------------------------------$"
action 1.6 syslog msg "$_cli_result"


This is the generated output which shows the extra vty used:

Jan 18 03:28:28.142: %HA_EM-6-LOG: LOG-CLI-APPLET:
Line User Host(s) Idle Location
2 vty 0 myusername idle 00:02:31 x.x.x.x
3 vty 1 myusername idle 00:00:00 x.x.x.x
* 4 vty 2 idle 00:00:00

Interface User Mode Idle Peer Address

router>

Jan 18 03:28:28.458: %HA_EM-6-LOG: LOG-CLI-APPLET:
--------------------------------------------------
TTY Num = -1
Authen: no data
--------------------------------------------------
EXEC: Username=myusername
TTY Num = 2
AuthenTime = 03:09:32 EET Jan 18 2009
Authen: service=LOGIN type=ASCII method=TACACSPLUS
--------------------------------------------------
EXEC: Username=myusername
TTY Num = 3
AuthenTime = 03:09:41 EET Jan 18 2009
Authen: service=LOGIN type=ASCII method=TACACSPLUS
--------------------------------------------------
EXEC: Username=(n/a)
TTY Num = 4
AuthenTime = 03:28:27 EET Jan 18 2009
Authen: no data
And these are some AAA (plus modem, for the VTYs) debugs that shed some light on it:

Jan 18 03:17:44.181: AAA/MEMORY: create_user (0x65BA1774) user='' ruser='NULL' ds0=0 port='tty4' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jan 18 03:17:44.181: TTY4: EXEC creation
Jan 18 03:17:44.181: AAA/ACCT/EXEC(00000014): Pick method list 'default'

Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): Port='tty4' list='' service=CMD
Jan 18 03:17:44.281: AAA/AUTHOR/CMD: tty4 (151559760) user=''
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): send AV service=shell
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): send AV cmd=show
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): send AV cmd-arg=users
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): send AV cmd-arg=
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): found list "default"
Jan 18 03:17:44.281: tty4 AAA/AUTHOR/CMD (151559760): Method=tacacs+ (tacacs+)
Jan 18 03:17:44.281: %AAA/AUTHOR/TAC+: (151559760): no username in request
Jan 18 03:17:44.281: AAA/AUTHOR/TAC+: (151559760): send AV service=shell
Jan 18 03:17:44.281: AAA/AUTHOR/TAC+: (151559760): send AV cmd=show
Jan 18 03:17:44.281: AAA/AUTHOR/TAC+: (151559760): send AV cmd-arg=users
Jan 18 03:17:44.281: AAA/AUTHOR/TAC+: (151559760): send AV cmd-arg=
Jan 18 03:17:44.485: TAC+: (151559760): received author response status = PASS_ADD
Jan 18 03:17:44.485: AAA/AUTHOR (151559760): Post authorization status = PASS_ADD

Jan 18 03:17:44.713: AAA/MEMORY: free_user (0x65BA1774) user='' ruser='NULL' port='tty4' rem_addr='NULL' authen_type=NONE service=LOGIN priv=1
Jan 18 03:17:44.717: unknown AAA/DISC: 1/"User Request"
Jan 18 03:17:44.717: unknown AAA/DISC/EXT: 1020/"User Request"
Jan 18 03:17:44.717: AAA/ACCT/EXEC(00000014): Pick method list 'default'
Jan 18 03:17:44.717: TTY4: Line reset by "Virtual Exec"
Jan 18 03:17:44.717: TTY4: Modem: (unknown)->READY


For comparison, here is the same output when a normal user (already logged in) executes the above command:

Jan 18 03:56:25.817: AAA/MEMORY: create_user (0x65FA05F4) user='myusername' ruser='router' ds0=0 port='tty3' rem_addr='x.x.x.x' authen_type=ASCII service=NONE priv=1 initial_task_id='0', vrf= (id=0)

Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): Port='tty3' list='' service=CMD
Jan 18 03:56:25.817: AAA/AUTHOR/CMD: tty3 (2383786117) user='myusername'
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): send AV service=shell
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): send AV cmd=show
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): send AV cmd-arg=users
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): send AV cmd-arg=
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): found list "default"
Jan 18 03:56:25.817: tty3 AAA/AUTHOR/CMD (2383786117): Method=tacacs+ (tacacs+)
Jan 18 03:56:25.817: AAA/AUTHOR/TAC+: (2383786117): user=myusername
Jan 18 03:56:25.817: AAA/AUTHOR/TAC+: (2383786117): send AV service=shell
Jan 18 03:56:25.817: AAA/AUTHOR/TAC+: (2383786117): send AV cmd=show
Jan 18 03:56:25.817: AAA/AUTHOR/TAC+: (2383786117): send AV cmd-arg=users
Jan 18 03:56:25.817: AAA/AUTHOR/TAC+: (2383786117): send AV cmd-arg=
Jan 18 03:56:26.021: TAC+: (-1911181179): received author response status = PASS_ADD
Jan 18 03:56:26.021: AAA/AUTHOR (2383786117): Post authorization status = PASS_ADD

Jan 18 03:56:26.021: AAA/MEMORY: free_user (0x65FA05F4) user='myusername' ruser='router' port='tty3' rem_addr='x.x.x.x' authen_type=ASCII service=NONE priv=1

As you can see above, there is no EXEC creation this time, since the user is already logged in.

Extra event manager debugs show the whole "login" process for the EEM user:

Jan 18 03:41:44.067: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : CTL : cli_open called.
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : CCC
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT :
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : router line 4
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT :
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : router>
Jan 18 03:41:44.167: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : IN : router>show users
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT :
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Line User Host(s) Idle Location
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : 2 vty 0 myusername idle 00:00:02 x.x.x.x
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : 3 vty 1 myusername idle 00:00:00 x.x.x.x
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : * 4 vty 2 idle 00:00:00
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT :
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Interface User Mode Idle Peer Address
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT :
Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : router>

Jan 18 03:41:44.379: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : IN : router>show aaa user all | i TTY|EXEC: Username=|Authen|^--------------------------------------------------$
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : --------------------------------------------------
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : TTY Num = -1
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Authen: no data
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : --------------------------------------------------
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : EXEC: Username=myusername
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : TTY Num = 2
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : AuthenTime = 03:09:32 EET Jan 18 2009
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Authen: service=LOGIN type=ASCII method=TACACSPLUS
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : --------------------------------------------------
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : EXEC: Username=myusername
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : TTY Num = 3
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : AuthenTime = 03:09:41 EET Jan 18 2009
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Authen: service=LOGIN type=ASCII method=TACACSPLUS

Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : --------------------------------------------------
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : EXEC: Username=(n/a)
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : TTY Num = 4
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : AuthenTime = 03:41:44 EET Jan 18 2009
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : Authen: no data
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : OUT : router>
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : IN : router>exit
Jan 18 03:41:44.599: %HA_EM-6-LOG: LOG-CLI-APPLET : DEBUG(cli_lib) : : CTL : cli_close called.


This is normal if you consider that executing a CLI command requires EXEC access, but it also means that you might have problems running such EEM applets when all your VTYs are full, when EXEC under a VTY is disabled, or when a special command authorization method is used ("transport input" and "access-class" do not seem to affect it; I guess that's because the session originates from inside the router). While experimenting I got 2 VTYs stuck, and all combinations of "clear line/tcp" didn't help (so a reload was needed). You might want to keep an eye on it.

Btw, I stumbled upon an interesting tool (IDEEM) for EEM programming. Too bad there wasn't a trial/evaluation version available online.

Update: Thanks to Ivan's comment, I added the following command, and now the pre-configured username appears in the VTY list.


event manager session cli username "eem-user"


The output now becomes:

Jan 18 19:43:10.002: %HA_EM-6-LOG: LOG-CLI-APPLET:
Line User Host(s) Idle Location
2 vty 0 myusername idle 00:01:44 x.x.x.x
3 vty 1 myusername idle 00:00:00 x.x.x.x
* 4 vty 2 eem-user idle 00:00:00

Interface User Mode Idle Peer Address

router>
Jan 18 19:43:10.222: %HA_EM-6-LOG: LOG-CLI-APPLET:
--------------------------------------------------
TTY Num = -1
Authen: no data
--------------------------------------------------
EXEC: Username=myusername
TTY Num = 2
AuthenTime = 19:40:21 EET Jan 18 2009
Authen: service=LOGIN type=ASCII method=TACACSPLUS
--------------------------------------------------
EXEC: Username=myusername
TTY Num = 3
AuthenTime = 19:40:37 EET Jan 18 2009
Authen: service=LOGIN type=ASCII method=TACACSPLUS
--------------------------------------------------
EXEC: Username=eem-user
TTY Num = 4
AuthenTime = 19:43:09 EET Jan 18 2009
Authen: no data


From my understanding, the general AAA process for the EEM CLI user goes like this:

1) login authentication is bypassed
2) exec authorization is bypassed (but exec accounting is happening)
3) command authorization is used

Maybe it's time for an "aaa authorization eem-commands" option ;)
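As an added example (not part of the original post), the Python below parses the filtered "show aaa user all" output that the applet logs via $_cli_result and flags EXEC sessions on a real TTY that carry no login authentication record, which is exactly how the EEM VTY shows up both before and after "event manager session cli username" is set. The sample input is constructed from the output above; the function names are my own.

```python
# Constructed sample: the filtered "show aaa user all" output the applet above
# logs via $_cli_result (values copied from the post; TTY 4 is the EEM VTY).
SAMPLE = """\
--------------------------------------------------
TTY Num = -1
Authen: no data
--------------------------------------------------
EXEC: Username=myusername
TTY Num = 2
AuthenTime = 03:09:32 EET Jan 18 2009
Authen: service=LOGIN type=ASCII method=TACACSPLUS
--------------------------------------------------
EXEC: Username=(n/a)
TTY Num = 4
AuthenTime = 03:28:27 EET Jan 18 2009
Authen: no data
"""


def parse_aaa_users(text):
    """Return one dict per session block; each block starts with a dashed line."""
    sessions, current = [], {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("----------"):
            if current:
                sessions.append(current)
            current = {}
        elif line.startswith("EXEC: Username="):
            current["username"] = line.split("=", 1)[1].strip()
        elif line.startswith("TTY Num ="):
            current["tty"] = int(line.split("=", 1)[1])
        elif line.startswith("Authen:"):
            current["authen"] = line.split(":", 1)[1].strip()
    if current:
        sessions.append(current)
    return sessions


def unauthenticated_exec_sessions(text):
    """(tty, username) of sessions on a real TTY with no login authentication
    record: the shape of an EEM 'action cli' session. The TTY -1 entry has no
    EXEC line of its own and is skipped."""
    hits = []
    for s in parse_aaa_users(text):
        if s.get("tty", -1) < 0:
            continue
        user = s.get("username", "(n/a)")
        if s.get("authen") == "no data" or user == "(n/a)":
            hits.append((s["tty"], user))
    return hits
```

Running it over the post-fix output (Username=eem-user, still "Authen: no data") flags the same TTY, which shows that the configured username changes the label on the session but does not add an authentication step.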

2 comments:

  1. Here are some more details:

    http://blog.ioshints.info/2007/05/command-authorization-fails-with-eem.html

  2. Thx for the link Ivan. I'm sure I had read it in the past, but it seems I missed the "event manager session cli username" command.


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Greece License.