Network Change & Configuration Management


NetMRI Warning : Config Bad Password

DStephen
Techie
Posts: 9

Hi all,

I'm trying to solve a warning issue that Network Automation found on all my access switches: Config Bad Password.

 

This is the description of the issue:

"The following devices have either weak or unknown Telnet or SSH passwords or have no enable password. Weak passwords represent a security problem and unknown passwords prevent configuration file processing for those devices."

 

So I've changed the password for the local admin user and the enable secret, setting a stronger one, and deleted the password on line con and line vty, but it does not resolve this issue.

If anyone has ideas to solve it, please let me know.

Thanks.
Fabien.
 

I have syslog messages

PNelson
Techie
Posts: 4

I have syslog messages stating that there has been a change sent to NetMRI, and it sees that information and re-pulls the configuration. Have you tried sending your syslog messages to the box?

I'm sorry but I don't

DStephen
Techie
Posts: 9

I'm sorry but I don't understand the link between what you said and my problem.

Additional information this

DStephen
Techie
Posts: 9

Additional information this morning:

 

Tried to set the following config on 4 different switches:

 

- SW 1:

no password on line con 0 and vty 0 15

set enable secret 5 instead of enable password 7

set username admin with secret 5 instead of password 7

 

- SW 2:

no password on line con 0 and vty 0 15

set username admin with secret 5 instead of password 7

no enable password

 

- SW 3:

set enable secret 5 instead of enable password 7

set user admin with password 7

 

- SW 4:

Set all the passwords with the NetMRI config script "IOS Password Settings".

 

Those 4 switches are still shown in the issue "Config Bad Password".

Based on the description, it

Adviser
Posts: 357

Based on the description, it sounds like that issue may be raised because NetMRI does not have valid CLI credentials for the device, rather than due to the weak password. It seems the issue combines both of those.

It could have been the

DStephen
Techie
Posts: 9

It could have been the solution, because I've disabled telnet on our switches and it was enabled in NetMRI... But I disabled it (NetMRI side) yesterday and my switches still appear in the "Config Bad Password" issue.

I've found something else: in the issue viewer I see TELNET Disabled, SSH Ok and Enable Pw None. The last one is really strange because I have an enable password on the switches.

 

Fabien.

The issue does get raised for

Adviser
Posts: 357

The issue does get raised for a device if there is no enable password. Click on the device IP address link to go to the Device Viewer for the device, and then choose Settings & Status > CLI Credentials. It will show you the credential it is using to access the device. Try logging in with that credential (you can use the icon in the upper right of the Device Viewer, and choose Tools > Open SSH Session). I expect you will find that that credential is dropping you straight into enable mode.

I've tried it, the

DStephen
Techie
Posts: 9

I've tried it; the credentials set in the CLI credential page work well.

Then I tried to open the SSH connection through the toolbox and it wrote that it failed to find the credential... I found that the credentials have to be set in the account under User admin - Users - username - cli credentials. Now the SSH connection works, but I don't think that it'll change anything about the issue.

I'll update you with any future developments.

 

Thanks.

Does that credential drop you

Adviser
Posts: 357

Does that credential drop you straight into enable mode? If it does, that would be the reason for the Config Bad Password issue, I think, based on the description.

Yes that credential drop me

DStephen
Techie
Posts: 9

Yes, that credential drops me straight into enable mode. But the issue is still there.

That is expected. The issue

Adviser
Posts: 357

That is expected. The issue is there to warn you that you have a credential that drops you straight into enable mode, which is a potential security problem.

But before I told you the

DStephen
Techie
Posts: 9

But before, I told you the credentials were not set and the issue was there.

My understanding of the issue

Adviser
Posts: 357

My understanding of the issue is that it will be raised if any of the following is true:

* NetMRI does not have credentials for the device

* NetMRI has credentials, but decided they are weak (I am not sure of the criteria for that)

* NetMRI has credentials, and those credentials enter privileged mode without a separate password

 

John:

ERupert
Employee
Posts: 4

John:

Those are all true and it's a VERY misleading issue, as you need to look at the issue details for each individual occurrence to determine which condition is causing it. Because it's valid in one case (NetMRI doesn't have proper credentials), it's not a good idea to suppress it. However, going straight to enable mode (priv 15) is by far and away the most common implementation in 95% of our customer and target customer base. It's NOT a security risk as our customers use TACACS for the authentication, which controls who has priv mode on a user by user basis. If we split the issue (or dropped this condition as irrelevant for the past decade and our target Enterprise audience), we could clear up some confusion. I am pretty sure there is an RFE on this as I've raised this concern in the past. In addition, I've never seen it fire for the weak string so I doubt that is even functional.

 

 

FYI, I found out the reason

Adviser
Posts: 357

FYI, I found out the reason the auto-login did not work without entering your user credentials is that the Sys Admin role by default does not contain the appropriate privilege. You need the privilege "Terminal: Use System Creds" added to the role in order for this to be allowed.

Thanks Eric. I think we

Adviser
Posts: 357

Thanks Eric. I think we should treat it as a bug, not an RFE; I will look into it.

Role-based access control also makes this a false positive

Expert
Posts: 228

For devices that employ role-based access control (RBAC), there is no separate enable step. The user's roles are passed to the device by the AAA server. This includes Cisco devices such as ACE load balancers, Firewall modules, and all Nexus products. Also, I believe that RADIUS servers can only perform a single auth step.

I don't want to see the test for the lack of an enable step totally eliminated, because for regular IOS with local auth or TACACS, that should exist. The newer Cisco WAN routers ship with a getting-started factory config (username cisco). That includes a "privilege level 15" statement on the VTYs. Not good if one forgets to completely wipe the factory config.
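An added example (not NetMRI's own check, whose exact criteria the thread does not state) that audits an IOS running-config for the three conditions the Adviser lists above and for the factory "privilege level 15" VTY setting this post warns about; the two sample configs are constructed, and the `rbac_device` flag is an assumption that models the RBAC exception described here.

```python
import re

# Constructed sample configs (not from the thread). The first resembles the
# factory getting-started config: type-7 passwords and priv-15 VTYs.
FACTORY_STYLE = """\
hostname SW-A
username cisco privilege 15 password 7 094F471A1A0A
enable password 7 13061E010803
line vty 0 4
 privilege level 15
 login local
 transport input ssh
"""

HARDENED = """\
hostname SW-B
username admin secret 5 $1$abcd$CONSTRUCTEDHASHxxxxxxxxxxx
enable secret 5 $1$efgh$CONSTRUCTEDHASHyyyyyyyyyyy
line vty 0 15
 login local
 transport input ssh
"""


def audit_password_config(config, rbac_device=False):
    """Return sorted finding codes for one IOS config text.

    rbac_device=True (assumed flag) suppresses the auto-enable finding for
    platforms where AAA passes roles and there is no separate enable step.
    """
    findings = set()
    if not re.search(r"^enable secret ", config, re.M):
        findings.add("NO_ENABLE_SECRET")          # NetMRI shows 'Enable Pw None'
    if re.search(r"^enable password ", config, re.M):
        findings.add("ENABLE_PASSWORD_NOT_SECRET")
    # Type 7 is reversible obfuscation, not a hash: treat as a weak credential.
    if re.search(r"^(enable password|username \S+.*) 7 ", config, re.M):
        findings.add("TYPE7_PASSWORD")
    # Walk indented line blocks; 'privilege level 15' under a vty block means
    # the login lands straight in enable mode without a separate password.
    block = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            block = raw if raw.startswith("line ") else None
            continue
        if (block and block.startswith("line vty")
                and raw.strip() == "privilege level 15" and not rbac_device):
            findings.add("VTY_PRIV15_AUTOENABLE")
    return sorted(findings)
```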
