Author Topic: Problems with ASCII config script and TACACS  (Read 434 times)

Offline thtsch

  • Rookie
  • **
  • Posts: 3
Problems with ASCII config script and TACACS
« on: December 06, 2011, 08:00:08 AM »
Hey everyone,

FYI: This is my first post in this forum. Pardon my English - I'm from Germany :)

For our ERS-4550T rollout I want to use an ASCII configuration script that runs completely silently without any user/admin interaction. Therefore I disable the 'Password Security' feature with the following command.

Quote
no password security

By disabling this feature, there should be no password verification and the passwords can be provided in-line in cleartext, for example:

Quote
username "admin" "cleartextpassword" rw
radius server host 1.2.3.4 key "cleartextkey"

Everything is working fine and the script does its job from the beginning to the end.
Because I want to use TACACS for the user authentication, I replaced the RADIUS config with the TACACS config. Technically the config is working, but the script doesn't like TACACS cleartext keys.

Quote
switch(config)#tacacs server host 1.2.3.4 key "cleartextkey"
                                                                            ^
% Invalid input detected at '^' marker.

So my script will never run completely without asking me for the TACACS key. Though I disabled "Password Security", I'm asked for the TACACS key twice, whereas the RADIUS key can be entered in-line and cleartext.

I've also tried providing the key in the following two config lines, but this also didn't work:

Quote
tacacs server host 1.2.3.4 key
"cleartextkey"
"cleartextkey"

Any ideas what the problem could be or how to get my script running?

Thanks in advance for your help!!  :P

Greetings from Germany
Tom
« Last Edit: December 06, 2011, 08:38:43 AM by thtsch »


Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 662
Re: Problems with ASCII config script and TACACS
« Reply #1 on: December 06, 2011, 10:31:31 AM »
Hi Tom and welcome to the forum,

I am not sure if the command "no password security" will affect the TACACS shared secret regulations.
TACACS can only be enabled if you have a secure or "s" image on your switch.

Can you provide the SW release that is running on your ERS4550T?

Cheers
It's always the network...

Offline thtsch

  • Rookie
  • **
  • Posts: 3
Re: Problems with ASCII config script and TACACS
« Reply #2 on: December 06, 2011, 10:56:24 AM »
Hi Dominik,
thanks for your reply. I could successfully enable TACACS on the switch because I'm using the Secure-Image (4500_550003s.img). This is the Software and Firmware running on my ERS4550T-PWR:

Quote
Operational Software:  FW:5.3.0.3   SW:v5.5.0.003
Operational license:   Base software

Greetings
Tom

Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 662
Re: Problems with ASCII config script and TACACS
« Reply #3 on: December 06, 2011, 11:23:27 AM »
The standard security restrictions are:

Valid passwords are between 10 and 15 characters long. The password
must contain a minimum of the following:
• 2 lowercase letters
• 2 capital letters
• 2 numbers
• 2 special symbols, such as: !@#$%^&*()

Does it work if your TACACS shared secret matches these criteria?

It's always the network...
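Added example, not part of any post in this thread: a pre-flight check that scans an ASCII config script for inline secrets in the three command forms quoted above and tests each against the criteria listed in reply #3. Whether the switch applies those criteria to the TACACS key is not established in the thread; the function names and the sample script are constructed for illustration.

```python
import re

# Criteria quoted in reply #3: 10-15 characters, at least 2 lowercase,
# 2 uppercase, 2 digits and 2 special symbols.
RULES = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "special": r"[^A-Za-z0-9]",
}

# Command forms taken from the thread; the secret is the last quoted string.
SECRET_LINE = re.compile(
    r'^\s*(?:(username)\s+"[^"]*"\s+"([^"]*)"'
    r'|(radius|tacacs)\s+server\s+host\s+\S+\s+key\s+"([^"]*)")'
)

def check_secret(secret):
    """Return the list of criteria the secret fails (empty list = passes)."""
    failures = []
    if not 10 <= len(secret) <= 15:
        failures.append("length %d not in 10-15" % len(secret))
    for name, pattern in RULES.items():
        count = len(re.findall(pattern, secret))
        if count < 2:
            failures.append("only %d %s" % (count, name))
    return failures

def lint_script(text):
    """Return (line_no, kind, failures) for every inline secret in the script."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_LINE.match(line)
        if not m:
            continue
        kind = m.group(1) or m.group(3)
        secret = m.group(2) if m.group(1) else m.group(4)
        findings.append((no, kind, check_secret(secret)))
    return findings

# Constructed sample script (values are made up for illustration).
SAMPLE = '''no password security
username "admin" "cleartextpassword" rw
radius server host 1.2.3.4 key "cleartextkey"
tacacs server host 1.2.3.4 key "Ab12cd!#XyZ9"
'''

if __name__ == "__main__":
    for no, kind, failures in lint_script(SAMPLE):
        print("line %d (%s): %s" % (no, kind, "; ".join(failures) or "meets criteria"))
```

Every line it reports is also a cleartext secret sitting in a file on a USB stick or TFTP server, so the same output doubles as an inventory of what needs protecting or rotating after rollout.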

Offline Michael McNamara

  • Administrator
  • Hero Member
  • *****
  • Posts: 2517
    • Michael McNamara
Re: Problems with ASCII config script and TACACS
« Reply #4 on: December 06, 2011, 08:32:21 PM »
Hi Tom and welcome to the forums!

What are you using to script the installation? Are you just cutting-n-pasting into the command line or are you using something like Expect or some other type of scripting like Procomm Plus to script the installation?

I'm not sure of the logic in it myself but the switch will not accept the password as a single command line statement.

If you are using Expect it shouldn't be too difficult to just add a few lines to echo the password twice.

Cheers!

PS: Your English is very good by the way! I wouldn't have a clue how to even start speaking German.
We've been helping network engineers, system administrators and technology professionals since June 2009.
If you've found this site useful or helpful, please help me spread the word. Link to us in your blog or homepage - Thanks!

Offline thtsch

  • Rookie
  • **
  • Posts: 3
Re: Problems with ASCII config script and TACACS
« Reply #5 on: December 07, 2011, 02:57:54 AM »
@Dominik: Thanks, I'll try this.
@Michael: I'm using the "script run" command referring to a .TXT file on the attached USB stick.

Meanwhile I'm happy with the script, even if I have to type the PW twice. It's still more comfortable than copy|pasting the whole thing  ;D

Thank you, guys!

Offline Dominik

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 662
Re: Problems with ASCII config script and TACACS
« Reply #6 on: December 07, 2011, 03:07:14 AM »
@thtsch
You can also upload the script via TFTP; this is more comfortable if you want to run the same script on a lot of switches than bringing a USB stick to all your devices.

@Michael
German isn't that hard either  :P

Cheers
It's always the network...