Cisco ASA 2nd level login using different credentials than ssh credentials

By default netmiko tries to use the same username to do the 2nd level "login" on the firewall. We have different credentials for the SSH portion and the "login" portion on the firewall. There is an option to pass an "enable" password to the ConnectHandler, but we don't use "enable", we use "login", and there is no option to pass different credentials for the "login" user/pass.

User my_secret_ssh_login_user logged in to my_secret_fw
Logins over the last 13 days: 46.  Last login: 10:24:49 EST Mar 4 2022 from 10.1.1.1
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
asa-4150/my_secret_fw> show curpriv
Username : my_secret_ssh_login_user
Current privilege level : 1
Current Mode/s : P_UNPR
asa-4150/my_secret_fw>
asa-4150/my_secret_fw> login
Username: my_secret_ssh_login_user
Password: ***************
%Login failed
ERROR: Invalid username
Username: my_secret_ssh_login_user
Password: ***************
%Login failed
ERROR: Invalid username
Username: my_secret_ssh_login_user
Password: ***************
%Login failed
ERROR: Invalid username
asa-4150/my_secret_fw> my_secret_ssh_login_user
                              ^
ERROR: % Invalid input detected at '^' marker.
asa-4150/my_secret_fw> login
Username: my_secret_ssh_login_user
Password: ***************
%Login failed
ERROR: Invalid username
Username:
Username: exit

c3101 commented, Mar 7, 2022

Thanks Kirk

A note for future passers by:

import time
from typing import Any

from netmiko import NetmikoAuthenticationException
from netmiko.cisco import cisco_asa_ssh


class my_custom_asa_with_different_2nd_level_creds(cisco_asa_ssh.CiscoAsaSSH):
    """Cisco ASA subclass that uses a separate credential pair for 'login'."""

    def __init__(self, *args: Any, **kwargs: Any) -> None:

        # Grab the 2nd level user creds from kwargs, and remove them before passing to super()
        # super breaks if they're still in there
        self.second_level_user = kwargs.pop("second_level_user")
        self.second_level_pass = kwargs.pop("second_level_pass")

        kwargs.setdefault("allow_auto_change", True)
        super().__init__(*args, **kwargs)

    def asa_login(self) -> None:
        """
        Handle ASA reaching privilege level 15 using login

        twb-dc-fw1> login
        Username: admin

        Raises NetmikoAuthenticationException, if we do not reach privilege
        level 15 after 10 loops.
        """
        delay_factor = self.select_delay_factor(0)

        i = 1
        max_attempts = 10
        self.write_channel("login" + self.RETURN)
        output = self.read_until_pattern(pattern=r"login")
        while i <= max_attempts:
            time.sleep(0.5 * delay_factor)
            output = self.read_channel()
            if "sername" in output:
                assert isinstance(self.second_level_user, str)
                self.write_channel(
                    self.second_level_user + self.RETURN
                )  # pass our "custom" 2nd level user creds
            elif "ssword" in output:
                assert isinstance(self.second_level_pass, str)
                self.write_channel(
                    self.second_level_pass + self.RETURN
                )  # pass our "custom" 2nd level user creds
            elif "#" in output:
                return
            else:
                self.write_channel("login" + self.RETURN)
            i += 1

        msg = "Unable to enter enable mode!"
        raise NetmikoAuthenticationException(msg)


def main():

    firewall = my_custom_asa_with_different_2nd_level_creds(
        device_type="cisco_asa",
        host="cisco5.domain.com",
        username="admin",
        password="password",
        second_level_user="admin2",
        second_level_pass="password2",
    )

    # The '#' prompt confirms the second-level login succeeded
    print(firewall.find_prompt())
    firewall.disconnect()


if __name__ == "__main__":
    main()

Resolved, please mark closed.

ktbyers commented, Mar 7, 2022

Nice job @c3101 😃
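The failure in the transcript above and the fix in the subclass both come down to one prompt-driven loop: send "login", answer "Username:" and "Password:" with a credential pair, and stop when the "#" prompt appears. The following is an added example, not netmiko's code and not from the issue: a constructed fake ASA channel that models the login dialogue as it appears in the transcript (the hostname, the "%Login failed / ERROR: Invalid username" text, and the drop back to the ">" prompt after three failures are assumptions modelled on that transcript, not verified ASA behaviour), and a login routine that takes an explicit credential pair rather than reusing the SSH username. Running it with the SSH user reproduces the loop of rejections; running it with the dedicated second-level account reaches the "#" prompt.

```python
"""Offline model of the ASA 'login' prompt exchange.

Added example: not netmiko's code and not from the issue. FakeAsaChannel is a
constructed stand-in for a netmiko channel; its prompt strings are modelled on
the transcript in the issue and are assumptions, not verified ASA behaviour.
"""
from dataclasses import dataclass, field
from typing import List


class AsaLoginError(Exception):
    """Raised when the '#' prompt is not reached (stands in for NetmikoAuthenticationException)."""


@dataclass
class FakeAsaChannel:
    """Constructed ASA CLI session, already past SSH authentication.

    'login' asks for a username and password, rejects anything other than the
    dedicated second-level account, and drops back to '>' after three failures.
    """
    login_user: str
    login_pass: str
    hostname: str = "asa-4150/my_secret_fw"       # assumed, from the transcript
    sent: List[str] = field(default_factory=list)  # every line written to the device
    _pending: str = ""
    _state: str = "exec"                           # exec | username | password
    _failures: int = 0
    _username: str = ""
    _enabled: bool = False

    def write_channel(self, data: str) -> None:
        line = data.rstrip("\n")
        self.sent.append(line)
        if self._state == "exec":
            if self._enabled:
                self._pending += f"{self.hostname}# "
            elif line == "login":
                self._pending += "Username: "
                self._state = "username"
                self._failures = 0
            else:
                self._pending += f"ERROR: % Invalid input detected at '^' marker.\n{self.hostname}> "
        elif self._state == "username":
            self._username = line
            self._pending += "Password: "
            self._state = "password"
        elif self._state == "password":
            if (self._username, line) == (self.login_user, self.login_pass):
                self._enabled = True
                self._state = "exec"
                self._pending += f"{self.hostname}# "
            else:
                self._failures += 1
                self._pending += "%Login failed\nERROR: Invalid username\n"
                if self._failures >= 3:
                    self._state = "exec"
                    self._pending += f"{self.hostname}> "
                else:
                    self._state = "username"
                    self._pending += "Username: "

    def read_channel(self) -> str:
        out, self._pending = self._pending, ""
        return out


def asa_login(channel: FakeAsaChannel, username: str, password: str, max_attempts: int = 10) -> str:
    """Drive the ASA 'login' dialogue with an explicit credential pair.

    Same prompt matching as netmiko's CiscoAsaSSH.asa_login ('sername',
    'ssword', '#'), but the credentials are parameters instead of the SSH
    username/password. Returns the output holding the '#' prompt, or raises
    AsaLoginError once max_attempts reads have passed without reaching it.
    """
    channel.write_channel("login\n")
    for _ in range(max_attempts):
        output = channel.read_channel()
        if "sername" in output:
            channel.write_channel(username + "\n")
        elif "ssword" in output:
            channel.write_channel(password + "\n")
        elif "#" in output:
            return output
        else:
            channel.write_channel("login\n")   # no recognised prompt: ask again
    raise AsaLoginError("Unable to enter enable mode!")


if __name__ == "__main__":
    fw = FakeAsaChannel(login_user="admin2", login_pass="password2")
    print(asa_login(fw, "admin2", "password2"))   # reaches the '#' prompt
    fw = FakeAsaChannel(login_user="admin2", login_pass="password2")
    try:
        asa_login(fw, "my_secret_ssh_login_user", "ssh_password")
    except AsaLoginError as exc:
        print(exc, "after sending", fw.sent.count("my_secret_ssh_login_user"), "usernames")
```

Because the fake channel records everything written, the same harness shows what the default behaviour costs: with the SSH account the loop burns all ten reads on rejections and the device sees the wrong username five times. Against a real ASA that is also an audit-log and lockout concern, which is a further reason to keep the second-level credentials separate and explicit rather than letting the driver guess.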
