Cisco privilege level support
The mechanism to detect if a device is in enable mode is based on string matching of the device prompt. In case of a Cisco device, Netmiko checks for `#`. This is however not accurate. The prompt of a Cisco device ends with `>` when the privilege level is 1. If it is greater than 1, then the prompt ends with `#`.
If you have a privilege level between 1 and 15, then Netmiko cannot `enable()` to privilege level 15, because `check_enable_mode()` returns `True`. On a Cisco device, it is not needed to check the device prompt, because the `enable` command will simply return the prompt when you are already in privilege level 15. If you are in level 3 for instance, then the device will prompt you for the password.
By simply adding a test to check if pattern is in output and removing the initial enable mode check, you can work around this:
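```python
import re

# Replacement for the enable() method on the Netmiko connection class.
def enable(self, cmd="", pattern="ssword", re_flags=re.IGNORECASE):
    output = ""
    msg = (
        "Failed to enter enable mode. Please ensure you pass "
        "the 'secret' argument to ConnectHandler."
    )
    # No initial check_enable_mode() test: always send the enable command.
    self.write_channel(self.normalize_cmd(cmd))
    try:
        output += self.read_until_prompt_or_pattern(
            pattern=pattern, re_flags=re_flags
        )
        # Send the secret only if the device actually asked for a password.
        # Matched with the same regex flags that were used for the read above.
        if re.search(pattern, output, flags=re_flags):
            self.write_channel(self.normalize_cmd(self.secret))
            output += self.read_until_prompt()
    except NetmikoTimeoutException:
        raise ValueError(msg)
    if not self.check_enable_mode():
        raise ValueError(msg)
    return output
```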
Privilege level 3 is assigned by a TACACS server in my case and I have to implement this workaround to use Netmiko to configure the network. I believe that it is a valid use case to have a privilege level other than 1 or 15, but Netmiko has issues with this. Can you please look into this?
Issue Analytics
- Created 3 years ago
- Comments:13 (5 by maintainers)
Top GitHub Comments
People really should not be using `no_state_check=False` if you are privilege 15 or privilege 1.

But we should probably regex on `(ssword|{base_prompt})` anyways (as there is no good reason to fail if the password prompt never shows up on the `enable` cmd execution).

Regarding 1.: that doesn’t make sense, since 15 is the default: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/d1/sec-d1-cr-book/sec-cr-e1.html#wp3307186499

Regarding 2.: that could work, except when you are at privilege level 15 already, then the method will timeout while not receiving the expected `assword` pattern. To prevent that you should skip waiting for the pattern if the prompt returns immediately after sending `enable`.
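The behaviour discussed in this thread, as an added example that is not Netmiko's code or any commenter's: a constructed in-memory device (`FakeIOS`, hostname `rtr1` and the secret are assumptions) shows the prompt check reporting level 3 as enabled, and an `enable()` that matches `(ssword|{base_prompt})` so it neither skips escalation at level 3 nor waits for a password prompt at level 15. Verifying with `show privilege` goes beyond what the thread proposes.

```python
import re

class FakeIOS:
    """Constructed stand-in for a Cisco IOS session (no network I/O)."""
    def __init__(self, level, secret, host="rtr1"):
        self.level, self.secret, self.host = level, secret, host
        self.want_pw = False
        self.sent = []                      # every line the client wrote

    def prompt(self):
        # '>' only at privilege level 1; '#' for anything higher
        return self.host + (">" if self.level == 1 else "#")

    def send(self, line):
        self.sent.append(line)
        if self.want_pw:                    # previous line was 'enable'
            self.want_pw = False
            if line == self.secret:
                self.level = 15
            return "\n" + self.prompt()     # simplified: no re-prompt on failure
        if line == "enable" and self.level < 15:
            self.want_pw = True
            return "Password: "
        if line == "show privilege":
            return f"Current privilege level is {self.level}\n{self.prompt()}"
        return "\n" + self.prompt()         # at level 15 'enable' just re-prompts


def prompt_check(dev):
    """Prompt string match, as described in the issue: True for any '#'."""
    return dev.prompt().endswith("#")


def privilege_level(dev):
    """Ask the device for its level instead of inferring it from the prompt."""
    m = re.search(r"privilege level is (\d+)", dev.send("show privilege"))
    return int(m.group(1)) if m else None


def enable(dev, secret, base_prompt="rtr1"):
    """Send 'enable'; answer with the secret only if a password prompt appears."""
    out = dev.send("enable")
    hit = re.search(rf"(ssword|{re.escape(base_prompt)})", out, re.IGNORECASE)
    if hit and hit.group(1).lower() == "ssword":
        out += dev.send(secret)
    if privilege_level(dev) != 15:          # a '#' prompt alone proves nothing
        raise ValueError("Failed to enter enable mode.")
    return out
```

With a wrong secret at level 3 the prompt still ends in `#`, so only the explicit level check raises.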