Command Authorization Fails with EEM applet or Tcl policy

One of my readers asked an interesting question: „why do the commands executed within a EEM Tcl policy fail with Command authorization fails message?“ The short answer is simple: If you use AAA command authorization (which you can only do if you're using a TACACS+ server), you have to specify the username under which the EEM will execute its CLI commands with the event manager session cli username user configuration command.

Note: This is only required if you use TACACS+ server, as the command authorization cannot be performed in AAA environments using RADIUS servers.

For those of you who want to know more, here's the in-depth explanation:

The EEM applets or Tcl policies do not execute in the context of a line (physical or virtual terminal interface), it's therefore impossible to execute CLI commands directly from the EEM policies (contrary to what you can do in Tcl shell with exec command). To execute CLI commands, you have to open a quasi-telnet session with the cli_open call and send and receive characters with the cli_exec call or a combination of cli_write/cli_read* calls. The same approach is used for the commands executed with the action cli commands within EEM applets, the only difference being that you cannot process the output generated by the CLI commands in the EEM applet.

The commands executed by an EEM applet or Tcl policy undergo all the security checks usually performed by a router (they are no different from commands typed in by an operator using a telnet session, only the authentication process is skipped). If you have configured AAA command authorization, the router sends AAA request to the TACACS+ server for every command the EEM applet tries to execute ... and the authorization requests fail if there is no username included in the request. As the login process is skipped, you have to set the desired username manually with the event manager session cli username user configuration command.

8 comments:

  1. Hello,

    Question about using pure TCL scripts (without EMM) with AAA command authorization

    How to start the TCL script under a specific username to prevent the "Command authorization fails message"

    Thanks

    ReplyDelete
  2. Workaround found after reading the "Executing IOS commands from Tcl shell" from the "Tclsh on Cisco IOS tutorial".

    On the above article it is mentionned that the ios_config command is executed inside the context of another VTY line (also found with the AAA debug). The workaround is to define the FIRST VTY line with "transport input none" to prevent ssh or telnet to grab it and to configure the aaa authorization without any command authorization for this line.

    Kind regards
    Christian Chautems

    ReplyDelete
  3. Hi Christian!

    Sorry for a late reply, I was on vacation. Your observation was successfully reproduced and is now the bug CSCsu65401. Thanks for the perfect workaround :)

    Ivan

    ReplyDelete
  4. Hi I wolud like to know, what does this message mean? EM: No consumer registered for any event type

    please

    thanks

    ReplyDelete
  5. Ivan Pepelnjak11 August, 2009 07:57

    No idea. If this impacts your production network, you should open a case with Cisco TAC.

    ReplyDelete
  6. To "invitado":

    inside EEM there is a generic queue to pass messages, with producers and consumers. Each entry has a specific type (trigger event, aaa event...), and there is a different consumer for each type.

    The message "EM: No consumer registered for any event type" appears when:

    1) EEM debug is enabled, and
    2) when there a message in the queue, but there's no consumer associated.

    This is not a bug nor a problem, but rather a notification to help IOS developers.

    ReplyDelete
  7. can we combine eem applet with tcl?
    i tried some.
    ############
    event none
    action 2.0 cli command "enable"
    action 2.1 cli command "tclsh test.tcl"
    ############
    ==================
    that test.tcl contain below code :
    puts "in tcl"
    ==================

    but i cant see anything printed in terminal.
    i debug the eem actions and see that tcl file executing but nothing appear in terminal.
    what's wrong.
    i apologize for my bad english.

    ReplyDelete
    Replies
    1. The results of an "action cli command" are stored in $_cli_result variable, not printed on the screen. Use "action 2.2 puts $_cli_result" to see them, see http://wiki.nil.com/Regular_expressions_in_Embedded_Event_Manager_applets for an example.

      Delete

You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.

Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.