Automating the Login Sequence

Problem

You want to automate the process of logging into a router, typing usernames, passwords, and so forth.

Solution

The following script automates the process of logging into the router using a scripting language called Expect. Expect is a powerful scripting language that provides automation of interactive sessions (see Appendix A for more details). The script takes a router name or IP address as a command line argument. It then performs an automated login sequence before returning the session back to you for a normal interactive session.

Here is the sample output:

Freebsd% tel Router1
spawn telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.


User Access Verification

Username: ijbrown
Password: 

Router1>
Router1 - vty login ok
enable
Password: 
Router1#
Router1 - enable login ok

Router1#term mon
Router1#

The Expect code follows in Example 3-3.

Example 3-3. tel

#!/usr/local/bin/expect
#
#    tel -- a script to perform automated login onto a Cisco
#           router using either a hostname or IP address.
#
#
# Set behaviour (credentials are stored here in clear text)
set userid     ijbrown
set vtypasswd  oreilly
set enablepwd  cookbook
#
#
set timeout 10
set rtr [lindex $argv 0]
spawn telnet $rtr
# Answer the first prompt: Username (local or AAA login) or a bare VTY Password
expect {
         {Username}   { send "$userid\r"
                        expect {
                                 {*Password*} { send "$vtypasswd\r" }
                               }
                      }
         {telnet>}    { send_user "$rtr - telnet failed\n"
                        exit
                      }
         {Password}   { send "$vtypasswd\r" }
       }

# A repeated login prompt means the VTY login was rejected
expect {
         {Password}   { send_user "\n$rtr - vty login failed\n"
                        exit
                      }
         {Username}   { send_user "\n$rtr - vty login failed\n"
                        exit
                      }
         {>}          { send_user "\n$rtr - vty login ok\n" }
       }

# Enter privileged (enable) mode
send "enable\r"
expect "Password"
send "$enablepwd\r"
#
expect {
         {*#}         { send_user "\n$rtr - enable login ok\n" }

         {*>}         { send_user "\n$rtr - enable login failed\n"
                        exit
                      }
         {Password}   { send_user "\n$rtr - enable login failed\n"
                        exit
                      }
       }
#
# Send the routine commands, then hand the session to the user
send "\r"
expect "*#*"
send "term mon\r"
#
interact

Discussion

This script is intended to save you time when you have to repeatedly log into routers. The tel script will connect to the VTY and send the login sequence before returning the session back to you. The script can log in to routers that use local usernames, AAA authentication, or the default VTY/enable passwords. You can also use it to submit router commands before returning control back to the end user. Since the script can respond immediately to the various router prompts, the entire login sequence is much faster than what a human can type.

This script also notifies the user when it experiences problems in the login sequence, and it displays the entire sequence so that you can follow its progress on the screen. Generally, if the script experiences a problem, it will terminate with an appropriate error message, if possible. It also includes a global timeout variable to ensure that problems do not hang the user session. The default global timeout is 10 seconds.

This script requires the scripting language Expect to be loaded on the server and located in the directory /usr/local/bin. You will also need to set a few variables. First, the userid variable must be set to your router username: either the locally administered username or your AAA username. If your router does not prompt for usernames, then the script ignores this variable.

Second, the variable vtypasswd must be set to the password associated with your username, or if your router is not configured to use usernames, it should be the VTY password.

Third, the variable enablepwd must be set to the router's enable password.

This script should be stored in your home directory with read, write, and execute privileges restricted to only yourself. This is to ensure that unauthorized users cannot view your ID and password, which are stored in clear text, or use the script to log in to a device using your credentials:

Freebsd% chmod 700 tel

Many corporate security organizations frown on storing unencrypted passwords in flat files. Please check your security guidelines before using this script.
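One way to keep the passwords out of the file altogether, as an added example that is not code from the book: the block below replaces the three set lines at the top of tel, reads both passwords from the terminal with echo turned off, and refuses to run if the script file is accessible to group or other. The prompt_secret procedure and the use of $env(USER) as the router username are assumptions of this example.

```expect
#!/usr/local/bin/expect
#
# Added example: replacement for the "Set behaviour" block of tel.
# No password is stored in the file; both are read at run time.

# Read one line from the user with terminal echo disabled.
# prompt_secret is a hypothetical helper name, not part of Expect.
proc prompt_secret {label} {
    set timeout -1                 ;# local override: wait for the user
    stty -echo
    send_user "$label: "
    expect_user -re "(.*)\n"
    stty echo
    send_user "\n"
    return $expect_out(1,string)
}

# Refuse to run if group or other have any access to this file.
file stat [info script] st
if {$st(mode) & 63} {              ;# 63 = octal 077
    send_user "[info script]: permissions too open, run chmod 700\n"
    exit 1
}

# Require exactly one argument: the router name or IP address.
if {[llength $argv] != 1} {
    send_user "usage: tel router\n"
    exit 1
}

set userid    $env(USER)           ;# assumption: router username = Unix login
set vtypasswd [prompt_secret "VTY password"]
set enablepwd [prompt_secret "Enable password"]
#
# The login sequence of tel follows here unchanged,
# starting at "set timeout 10".
```

The passwords then exist only in the memory of the running Expect process, so the chmod 700 restriction protects the script itself rather than a stored secret.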

The final step in the script login sequence is to submit useful commands before returning the session back to the user. This is a time-saving step to automatically submit commands that you use regularly. By default, the script will send the terminal monitor command before terminating; however, you can easily add other commands with little effort. You can also easily modify it to send a standard set of commands and then exit from the router without needing to turn over control.

The tel script has proven to be an invaluable tool during the writing of this book. We have used it literally thousands of times, saving countless keystrokes in the process. Think of it as a preventative measure for Carpal Tunnel Syndrome.

See Also

Recipe 3.1; Chapter 4


Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505
