Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Bulk enable password upload tool? 2

Status
Not open for further replies.

PBrider

IS-IT--Management
Feb 5, 2008
2
US
Is there a freeware tool out there that will perform bulk password changes on cisco gear? In compliance with all the SOX standards this is a must, and being able to just push the config change out through one program rather than log into every switch it will save me a ton of time.



Thanks in advance,

Jamie
 
If you have SNMP enabled with a read/write string, you could use snmpset from a command line.

 
On a side note, if you are worried about SOX compliance then why don't you employ Tacacs or radius?
 
Ah, arbitrary SOX standards. How I miss working for a company where every other word out of the mouths of management seemed to involve SOX. ;)

Personally, I use Perl net-telnet-cisco to make mass changes on my systems. Of course, that's pretty unsecure as passwords are transmitted in clear text (so if your network is compromised, so are your Cisco passwords, in theory), so it's somewhat self-defeating if your goal is security and SOX compliance. That could be overcome by using net-ssh, but then you'd need crypto images on all your gear.

SNMP would work, but again, if security is the concern, you'd want to use v3, since it has encryption and authentication.
 
I agree with Brian. If you're worried about SOX stuff, you should be using TACACS or RADIUS.
 
I don't know of too many that are free . On the paid side you have ciscoworks (pricey) , programs from Solarwinds which are more reasonable and also tools from Kiwi also resonable.
 
Isn't plshlpme proficient with Perl or UNIX scripting? Someone here once had a few strings that went out and updated the DST on their routers...

Burt
 
That was me with the Perl code. Changing passwords would be something like:

Code:
use Getopt::Long;
GetOptions(
     "host=s"     =>     \$host,
     "newpw=s"    =>     \$newpw,
);
  use Net::Telnet::Cisco;
	 $pass='loginpw'; 'current loginpw
	 $enable='enablepw'; 'current enablepw
  my $session = Net::Telnet::Cisco->new(Host => $host);
$session->login('login', $pass); 
$session->enable($enable);
$session->cmd("configure terminal");
$session->cmd("enable secret $newpw");
$session->cmd("end");
$session->cmd("wr mem\n");
exit;

I could build in a conditional test before performing wr mem to make sure the new password took, but the above would work as is, so long as you don't fat-finger something - then you'd be screwed.
 
Thanks, Burt. Not sure if the original poster will find that useful, but once you get a server or workstation set up with Perl where you can run your scripts from, the possibilities are basically endless. Anything you can do with an expensive package, you can do with Perl. You can even make it look pretty, but I usually just keep it console/text based.
 
Ouch I would be more concerned about the fact your are still using telnet to connect, SSL should be used or you might as well not even have a password. You should really think about using tacacs or radius if you have that many to manage.

CCNA MCSE MCP NET+ A+ Security+
 
He'd need crypto images, which he likely doesn't have, but I agree.

Just for the record, Perl has a net-ssh package that works essentially the same way as net-telnet-cisco - I've used both.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top