Can I change the password on multiple switches?

coupleojars

IS-IT--Management
Mar 29, 2001
Good morning all,
Due to new security measures wonderfully imposed on me from above, I need to change the passwords on our switches every month. The only way I know how to do this is from the CLI. Is there any way I can change it on multiple switches? (We have 34, and this is going to be a right pain doing them all individually.)
Any suggestions gratefully received.

Jars
 
You can use either Perl with the Net::Telnet::Cisco module or you can also do Expect scripting. But you have to be very careful with your script writing.

TACACS is also a better solution. I think SolarWinds has a cheap version for a few hundred, or you can go with Cisco Secure ACS for 3 or 4 thousand dollars. It has full AAA with all the levels of access you need, plus detailed accounting of what was done. The users can be configured to enter a new password every month.


And no, I have not written the script because I have not had to do it.

NetEng
 
Kiwi CatTools could be your friend.


===

Fatman Superstar (Andrew James)

CCNA,
(CCNA Cisco Academy Instructor Trained)
 
There is also a bunch of free RADIUS servers out there, where you can do the same thing.

I think you might be able to change them all if they are in a cluster. I could be wrong though. :)
 
I would go the RADIUS route. Set up a RADIUS/TACACS server and point all the switches at it.

Then you can just change the login on the server every month and all the switches will authenticate off it.

Cisco has an Access Control Server that will aid in this configuration.


 
It of course depends on the kind of switches, but if the switches you have support it, just create a file with the new passwords

e.g.

conf t
enable secret cisco
line vty 0 4
password cisco
line con 0
password cisco
end

and then just do an snmpset where you point to that file on an ftp server.

And since 34 switches are not many switches to do changes on you could also just make a file:

oldpassword
en
oldenablepassword
conf t
enable secret cisco
line vty 0 4
password cisco
line con 0
password cisco
end
wr
exit

and just copy-paste it into your telnet session once you are connected.

An ACS or RADIUS server is a bit over the top for 34 switches. If your boss does not mind, though, go for it. ;-)

InDenial

 
You could do like InDenial says, but instead of exiting the first switch just script the telnet from that one to the IP of the next, like so:

oldpassword
en
oldenablepassword
conf t
enable secret cisco
line vty 0 4
password cisco
line con 0
password cisco
end
wr
!
!
!
telnet 161.181.0.2
!
!
!
oldpassword
en
oldenablepassword
conf t
enable secret cisco
line vty 0 4
password cisco
line con 0
password cisco
end
wr


Use the ! or a carriage return as a pause and continue like this through all your switches. If you had Procomm you could easily script this with the built-in "wait for" for a pause.

34 switches in a cut-and-paste script will probably break if there is a slow network or delays.

"Be all and you'll be to end all.
Life can be a real ball.
State of mind!"
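
The "wait for" idea from the post above, sketched in Python as an added example (not code from any poster in this thread): each line is sent only after the expected prompt appears, and each switch is handled on its own so a slow or rejected login stops that switch only. The prompt patterns, the `wait_for`/`send` session interface, `FakeSwitch`, the 192.0.2.x addresses and the password strings are assumptions or constructed samples; a real run would hand `change_all` a `connect` function that opens a telnet or SSH session.

```python
import re

def change_steps(old_login, old_enable, new_secret, new_line_pw):
    """(prompt regex, line to send) pairs mirroring the paste script in the thread."""
    cfg, line = r"\(config\)#\s*$", r"\(config-line\)#\s*$"  # assumed IOS prompts
    return [
        (r"Password:\s*$", old_login), (r">\s*$", "en"),
        (r"Password:\s*$", old_enable), (r"#\s*$", "conf t"),
        (cfg, f"enable secret {new_secret}"), (cfg, "line vty 0 4"),
        (line, f"password {new_line_pw}"), (line, "line con 0"),
        (line, f"password {new_line_pw}"), (line, "end"),
        (r"#\s*$", "wr"), (r"#\s*$", "exit"),
    ]

def run_steps(session, steps, timeout=10.0):
    """Send each line only after its prompt has appeared; stop at the first miss."""
    for n, (prompt, text) in enumerate(steps, 1):
        if not session.wait_for(re.compile(prompt), timeout):
            raise TimeoutError(f"step {n}: no prompt matching {prompt!r}")
        session.send(text)

def change_all(connect, hosts, steps):
    """Handle each switch separately so one failure does not derail the rest."""
    results = {}
    for host in hosts:
        try:
            run_steps(connect(host), steps)
            results[host] = "ok"
        except OSError as exc:  # TimeoutError and socket errors are OSError subclasses
            results[host] = f"failed: {exc}"
    return results

class FakeSwitch:
    """Constructed stand-in for a real session: replays canned prompts."""
    def __init__(self, prompts):
        self.prompts, self.sent = list(prompts), []
    def wait_for(self, pattern, timeout):
        return bool(self.prompts) and bool(pattern.search(self.prompts.pop(0)))
    def send(self, text):
        self.sent.append(text)

def demo():
    # Constructed sample: sw1 behaves normally, sw2 rejects the old enable password.
    good = (["Password: ", "sw1>", "Password: ", "sw1#"] + ["sw1(config)#"] * 2
            + ["sw1(config-line)#"] * 4 + ["sw1#"] * 2)
    bad = ["Password: ", "sw2>", "Password: ", "Password: "]
    sessions = {"192.0.2.1": FakeSwitch(good), "192.0.2.2": FakeSwitch(bad)}
    steps = change_steps("OLD-LOGIN", "OLD-ENABLE", "NEW-SECRET", "NEW-LINE-PW")
    return change_all(sessions.__getitem__, sessions, steps), sessions
```

On the second constructed switch the run stops at step 4, before any configuration line is sent, which is the case a blind paste would get wrong.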
 
Mmmm, management currently considering the ACS or RADIUS alternative, so should have a snap decision back from them around Christmas. In the meantime the script (which is now pages long) is doing the job perfectly. Can find and replace the passwords every month in Notepad and then just run it from one switch - takes about 2 mins to do the whole process. Thanks very much for all your help.


 