How to setup and configure Rancid integrated with Tacacs+

 Rancid (Really awesome cisco config differ)takes care of changes happenings on your network devices and creates a version for each minor and major changes,does a difference with previous version and send the difference to the administrator team.So if a change request is there with detailed configuration steps,after the implementation manager will get mail from rancid and he can match the rancid change with the change request.Another thing no need to take backup of network devices as rancid keeps the latest backup of every device in your network

Steps for deploying Rancid:-


I assume you have installed and configured TACACS+ on the server where you are planning to setup rancid.My intention is to have rancid integrated with Tac-Plus but if you want them to use separately its your choice

Step 1 :Install the expect and build essential package using apt-get either as root or as sudo

                  #apt-get install build-essential expect rancid-core rancid-util

Step 2:- Rancid configuration file setup

Rancid installation creates different folders under /var/lib/rancid home directory

Open /etc/rancid.conf and add a group name there. We can add different groups here for individual datacenters sepetated by a comma like INDIA,USA,JAPAN etc

Here in this example “INDIA” has been used.

LIST_OF_GROUPS=”INDIA”

Create a file with name .cloginrc under /var/login/rancid

                     #touch .cloginrc

This will file hold the password,user,ip addresses of network devices

open .cloginrc using an editor and add the devices as per the below format

add password

Since Tacplus is using for aaa access to all the network devices .cloginrc file should look like the below format

add user * rancid

add password *

(It is assumed that corresponding entries are created for rancid user under /etc/tacacas/tac_plus.config.Rancid configuration files are attached along with the tac_plus.config which includes rancid user and rancid group)

Step 3:-protect the .cloginrc as it contains the password

                   #chmod 600 /var/lib/rancid/.cloginrc

Change the permission and ownership of rancid directories

                   #chown -R rancid:rancid /var/lib/rancid

Step 4:- Initiating rancid cvs directories using the script rancid-cvs

Login as rancid:

                      #su – rancid

                      $/var/lib/rancid/bin/rancid-cvs

This will create the cvs directory /var/lib/rancid folder

Considering the the example we have adopted it would be INDIA (/var/lib/rancid/INDIA)

Step5:- Adding network device details under rancid cvs directory

Add all the network device details in router.db file under /var/lib/rancid/INDIA as per the below format(A router.db file is attached for reference)

Format is

ip address:vendor:up

vendor name will vary based on the nework device like cisco,juniper,netscalar etc

Here are the list of vendors RANCID supports

(http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch1_:_Network_Backups_With_Rancid#Table_1-2_:_Various_device_types_for_Rancid)

Step 6 :Verifying rancid and network device integration

Now try to see if rancid can login to the device we added using the following rancid login command

                     $ /var/lib/rancid/bin/clogin ip address of the device

                     $ /var/lib/rancid/bin/clogin 1.1.1.1

spawn telnet 1.1.1.1

Trying 1.1.1.1…

Connected to 1.1.1.1

Escape character is ‘^]’.

Switch>enable

Password:

Switch#

Switch#exit

Connection closed by foreign host.

Which shows that rancid is able to login to the device

Step 7: Starting rancid using the rancid-run script

                           $/var/lib/rancid/bin/rancid-run

Check for the logs under /var/lib/rancid/log.Look for errors.

If configurations are all good successful we will see “successfully polled” messages under the log file

Step 8 :-installing cvs and cvsweb for rancid

                            #apt-get install cvs cvsweb

Step 9 :- Install and configure postfilx for email alerts

                             #apt-get install postfix

Add the following entries under /etc/aliases

rancid-admin-INDIA: rancid-networking

rancid-INDIA: adminteam

adminteam: bejoybkn@yahoo.com

Nowas root

                              #newaliases

Under /etc/postfix/main.cf add relay host ip

( relayhost =x.x.x.x)

Restart postfix

                              #/etc/init.d/postfix restart

You should be start getting emails from rancid with the initial configuration version of the devices

Step 10 :- Configuring cvs and cvsweb for rancid integration

Under /etc/cvsweb/cvsweb.conf add the below entries under @Cvsrepositories

‘INDIA’=>[‘INDIA’,’/var/lib/rancid/CVS’],

add a symbolic link for cvsweb under apache home directory

                        #ln -s /usr/share/cvsweb /var/www/cvsweb(apache server installation directory.If not please install and configure apache webserver)

Try to see http://ipaddress:port/cgi-bin/cvsweb/ for the rancid cvsweb gui

example http://1.1.1.1./cgi-bin/cvsweb

Step 11 :- Configuring rancid to run at regular inter well to poll network device

Add a cron tab for rancid user so that it runs at regular intervals and send the emails

                                #crontab -e

                            1 10 * * * /usr/local/rancid/bin/rancid-run (add this entry in the crontab file)

Configuration file templates for Rancid.Assumption all the devices are configured under tacacs+

———————————————————————————————————–

a)/var/lib/rancid/.cloginrc

add     user    *       rancid
add     password        *             

--------------------------------------------------------------------

b)/var/lib/rancid/INDIA   (please note the synatx is ip:vendor:up for example user cisco for cisco devices,f5 for f5 lb’s,netscaler for citrix lb’s,etc.Please google for router.db for more vendor format)

1.1.1.1:cisco:up

——————————————————————————————-

c)/etc/cvsweb/cvsweb.conf

@CVSrepositories = (
#        ‘local’   => [‘Local Repository’, ‘/var/lib/cvs’],
        ‘INDIA’   => [‘INDIA’, ‘/var/lib/rancid/CVS’],
#       ‘freebsd’ => [‘FreeBSD’,          ‘/var/ncvs’],
#       ‘openbsd’ => [‘OpenBSD’,          ‘/var/ncvs’],
#       ‘netbsd’  => [‘NetBSD’,           ‘/var/ncvs’],
#       ‘ruby’    => [‘Ruby’,             ‘/var/anoncvs/ruby’],
);

—————————————————————————————

d) /etc/tacacs/tac_plus.conf   which includes rancid user and a group for rancid group

# Rancid – account used for rancid process
user = rancid {
        member = rancid
        login = des xxxxxxxxxxxx
        enable = des xxxxxxxxxxxx
        }

group = rancid {
        default service = deny
        service = exec {
        priv-lvl = 6
        }
        cmd = write {
                permit .*
                }
        cmd = dir {
                permit .*
                }
        cmd = copy {
                permit running-config
                }
        cmd = show {
                permit .*
                }
        cmd = terminal {
                permit length
                }
        cmd=enable {
                permit .*
                }
        cmd=exit {
                permit .*
                }
        cmd = admin {
              permit .*
              }
        cmd = more {
              permit .*
                }

That’s it.You will check the rancid authentication logs from /var/log/tac-plus/tacacs.log and for rancid system logs /var/lib/rancid/logs

Rancid Fix for Netscaler 9.x version:-

If you are using rancid to backup netscaler devices with 9.x firmware  in your network you may see that Rancid is failing and will get timed out.You may see in the logs that show ns ns.conf is not able to run.The reason being rancid is not able to identify netscalers > prompt.

Here is an easy way to fix it.Rancid uses nslogin and nsrancid script to take netscaler backup.Make the following modifications to these 2 files and rancid will work easily.These files are present under /var/lib/rancid/bin

router.db format for netscaler devices is (ip address:netscaler:up)

Here are the differences in nslogin and nsrancid scripts which i took from my rancid server

===================================================================

bejoy@netmon1000:/var/lib/rancid/bin$ diff nslogin.orig nslogin

520c520
<     set prompt "#"
—
>     set prompt “>”
621,622c621,624
< -re “^.+$prompt” { set junk $expect_out(0,string);
<  regsub -all “\[\]\[]” $junk {\\&} prompt; }
—
> #-re “^.+$prompt” { set junk $expect_out(0,string);
> # regsub -all “\[\]\[]” $junk {\\&} prompt; }
>          -re “^$prompt”        { set junk $expect_out(0,string);
>                                    regsub -all “\[\]\[]” $junk {\\&} prompt; }

bejoy@netmon1000:/var/lib/rancid/bin$ diff nsrancid.orig nsrancid

69c69,70
< $prompt = "netscaler#";
—
> #$prompt = “netscaler#”;
> $prompt = “>”;
177c178
< last if (/^$prompt/);
—
> last if (/^ Done/);
192c193
<     if (/exit$/) {
—
>     if (/ Done$/) {

bejoy@netmon1000:/var/lib/rancid/bin$

=================================================================

Share me your experience and let me know is there any way i can help you.Enjoy 🙂

Please reach me out @ bejoybkn@yahoo.com/bejoy.bnair@gmail.com

I can help you out with your doubts or questions