05-21-2013 07:34 AM
A couple of months ago we allowed AMP (Version 7.6.1) to ssh to our controllers so we can run some of the show commands directly from AMP.
But we recently noticed in the logs that AMP was running show commands by itself every 15 seconds.
10.10.10.5 is the AMP server.
May 20 19:58:21 fpcli: USER: admin connected from 10.10.10.5 has logged out.
May 20 19:58:21 fpcli: USER: admin has logged in from 10.10.10.5.
May 20 19:58:21 fpcli: USER:email@example.com COMMAND:<encrypt disable > -- command executed successfully
May 20 19:58:21 fpcli: USER:firstname.lastname@example.org COMMAND:<no paging > -- command executed successfully
May 20 19:58:21 fpcli: USER:email@example.com COMMAND:<show ap provisioning bssid D8:C7:C8:11:22:33 > -- command executed successfully
What scares me the most is that it keeps running the encrypt disable command.
I looked everywhere to see if it is possible to run some sort of script from AirWave but I couldn't find anything.
Is this normal? Anybody seen this before?
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
05-21-2013 01:50 PM
You'll see encrypt disable whenever AMP logs in to run a command. In 7.6, AirWave logs into the controller once for each AP during Audit. That may be the source of the show commands you're seeing. This is easier to prove if you look at the log: grep for 'show ap provisioning' -> you should see bssid MACs vary as you go (not repeating). Frequency of a bssid MAC appearing should be based on auditing period (unless there were some manual calls given). In 7.7, the behaviour will change to be a single login per controller instead of per AP.
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
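
The log check suggested in the reply above can be scripted. This is an added example, not part of the original posts and not Aruba code: it groups the 'show ap provisioning' lines by BSSID and flags any BSSID queried again sooner than the audit period. The function names, the 3600-second audit period, the year and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the fpcli audit lines in the format quoted in the thread.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) fpcli: USER:\S+ "
    r"COMMAND:<show ap provisioning bssid ([0-9A-Fa-f:]{17}) >"
)

# Constructed sample: one audit sweep, one quick repeat of BSSID ...:55,
# and the start of the next sweep an hour later.
_FMT = ("May 20 {t} fpcli: USER:email@example.com COMMAND:"
        "<show ap provisioning bssid D8:C7:C8:11:22:{b} > "
        "-- command executed successfully")
SAMPLE_LOG = "\n".join(
    ["May 20 19:58:21 fpcli: USER:email@example.com COMMAND:<encrypt disable > "
     "-- command executed successfully"]
    + [_FMT.format(t=t, b=b) for t, b in [
        ("19:58:21", "33"), ("19:58:36", "44"), ("19:58:51", "55"),
        ("19:59:06", "55"), ("20:58:21", "33"), ("20:58:36", "44")]]
)

def bssid_times(log_text, year=2013):
    """Map each queried BSSID to the timestamps at which it was queried.
    Syslog lines carry no year, so one is supplied (assumed)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # logins, 'encrypt disable' and 'no paging' lines are skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[m.group(2).upper()].append(ts)
    return seen

def repeats_faster_than(log_text, audit_period_s):
    """Return {bssid: shortest gap in seconds} for BSSIDs queried again
    sooner than the audit period, which a normal sweep should not do."""
    flagged = {}
    for bssid, times in bssid_times(log_text).items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and min(gaps) < audit_period_s:
            flagged[bssid] = min(gaps)
    return flagged

if __name__ == "__main__":
    print(f"{len(bssid_times(SAMPLE_LOG))} distinct BSSIDs queried")
    for bssid, gap in repeats_faster_than(SAMPLE_LOG, 3600).items():
        print(f"{bssid} repeated after {gap:.0f}s (audit period assumed 3600s)")
```

An empty result over a full audit period matches the per-AP sweep described in the reply; a flagged BSSID points to a manual call or some other source of the command.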