This invention relates to the field of network management, and in particular to a system that facilitates access to network devices using a variety of authentication/access schemes.
To adequately manage a network, access must often be gained to devices of the network, to determine and/or modify their configuration, obtain diagnostic information, monitor their performance, and so on.
In order to gain access to a network device, an authentication process is typically required, which generally includes the execution of a pre-defined access protocol. The access protocol is generally specific to each device, or device type, as determined by the vendor, and is also often dependent upon the particular configuration of the device, such as whether it is configured for Telnet, Secure Shell, or SNMP, and so on.
FIGS. 1A and 1B illustrate examples of two different access/authentication protocols for gaining access to two different network devices (in this example, a Juniper© device and a CISCO© device, respectively) that are configured to provide access via Telnet.
In FIG. 1A, after communication is established, the device provides an initial prompt (“login:”) 110, to which the user desiring access responds with a predefined user name 115. The device responds with another prompt (“Password:”) 120, to which the user responds with a predefined password 125. If the login name and password are recognized by the device as being authorized to grant access, the device responds with an identification stream 130, and terminates the stream 130 with a prompt symbol (“>”) 140, to which the user can respond with a specific query or command. If the login name and password are not recognized, the device generally responds with an error message and reissues the login prompt (“login:”).
In FIG. 1B, a different protocol is used; in this protocol, the device provides an initial prompt (“Password:”) 160, to which the user responds with a predefined password 165. If the device recognizes the password, the device issues a subsequent prompt (“>”) 170. In this particular example device, there are two levels of user access, commonly termed ‘user’ and ‘super-user’ access levels. To request super-user access, the user responds with “enable” 175, to which the device responds with a second password prompt 180. If the user provides a recognized super-user password 185, the device grants this higher level access, and indicates the different access level with a different prompt symbol (“#”) 190.
Often, the management of a network requires modification to many network devices. For example, to enhance security, the authentication parameters (username, password, community string) of some or all of the network devices may be changed periodically. Applying changes to many devices manually can be very tedious and error prone, and automating the process would reduce the tedium and errors. Other tasks, such as system diagnosis tasks that require knowledge of device configurations, would also benefit from automation tools that automatically collect such configuration information. However, to use such automation processes, access must be provided to each device being modified or monitored, and the disparate access protocols among device types introduce a substantial hurdle to such tasks.
It is an objective of this invention to provide a method and system to facilitate gaining access to a variety of different network devices. It is a further objective of this invention to provide a method and system to facilitate the creation of authentication/access protocol scripts for a variety of different network devices. It is a further objective of this invention to facilitate the creation of authentication/access protocol scripts to support future devices or standards.
These objects, and others, are achieved by a method and system that discovers and stores the proper access protocol for each device on a network. The discovery process includes progressively sequencing through state transitions until a successful access protocol sequence for a device is determined. When a successful access sequence is determined, a sequence script corresponding to this sequence is stored for subsequent access to the device. Preferably, the protocol-discovery algorithm is modeled as a state table that includes a start state and two possible terminal states: success and failure. A state machine executes the state table until a terminal state is reached; if the terminal state is a failure, the system backtracks to attempt an alternative sequence. The process continues until the success state is reached or until all possible sequences are executed without success. An exemplary state model is provided that has been shown to be effective for modeling network devices from a variety of vendors, as are techniques for generating protocol scripts based on this model, or others.
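The state-table walk with backtracking described above, as an added illustration that is not part of the patent: a constructed state table modelled on the two Telnet dialogs of FIGS. 1A and 1B, a depth-first discovery routine that reconnects and replays the partial script on each attempt, and two simulated devices (credentials, prompt regexes and device behaviour are all assumed here).

```python
import re

CREDS = {"user": "admin", "password": "s3cret", "enable": "en4ble"}  # constructed

# Constructed state table: per state, an ordered list of
# (regex the device output must end with, reply to send, next state).
# A reply of None means "send nothing, just transition". Output that no
# transition matches is the FAILURE terminal state and triggers backtracking.
STATE_TABLE = {
    "START":       [(r"login:\s*$", "{user}", "WAIT_PASS"),
                    (r"Password:\s*$", "{password}", "WAIT_PROMPT")],
    "WAIT_PASS":   [(r"Password:\s*$", "{password}", "WAIT_PROMPT")],
    "WAIT_PROMPT": [(r"#\s*$", None, "SUCCESS"),
                    (r">\s*$", "enable", "WAIT_ENABLE"),  # try super-user first
                    (r">\s*$", None, "SUCCESS")],         # fall back to user level
    "WAIT_ENABLE": [(r"Password:\s*$", "{enable}", "WAIT_PRIV")],
    "WAIT_PRIV":   [(r"#\s*$", None, "SUCCESS")],
}

def replay(device, script):
    """Reconnect and resend a candidate script; return the final device output."""
    out = device.connect()
    for line in script:
        out = device.send(line)
    return out

def discover(device, state="START", script=()):
    """Depth-first search of STATE_TABLE, backtracking on FAILURE.
    Returns the list of lines that reached SUCCESS, or None if none did."""
    out = replay(device, script)
    for pattern, reply, nxt in STATE_TABLE[state]:
        if not re.search(pattern, out):
            continue  # transition does not apply to what the device showed
        if nxt == "SUCCESS":
            return list(script)
        extra = (reply.format(**CREDS),) if reply is not None else ()
        found = discover(device, nxt, script + extra)
        if found is not None:
            return found  # propagate the first successful sequence
    return None           # FAILURE: the caller tries its next alternative

class JuniperLike:
    """Constructed stand-in for FIG. 1A: login -> Password -> '>' prompt."""
    def connect(self):
        self.stage = 0
        return "login: "
    def send(self, line):
        if self.stage == 0:
            self.stage = 1
            return "Password: "
        if self.stage == 1 and line == CREDS["password"]:
            self.stage = 2
            return "--- JUNOS ---\nadmin@r1> "
        return "Login incorrect\nlogin: " if self.stage == 1 else "unknown command.\nadmin@r1> "

class CiscoLike:
    """Constructed stand-in for FIG. 1B: Password -> '>' -> enable -> Password -> '#'."""
    def connect(self):
        self.stage = 0
        return "Password: "
    def send(self, line):
        if self.stage == 0 and line == CREDS["password"]:
            self.stage = 1
            return "sw1>"
        if self.stage == 1 and line == "enable":
            self.stage = 2
            return "Password: "
        if self.stage == 2 and line == CREDS["enable"]:
            self.stage = 3
            return "sw1#"
        return {0: "% Bad password\nPassword: ", 2: "% Bad secret\nsw1>"}.get(self.stage, "% Unknown\nsw1>")
```

On the Juniper-like device the "enable" branch reaches FAILURE (no password prompt follows), so the search backtracks and records the two-line user-level script; on the Cisco-like device the same table yields the three-line super-user script.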
Throughout the drawings, the same reference numerals indicate similar or corresponding features or functions. The drawings are included for illustrative purposes and are not intended to limit the scope of the invention.