Network Automation Expect Scripts - rConfig V8 SIE Tutorial

SIE Expect Script Example: Radware Alteon Configuration Backup

This guide demonstrates complete Script Integration Engine (SIE) implementation using an Expect script to backup Radware Alteon load balancer configurations. This example illustrates the end-to-end workflow from SIE enablement through script deployment, device configuration, and execution testing.

---

Implementation Overview

Use Case

Challenge: Radware Alteon load balancers use a proprietary CLI interface with custom command sequences for configuration export. Standard SSH-based backup commands don’t work—the device requires interactive navigation through menus and specific command syntax to dump configuration.

Solution: Expect script automates the interactive CLI session, executing the precise command sequence needed to retrieve and format the Alteon configuration for rConfig storage.

Components:

• Expect script handling Alteon CLI interaction
• Custom connection template specifying script protocol
• Command category with script invocation
• Device configured with script-based template and credentials

Prerequisites

Before implementing this example, ensure:

SIE Enabled: Script Integration Engine feature flag set to true in .env file (see SIE Overview for enablement instructions)

Expect Installed: Expect binary available on rConfig server

/usr/bin/expect

which expect

If Expect is not installed:

# Rocky Linux/RHEL/CentOS
sudo dnf install expect -y

# Ubuntu/Debian
sudo apt-get install expect -y

Script Directory: Scripts directory exists with appropriate permissions

sudo mkdir -p /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
sudo chown www-data:www-data /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
sudo chmod 755 /var/www/html/rconfig8/current/storage/app/rconfig/scripts/

Device Access: Network connectivity from rConfig server to Alteon device, valid device credentials for CLI access.

---

Step 1: Enable SIE

If not already enabled, activate Script Integration Engine in rConfig:

Edit Environment File

sudo nano /var/www/html/rconfig8/current/.env

Add or Modify SIE Setting

Locate the SIE configuration or add if not present:

SCRIPT_INTEGRATION_ENGINE_ENABLED=true

Save and exit (Ctrl+O, Enter, Ctrl+X).

Clear Application Cache

Apply configuration changes by clearing rConfig cache:

cd /var/www/html/rconfig8/current
php artisan rconfig:clear-all

Verification: SIE is now enabled. Scripts specified in device commands will execute during backup operations.

Caution

Security Reminder: Enabling SIE allows server-side script execution. Ensure only trusted scripts are deployed and maintain strict access controls on the scripts directory.

---

Step 2: Deploy Expect Script

Create the Script File

Navigate to the scripts directory and create the Expect script:

cd /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
sudo nano alteon_cdump_test_script.exp

Expect Script Content

Paste the following Expect script (customize for your Alteon device specifics):

#!/usr/bin/expect -f

# Radware Alteon Configuration Dump Script
# Purpose: Connect to Alteon load balancer and retrieve configuration
# Usage: ./alteon_cdump_test_script.exp <device_ip> <username> <password>

# Capture command line arguments
set device_ip [lindex $argv 0]
set username [lindex $argv 1]
set password [lindex $argv 2]

# Set timeout for expect commands (30 seconds)
set timeout 30

# Initiate SSH connection to Alteon device
spawn ssh -o StrictHostKeyChecking=no $username@$device_ip

# Expect password prompt and send password
expect {
    "password:" {
        send "$password\r"
    }
    timeout {
        puts "Error: Connection timeout waiting for password prompt"
        exit 1
    }
    eof {
        puts "Error: Connection closed unexpectedly"
        exit 1
    }
}

# Wait for command prompt (customize based on your Alteon prompt)
expect {
    ">>  Main# " {
        # Successfully logged in
    }
    timeout {
        puts "Error: Timeout waiting for command prompt"
        exit 1
    }
}

# Navigate to configuration menu
send "/cfg\r"

expect {
    ">>  Configuration# " {
        # Successfully entered config mode
    }
    timeout {
        puts "Error: Failed to enter configuration mode"
        exit 1
    }
}

# Execute configuration dump command
send "dump\r"

# Capture configuration output
# Wait for command completion and prompt return
expect {
    ">>  Configuration# " {
        # Dump completed
    }
    timeout {
        puts "Error: Configuration dump timeout"
        exit 1
    }
}

# Exit configuration mode
send "apply\r"
expect ">>  Configuration# "

send "../\r"
expect ">>  Main# "

# Logout from device
send "exit\r"
expect eof

# Exit successfully
exit 0

Save and Set Permissions

Save the file (Ctrl+O, Enter, Ctrl+X) and set execute permissions:

sudo chmod 755 /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp
sudo chown www-data:www-data /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp

Test Script Manually

Before rConfig integration, test the script directly with real device credentials:

/usr/bin/expect /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp 192.168.1.100 admin password123

Expected Output: Alteon configuration data printed to terminal

Success Indicators:

• Script connects to device
• Authentication succeeds
• Configuration dump executes
• Output captured and displayed
• Script exits with code 0

Troubleshooting: If script fails, review error messages, verify device accessibility, confirm credentials, and adjust expect patterns to match your Alteon’s actual CLI prompts.

---

Step 3: Create Connection Template

SIE-enabled devices require a connection template specifying “script” as the protocol.

Access Device Templates

In rConfig UI, navigate to: Devices → Device Templates

Create New Template

Click Add New Template and configure:

Template Content:

# rConfig connection template - DO NOT EDIT DIRECTLY
## Notes:
## Remember to update permissions for the templates folder after uploading new template files.
## Run 'chown -R www-data:www-data /var/www/html/rconfig8' on your rconfig server CLI
## All items below that contain free text should be contained within quotation marks " "
## For new community submitted templates visit: https://github.com/rconfig/rConfig-templates

main:
  name: "alteon_script_template"
  desc: "Radware Alteon with Expect script integration"

connect:
  timeout: 30
  idleTimeout: 30
  protocol: script

Template Parameters:

name: Unique identifier for the template (used in device configuration)

desc: Human-readable description

timeout: Maximum time (seconds) for script execution before timeout

• Set based on expected script runtime
• Alteon config dump typically completes in 10-20 seconds
• 30 seconds provides buffer for network latency

idleTimeout: Maximum idle time during script execution

• Prevents hanging on unexpected device responses
• Set equal to or slightly less than timeout

protocol: script: Critical - Instructs rConfig to execute script instead of SSH/Telnet connection

Save Template

Click Save to store the template. Template is now available for device assignment.

---

Step 4: Configure Command

Commands define how rConfig invokes scripts with proper parameters.

Access Commands Section

Navigate to: Devices → Commands

Create New Command

Click Add New Command or edit existing category:

Command Configuration:

Command Text:

/usr/bin/expect {script_path}alteon_cdump_test_script.exp {device_ip} {device_username} {device_password}

Alternative Filename (recommended): alteon_config

• Simplifies configuration filenames in rConfig storage
• Without alternative name, filename becomes lengthy command string
• Alternative name used as base for stored config files

Command Breakdown

/usr/bin/expect: Full path to Expect interpreter binary

• Located via which expect command
• Must be absolute path, not relative

{script_path}alteon_cdump_test_script.exp: Script filename prefaced with {script_path} variable

• {script_path} expands to: /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
• Combined with script name forms full path to script file

{device_ip}: Replaced with device IP address from rConfig device record

• Passed as first argument to Expect script
• Script uses to establish SSH connection

{device_username}: Replaced with device username credential

• Passed as second argument
• Script uses for authentication

{device_password}: Replaced with device password credential

• Passed as third argument
• Script uses for authentication

Note: {device_enable_password} not used in this example as Alteon doesn’t require enable mode

Parameter Order

Parameters can appear in any order—script determines usage based on argument position. This example uses: IP, username, password (matching Expect script’s argument handling).

Save Command

Save command to category. Ensure category is noted for device assignment.

Video Tutorial: Command Configuration

Demonstration of creating script-based command with proper parameter substitution

---

Step 5: Configure Device

With template and command created, configure the Alteon device to use script-based backup.

Access Device Configuration

Navigate to: Devices → Device List

Find the Alteon device or create a new device entry.

Device Settings

Configure the following device parameters:

Basic Information:

• Device Name: Descriptive name (e.g., “alteon-lb-01”)
• IP Address: Alteon management IP (e.g., 192.168.1.100)
• Device Type: Select or create “Load Balancer” or “Alteon” type

Connection Settings:

• Connection Template: Select “alteon_script_template” (created in Step 3)
• Command Category: Select category containing the Expect script command (from Step 4)

Credentials:

• Username: Device CLI username
• Password: Device CLI password
• Enable Password: Leave blank (not used for Alteon)

Save Device Configuration

Click Save to store device settings. Device is now configured for script-based backup.

---

Step 6: Test Execution

Verify script integration works correctly using rConfig’s debug feature.

Access Device Debug

From the device page, click Debug or Test Connection button.

Execute Debug Command

Debug mode executes the configured command and displays results in real-time:

Debug Output Displays:

1. Command Executed: Full command with substituted parameters

   /usr/bin/expect /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp 192.168.1.100 admin password123

2. Script Output: Captured stdout containing Alteon configuration

3. Execution Status: Success or failure indication

4. Execution Time: Duration of script execution

5. Exit Code: Script exit status (0 = success)

Verify Success

Success Indicators:

• Exit code: 0
• Status: Success/Completed
• Output: Valid Alteon configuration data
• No error messages in output

Configuration Captured: If debug succeeds, configuration is stored in device history and available for:

• Viewing in device configuration tab
• Diff comparison with previous versions
• Compliance checking
• Search indexing

Troubleshooting Failed Execution

Common Issues and Resolutions:

Script Not Found:

Error: /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp: No such file or directory

Resolution: Verify script exists in scripts directory, check filename spelling in command.

Permission Denied:

Error: Permission denied

Resolution: Set execute permissions on script:

chmod 755 /var/www/html/rconfig8/current/storage/app/rconfig/scripts/alteon_cdump_test_script.exp

Authentication Failure:

Error: Login incorrect or permission denied

Resolution: Verify device credentials in rConfig device settings, test credentials manually via SSH.

Timeout:

Error: Script execution timeout

Resolution: Increase timeout in connection template, optimize script for faster execution, check network connectivity to device.

Expect Pattern Mismatch:

Error: Timeout waiting for command prompt

Resolution: Adjust expect patterns in script to match actual Alteon CLI prompts. Use interactive SSH session to observe exact prompt format.

Video Tutorial: Debug and Troubleshooting

Step-by-step debug process and common troubleshooting scenarios

---

Step 7: Schedule Automated Backups

Once debug confirms script works correctly, enable automated backups.

Backup Scheduling

Scripts execute during scheduled backup jobs just like standard SSH/Telnet backups:

Via Device Groups:

1. Add Alteon device to appropriate device group
2. Configure backup schedule for group
3. Script executes automatically per schedule

Via Global Schedule:

1. Ensure device included in backup scope (not excluded)
2. Global backup schedule triggers script execution
3. Configuration captured and versioned automatically

Monitoring Script Backups

Backup History: View backup success/failure in device backup history:

• Navigate to device page
• Review backup log for script execution results
• Check for consistent successful backups or recurring failures

Notifications: Configure email or webhook notifications for backup failures:

• Settings → Notifications
• Create alert for backup failures
• Receive notifications when script backups fail

Logs: Review detailed execution logs:

tail -f /var/www/html/rconfig8/current/storage/logs/laravel.log | grep -i script

---

Advanced Script Techniques

Error Handling Enhancement

Improve script robustness with comprehensive error handling:

#!/usr/bin/expect -f

# Enhanced error handling version
set device_ip [lindex $argv 0]
set username [lindex $argv 1]
set password [lindex $argv 2]

# Validate arguments
if {$device_ip == "" || $username == "" || $password == ""} {
    puts "Error: Missing required arguments"
    puts "Usage: $argv0 <device_ip> <username> <password>"
    exit 1
}

# Enhanced timeout handling
set timeout 30
log_user 0  # Suppress script interaction output

spawn ssh -o StrictHostKeyChecking=no -o ConnectTimeout=10 $username@$device_ip

expect {
    "password:" {
        send "$password\r"
    }
    "No route to host" {
        puts "Error: Device unreachable - check network connectivity"
        exit 1
    }
    "Connection refused" {
        puts "Error: SSH connection refused - verify SSH enabled on device"
        exit 1
    }
    timeout {
        puts "Error: Connection timeout - device not responding"
        exit 1
    }
}

# Additional authentication error handling
expect {
    ">>  Main# " {
        # Login successful
    }
    "Permission denied" {
        puts "Error: Authentication failed - check credentials"
        exit 1
    }
    "Access denied" {
        puts "Error: Access denied - user may lack permissions"
        exit 1
    }
    timeout {
        puts "Error: Login timeout - authentication may have failed"
        exit 1
    }
}

# Continue with configuration dump...

Output Formatting

Format script output for improved readability in rConfig:

# Add header to configuration output
puts "# Radware Alteon Configuration Backup"
puts "# Device: $device_ip"
puts "# Date: [clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}]"
puts "#"
puts ""

# Execute dump and capture output
send "dump\r"

# Wait for and capture configuration
expect {
    -re "(.*)\r\n>>  Configuration# " {
        set config_output $expect_out(1,string)
        puts $config_output
    }
}

# Add footer
puts ""
puts "# End of Configuration"

Logging for Audit

Implement audit logging separate from rConfig output:

# Log to separate audit file
set logfile "/var/log/rconfig/alteon_script_audit.log"
set timestamp [clock format [clock seconds] -format {%Y-%m-%d %H:%M:%S}]

# Append to audit log (not captured by rConfig)
if {[catch {open $logfile a} logfd]} {
    # Log file open failed, continue without logging
} else {
    puts $logfd "$timestamp - Device: $device_ip - User: $username - Status: Starting backup"
    close $logfd
}

# Script execution...

# Log completion
if {[catch {open $logfile a} logfd]} {
    # Silently fail if can't log
} else {
    puts $logfd "$timestamp - Device: $device_ip - Status: Backup completed successfully"
    close $logfd
}

---

Script Optimization

Performance Improvements

Reduce Timeout Overhead: Set aggressive but safe timeouts:

# Use shorter timeouts for fast networks
set timeout 15  # Instead of 30

# But increase for specific slow operations
expect {
    ">>  Configuration# " {
        # Dump may take longer
        set timeout 45
        send "dump\r"
    }
}

Minimize Output: Suppress unnecessary device output:

# Disable pagination/prompts on device
send "terminal length 0\r"
expect ">>  Main# "

# Suppress expect's own output
log_user 0

Parallel Execution: For multiple Alteon devices, rConfig handles parallelization. Ensure scripts don’t create resource contention:

# Avoid writing to shared files
# Use unique temp files if needed:
set tempfile "/tmp/alteon_$device_ip_[clock seconds].tmp"

Maintainability

Parameterize Device-Specific Values:

# Define device-specific prompts as variables
set main_prompt ">>  Main# "
set config_prompt ">>  Configuration# "

# Use variables in expect statements
expect $main_prompt
send "/cfg\r"
expect $config_prompt

Modular Functions: For complex scripts, use procedures:

proc login {device_ip username password} {
    spawn ssh -o StrictHostKeyChecking=no $username@$device_ip
    expect "password:"
    send "$password\r"
    expect ">>  Main# "
    return 0
}

proc dump_config {} {
    send "/cfg\r"
    expect ">>  Configuration# "
    send "dump\r"
    expect -re "(.*)\r\n>>  Configuration# " {
        puts $expect_out(1,string)
    }
    return 0
}

# Main execution
login $device_ip $username $password
dump_config

---

Alternative Script Languages

While this example uses Expect, SIE supports any scripting language. Consider alternatives based on requirements:

Python for API-Based Devices

If Alteon supported REST API instead of CLI:

#!/usr/bin/env python3
import sys
import requests
from requests.auth import HTTPBasicAuth

# Get parameters from rConfig
device_ip = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

# API endpoint
url = f"https://{device_ip}/api/config/export"

try:
    # Call API with authentication
    response = requests.get(
        url,
        auth=HTTPBasicAuth(username, password),
        verify=False,  # Disable SSL verification for self-signed certs
        timeout=30
    )

    if response.status_code == 200:
        # Output configuration to stdout for rConfig capture
        print(response.text)
        sys.exit(0)
    else:
        print(f"Error: API returned status {response.status_code}")
        sys.exit(1)

except Exception as e:
    print(f"Error: {str(e)}")
    sys.exit(1)

Command in rConfig:

/usr/bin/python3 {script_path}alteon_api_backup.py {device_ip} {device_username} {device_password}

Bash for Simple CLI Automation

For devices with straightforward CLI:

#!/bin/bash

# Get parameters
DEVICE_IP=$1
USERNAME=$2
PASSWORD=$3

# Use sshpass for non-interactive SSH (install: apt-get install sshpass)
sshpass -p "$PASSWORD" ssh -o StrictHostKeyChecking=no "$USERNAME@$DEVICE_IP" << 'EOF'
terminal length 0
show running-config
exit
EOF

# Exit with SSH command's exit code
exit $?

Command in rConfig:

/bin/bash {script_path}simple_backup.sh {device_ip} {device_username} {device_password}

---

Community Resources

Example Scripts Repository

rConfig maintains a collection of community-contributed SIE scripts:

GitHub Repository: https://github.com/rconfig/rConfig-templates

Available Examples:

• Radware Alteon (this example)
• F5 BIG-IP iControl API
• Cisco Wireless LAN Controllers
• Palo Alto Panorama API
• Various OT/IoT devices

Directory Structure:

SIE-examples/
├── expect/
│   ├── alteon_cdump_test_script.exp
│   ├── cisco_wlc_backup.exp
│   └── README.md
├── python/
│   ├── f5_bigip_api.py
│   ├── palo_panorama.py
│   └── README.md
└── bash/
    ├── simple_cli_backup.sh
    └── README.md

Contributing Your Scripts

Share working scripts with the community:

1. Test Thoroughly: Ensure script works reliably in your environment
2. Generalize: Remove site-specific hardcoded values
3. Document: Include comments explaining logic and requirements
4. Submit: Create pull request to rConfig-templates repository

Contribution Benefits:

• Help other rConfig users with similar devices
• Receive community feedback and improvements
• Build reputation in rConfig ecosystem

---

Troubleshooting Reference

Common Expect Issues

Issue: Script hangs indefinitely

Causes:

• Expect pattern doesn’t match actual device output
• Device prompt changed or includes variable content (timestamps, etc.)

Resolution:

• Log into device manually, note exact prompt format
• Update expect patterns to match observed prompts
• Use regex patterns for variable prompt components:

  expect -re ">>.*Main# "  # Matches prompt with variable content

Issue: Authentication succeeds but commands fail

Causes:

• User lacks privileges for configuration commands
• Device in restricted mode

Resolution:

• Verify user has admin/config access
• Add privilege escalation to script if needed
• Check device logs for permission denials

Issue: Partial configuration captured

Causes:

• Timeout too short for full config dump
• Pagination/paging enabled on device

Resolution:

• Increase timeout values in script and template
• Disable paging: send "terminal length 0\r"
• Adjust expect patterns to handle multi-page output

Debugging Techniques

Enable Expect Debugging:

# Add at start of script
exp_internal 1  # Shows expect's internal operations
log_user 1      # Shows all interaction (default)

Capture Interaction to File:

# Log all interaction for review
log_file /tmp/expect_debug.log

Test Script Components Independently:

# Comment out later sections, test connection only:
spawn ssh $username@$device_ip
expect "password:"
send "$password\r"
expect ">>  Main# "
puts "Login successful"
exit 0

---

Security Best Practices

Credential Protection

Never Log Passwords: Ensure scripts don’t expose credentials:

# Disable output when sending password
log_user 0
send "$password\r"
log_user 1  # Re-enable after authentication

Secure Script Storage:

# Restrict script directory permissions
chmod 750 /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
chown www-data:www-data /var/www/html/rconfig8/current/storage/app/rconfig/scripts/

# Individual script permissions
chmod 750 alteon_cdump_test_script.exp

Audit Script Execution:

# Monitor script execution logs
tail -f /var/www/html/rconfig8/current/storage/logs/laravel.log | grep script

# Review for unauthorized executions or failures

Input Validation

Always validate parameters received from rConfig:

# Validate IP address format
if {![regexp {^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$} $device_ip]} {
    puts "Error: Invalid IP address format"
    exit 1
}

# Sanitize inputs (prevent injection)
regsub -all {[^a-zA-Z0-9._-]} $username "" username

---

Related Documentation

• SIE Overview - Script Integration Engine concepts and architecture
• Device Templates - Creating and managing connection templates
• Commands Configuration - Setting up device command categories
• Configuration Backup Implementation - Understanding backup workflows

---

Quick Reference

Implementation Checklist

• SIE enabled in .env file
• Expect installed and binary path identified
• Script deployed to /var/www/html/rconfig8/current/storage/app/rconfig/scripts/
• Script permissions set (chmod 755)
• Script tested manually with device credentials
• Connection template created with protocol: script
• Command configured with script invocation and parameters
• Device configured with script template and credentials
• Debug execution successful
• Automated backup scheduled and verified

File Locations

Script Directory:

/var/www/html/rconfig8/current/storage/app/rconfig/scripts/

Environment File:

/var/www/html/rconfig8/current/.env

Expect Binary:

/usr/bin/expect

Command Template

/usr/bin/expect {script_path}script_name.exp {device_ip} {device_username} {device_password}

Connection Template

main:
  name: "device_script_template"
  desc: "Script-based connection"

connect:
  timeout: 30
  idleTimeout: 30
  protocol: script

Expect Script Structure

#!/usr/bin/expect -f

set device_ip [lindex $argv 0]
set username [lindex $argv 1]
set password [lindex $argv 2]

set timeout 30

spawn ssh -o StrictHostKeyChecking=no $username@$device_ip

expect "password:"
send "$password\r"

expect "prompt# "
send "config_dump_command\r"

expect "prompt# "
send "exit\r"

expect eof
exit 0

---

Summary

This Radware Alteon example demonstrates complete SIE implementation from enablement through production deployment. The workflow—enable SIE, deploy script, create template, configure command, assign to device, test—applies to any device type requiring custom script integration.

Key Takeaways:

• Expect excels at automating interactive CLI sessions
• Parameter substitution provides flexibility without hardcoding device details
• Debug mode enables rapid testing and troubleshooting
• Scripts integrate seamlessly with rConfig’s backup and diff features
• Community repository provides ready-made examples for common devices

For devices with different requirements (APIs, complex workflows, proprietary protocols), adapt this pattern using appropriate scripting languages and techniques while following the same integration workflow.