LMS 2.6 RME Baseline Compliance

Unanswered Question
Mar 8th, 2007

I've been playing around with the baseline compliance within RME on LMS 2.6. First of all, there isn't a lot of decent documentation within the help section IMO. Is there a white paper or some other source of knowledge for these compliance checks?

Second of all, I've come across an interesting query. How do you do a compliance check for a specific TACACS key within the IOS configuration? It's encrypted so the plain key won't match, and as apparently there are 20 or so different algorithms used to encrypt keys within IOS, there's no way of matching the encrypted text either.

An example would be if I wanted to compliance check a group of 5 devices that should all have the same TACACS key. How is this possible with compliance check or any other part of CiscoWorks?

Hopefully I'm not missing something relatively easy to spot.

Thanks in advance

Nick

Joe Clarke Thu, 03/08/2007 - 08:37

We are always working on improving the Baseline documentation, but what we have in LMS 2.6 currently is the state of things now.

As for the keys, they should be encrypted using the Cisco symmetric encryption algorithm, so they can be the same on all devices. That means that if you create a baseline template with a current key line (e.g. tacacs-server key 7 0702205E4D1C0A) (this is "marcus" BTW) then that same line can be put on all devices, and you will know that the resulting key on those devices will be "marcus".

tony-jordan Wed, 06/06/2007 - 05:22

I see what you mean there, but what if you wanted to check that the config has a "user admin password 7 xxxxx" statement but the encrypted password is naturally different in each device? This happens with the enable secret password also. What do I do then?

Joe Clarke Wed, 06/06/2007 - 06:05

+ user admin password 7 [PASSWORD]

That will match any value for the encrypted password. The text in [] can be anything you want.

tony-jordan Thu, 06/07/2007 - 00:37

OK, but if the userid and password are the same on, say, all devices yet the encrypted password is different on all device configs (due to service password-encryption), I cannot get a match. Any further suggestions?

tony-jordan Thu, 06/07/2007 - 04:03

Ah syntax alert!

Should be

+ username admin password 7 [password]

and that sorted it!

Now I'm having difficulty with getting the banner motd to work, I've tried various permutations but no cigar.

i.e. + banner motd " message " or [message not checked]

Any suggestions on this, or are there a few issues with certain commands?

Joe Clarke Thu, 06/07/2007 - 06:07

Multi-line commands like banner need special handling. Each newline in the banner needs to be replaced with "". So, if your banner is:

This

is

a

banner

Your template would be:

+ banner motd "Thisisabanner"
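As an added example that is not part of this thread and not LMS/RME code: a small Python checker that implements the template semantics described in the replies above ("+ line" must be present in the config, "[placeholder]" matches anything) and folds multi-line IOS banners into a single line before comparing. The sample configs, the second type-7 string (104D000A0618) and the backslash-n convention for banner newlines are constructed for this example; the escape RME itself expects between banner lines does not survive on this page. Note what the wildcard does and does not verify: "[password]" confirms that a "username admin password 7" line exists on every device, but since the type-7 string for the same password differs from device to device, a wildcard rule is a presence check, not a value check. The only way to assert the value itself is to put the exact encrypted string in the template, as described for the TACACS key.

```python
"""Toy baseline-compliance checker (added example, not LMS/RME code).

Assumed template semantics, modelled on the thread:
  '+ <line>'  the line must be present in the device config
  '[name]'    a placeholder inside a line that matches any text
Multi-line banners are folded to one line with a literal backslash-n
between the original lines (this example's own convention).
"""
import re
from typing import Dict, List, Tuple

# ---- constructed sample data (not taken from the original thread) ----
BASELINE_TEMPLATE = """\
+ service password-encryption
+ username admin password 7 [password]
+ tacacs-server key 7 0702205E4D1C0A
+ banner motd "This\\nis\\na\\nbanner"
"""

DEVICE_CONFIGS: Dict[str, str] = {
    # fully compliant
    "rtr1": "hostname rtr1\nservice password-encryption\n"
            "username admin password 7 0702205E4D1C0A\n"
            "tacacs-server key 7 0702205E4D1C0A\n"
            "banner motd ^C\nThis\nis\na\nbanner\n^C\n",
    # same admin password but a different (constructed) type-7 string;
    # the [password] placeholder makes this device compliant as well
    "rtr2": "hostname rtr2\nservice password-encryption\n"
            "username admin password 7 104D000A0618\n"
            "tacacs-server key 7 0702205E4D1C0A\n"
            "banner motd ^C\nThis\nis\na\nbanner\n^C\n",
    # no password-encryption, no TACACS key, different banner text
    "rtr3": "hostname rtr3\n"
            "username admin password 7 104D000A0618\n"
            "banner motd ^C\nWelcome\n^C\n",
}

# 'banner <type> <delimiter>' where the delimiter is a single char or ^C
BANNER_RE = re.compile(r"^(banner \w+) (\^?\S)(.*)$")
NEWLINE_MARK = "\\n"  # literal backslash-n used when folding banners


def fold_banners(config: str) -> List[str]:
    """Return the config lines with every banner block collapsed to one line."""
    lines = config.splitlines()
    out: List[str] = []
    i = 0
    while i < len(lines):
        m = BANNER_RE.match(lines[i])
        if not m:
            out.append(lines[i].rstrip())
            i += 1
            continue
        prefix, delim, rest = m.groups()
        body: List[str] = []
        if delim in rest:
            # one-line form: banner motd ^CHello^C
            body.append(rest.split(delim, 1)[0])
            i += 1
        else:
            if rest.strip():
                body.append(rest)
            i += 1
            # collect banner text up to the closing delimiter line
            while i < len(lines) and delim not in lines[i]:
                body.append(lines[i])
                i += 1
            if i < len(lines):
                tail = lines[i].split(delim, 1)[0]
                if tail:
                    body.append(tail)
                i += 1
        out.append(f'{prefix} "{NEWLINE_MARK.join(body)}"')
    return out


def compile_rule(rule: str) -> "re.Pattern[str]":
    """Turn a template line into a regex: each [placeholder] becomes '.+',
    everything else is matched literally against one folded config line."""
    parts = re.split(r"(\[[^\]]*\])", rule)
    pattern = "".join(".+" if p.startswith("[") else re.escape(p) for p in parts)
    return re.compile("^" + pattern + "$")


def check_compliance(template: str, config: str) -> List[Tuple[str, bool]]:
    """Evaluate every '+ ' rule of the template against one device config."""
    config_lines = fold_banners(config)
    results: List[Tuple[str, bool]] = []
    for raw in template.splitlines():
        raw = raw.strip()
        if not raw.startswith("+ "):
            continue  # blank lines and non-'+' lines are ignored
        rule = raw[2:].strip()
        rx = compile_rule(rule)
        results.append((rule, any(rx.match(line) for line in config_lines)))
    return results


def non_compliant_devices(template: str, configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each failing device to the rules it misses; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for name, cfg in configs.items():
        missing = [rule for rule, ok in check_compliance(template, cfg) if not ok]
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    for device, missing in non_compliant_devices(BASELINE_TEMPLATE, DEVICE_CONFIGS).items():
        print(f"{device}: missing {missing}")
```

Running it reports only rtr3, which lacks the password-encryption and TACACS lines and carries a different banner; rtr2 passes even though its type-7 string differs from rtr1, which is exactly the behaviour the "[password]" placeholder gives you.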
