03-08-2007 03:04 AM
I've been playing around with the baseline compliance within RME on LMS 2.6. First of all, there isn't a lot of decent documentation within the help section IMO. Is there a white paper or some other source of knowledge for these compliance checks?
Second of all, I've come across an interesting query. How do you do a compliance check for a specific TACACS key within the IOS configuration? It's encrypted so the plain key won't match, and as apparently there are 20 or so different algorithms used to encrypt keys within IOS, there's no way of matching the encrypted text either.
An example would be if I wanted to compliance check a group of 5 devices which should all have the same TACACS key. How is this possible with compliance check or any other part of CiscoWorks?
Hopefully I'm not missing something relatively easy to spot.
Thanks in advance
Nick
03-08-2007 08:37 AM
We are always working on improving the Baseline documentation, but what we have in LMS 2.6 currently is the state of things now.
As for the keys, they should be encrypted using the Cisco symmetric encryption algorithm, so they can be the same on all devices. That means that if you create a baseline template with a current key line (e.g. tacacs-server key 7 0702205E4D1C0A) (this is "marcus" BTW) then that same line can be put on all devices, and you will know that the resulting key on those devices will be "marcus".
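Added example, not part of the original posts: a Python sketch of the five-device key check asked about above, which decodes each device's type 7 `tacacs-server key` line and compares the result with the baseline line from the reply. The device names and every key string except `0702205E4D1C0A` are constructed; a type 7 string starts with a two-digit offset, so the same key can be stored as different strings.

```python
import hmac
import re

# Publicly documented translation string for IOS "type 7" obfuscation.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
KEY_LINE = re.compile(r"^tacacs-server key 7 ([0-9A-Fa-f]+)\s*$", re.M)

def decode_type7(encoded):
    """Decode a type 7 string: 2 decimal digits of offset, then hex bytes."""
    seed = int(encoded[:2])            # ValueError if not decimal
    data = bytes.fromhex(encoded[2:])  # ValueError on odd or invalid hex
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))

def encode_type7(plain, seed):
    """Inverse of decode_type7; used here only to build constructed samples."""
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"

def check_tacacs_keys(configs, baseline_encoded):
    """Map each device to match / mismatch / missing / unparsable.
    The decoded key is compared in memory and never returned or printed."""
    expected = decode_type7(baseline_encoded)
    report = {}
    for device, text in configs.items():
        found = KEY_LINE.search(text)
        if not found:
            report[device] = "missing"
            continue
        try:
            actual = decode_type7(found.group(1))
        except ValueError:
            report[device] = "unparsable"
            continue
        same = hmac.compare_digest(actual, expected)
        report[device] = "match" if same else "mismatch"
    return report

# Constructed sample configs (hypothetical device names).
SAMPLE_CONFIGS = {
    "rtr1": "hostname rtr1\ntacacs-server key 7 0702205E4D1C0A\n",
    "rtr2": "hostname rtr2\ntacacs-server key 7 " + encode_type7(b"marcus", 12) + "\n",
    "rtr3": "hostname rtr3\ntacacs-server key 7 " + encode_type7(b"other-key", 3) + "\n",
    "rtr4": "hostname rtr4\n",
    "rtr5": "hostname rtr5\ntacacs-server key 7 07022\n",
}

if __name__ == "__main__":
    for device, status in check_tacacs_keys(SAMPLE_CONFIGS, "0702205E4D1C0A").items():
        print(device, status)
```

Because type 7 is reversible, any archive of device configs that this check reads needs the same access control as the keys themselves.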
06-06-2007 05:22 AM
I see what you mean there, but what if you wanted to check that the config has a "user admin password 7 xxxxx" statement, but the encrypted password is naturally different in each device? This happens with the enable secret password also. What do I do then?
06-06-2007 06:05 AM
+ user admin password 7 [PASSWORD]
That will match any value for the encrypted password. The text in [] can be anything you want.
06-07-2007 12:37 AM
OK, but if the userid and password are the same on, say, all devices, yet the encrypted password is different on all device configs (due to service password-encryption), I cannot get a match. Any further suggestions?
06-07-2007 04:03 AM
Ah syntax alert!
Should be
+ username admin password 7 [password]
and that sorted it!
Now I'm having difficulty with getting the banner motd to work; I've tried various permutations but no cigar.
i.e. + banner motd " message " or [message not checked]
Any suggestions on this, or are there a few issues with certain commands?
06-07-2007 06:07 AM
Multi-line commands like banner need special handling. Each newline in the banner needs to be replaced with "
This
is
a
banner
Your template would be:
+ banner motd "This