
Baseline Template range does not work

orsonjoon
Level 1

In the baseline template the following is configured:

+ tacacs-server directed-request

+ tacacs-server host 10.22.2.10

+ tacacs-server host 10.22.102.10

+ tacacs-server host 10.10.10.1

- tacacs-server [#!(10\.22\.2\.10|10\.22\.102\.10|directed-request)#]

You would expect this to result in the + servers being added and server 10.10.10.1 being removed.

However, this is not the case. When I run a compliance check, the only thing it wants to remove is "+ tacacs-server directed-request" and nothing else. Even when I remove the "directed-request" (- tacacs-server [#!(10\.22\.2\.10|10\.22\.102\.10)#]) from the template, it only wants to remove the "-tacacs-server directed-request".

Can someone please help me with this?

Many many thanks!


Joe Clarke
Cisco Employee

This template says that the following lines MUST be in a compliant config:

tacacs-server directed-request

tacacs-server host 10.22.2.10

tacacs-server host 10.22.102.10

tacacs-server host 10.10.10.1

Anything else starting with "tacacs-server" that is not followed by 10.22.2.10, 10.22.102.10, or directed-broadcast will be non-compliant.

It sounds like what you want is:

+ tacacs-server host 10.22.2.10

+ tacacs-server host 10.22.102.10

- tacacs-server [#!(10\.22\.2\.10|10\.22\.102\.10)#]

This would enforce that 10.22.2.10 and 10.22.102.10 must be in the config, but no other tacacs-server lines should be. If you only care about removing tacacs-server directed-request, then you need:

+ tacacs-server host 10.22.2.10

+ tacacs-server host 10.22.102.10

- tacacs-server directed-request

Thanks for your rapid response.

What I want in my config is this:

tacacs-server directed-request

tacacs-server host 10.22.2.10

tacacs-server host 10.22.102.10

Any other tacacs-server command must be removed.

I don't know how but this

+ tacacs-server host 10.22.2.10

+ tacacs-server host 10.22.102.10

- tacacs-server [#!(10\.22\.2\.10|10\.22\.102\.10)#]

results only in the "tacacs-server directed-request" statement being removed, and not "tacacs-server host 10.10.10.1".

Ah, I see. You probably want this then:

+ tacacs-server host 10.22.2.10

+ tacacs-server host 10.22.102.10

- tacacs-server host [#!(10\.22\.2\.10|10\.22\.102\.10)#]

- tacacs-server [#!host#]

Thanks for your patience, but it still doesn't do exactly what I want.

When I run a compliance check, it now wants to remove:

-tacacs-server host 10.10.10.1

-tacacs-server directed-request

I still don't understand why it wants to remove the -tacacs-server directed-request statement; I don't want this to be removed. Any ideas?? Thanks again ;-)

Never mind, found it. This did the trick:

- tacacs-server [#!directed-request#]
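
An independent cross-check of the policy this thread is aiming for, added here as an example and not part of any post or of the compliance tool: it is plain Python, not baseline-template syntax. The sample config and the names `audit_tacacs`, `ALLOWED_HOSTS` and `ALLOWED_OTHER` are constructed for illustration.

```python
import re

# Policy stated in the thread: these two hosts and directed-request must be
# present; every other tacacs-server line should be removed.
ALLOWED_HOSTS = {"10.22.2.10", "10.22.102.10"}
ALLOWED_OTHER = {"directed-request"}

# Constructed sample config (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.22.2.10 timeout 5
tacacs-server  host 10.10.10.1
tacacs-server host 10.22.2.100
tacacs-server directed-request
tacacs-server timeout 10
"""

LINE_RE = re.compile(r"^tacacs-server\s+(\S+)(?:\s+(\S+))?")

def audit_tacacs(config_text):
    """Return (missing, unexpected) for the global tacacs-server lines."""
    seen_hosts, seen_other, unexpected = set(), set(), []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse whitespace differences
        m = LINE_RE.match(line)
        if not m:
            continue  # not a global tacacs-server command
        keyword, arg = m.group(1), m.group(2)
        if keyword == "host" and arg:
            # Compare the whole address token, so 10.22.2.100 is not
            # mistaken for 10.22.2.10 as an unanchored regex would allow.
            if arg in ALLOWED_HOSTS:
                seen_hosts.add(arg)
            else:
                unexpected.append(line)
        elif keyword in ALLOWED_OTHER:
            seen_other.add(keyword)
        else:
            unexpected.append(line)
    missing = [f"tacacs-server host {h}" for h in sorted(ALLOWED_HOSTS - seen_hosts)]
    missing += [f"tacacs-server {k}" for k in sorted(ALLOWED_OTHER - seen_other)]
    return missing, unexpected

if __name__ == "__main__":
    missing, unexpected = audit_tacacs(SAMPLE_CONFIG)
    print("add:", missing)
    print("remove:", unexpected)
```

Running it against a saved running-config gives a second opinion on what the compliance report should list: an unapproved TACACS+ host shows up under "remove" regardless of how the template pattern is written.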
