
LMS 2.6 RME Baseline Compliance

nickmaiolo (Level 1)

I've been playing around with the baseline compliance within RME on LMS 2.6. First of all, there isn't a lot of decent documentation within the help section IMO. Is there a white paper or some other source of knowledge for these compliance checks?

Second of all, I've come across an interesting query. How do you do a compliance check for a specific TACACS key within the IOS configuration? It's encrypted so the plain key won't match, and as apparently there are 20 or so different algorithms used to encrypt keys within IOS, there's no way of matching the encrypted text either.

An example would be if I wanted to compliance check a group of 5 devices which should all have the same TACACS key. How is this possible with compliance check or any other part of CiscoWorks?

Hopefully I'm not missing something relatively easy to spot.

Thanks in advance

Nick

6 Replies

Joe Clarke (Cisco Employee)

We are always working on improving the Baseline documentation, but what we have in LMS 2.6 currently is the state of things now.

As for the keys, they should be encrypted using the Cisco symmetric encryption algorithm, so they can be the same on all devices. That means that if you create a baseline template with a current key line (e.g. tacacs-server key 7 0702205E4D1C0A) (this is "marcus" BTW) then that same line can be put on all devices, and you will know that the resulting key on those devices will be "marcus".

I see what you mean there, but what if you wanted to check that the config has a "user admin password 7 xxxxx" statement but the encrypted password is naturally different in each device? This happens with the enable secret password also. What do I do then?

+ user admin password 7 [PASSWORD]

That will match any value for the encrypted password. The text in [] can be anything you want.

OK, but if the userid and password are the same on, say, all devices yet the encrypted password is different on all device configs (due to service password-encryption), I cannot get a match. Any further suggestions?

Ah, syntax alert!

Should be

+ username admin password 7 [password]

and that sorted it!

Now I'm having difficulty with getting the banner motd to work, I've tried various permutations but no cigar.

i.e. + banner motd " message " or [message not checked]

Any suggestions on this, or are there a few issues with certain commands?

Multi-line commands like banner need special handling. Each newline in the banner needs to be replaced with "". So, if your banner is:

This

is

a

banner

Your template would be:

+ banner motd "Thisisabanner"
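The two matching rules the replies above settle on, a literal line for the TACACS key (type 7 output is deterministic for a given salt index, so the same ciphertext can be pushed to and matched on every device), a [wildcard] token for per-device type 7 strings such as the username password, and the folding of a multi-line banner into a single logical line, worked through as a small Python checker. This is an added example, not RME's code and not anything posted in this thread. The baseline text, the three device configs and every type 7 string in them are constructed for the example; the rule that a [name] wildcard matches exactly one whitespace-free token, and the banner folding (joining the body lines between the IOS delimiters with single spaces), are assumptions, since the exact newline token RME expects did not survive on this page.

```python
import re

# Constructed baseline in the thread's "+ required line" style.
# A "[name]" token is a wildcard; here it is assumed to match exactly one
# whitespace-free token (e.g. a type 7 password string).
BASELINE = """\
+ tacacs-server key 7 0702205E4D1C0A
+ username admin password 7 [password]
+ service password-encryption
+ banner motd "This is a banner"
"""

# Constructed device configs (not real devices). The TACACS key line is
# identical on every device, while each username line carries a different
# type 7 string; rtr-3 has a different key and a different banner.
CONFIGS = {
    "rtr-1": """\
!
service password-encryption
username admin password 7 0822455D0A16
tacacs-server key 7 0702205E4D1C0A
banner motd ^C
This
is
a
banner
^C
!
""",
    "rtr-2": """\
!
service password-encryption
username admin password 7 121A0C041104
tacacs-server key 7 0702205E4D1C0A
banner motd ^C
This
is
a
banner
^C
!
""",
    "rtr-3": """\
!
service password-encryption
username admin password 7 104D000A0618
tacacs-server key 7 14141B180F0B
banner motd ^C
Unauthorized access prohibited
^C
!
""",
}

BANNER_RE = re.compile(r"^banner\s+(\w+)\s+(\S+)\s*$")   # "banner motd ^C"
WILDCARD_RE = re.compile(r"\[[^\]]*\]")                   # "[password]"


def normalize_config(text):
    """Return the config as logical lines: comments dropped, and each
    multi-line banner folded into one line of the form
    banner <type> "<body lines joined with spaces>" (assumed folding rule)."""
    raw = [l.strip() for l in text.splitlines()]
    lines, i = [], 0
    while i < len(raw):
        line = raw[i]
        if not line or line.startswith("!"):
            i += 1
            continue
        m = BANNER_RE.match(line)
        if m:
            kind, delim = m.groups()
            body = []
            i += 1
            while i < len(raw) and raw[i] != delim:   # collect until closing delimiter
                body.append(raw[i])
                i += 1
            i += 1                                     # skip the closing delimiter
            lines.append(f'banner {kind} "{" ".join(body)}"')
            continue
        lines.append(line)
        i += 1
    return lines


def parse_baseline(text):
    """Required lines are those prefixed with '+', with the prefix removed."""
    return [l.strip()[1:].strip() for l in text.splitlines() if l.strip().startswith("+")]


def template_to_regex(line):
    """Literal tokens are escaped, a [wildcard] token becomes \\S+, and the
    tokens are joined by flexible whitespace; the whole line must match."""
    tokens = [r"\S+" if WILDCARD_RE.fullmatch(t) else re.escape(t) for t in line.split()]
    return re.compile(r"^" + r"\s+".join(tokens) + r"$")


def check_compliance(baseline_text, config_text):
    """Return the required baseline lines that no config line matches;
    an empty list means the device is compliant with the baseline."""
    config_lines = normalize_config(config_text)
    return [t for t in parse_baseline(baseline_text)
            if not any(template_to_regex(t).match(c) for c in config_lines)]


def run_report(baseline_text=BASELINE, configs=CONFIGS):
    """Compliance result per device name."""
    return {name: check_compliance(baseline_text, cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for dev, missing in run_report().items():
        print(f"{dev}: {'COMPLIANT' if not missing else 'NON-COMPLIANT'}")
        for t in missing:
            print(f"    missing: + {t}")
```

Running it reports rtr-1 and rtr-2 as compliant (their differing username type 7 strings are absorbed by the [password] wildcard, and their identical TACACS key lines match literally) and rtr-3 as missing both the TACACS key line and the banner line. Feeding it the thread's original "+ user admin password 7 [password]" line reproduces the syntax slip: nothing matches, because "user" is not "username".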
