
New Member

LMS 2.6 RME Baseline Compliance

I've been playing around with the baseline compliance within RME on LMS 2.6. First of all, there isn't a lot of decent documentation within the help section IMO. Is there a white paper or some other source of knowledge for these compliance checks?

Second of all, I've come across an interesting query. How do you do a compliance check for a specific TACACS key within the IOS configuration? It's encrypted, so the plain key won't match, and as apparently there are 20 or so different algorithms used to encrypt keys within IOS, there's no way of matching the encrypted text either.

An example would be if I wanted to compliance check a group of 5 devices that should all have the same TACACS key. How is this possible with compliance check or any other part of CiscoWorks?

Hopefully I'm not missing something relatively easy to spot.

Thanks in advance

Nick

6 REPLIES
Cisco Employee

Re: LMS 2.6 RME Baseline Compliance

We are always working on improving the Baseline documentation, but what we have in LMS 2.6 currently is the state of things now.

As for the keys, they should be encrypted using the Cisco symmetric encryption algorithm, so they can be the same on all devices. That means that if you create a baseline template with a current key line (e.g. tacacs-server key 7 0702205E4D1C0A) (this is "marcus" BTW) then that same line can be put on all devices, and you will know that the resulting key on those devices will be "marcus".

New Member

Re: LMS 2.6 RME Baseline Compliance

I see what you mean there, but what if you wanted to check that the config has a "user admin password 7 xxxxx" statement, while the encrypted password is naturally different in each device? This happens with the enable secret password also. What do I do then?

Cisco Employee

Re: LMS 2.6 RME Baseline Compliance

+ user admin password 7 [PASSWORD]

That will match any value for the encrypted password. The text in [] can be anything you want.

New Member

Re: LMS 2.6 RME Baseline Compliance

OK, but if the user ID and password are the same on, say, all devices, yet the encrypted password is different in all device configs (due to service password-encryption), I cannot get a match. Any further suggestions?

New Member

Re: LMS 2.6 RME Baseline Compliance

Ah syntax alert!

Should be

+ username admin password 7 [password]

and that sorted it!

Now I'm having difficulty with getting the banner motd to work, I've tried various permutations but no cigar.

i.e. + banner motd " message " or [message not checked]

Any suggestions on this, or are there a few issues with certain commands?
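To make the two ideas in this thread concrete (the reply that a type 7 key such as tacacs-server key 7 0702205E4D1C0A is a symmetric encoding of "marcus", and the later replies using a "+ username admin password 7 [password]" template with a bracketed wildcard), here is an added Python example. It is not code from the thread or from CiscoWorks/RME: the "+" prefix and "[name]" wildcard semantics are modelled on the template lines quoted above, while the extra step of re-encoding the expected plaintext under each device's own salt is this example's own addition, not an RME feature. All device config lines, hostnames and the "key" wildcard name are constructed for the example.

```python
"""Added example, not code from the thread or from CiscoWorks/RME.

Mirrors the baseline-template idea discussed above: a template line such as
'+ username admin password 7 [password]' must be present, and a bracketed
token is a wildcard.  For wildcards that hold a Cisco type 7 value, the
check goes one step further than a plain wildcard: it re-encodes the
expected plaintext under each device's own salt and compares, so the
tacacs-server key can be verified even when the type 7 strings in the
configs differ from device to device.  All config lines here are constructed.
"""
import re

# Cisco type 7 key stream.  Type 7 is a reversible XOR obfuscation (the
# "symmetric encryption" mentioned in the thread), which is what makes an
# exact compliance comparison possible at all.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
_TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")


def type7_encode(plain: str, salt: int) -> str:
    """Return the type 7 form of *plain* for a two-digit *salt* (0-15 in IOS).

    Output = salt + one hex byte per character, each XORed with the key
    stream starting at offset *salt*.  'marcus' with salt 7 gives
    0702205E4D1C0A, the value quoted in the thread.
    """
    if not 0 <= salt < len(_TYPE7_KEY):
        raise ValueError("salt out of range")
    body = (f"{c ^ _TYPE7_KEY[(salt + i) % len(_TYPE7_KEY)]:02X}"
            for i, c in enumerate(plain.encode("ascii")))
    return f"{salt:02d}" + "".join(body)


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile an RME-style '+ cmd [name]' line into a regex.

    Each whole-token '[name]' wildcard becomes a named group matching one
    non-blank token; everything else must match literally (whitespace runs
    are tolerated).  Multi-word wildcards are not handled in this example.
    """
    body = template.strip()
    if body.startswith("+"):            # '+' = line must be present
        body = body[1:].strip()
    pieces = []
    for tok in body.split():
        m = re.fullmatch(r"\[(\w+)\]", tok)
        pieces.append(rf"(?P<{m.group(1)}>\S+)" if m else re.escape(tok))
    return re.compile(r"^\s*" + r"\s+".join(pieces) + r"\s*$")


def check_config(config: str, template: str, expected_type7: dict) -> tuple:
    """Check one device config against *template*.

    *expected_type7* maps a wildcard name to the plaintext its type 7 value
    must encode.  Returns (line_present, list_of_problems).
    """
    rx = template_to_regex(template)
    for line in config.splitlines():
        m = rx.match(line)
        if not m:
            continue
        problems = []
        for name, plain in expected_type7.items():
            value = m.group(name)
            if not _TYPE7_RE.match(value):
                problems.append(f"{name}: {value!r} is not a type 7 string")
            elif type7_encode(plain, int(value[:2])) != value.upper():
                problems.append(f"{name}: type 7 value {value} does not encode the expected key")
        return True, problems
    return False, ["no line matches template"]


def audit(configs: dict, template: str, expected_type7: dict) -> dict:
    """Run check_config over {device: config_text}; returns {device: result}."""
    return {dev: check_config(cfg, template, expected_type7) for dev, cfg in configs.items()}


# Constructed sample configs: two devices carry the key 'marcus' under
# different salts, one carries a different key, one has no key line at all.
SAMPLE_CONFIGS = {
    "sw1": "hostname sw1\ntacacs-server key 7 0702205E4D1C0A\n",   # 'marcus', salt 07
    "sw2": "hostname sw2\ntacacs-server key 7 12140405111E1F\n",   # 'marcus', salt 12
    "sw3": "hostname sw3\ntacacs-server key 7 0702205E4D060A\n",   # not 'marcus'
    "sw4": "hostname sw4\nno tacacs-server key\n",                 # missing
}
KEY_TEMPLATE = "+ tacacs-server key 7 [key]"

if __name__ == "__main__":
    for dev, (present, problems) in audit(SAMPLE_CONFIGS, KEY_TEMPLATE, {"key": "marcus"}).items():
        status = "OK" if present and not problems else "NON-COMPLIANT"
        print(f"{dev}: {status} {'; '.join(problems)}")
```

Running it flags sw3 (wrong key) and sw4 (line missing) while accepting sw1 and sw2 even though their type 7 strings differ, which is exactly the case the thread runs into once service password-encryption gives each device a different salt. The same approach cannot be used for enable secret (type 5), which is a one-way hash rather than a reversible encoding, so for that line only a wildcard presence check is possible.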

Cisco Employee

Re: LMS 2.6 RME Baseline Compliance

Multi-line commands like banner need special handling. Each newline in the banner needs to be replaced with "". So, if your banner is:

This
is
a
banner

Your template would be:

+ banner motd "Thisisabanner"
