Checking aaa configuration using LMS Baseline Compliance Checks

Hi, I'm trying to set up a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over multiple lines and some have them in single lines, as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
  aaa accounting exec default
  action-type start-stop
  group tacacs+
  aaa accounting commands 0 default
  action-type start-stop
  group tacacs+
  aaa accounting commands 15 default
  action-type start-stop
  group tacacs+
  aaa accounting connection default
  action-type start-stop
  group tacacs+
OR
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+

Compliance check uses the same devices as everything else in RME.  However, you need to make sure your template is configured to match the specific device types that you want to check.  When you define your baseline template, you must choose one or more device types.  Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).
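The "or" problem in the question is really a normalisation problem: both syntaxes express the same accounting policy, so a checker can fold the multi-line submode form into the single-line form and compare against one baseline. The script below is an added example, not part of the thread or of LMS; the sample configs are constructed, and it assumes normal IOS indentation (submode lines indented deeper than their parent line), which the flattened paste in the question does not show.

```python
import re

# Constructed sample configs (not from the thread), one per syntax shown in the question.
# Assumes normal IOS indentation: submode lines are indented deeper than their parent.
MULTILINE_CONFIG = """\
aaa accounting exec default
 action-type start-stop
 group tacacs+
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
aaa accounting connection default
 action-type start-stop
 group tacacs+
"""
SINGLELINE_CONFIG = """\
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
"""
# The baseline, written once in the canonical single-line form.
REQUIRED = {
    "aaa accounting exec default start-stop group tacacs+",
    "aaa accounting commands 0 default start-stop group tacacs+",
    "aaa accounting commands 15 default start-stop group tacacs+",
    "aaa accounting connection default start-stop group tacacs+",
}


def parse_blocks(config):
    """Group an IOS config into (parent line, [submode lines]) pairs by indentation."""
    blocks, parent_indent = [], 0
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if blocks and indent > parent_indent:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
            parent_indent = indent
    return blocks


def canonical_accounting(config):
    """Fold every 'aaa accounting' stanza into single-line form, whichever way it was written."""
    result = set()
    for parent, children in parse_blocks(config):
        if not parent.startswith("aaa accounting "):
            continue
        if not children:                       # already the single-line form
            result.add(re.sub(r"\s+", " ", parent))
            continue
        action = group = None                  # multi-line submode form
        for child in children:
            m = re.match(r"action-type (\S+)$", child)
            if m:
                action = m.group(1)
            m = re.match(r"group (\S+)$", child)
            if m:
                group = m.group(1)
        if action and group:
            result.add(f"{parent} {action} group {group}")
    return result


def check_compliance(config, required=REQUIRED):
    """Return the required accounting lines the device lacks (empty list means compliant)."""
    return sorted(required - canonical_accounting(config))
```

Both sample configs come back fully compliant; drop or alter one stanza and the missing canonical line is reported, which is the behaviour a single baseline rule cannot give when the two syntaxes are matched literally.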

Similar Messages

  • LMS 4.2.3 baseline compliance template and standard ACL

    When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
    I configured a template with these commands:
    +ip access-list standard 21
    +; Hosts allowed access
    +  permit host 10.20.30.40
    +  permit host 40.30.20.10
    +  deny any log
    When I do a compliance check and deployment, the last line is dropped by LMS.
    In fact, when I look into the job's "Work Order", the commands are:
    ip access-list standard 21
    ; Hosts allowed access
      permit host 10.20.30.40
      permit host 40.30.20.10
    After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
    Is this a bug?

    Doesn't have any issues on my Lab 4.2.4. Following is the Job Work Order:
    Name:
    Archive Mgmt Job Work Order
    Summary:
    General Info
    JobId: 2704
    Owner: admin
    Description: test_acl
    Schedule Type: Immediate
    Job Type: Compliance Check
    Baseline Template Name: test_acl
    Attachment Option: Disabled
    Report Type: NA
    Job Policies
    ----------------------------------------------------------------------------------------------
    E-mail Notification: Not Applicable
    Job Based Password: Disabled
    Device Details
    Device
    Commands
    Sup_2T_6500
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    10.104.149.180
      ip access-list standard 21
      permit host 10.20.30.40
      permit host 40.30.20.10
      deny any log
    Check your template, or export it and share it; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
    -Thanks
    Vinod
    **Rating encourages contributors, and it's really free.**

  • Baseline Compliance Check Loopback0

    I'm working on a Baseline Template for compliance.  One of the interfaces that we use across all our routers is Loopback 1.  I want to use a baseline template to check if Loopback 0 exists and then if it exists, I want to check certain lines in its interface config.  Here is how I have my Template configured:
    Prerequisite Command Set - checkLoopback
    +interface Loopback1
    Subordinate Command Set - checkLoopbackConfig
    +description Network Management Interface
    +ip address [#172\.16\..*\..*#] [255.255.255.0]
    Basically I want to confirm that Loopback 1 exists and then check that the standard description has been used and that the IP Address is within a certain range.
    Whether the interface is configured or not, when I run the compliance check it reports that the device is compliant. I've also tried "-interface Loopback1" in the Prerequisite Command Set and the result still reports the device is compliant.
    How can I accomplish my goal of checking that the interface exists first then check the config of the interface?
    Thanks for the help.

    You can use commandsets. The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.
    The features of the commandsets are:
    • If the commands in a commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.
    • Commandsets can have one or more child commandsets.
    • Child commandsets inherit the parent's sub-mode command.
    You can define commandsets that have to be checked before running the actual commands.
    The features of the prerequisite commandsets are:
    • A commandset can have another commandset as its prerequisite.
    • A prerequisite commandset is used only for comparison and is not deployed onto the device.
    • A commandset is compared with the config only if its prerequisite condition is satisfied.
    LMS evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.
    For example, assume that you have defined two commandsets, commandset1 and commandset2:
    • Commandset defined as Prerequisite
    - commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
    - If commandset1 does not contain a submode and is not present on a device, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
    - If commandset1 contains a submode and is not present in the applicable submodes, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
    • Commandset defined as Parent
    - commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
    - If either of these commandsets is missing, the template is considered non-compliant.
    -Joe

  • Using SCCM 2012 Compliance to check if a GPO applied

    Is it possible to use the SCCM 2012 Compliance feature to check whether AD GPO settings have been applied to a Device / User collection or not?
    If Yes, then how?

    You can do this with SCM (Security Compliance Manager), download here:
    http://www.microsoft.com/en-us/download/details.aspx?id=16776
    Import your GPOs to SCM; some guidelines here:
    http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1
    Export your GPO from SCM to DCM format; guides here:
    http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx
    Import your DCM to SCCM and off you go.

  • How to install/Configure/Use VT Hash Check to detect Malware/Unwanted programs in Windows?

    This is just to share the post below with Windows users.
    How to install/Configure/Use VT to detect Malware/Unwanted programs in Windows?
    http://www.windowstechinfo.com/2014/03/how-to-installconfigureuse-vt-to-detect_29.html
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

    That is interesting. Normally a bootmgr error message means that the boot loader is corrupt and the hard disk is not "dead". Replacing the hard drive is a quickie shotgun method of resolving the issue.
    Did you give up on the SSD?
    The desktop (w/ ASUS Crossfire V Formula-Z mobo) I am using to type this has the same SSD that you asked about. I used the method I described in the earlier post to clone the OS to the SSD. The SSD is the boot drive.
    ****Please click on Accept As Solution if a suggestion solves your problem. It helps others facing the same problem to find a solution easily****
    2015 Microsoft MVP - Windows Experience Consumer

  • Configuring IPSLA using LMS 4.0

    Dear all,
    It's me again...
    I have tried to configure IPSLA using LMS and I'm quite surprised that even if the collectors are running:
    and my target has received the IPSLA responder commands, no commands have been received on my source router, so my stats are empty. I have no error messages while configuring the IPSLA.
    Any ideas? Where can I find some logs?
    regards,
    vincent

    I'm not sure what you mean by "no commands have been received on my source router."  If you mean that you don't see any IP SLA configuration on the source, then this is expected.  By default the IP SLA configuration pushed by LMS does not appear in the running config.  This can be changed by checking the "Copy IPSLA Configuration to running-config" box under Admin > Collection Settings > Performance > IPSLA application settings.  You will then need to reconfigure your collector in LMS.
    That said, you don't need to do this.  LMS will maintain the IP SLA configuration via SNMP without it needing to show up in the running config.

  • Using LMS to extract VRF name as a variable from device config to deploy VRF name in additional configuration

    Using LMS, is there a way to run a job which would extract the VRF name from part of the configuration and then use it as a variable to deploy additional configuration using the VRF name? We have a number of management VRFs and need to deploy a mass configuration change on a number of devices.
    aaa group server tacacs+ blah
    server x.x.x.x
    server x.x.x.x
    ip vrf forwarding test

    I am working for a service provider and I was given a task to configure more than 50000 devices (!). First I started with VBS and some scriptable terminal application, but it was too complicated to handle that much data. I then decided to develop my own application dedicated to device mass-configuration. As I understand your question, you may also find it useful: http://www.prettygoodterminal.com
    BR 

  • How to Backup configuration using tftp/ftp in Prime LMS?

    Hi
    How can I back up ASA/PIX configuration using tftp/ftp in Prime LMS 4.2.2?
    I discovered those devices and can manage them in LMS, but in the config file backup the passwords are encrypted;
    that's why I want to back them up with tftp/ftp.
    thanks

    Wrong service names are set in tnsnames.ora

  • AAA Authorization Using Local Database

    Hi Guys,
    I'm planning to use AAA authorization using the local database. I have already read about it, I have configured the aaa new-model command and I have set up users already. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help on this.
    FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.

    For allowing limited read-only access, use this example.
    We need these commands on the switch:
    Switch(config)#do sh run | in priv
    username admin privilege 15 password 0 cisco123!
    username test privilege 0 password 0 cisco
    privilege exec level 0 show ip interface brief
    privilege exec level 0 show ip interface
    privilege exec level 0 show interface
    privilege exec level 0 show switch
    No need for the user to log in to enable mode. All priv 0 commands are now there in user mode. See below:
    User Access Verification
    Username: test
    Password:
    Switch>show ?
    diagnostic Show command for diagnostic
    flash1: display information about flash1: file system
    flash: display information about flash: file system
    interfaces Interface status and configuration
    ip IP information
    switch show information about the stack ring
    Switch>show switch
    Switch/Stack Mac Address : 0015.f9c1.ca80
    H/W Current
    Switch# Role Mac Address Priority Version State
    *1 Master 0015.f9c1.ca80 1 0 Ready
    Switch>show run
    ^
    % Invalid input detected at '^' marker.
    Switch>show aaa server
    ^
    % Invalid input detected at '^' marker.
    Switch>show inter
    Switch>show interfaces
    Vlan1 is up, line protocol is up
    Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
    Internet address is 192.168.26.3/24
    MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
    reliability 255/255, txload 1/255, rxload 1/255
    Switch>
    Please check this link,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Using RME baseline templates to find non-compliant SNMP strings

    Running LMS 3.2.1
    A. Can I run a compliance check using an RME baseline template to find devices which have non-standard SNMP strings IN ADDITION to the correct one?
    What will the regular expression look like if we want to say:
    + snmp-server community cisco123 ro
    + snmp-server community cisco456 rw 1
    - snmp-server community [anything else] ro
    - snmp-server community [anything else] rw [#.*#]
    B. Is it possible to run a clean up job on the violating devices by using DEPLOY (or NetConfig, etc.)?

    - [#snmp-server community (?!cisco123|cisco456).*#]
    + snmp-server community cisco123 RO
    + snmp-server community cisco456 RW
      From the compliance job result GUI, you can deploy the job directly after verifying the results.  When you deploy this template, it will remove any community that does not match "cisco123" or "cisco456", and then add them if the device does not already have them.
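The reply's negative lookahead is the core of the check, so here it is run against sample config lines. This is an added example, not from the thread or from LMS: the `[#...#]` wrapper in the template is only the regex delimiter, so the inner pattern is what is tested; the sample running-config is constructed, and the stricter pattern with `\b` is an addition that closes a prefix-match gap in the original (without it, a community such as `cisco1234` slips past the lookahead because `cisco123` matches its first eight characters).

```python
import re

# Pattern from the reply: the negative lookahead flags any community that is not one of the
# two approved strings.
REPLY_PATTERN = re.compile(r"snmp-server community (?!cisco123|cisco456).*")
# Hardened variant (added here): \b requires the approved name to end at a word boundary, so a
# prefix such as "cisco1234" is still flagged; the capture group holds the community name.
STRICT_PATTERN = re.compile(r"^snmp-server community (?!(?:cisco123|cisco456)\b)(\S+)")

# Lines the baseline must deploy (the '+' lines in the reply); IOS stores RO/RW in upper case.
REQUIRED = ["snmp-server community cisco123 RO", "snmp-server community cisco456 RW"]

# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
snmp-server community cisco123 RO
snmp-server community public RO
snmp-server community cisco1234 RW
snmp-server community private RW 10
snmp-server location lab
"""


def audit_snmp(config, pattern=STRICT_PATTERN):
    """Return (violations, missing): offending lines and required lines the device lacks."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    violations = [l for l in lines if pattern.match(l)]
    missing = [r for r in REQUIRED if r not in lines]
    return violations, missing


def lookahead_gap(config):
    """Lines the strict pattern flags that the reply's unanchored pattern lets through."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    return [l for l in lines if STRICT_PATTERN.match(l) and not REPLY_PATTERN.match(l)]


def remediation(config):
    """Commands the '-'/'+' template would deploy: remove violators, then add what is missing."""
    violations, missing = audit_snmp(config)
    removes = [f"no snmp-server community {STRICT_PATTERN.match(v).group(1)}" for v in violations]
    return removes + missing
```

The missing-line comparison is exact, so a required entry written with a trailing ACL number (as in the question's `rw 1`) has to be spelled the same way in REQUIRED.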

  • Cisco PIX 525 and 515 cannot archive configuration in LMS 3.0.1

    Hi,
    we have several Cisco PIX 525 and 515 that cannot archive configuration in LMS 3.0.1.
    Any help would be greatly appreciated.
    Thanks in advance
    Samir

    Hi,
    Here is the output.
    *** Device Details for  ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> TFTP,SSH,HTTPS
    Execution Result:
    RUNNING
    CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
    Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
    But when I do Management Station to Device, it gives me the following results:
    Interface Found:  10.192.18.10
    Status:  UP
    Test Results
    UDP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
    TCP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
    HTTP     Failed
          sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
    TFTP     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
    SNMPRv2c(Read)     Okay
         sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
    SNMPWv2c(Write)     Failed
          sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
    SSHv2     Failed
    TELNET     Okay
    Waiting for your reply.
    Samir

  • Configuring using AAE

    I have been going through the following document.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/700058f0-b1a1-2a10-39a8-ab2627b87cfa?quicklink=index&overridelayout=true
    1. I have a JMS to Proxy scenario, async. How do I configure this scenario using Integrated Configuration in 7.11 using AAE to improve the performance of this scenario?
    I know it is not supported by Proxies?
    Please let me know the steps required for the same.
    2. I have a File to Proxy scenario, async. Can I configure the same using an integrated configuration scenario?
    Thanks
    ~N

    Hi
    Please check the following links for AAE with proxy
    ABAP Proxy sender possible in integrated configuration AAE with PI 7.11
    /people/makoto.sugishita/blog/2009/10/23/a-new-feature-in-netweaver-pimessage-protocol-xi-30-in-soap-adapter
    Regards
    Abhijit

  • How to find the configuration that uses the Z message class

    Usually when I do some configuration, it may need to create some message, such as the Validation.
    It raises a message when I run some standard t-code. So when I check some Z message class to find what program uses this message, I cannot find anything. So I assume there might be two situations:
    1. We cannot trace it down when the program didn't write it in this way: MESSAGE E003(ZFI).
    2. This message might be used in some configuration, not in a program.
    So how do we find the configuration that uses this message? Or is there any way to trace all messages?
    Thank you so much for your sincere answer.

    Hi,
    Case 1:  Message is defined correctly with message number & message class.
         Example - Message E003(ZFI).
      Easy to locate the message using whereused list.
    Case 2 :
    There are some FM's like BALW_BAPIRETURN_GET where we pass the message details.
    For example : 
    call function 'BALW_BAPIRETURN_GET'
            exporting
                 type       = p_message-msgty
                 cl         = p_message-msgid
                 number     = p_message-msgno
                 par1       = p_message-msgv1
                 par2       = p_message-msgv2
                 par3       = p_message-msgv3
                 par4       = p_message-msgv4
    *          LOG_NO     = ' '
    *          LOG_MSG_NO = ' '
            importing
                 bapireturn = p_return
            exceptions
                 others     = 1.
    In these cases, we won't be able to track the message number from the where-used list. So, what we do is before calling these FMs we use the statement below,
      IF 1 = 2. message e003(zfi). ENDIF. 
        so that message can be tracked using where used list.
    Case 3: Some messages can be configured in message control (Table T100S). For those
      messages we search for table T100S in the program.
    Regards,
    DPM

  • Launch Configuration using CIO object

    Hi,
    I am trying to launch Configuration using CIO object.
    Please find the code below that I am using.
    ===========START CODE==================
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    System.out.println("------------- Context object created ----------");
    ConfigParameters cp = new ConfigParameters(79160);
    System.out.println("------------- ConfigParameters object created ----------");
    CIO cioObject = new CIO();
    System.out.println("------------- CIO object created ----------");
    Configuration config = cioObject.startConfiguration(cp,context);
    System.out.println("------------- Configuration object created ----------");
    IUserInterface ui = config.getUserInterface();
    System.out.println("------------- UI object created ----------");
    ui.navigateToScreen("Page-1");
    System.out.println("------------- Page navigation ----------");
    =============END CODE==================
    I am getting the following error after the CIO object is created, while trying to start the configuration at cioObject.startConfiguration(cp,context). The hostName, portNumber and dbcFileName are correctly provided.
    ============START LOG ====================
    ------------- Context object created ----------
    ------------- ConfigParameters object created ----------
    ------------- CIO object created ----------
    java.lang.RuntimeException: Null JDBC Connection returned from connection pool.
    Contents of CZWebAppsContext error stack: AOLJ_JAVA_EXCEPTION (MESSAGE=Not able to create new database connection. Cause:java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
    SECURITY-No gateway reconnect
    SYSTEM-ERROR (MESSAGE=Io exception: The Network Adapter could not establish the connection)
         at oracle.apps.cz.common.CZWebAppsContext.getJDBCConnection(CZWebAppsContext.java:116)
         at oracle.apps.cz.dio.DbTransaction.<init>(DbTransaction.java:61)
    ==============END LOG=======================
    Please help me in finding the solution.
    Regards,
    Adarsh

    Adarsh,
    Looks like the parameters passed in the constructor call are not valid ones and hence the database connection is not getting done.
    Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
    Check the above call carefully and its parameters. I guess the dbcFileName might be the reason as other 2 entries are pretty easy to know.
    --Shiv

  • Variant configuration using Bapi

    hi folks,
    I have an issue regarding variant configuration using the BAPI 'BAPI_SALESORDER_CREATEFROMDAT2'.
    Can this BAPI be extended/modified to accept characteristic
    values - based on characteristic values, it should perform variant matching
    - in case variant matching is successful, the BAPI should replace the
    KMAT material with the exact matched variant material.
    - in case the variant matching is unsuccessful, then retain the KMAT
    material in the sales order line item.
    I have done one sample program where I am executing this BAPI by passing all the mandatory values; it's taking everything except the characteristics of the material. Can anyone tell me what the mandatory fields are that we need to pass for variant configuration using this BAPI, or is there any other BAPI which solves my problem?
    Thanks in advance,
    santosh.

    Hi,
    Just debug your SAP BC service in which you are calling the RFC and check if proper values are getting mapped to your input variables of the RFC.
    If that is correct then there won't be much chance of a problem in BC.
    [removed by moderator]
    Regards,
    Siddhesh S.Tawate
    Edited by: Jan Stallkamp on Jul 1, 2008 4:32 PM
