Checking aaa configuration using LMS Baseline Compliance Checks
Hi, I'm trying to set up a baseline configuration check for our devices that will cover both "types" of aaa accounting commands. Some devices have the commands spread over multiple lines and some have them in single lines as per the examples below. I can't seem to make an "or" check that will cover both types. Can anyone please assist? I am using Ciscoworks 4.2.
aaa accounting exec default
 action-type start-stop
 group tacacs+
aaa accounting commands 0 default
 action-type start-stop
 group tacacs+
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
aaa accounting connection default
 action-type start-stop
 group tacacs+

OR

aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting exec default start-stop group tacacs+
Compliance check uses the same devices as everything else in RME. However, you need to make sure your template is configured to match the specific device types that you want to check. When you define your baseline template, you must choose one or more device types. Make sure you've checked all of the appropriate boxes (e.g. Routers and Switches and Hubs).
Similar Messages
-
LMS 4.2.3 baseline compliance template and standard ACL
When using a baseline compliance template to check and deploy a standard ACL, I encountered what seems to be a bug:
I configured a template with these commands:
+ip access-list standard 21
+; Hosts allowed access
+ permit host 10.20.30.40
+ permit host 40.30.20.10
+ deny any log
When I do compliance check and deployment, the last line is dropped by LMS.
In fact, when I look into the job's "Work Order", the commands are:
ip access-list standard 21
; Hosts allowed access
permit host 10.20.30.40
permit host 40.30.20.10
After the job run, "show running-config" shows the access list matching the "Work Order" (without the "deny any log" command.)
Is this a bug?
Doesn't have any issues on my Lab 4.2.4. Following is the Job Work order:
Name:
Archive Mgmt Job Work Order
Summary:
General Info
JobId: 2704
Owner: admin
Description: test_acl
Schedule Type: Immediate
Job Type: Compliance Check
Baseline Template Name: test_acl
Attachment Option: Disabled
Report Type: NA
Job Policies
----------------------------------------------------------------------------------------------
E-mail Notification: Not Applicable
Job Based Password: Disabled
Device Details
Device
Commands
Sup_2T_6500
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
10.104.149.180
ip access-list standard 21
permit host 10.20.30.40
permit host 40.30.20.10
deny any log
Check your template, or export it and share; I will try it on my LMS server. Also, check the same compliance job on other devices if you have such issues.
-Thanks
Vinod
**Rating encourages contributors, and it's really free.** -
Baseline Compliance Check Loopback0
I'm working on a Baseline Template for compliance. One of the interfaces that we use across all our routers is Loopback 1. I want to use a baseline template to check if Loopback 0 exists and then if it exists, I want to check certain lines in its interface config. Here is how I have my Template configured:
Prerequisite Command Set - checkLoopback
+interface Loopback1
Subordinate Command Set - checkLoopbackConfig
+description Network Management Interface
+ip address [#172\.16\..*\..*#] [255.255.255.0]
Basically I want to confirm that Loopback 1 exists and then check that the standard description has been used and that the IP Address is within a certain range.
Whether the interface is configured or not, when I run the compliance check it reports that the device is compliant. I've also tried "-interface Loopback1" in the Prerequisite Command Set and the result still reports the device is compliant.
How can I accomplish my goal of checking that the interface exists first then check the config of the interface?
Thanks for the help.
You can use commandsets. The commandsets are a set of one or more CLI commands. You can define a commandset while creating a Baseline template in the Advanced mode.
The features of the commandsets are:
•If the commands in commandset are in a submode (ip/interface etc.) a submode command must be specified for such a commandset.
•Commandsets can have one or more child commandsets.
•Child commandsets inherit parent's sub-mode command.
You can define commandsets that have to be checked before running the actual commands.
The features of the prerequisite commandsets are:
•A commandset can have another commandset as its prerequisite.
•A prerequisite commandset is used only for comparison and is not deployed onto the device.
•A commandset is compared with the config only if its prerequisite condition is satisfied.
LMS evaluates the commandsets in different ways depending on whether you have defined the commandset as Parent or Prerequisite.
For example, assume that you have defined two commandsets, commandset1 and commandset2:
•Commandset defined as Prerequisite
- commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
- If commandset1 does not contain submode and is not present in a device, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
- If commandset1 contains submode and is not present in applicable submodes, then commandset2 is not evaluated and the device is displayed in the excluded list in the compliance report.
•Commandset defined as Parent
- commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it evaluates commandset1 first, and commandset2 next.
- If either of these commandsets is missing, the template is considered non-compliant.
-Joe -
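A small evaluator of LMS-style baseline command sets, added here as an example; it is not LMS code and does not reproduce LMS's own matching engine. It serves two threads on this page: the opening question about accepting both the multi-line and single-line renderings of aaa accounting, and the Loopback1 prerequisite question above. It assumes a plain-text IOS running-config, folds the sub-mode form of aaa accounting onto one line before comparing, and applies the prerequisite semantics Joe describes (prerequisite missing: device excluded; prerequisite present: subordinate set compared). The sample config, the command sets and the extra "-shutdown" line are constructed for the example; the "[#172\.16\..*\..*#] [255.255.255.0]" token syntax is the one from the thread.

```python
import re

# Constructed sample running-config (not from a real device). It mixes the two
# aaa accounting forms from the first question with a Loopback1 interface for
# the prerequisite question.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
aaa new-model
aaa accounting exec default
 action-type start-stop
 group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
interface Loopback1
 description Network Management Interface
 ip address 172.16.5.1 255.255.255.0
line vty 0 4
 transport input ssh
"""

# A command set is (sub-mode line or None for global config, [template lines]).
# Template lines use the syntax from the threads: '+' must be present, '-' must
# be absent, [#...#] is a regex token, [value] is a literal default value.
ACCOUNTING_SET = (None, [
    "+aaa accounting exec default start-stop group tacacs+",
    "+aaa accounting commands 15 default start-stop group tacacs+",
])
PREREQ_SET = (None, ["+interface Loopback1"])
LOOPBACK_SET = ("interface Loopback1", [
    "+description Network Management Interface",
    "+ip address [#172\\.16\\..*\\..*#] [255.255.255.0]",
    "-shutdown",   # constructed addition: the loopback must not be shut down
])


def parse_blocks(config_text):
    """Split an IOS-style config into {top-level line: [indented child lines]}."""
    blocks, head = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and head is not None:
            blocks[head].append(raw.strip())
        else:
            head = raw.strip()
            blocks.setdefault(head, [])
    return blocks


def normalize_accounting(blocks):
    """Fold the multi-line form ('action-type start-stop' / 'group tacacs+' under
    'aaa accounting ...') into the single-line form so both compare equal."""
    folded = {}
    for head, children in blocks.items():
        if head.startswith("aaa accounting ") and children:
            parts = [head]
            for child in children:
                m = re.fullmatch(r"action-type (\S+)", child)
                parts.append(m.group(1) if m else child)
            folded[" ".join(parts)] = []
    return folded


def template_to_regex(line):
    """Compile one template line (without its +/- prefix) into an anchored regex."""
    pattern = ""
    for tok in re.split(r"(\[#.*?#\]|\[[^\]]*\])", line):
        if tok.startswith("[#"):
            pattern += tok[2:-2]                                  # raw regex token
        else:
            text = tok[1:-1] if tok.startswith("[") else tok      # [default] or literal
            pattern += "".join(r"\s+" if ch.isspace() else re.escape(ch) for ch in text)
    return re.compile(r"^\s*" + pattern + r"\s*$")


def check_set(blocks, command_set):
    """True when every '+' line matches and no '-' line matches inside the set's
    sub-mode (or among top-level lines when the sub-mode is None)."""
    submode, template_lines = command_set
    if submode is None:
        candidates = list(blocks)
    elif submode in blocks:
        candidates = blocks[submode]
    else:
        return False
    for t in template_lines:
        hit = any(template_to_regex(t[1:].strip()).match(c) for c in candidates)
        if (t.startswith("+") and not hit) or (t.startswith("-") and hit):
            return False
    return True


def evaluate(config_text, prerequisite, subordinate):
    """Return 'compliant', 'non-compliant' or 'excluded': the subordinate set is
    only compared when the prerequisite set matches; otherwise the device is
    excluded, as described in the reply above."""
    blocks = parse_blocks(config_text)
    blocks.update(normalize_accounting(blocks))
    if prerequisite is not None and not check_set(blocks, prerequisite):
        return "excluded"
    return "compliant" if check_set(blocks, subordinate) else "non-compliant"


if __name__ == "__main__":
    print("aaa accounting:", evaluate(SAMPLE_CONFIG, None, ACCOUNTING_SET))
    print("Loopback1 config:", evaluate(SAMPLE_CONFIG, PREREQ_SET, LOOPBACK_SET))
```

Running it against the sample prints "compliant" twice; renaming the interface to Loopback0 in the sample yields "excluded" (prerequisite not met, so the subordinate set is never compared), and changing the address out of 172.16.0.0/16 yields "non-compliant". The folding step is what makes a single "+aaa accounting ... start-stop group tacacs+" line match devices that render the command in sub-mode form.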
Using SCCM 2012 Compliance to check if a GPO applied
Is it possible to use SCCM 2012 Compliance feature to check if a AD GPO settings applied to a Device / User collection or not?
If Yes, then how?
You can do this with SCM (Security Compliance Manager), download here:
http://www.microsoft.com/en-us/download/details.aspx?id=16776
Import your GPOs to SCM some guidelines here:
http://4sysops.com/archives/microsoft-security-compliance-manager-scm-v2-part-1
Export your GPO from SCM to DCM format guides here:
http://blogs.msdn.com/b/scom_2012_upgrade_process__lessons_learned_during_my_upgrade_process/archive/2012/09/21/compliance-settings-sccm-2012.aspx
Import your DCM to SCCM and off you go -
This just to share the below post with windows users..
How to install/Configure/Use VT to detect Malware/Unwanted programs in Windows?
http://www.windowstechinfo.com/2014/03/how-to-installconfigureuse-vt-to-detect_29.html
Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE, MCITP, CCNA, CEH, MBCS)
That is interesting. Normally a bootmgr error message means that the boot loader is corrupt and the hard disk is not "dead". Replacing the hard drive is a quickie shotgun method of resolving the issue.
Did you give up on the SSD?
The desktop ( w/ASUS Crossfire V Formula-Z mobo) I am using to type this, has the same SSD that you asked about. I used the method I described in the earlier post to clone the OS to the SSD. The SSD is the boot drive.
****Please click on Accept As Solution if a suggestion solves your problem. It helps others facing the same problem to find a solution easily****
2015 Microsoft MVP - Windows Experience Consumer -
Configuring IPSLA using LMS 4.0
Dear all,
It's me again...
I have tried to configure IPSLA using LMS and I'm quite surprised that even if the collectors are running:
and my target has received the IPSLA responder commands - no commands have been received on my source router, so my stats are empty. I have no error messages while configuring the IPSLA.
Any ideas ? where can I find some logs ?
regards,
vincent
I'm not sure what you mean by "no commands have been received on my source router." If you mean that you don't see any IP SLA configuration on the source, then this is expected. By default the IP SLA configuration pushed by LMS does not appear in the running config. This can be changed by checking the "Copy IPSLA Configuration to running-config" box under Admin > Collection Settings > Performance > IPSLA application settings. You will then need to reconfigure your collector in LMS.
That said, you don't need to do this. LMS will maintain the IP SLA configuration via SNMP without it needing to show up in the running config. -
Using LMS is there a way to run a job which would extract the VRF name in part of the configuration and then use it as a variable to deploy additional configuration using the VRF name. We have a number of management VRF's and need to deploy a mass configuration change on a number of devices.
aaa group server tacacs+ blah
server x.x.x.x
server x.x.x.x
ip vrf forwarding test
I am working for a service provider and I was given a task to configure more than 50000 devices (!). First I started with VBS and some scriptable terminal application, but it was too complicated to handle that much data. I then decided to develop my own application dedicated to device mass-configuration. As I understand your question, you may also find it useful: http://www.prettygoodterminal.com
BR -
How to Backup configuration using tftp/ftp in Prime LMS?
Hi
how can i backup ASA/PIX configuration using tftp/ftp in Prime LMS 4.2.2?
--I discovered those devices and can manage them in the LMS, but in the config file backup the passwords are encrypted,
that's why i want to backup them with tftp/ftp.
thanks
Wrong service names are set in tnsnames.ora
-
AAA Authorization Using Local Database
Hi Guys,
I'm planning to use AAA authorization using the local database. I have already read about it, I have configured the AAA new-model command and I have set up users already. But I'm stuck at the part where I give certain users access to certain commands using the local database. Hope you can help on this.
FYI: I know using ACS/TACACS+/RADIUS is much easier and more powerful, but my company will most likely only use the local database.
For allowing limited read-only access, use this example.
We need these commands on the switch
Switch(config)#do sh run | in priv
username admin privilege 15 password 0 cisco123!
username test privilege 0 password 0 cisco
privilege exec level 0 show ip interface brief
privilege exec level 0 show ip interface
privilege exec level 0 show interface
privilege exec level 0 show switch
No need for user to login to enable mode. All priv 0 commands are now there in the user mode. See below
User Access Verification
Username: test
Password:
Switch>show ?
diagnostic Show command for diagnostic
flash1: display information about flash1: file system
flash: display information about flash: file system
interfaces Interface status and configuration
ip IP information
switch show information about the stack ring
Switch>show switch
Switch/Stack Mac Address : 0015.f9c1.ca80
H/W Current
Switch# Role Mac Address Priority Version State
*1 Master 0015.f9c1.ca80 1 0 Ready
Switch>show run
^
% Invalid input detected at '^' marker.
Switch>show aaa server
^
% Invalid input detected at '^' marker.
Switch>show inter
Switch>show interfaces
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0015.f9c1.cac0 (bia 0015.f9c1.cac0)
Internet address is 192.168.26.3/24
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Switch>
Please check this link,
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
Regards,
~JG
Do rate helpful posts -
Using RME baseline templates to find non-compliant SNMP strings
Running LMS3.2.1
A. Can I run a compliance check using RME baseline template to find devices which have non standard SNMP strings IN ADDITION to the correct one?
How will the regular expression look like if we want to say
+ snmp-server community cisco123 ro
+ snmp-server community cisco456 rw 1
- snmp-server community [anything else] ro
- snmp-server community [anything else] rw [#.*#]
B. Is it possible to run a clean up job on the violating devices by using DEPLOY (or NetConfig, etc.)?
- [#snmp-server community (?!cisco123|cisco456).*#]
+ snmp-server community cisco123 RO
+ snmp-server community cisco456 RW
From the compliance job result GUI, you can deploy the job directly after verifying the results. When you deploy this template, it will remove any community that does not match "cisco123" or "cisco456", and then add them if the device does not already have them. -
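To see what the negative-lookahead template line from the reply does, here is an added Python check (not LMS code) that runs the same regex over constructed sample config lines and builds the remove/add list a deploy would push. It also shows one caveat a practitioner should know: `(?!cisco123|cisco456)` only rejects a prefix, so a community such as cisco1234 slips through as if it were approved; a word boundary inside the lookahead (the FORBIDDEN_STRICT variant below, my addition) closes that gap.

```python
import re

# Constructed sample running-config lines (not captured from a real device).
SAMPLE_CONFIG = """\
snmp-server community cisco123 RO
snmp-server community public RO
snmp-server community cisco456 RW
snmp-server community cisco1234 RO
snmp-server community private RW 1
snmp-server location DC-1
"""

# The '-' line from the reply: any community other than the two approved ones.
FORBIDDEN = re.compile(r"snmp-server community (?!cisco123|cisco456).*")

# Tighter variant: the lookahead must cover the whole community name, so a
# string that merely starts with an approved name (cisco1234) is still flagged.
FORBIDDEN_STRICT = re.compile(r"snmp-server community (?!(?:cisco123|cisco456)\b).*")

# The '+' lines from the reply, which must be present verbatim.
REQUIRED = [
    "snmp-server community cisco123 RO",
    "snmp-server community cisco456 RW",
]


def audit_snmp(config_text, forbidden=FORBIDDEN):
    """Return (violations, missing): config lines matching the forbidden
    pattern, and required lines that are absent from the config."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    violations = [l for l in lines if forbidden.match(l)]
    missing = [r for r in REQUIRED if r not in lines]
    return violations, missing


def remediation(config_text, forbidden=FORBIDDEN):
    """Config lines a deploy would push: remove each violating community by
    name (the third word of the line), then add whatever is missing."""
    violations, missing = audit_snmp(config_text, forbidden)
    commands = ["no snmp-server community " + v.split()[2] for v in violations]
    return commands + missing


if __name__ == "__main__":
    for label, pattern in (("reply's regex", FORBIDDEN), ("strict regex", FORBIDDEN_STRICT)):
        print(label, audit_snmp(SAMPLE_CONFIG, pattern))
        print("  deploy:", remediation(SAMPLE_CONFIG, pattern))
```

With the reply's regex the sample yields two violations (public, private) and no missing lines, so the deploy would push two "no snmp-server community" commands; with the strict variant cisco1234 is flagged as well.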
Cisco pix 525 and 515 cannot archive configuration in LMS 3.0.1
Hi,
we have several cisco pix 525 and 515 that cannot archive configuration in LMS 3.0.1
Any help would be greatly appreciated.
Thanks in advance
Samir
Hi,
Here is the output.
*** Device Details for ***
Protocol ==> Unknown / Not Applicable
Selected Protocols with order ==> TFTP,SSH,HTTPS
Execution Result:
RUNNING
CM0151 PRIMARY RUNNING Config fetch failed for ********* Cause: SSH: Failed to establish SSH connection to 10.192.18.10 - Cause: Authentication failed on device 3 times.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
But when I do management station to Device it gives me the following results:
Interface Found: 10.192.18.10
Status: UP
Test Results
UDP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 64 protocol: udp port: 7
TCP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 0 size: 0 protocol: tcp port: 7
HTTP Failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 33 protocol: http port: 80
TFTP Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 25 protocol: tftp port: 69
SNMPRv2c(Read) Okay
sent: 5 recvd: 5 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_get port: 0
SNMPWv2c(Write) Failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 min_size: 1472 protocol: snmpv3_set port: 0
SSHv2 Failed
TELNET Okay
Waiting for your reply.
Samir -
Configuring using AAE
I have been going through the following document.
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/700058f0-b1a1-2a10-39a8-ab2627b87cfa?quicklink=index&overridelayout=true
1. I have a JMS to Proxy scenario async. How do I make this scenario configured using Integrated configuration in 7.11 using AAE to improve the performance of this scenario?
I know it is not supported by Proxies?
Plz let me know the steps required for the same?
2. I have a file to Proxy scenario - Async. Can I configure the same using integrated configuration scenario?
Thanks
~N
Hi
Please check the following links for AAE with proxy
ABAP Proxy sender possible in integrated configuration AAE with PI 7.11
/people/makoto.sugishita/blog/2009/10/23/a-new-feature-in-netweaver-pimessage-protocol-xi-30-in-soap-adapter
Regards
Abhijit -
How to find the configuration use the Z message class.
Usually when I do some configuration, it may need to create some message. such as the Validation.
It raises a message when I run some standard t-code. So when I check some Z message class to find what program uses this message, I cannot find anything. So I assume there might be two situations:
1. We cannot trace it down when the program was not written this way: MESSAGE E003(ZFI).
2. This message might be used in some configuration, not in a program.
So how do we find the configuration that uses this message? Or is there any way to trace all messages?
Thank you so much for your sincere answer.
Hi,
Case 1: Message is defined correctly with message number & message class.
Example - Message E003(ZFI).
Easy to locate the message using whereused list.
Case 2 :
There are some FM's like BALW_BAPIRETURN_GET where we pass the message details.
For example :
call function 'BALW_BAPIRETURN_GET'
exporting
type = p_message-msgty
cl = p_message-msgid
number = p_message-msgno
par1 = p_message-msgv1
par2 = p_message-msgv2
par3 = p_message-msgv3
par4 = p_message-msgv4
* LOG_NO = ' '
* LOG_MSG_NO = ' '
importing
bapireturn = p_return
exceptions
others = 1.
In these case, we won't be able to track the message number from where used list. So, what we do is before calling these FM we use the below statement,
IF 1 = 2. message e003(zfi). ENDIF.
so that message can be tracked using where used list.
Case 3: Some messages can be configured in message control.( Table T100S ) . For those
messages we search for table T100S in the program.
Regards,
DPM -
Launch Configuration using CIO object
Hi,
I am trying to launch Configuration using CIO object.
plz find the code below, that am using.
===========START CODE==================
Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
System.out.println("------------- Context object created ----------");
ConfigParameters cp = new ConfigParameters(79160);
System.out.println("------------- ConfigParameters object created ----------");
CIO cioObject = new CIO();
System.out.println("------------- CIO object created ----------");
Configuration config = cioObject.startConfiguration(cp,context);
System.out.println("------------- Configuration object created ----------");
IUserInterface ui = config.getUserInterface();
System.out.println("------------- UI object created ----------");
ui.navigateToScreen("Page-1");
System.out.println("------------- Page navigation ----------");
=============END CODE==================
am getting the following error after CIO object is created, while trying to start the configuration, at cioObject.startConfiguration(cp,context). The hostName, portNumber and dbcFileName are correctly provided.
============START LOG ====================
------------- Context object created ----------
------------- ConfigParameters object created ----------
------------- CIO object created ----------
java.lang.RuntimeException: Null JDBC Connection returned from connection pool.
Contents of CZWebAppsContext error stack: AOLJ_JAVA_EXCEPTION (MESSAGE=Not able to create new database connection. Cause:java.sql.SQLException: Io exception: The Network Adapter could not establish the connection)
SECURITY-No gateway reconnect
SYSTEM-ERROR (MESSAGE=Io exception: The Network Adapter could not establish the connection)
at oracle.apps.cz.common.CZWebAppsContext.getJDBCConnection(CZWebAppsContext.java:116)
at oracle.apps.cz.dio.DbTransaction.<init>(DbTransaction.java:61)
==============END LOG=======================
plz help me in finding the solution.
Regards,
Adarsh
Adarsh,
Looks like the parameters passed in the constructor call are not valid ones and hence the database connection is not getting done.
Context context = new CZWebAppsContext("hostName","portNumber","dbcFileName");
Check the above call carefully and its parameters. I guess the dbcFileName might be the reason as other 2 entries are pretty easy to know.
--Shiv -
Variant configuration using Bapi
hi folks,
I have an issue regarding variant configuration using the BAPI 'BAPI_SALESORDER_CREATEFROMDAT2'.
Can this BAPI be extended/modified to accept characteristic
values - based on characteristic values, it should perform variant matching
- in case variant matching is successful, the BAPI should replace the
KMAT material with the exact matched variant material.
- in case the variant matching is unsuccessful, then retain the KMAT
material in the sales order line item.
I have done one sample program where I am executing this BAPI by passing all the mandatory values; it takes everything except the characteristics of the material. Can anyone tell me what the mandatory fields are that we need to pass for variant configuration using this BAPI, or is there any other BAPI which solves my problem?
thnx in advance,
santosh.
Hi,
Just debug your SAP BC service in which you are calling the RFC and check if proper values are getting mapped to your input variables of the RFC.
If that is correct then there won't be much chance of a problem in BC.
\[removed by moderator\]
Regards,
Siddhesh S.Tawate
Edited by: Jan Stallkamp on Jul 1, 2008 4:32 PM