Ciscoworks 3.2 RME Compliance Management w/ 802.1x Port Configs
I am currently trying to use LMS 3.2 Compliance management to verify and alter our access port configurations for 802.1x. Below is our current configuration:
switchport access vlan XX
switchport mode access
authentication control-direction in
authentication event fail retry 0 action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
dot1x max-req 1
dot1x max-reauth-req 1
storm-control broadcast level 75.00
spanning-tree portfast
spanning-tree bpduguard enable
I require the configurations to be changed to:
switchport access vlan XX
switchport mode access
authentication event fail action authorize vlan XXX
authentication event no-response action authorize vlan XXX
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level 10.00
storm-control multicast level 10.00
spanning-tree portfast
spanning-tree bpduguard enable
Additionally, I require LMS to verify that the port is indeed an access port with 802.1x already applied to it before adjusting the configurations. I have tried pushing this compliance check out with a prerequisite of having "switchport mode access" applied to it, and then having the next command set state:
Submode: interface [#Ethernet*/*/*#]
- dot1x max-req 1
- dot1x max-reauth-req 1
+ no dot1x max-req 1
+ no dot1x max-reauth-req 1
This was a simple test on a single device to see if I could remove the limits on authentication and requests entered. The job states successful and there are no devices that are non-compliant, however no changes to the device configurations have been made. I seek assistance in command syntax or if there is another way to push this out, as I have about 1k network devices to go through and make these changes.
The following template should do what you want:
Name: Global SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : none Parent: none
Name: Switchport SubMode: Yes isPrerequisite: Yes
Ordered : No Prerequisite-Commandset : none Parent: none
interface [#FastEthernet.*#]
+[#switchport mode access#]
Name: 802fix SubMode: No isPrerequisite: No
Ordered : No Prerequisite-Commandset : Switchport Parent: Switchport
-dot1x max-req 1
-dot1x max-reauth-req 1
Note that I have changed to [#FastEthernet.*#] to be applied on
FastEthernet interfaces.
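An added example, not part of the original thread and not LMS template syntax: a Python audit that applies the same prerequisite (access port with 802.1x already on it) offline and lists, per interface, the lines that differ from the desired configuration in the question. The sample config and the helper names (mask, interfaces, audit) are constructed for illustration.

```python
import re

# Prerequisite from the question: an access port that already runs 802.1x.
PREREQ = {"switchport mode access", "dot1x pae authenticator"}
# Only these command families are audited; other lines (description, ...) are ignored.
MANAGED = ("authentication ", "dot1x ", "storm-control ")
# Desired lines from the question; VLAN ids are masked because the post elides them.
TARGET = """authentication event fail action authorize vlan <id>
authentication event no-response action authorize vlan <id>
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 8
storm-control broadcast level 10.00
storm-control multicast level 10.00""".splitlines()

# Constructed sample config (not from a real device).
SAMPLE = """interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x max-req 1
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 dot1x max-req 1
"""

def mask(line):
    """Replace a literal VLAN id so lines compare equal regardless of VLAN."""
    return re.sub(r"\bvlan \d+", "vlan <id>", line)

def interfaces(config):
    """Map interface name -> list of its sub-mode lines."""
    blocks, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1]
            blocks[name] = []
        elif name and raw.startswith(" "):
            blocks[name].append(raw.strip())
        else:
            name = None  # "!" or a global command ends the block
    return blocks

def audit(config):
    """Return {interface: (stale_lines, missing_lines)} for ports passing PREREQ."""
    report = {}
    for name, body in interfaces(config).items():
        if PREREQ <= set(body):  # trunk or non-802.1x ports are never touched
            have = {mask(ln) for ln in body}
            stale = [ln for ln in body if ln.startswith(MANAGED) and mask(ln) not in TARGET]
            report[name] = (stale, [t for t in TARGET if t not in have])
    return report
```

Running audit() over the archived configs before and after a compliance job shows whether the deploy actually changed the ports, independent of the job status LMS reports.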
Similar Messages
-
RME - Compliance Management - Deploy strangeness
Hi All,
Here is an interesting one. Got a selection of Compliance management jobs and am having trouble with the deploy phase. Basically I am looking for the following on a series of devices and then removing it.
- [#radius-server host.*#]
So when this runs, it matches what I expect (shown below)
no radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
However when I deploy this, the line above remains on the device?
I have tried changing the compliance check to
- radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXX
To see if it's a regex problem of some form and the job does exactly the same, i.e. it matches the line and tries to deploy however doesn't work?
Any ideas?
Hi Yidabear,
It's not a pre-requisite problem as the pre-requisites are fulfilled and hence it deploys the rest of the config to the devices in question. For some reason it is just this one line that it has a problem with. Strangely enough, we had a similar issue with the same format of TACACS server line. It seems to happen when you have the "key 7 xxxxxxxxx" value at the end? Even though it finds it and tries to remove it, it fails.
-
Ciscoworks LMS 3.2 - Compliance mgmt negation problem
Hi,
Strange problem, that I am sure is being caused by me.
Basically trying to run an advanced Compliance mgmt job, looking for a set of pre-requisites (this is working) and then removing all non compliance SNMP community strings from a sample device.
I use two lines for this removal
- snmp-server community [#!testR[OW]mon#] [#.*#] [#.*#]
- snmp-server community [#!SNMP#] [#.*#] [#.*#]
From what I see, this should remove all snmp-server communities from a device other than "testROmon", "testRWmon" and "SNMP". Obvious caveat is that they would all need to have two words after this (in this case, these are ro or rw and an ACL).
When I run this it seems to try and remove twice as many snmp community strings as there actually are on the device config? So I guess the core questions are: -
1) Does the above look sound and would it do what I think
2) Does the Compliance management engine parse the entire config independently for each line of the above and hence explain why I am getting more removals than I would expect or is there a problem somewhere?
Any help on this appreciated as it's driving me nuts
Thanks Joseph,
So if I also wanted to remove all SNMP traps bar: -
snmp-server host 10.10.10.x (where x is any ip in the last octet)
From a device, would I use
- [#snmp-server host (!#10\.10\.10\..*#).#]
Or doesn't this make sense? -
Sun Identity Compliance Manager Questions
Hi Everyone,
We are looking for a complete list of supported managed resources for the Sun Identity Compliance Manager (SICM) tool.
Also we have the following specific questions:
1. Does SICM have connectors/adapters to Solaris 8/9/10 and Oracle EBS (as managed resources) to perform access certification of user accounts and associated entitlements/privileges/roles.
For example: Can SICM be used to analyze/report on the status of current and newly provisioned Solaris unix-level accounts and associated RBAC roles (say) -or- Oracle EBS accounts and associated roles /responsibilities to identify if they have been certified or have any SOD conflicts?
2. Can SICM be implemented as a fully functional stand-alone product as opposed to it being integrated with Sun Identity Manager (SIM) ?
3. In a scenario where SIM and SICM are integrated, can SIM do a hand-off to SICM for SOD analysis and checking as part of it account provisioning workflows?
Any insight and/or pointers will be greatly appreciated!
Thanks in advance and please let me know if there is a more relevant forum to post this question.
-TS
I have resolved the problem, the problem is because of the idmmanager attribute. In onsite they are using some other idm 6.0 with some patch, so they are getting the idm manager attribute but in offshore we don't have any patch installed for getting the idm manager attribute. Do you have any idea about how to get the idm manager attribute in the idm 6.0 with some patch? Thanks for your help ya.
-
Ciscowork 3.2.1 daemon manager is not working after patch installation
Hi Team
Ciscowork 3.2.1 daemon manager is not working after patch installation.
C:\Documents and Settings\Administrator>net start crmdmgtd
The CiscoWorks Daemon Manager service is starting.
The CiscoWorks Daemon Manager service could not be started.
The service did not report an error.
More help is available by typing NET HELPMSG 3534.
Also I checked syslog.log and it is showing below error
an 17 14:39:34 127.0.0.1 100: <28> dmgt[1316]: 2507(W):Daemon manager anonymous user has not been set up: 00000569
Please suggest.
With Regards,
neena
During installation, a user casuser is created with certain security settings and if those are modified\removed, DM will not start.
Following message will be seen in /log/syslog.log
Daemon manager anonymous user has not been set up: 00000775
To solve the issue, run resetcasuser.exe located under /setup.support to recreate the settings.
Make sure casuser account is not locked out. Make sure casuser is a member of casusers group and is set to "password never expires".
Additionally you can try to make casuser a member of administrators group.
-Thanks -
Hi, can anyone help in how we can answer for Compliance Management in B2B
Hello,
Can you please elaborate this query to help us answer better.
Rgds,Ramesh -
Compliance Management in LMS 3.2
I'm having a hard time getting Compliance Manager to accept a "banner login" command I'm attempting to use on 6500 IOS switches. I've edited the template, tried cut-&-paste, looked for the archive file on the server to directly modify it (without success), among other things. I have this feature functioning correctly on CatOS switches, but can't seem to get it properly set on IOS switches. What's the limit, as far as the template is concerned, on the number of characters with this type of command? Where are the archive configs located on the server; in the "shadow" directory?
Thanks,
Rick
Not sure what you mean when you say "not accepting", but I had some trouble with compliance templates and checking banners. My issue was with multi-line commands as mentioned in the last post of this thread: https://supportforums.cisco.com/message/638950#638950
Once I put the in the template it worked fine. The thread is discussing LMS 2.6 but was applicable in my 3.2 environment. Hope that helps. -
Does Cisco Prime have a replacement product for NCM or Network Compliance Manager?
Does the Cisco Prime application development team have a product that replaces the NCM or Network Compliance Manager?
Both Prime and LMS can do baseline compliance, after a fashion. LMS's is much more mature in my estimation. Prime is more around the lines of deploying templates.
The regulatory compliance functions as of now are in only LMS's Compliance and Audit Manager (CAAM) function. It's quite useful, matching the baseline compliance features.
An LMS license is included with PI, but it does need to be on its own server (or separate VM). -
Installing Security and Compliance Manager on Windows 8.1
Hi
I am trying to install Security and Compliance Manager on my Windows 8.1 workstation. The install is trying to install SQL Express 2008 which seems to not be compatible with Windows 8.1 and that is where the install ends.
I tried installing SQL Express 2012 and then running the install but it looks like the database is not installed.
Is there a new version of Security and Compliance Manager that addresses this or does anyone know how to set up SQL to accept Compliance Manager?
Open Regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
Delete this key under Session Manager "PendingFileRenameOperations". Restart the installation and it will work fine.
Cheers,
Gulab Prasad
Technology Consultant
-
Microsoft Security Compliance Manager V3 and create GPO
I have created a GPO backup from the compliance manager for Windows 7 SP1. I am trying to find documentation for the exact process of importing these settings into a newly created "blank" gpo. In review of the Backup.xml file, I can see that it references Contoso.com (the generic MS domain for examples, etc). Is there a clear documented process for configuring the template then creating a domain GPO? Any help is greatly appreciated!
wjk
Hi,
Thanks for your post.
SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
http://blogs.technet.com/b/secguide/archive/2014/09/04/scm-baselines-for-windows-8-1-ie-11-and-server-2012-r2-are-now-live.aspx
For more SCM related issues, I think you may ask in:
https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
Regards.
-
Cisco Works Network Compliance Manage NCM
I'm working on the Cisco Works Network Compliance Manager.
I would like to add a device which is behind a firewall.
For this I use the option bastion host to authen. on the firewall and to get access to the device itself.
The problem is the firewall is not listening on port 22/23; it's a different port number, for example 1234.
Is it possible to change the port manually in a config file, as the web interface has no option for this?
I use the version 1.7.1 the latest one.
Both Prime and LMS can do baseline compliance, after a fashion. LMS's is much more mature in my estimation. Prime is more around the lines of deploying templates.
The regulatory compliance functions as of now are in only LMS's Compliance and Audit Manager (CAAM) function. It's quite useful, matching the baseline compliance features.
An LMS license is included with PI, but it does need to be on its own server (or separate VM). -
Security Compliance Manager - version 3.0.60
Does anyone know if this version of Security Compliance Manager supports Windows Server 2012 R2:
3.0.60
Hi sayerdi,
As this question is related to Security Compliance Manager (SCM), for quick and accurate response, I would like to recommend that you ask the question in the SCM forum at
https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement . It is appropriate and more experts will assist you.
Additionally, there is a similar thread about SCM for Windows Server 2012 R2 for your reference.
https://social.technet.microsoft.com/Forums/en-US/9a0b831e-5d38-4b26-9191-16286f10ecab/scm-update-for-windows-81-and-windows-2012-r2?forum=compliancemanagement
Thanks,
Lydia Zhang -
Microsoft Security Compliance Manager - Failed to installed
Every time I try to install Microsoft Security Compliance Manager right when I get to the part where I'm installing it, it gives me this error:
Microsoft Security Compliance Manager Setup Wizard failed while starting the installation/uninstallation The given path's format is not supported.
Then closing the installation and telling me it failed.
Please help I need to install this for a class.
Hi,
Thanks for your post.
SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
http://blogs.technet.com/b/secguide/archive/2014/09/04/scm-baselines-for-windows-8-1-ie-11-and-server-2012-r2-are-now-live.aspx
For more SCM related issues, I think you may ask in:
https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
Regards.
-
I have downloaded the MS Security Compliance Manager, which is in two parts: MS SQL Server 2008 Express Edition & the SCM. The install instructions state that the server needs to be installed before the SCM. So as the install continues I get an error message, which cancels the installation. So, I am trying to install SQL 2008 EE separate from SCM. My question is:
Can I upgrade from my current SQL Server 2005 Compact Edition [ENU] directly to SQL Server 2008 Express Edition (or higher)?
So as the install continues I get an error message, which cancels the installation.
And which error message did you get?
SQL Server Compact Edition is something different than SQL Server Express (or Standard) Edition, you can't upgrade it as you asked for.
Olaf Helper
-
Hello
Can someone please help me with the following question.
I have a standalone Server and need to apply settings from SCM, I can see how to do this following the instructions in the following article
http://windowsitpro.com/security/q-how-can-i-apply-security-baseline-i-defined-through-microsoft-security-compliance-manager
The problem is the LocalGPO.wsf that ships with the above version of SCM does not run on Server 2012 R2 (only Server 2012)
my question is,
is there a later version of LocalGPO.wsf I can use that works on Server 2012 R2 ?
Thanks
AAnotherUser__
Hi,
Thanks for your post.
SCM Baselines for Windows 8.1, IE 11 and Server 2012 R2 are now live!
http://blogs.technet.com/b/secguide/archive/2014/09/04/scm-baselines-for-windows-8-1-ie-11-and-server-2012-r2-are-now-live.aspx
For more SCM related issues, I think you may ask in:
https://social.technet.microsoft.com/Forums/en-US/home?forum=compliancemanagement
Regards.