Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3481
Views
5
Helpful
2
Replies

Create RSA keys if they do not exist

Gary Keaney
Level 1
Level 1

‎01-28-2015 06:14 AM

Hi all, my first post here.

 

I've tried adapting the script from https://supportforums.cisco.com/discussion/12127976/crypto-generate-script (so thanks already to Joseph Clarke) but not had an awful lot of success.

 

All I'm trying to achieve is a check every ten mins if the router has rsa keys, if they are missing for whatever reason, usually hardware replaced, then run the last five commands.

 

What am I doing wrong?

event manager applet crypto_key
 event timer watchdog time 600
 action 1.0 cli command "show crypto key mypubkey rsa"
 action 1.1 regexp "Key pair was generated" "$_cli_result"
 action 1.2 if $_regexp_result ne "1"
 action 1.3  cli command "enable"
 action 1.4  cli command "config t"
 action 1.5  cli command "file prompt quiet"
 action 1.6  cli command "crypto key generate rsa general-keys modulus 1024"
 action 1.7  cli command "end"

 

Also all of our devices will be using TACACS+ so what are the implications for this? I've read that you need to use event manager session cli username <username>. But my question is how is the user authenticated and what happens if the TACACS+ server is unavailable?

 

Many thanks.

Labels:
0 Helpful
2 Replies 2

ghostinthenet
Level 7
Level 7

‎01-29-2015 11:00 AM

I use the following script to generate the SSH key on reload if there isn't one present already. You can adjust it fairly easily to check every 10 minutes.

event manager applet EEM_SSH_Keygen 
 event timer cron cron-entry "@reboot"
 action 0.0 info type routername
 action 0.1 set status "none"
 action 1.0 cli command "enable"
 action 2.0 cli command "show ip ssh | include ^SSH"
 action 2.1 regexp "([ED][^ ]+)" "$_cli_result" result status
 action 3.0 if $status eq Disabled
 action 3.1  cli command "configure terminal"
 action 3.2  cli command "crypto key generate rsa modulus 2048 label $_info_routername"
 action 3.3  cli command "end"
 action 3.4 end

As for the event manager session cli username <username> configuration command, this only defines how actions appear in the log when the event manager scripts are run. They don't actually perform any kind of authentication. When I set event manager session cli username blah on my router (where the username "blah" doesn't exist anywhere in my authentication methods) the script continues to run normally, but configuration events in the log appear as follows:

028089: Jan 29 2015 13:56:55 EST: %SYS-5-CONFIG_I: Configured from console by blah on vty1 (EEM:EEM_SSH_Keygen)

I hope that helps.

Mark Malone
VIP Alumni
VIP Alumni
In response to ghostinthenet

‎11-08-2017 06:32 AM

Thanks for this tweaked it for my network worked a treat , was downgrading from denali kept blowing the keys away , this has saved me some time

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents