Level 12

Cisco Banner Login Change Template- Is there Multi-Line support?

Thought this would be simple but we have a multi line banner login message that we need to replace on all our Cisco gear.

If I try to use the Cisco Login banner change template provided it seems to only like single line and cuts off the text.  If I write my own it seems when a new line character is given the device prompt on Cisco IOS disappears so NCM stops sending the remainder of the config lines.

Any way to write the change template to push multi-line banner message?

0 Kudos
8 Replies
Level 10

Just wanted to add that (at least in 7.5) I've been using the Policy Report to check for and remediate banners.  I have a policy report rule that has a regex that checks for the correct banner with a remediation script attached that applies the correct banner if not found.  My remediation script has no problem with the line breaks and uses a format like:

conf t
no banner exec
no banner motd
banner login #
******************************************************
*                                                    *
* Access or use of this computer system by any       *
* unauthorized person is forbidden.                  *
*                                                    *
******************************************************
#
end
${SaveConfig}

0 Kudos

I usually have something like this:

copy tftp://1.2.3.4/mybanner.txt run
running-config
wr mem
y
dir

This was adjusted I think around NCM7.4 when they stopped accepting extra newlines in compliance remediation scripts, which is where I generally use this.   I check to see if my standard banner exists, and if not, TFTP in the standard banner.  The adjustments that were made were to accommodate for not being able to have newlines in these scripts. 

So, where I used to just have a couple newlines for it to choose the default answer when doing a "copy", now I have to put in "running-config" to have it merge the changes with the running-config.  On the line before it you can abbreviate the "running-config", but when it prompts you for the name it HAS to be exact. 

Then the "write mem" with a "y" on the line after it.  This is only needed if the IOS was upgraded recently and it will ask you if you want to overwrite the config file for the older IOS version.   But, you're better off having it "just-in-case" than not.   The "Y" will tell it to overwrite the config if needed, otherwise it just produces an error on the box, which is ignored.   The "dir" after the "y" is so that it does actually put in a newline after the "y", otherwise it might just sit there.  Better safe than sorry!

1.2.3.4 is the IP of your TFTP server.    If you're having problems with this where it doesn't copy in, you might need to set the TFTP source-interface on your box.

0 Kudos
Level 13

Here's a suggestion: copy the template, then edit the template to include the template in a static manner. It doesn't matter what you enter in the prompt for the banner if you don't put the banner variable in the output to the device. I found I still needed to have the variable in the template. Unfortunately, this solution truncates multiple spaces to a single space. Note: This template is for MOTD, rather than Login banner, but the solution is basically the same.

/*
.CHANGE_TEMPLATE_DESCRIPTION
        Change Login Banner on Cisco IOS devices
.CHANGE_TEMPLATE_TAGS
Cisco
.PLATFORM_DESCRIPTION
        Cisco IOS
.PARAMETER_LABEL @ContextNode
        NCM Node
.PARAMETER_DESCRIPTION @ContextNode
        The node the template will operate on.  All templates require this by default. The target node is selected during the first part of the wizard so it will not be available for selection when defining values of variables.

*/

script ChangeMOTDBannerCiscoIOS ( NCM.Nodes @ContextNode,
                                  string @LoginBanner  )
{
  CLI
  {
    configure terminal
    no banner motd
    banner motd ^C
        ******************************************
        **          SW-Name-A-01 3750X          **
        **       Mega Corp System Network       **
        **  Unauthorized access is prohibited.  **
        ******************************************^C
    exit
  }

}

0 Kudos
Level 12

Thanks for your reply, but that is what I have as well, unfortunately. As I watch a session trace, the config template will run until the normal Cisco prompt disappears (after entering banner motd or login line).  Once the normal prompt disappears the config template stops running, so all the message lines aren't entered and it eventually times out.  I have tried putting in the lines like above. I have tried ${CRLF} after each line and I have tried using the string @LoginBanner and providing the entire banner that way as well.  I have even tried embedding the ^C beginning and ending inside the string line to see if it would paste it all in at once, with no luck.

Anyone willing to share a working banner script?

0 Kudos
Level 13

Hi again Brian. Perhaps updating from the Config management > Script Management instead of from Config Change Templates might help. It's worth a try.

The banner script I posted above does work in my environment on Cisco IOS devices. I changed the text of the MOTD before posting here. When I run exactly what I posted above, it works on the c3560g-8 that I have at my desk.  Just to verify -- you are working with IOS devices, correct -- not catalyst or ASA?

0 Kudos
Level 12

Just tried from Script mgmt too.  Tried to run script and nada.  Seems to hang at same part.  Tried going back to default NCM Cisco IOS profile.  No good.  I have seen this issue before: when the device prompt doesn't return, NCM doesn't continue to send commands.

I am running the latest NPM/NCM versions.  This issue only comes up with adding a banner since the prompt doesn't return until the quit character is given which is after many new lines which aren't executing.  Is there something I am missing in the device profile that would ignore the fact that Cisco does the strange behavior of not showing the device prompt when configuring banners?  One more reason I prefer JUNOS to Cisco.

0 Kudos

The problem is, that when putting in a banner you don't get prompted for each line.  So it has to time out before it tries putting in the next line.  Doesn't work very well...

The solution I found is just TFTP the banner in via your script.  Works great!!   Then I use a compliance rule to make sure its set correctly...

0 Kudos
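An added example, not part of the original thread and not SolarWinds or Cisco code: the TFTP-plus-compliance-check approach from the replies above, sketched in Python. It builds the text of a file such as mybanner.txt for `copy tftp://1.2.3.4/mybanner.txt run` and checks a running-config for the exact banner; the function names and the sample running-config are constructed for illustration, and it assumes IOS displays the stored banner delimiter as `^C`.

```python
import re

KINDS = ("login", "motd", "exec")

# Banner text from the remediation script earlier in the thread (shortened).
BANNER = [
    "*" * 54,
    "* Access or use of this computer system by any       *",
    "* unauthorized person is forbidden.                  *",
    "*" * 54,
]

def build_banner_config(lines, kind="login", delim="#"):
    """Text for a file such as mybanner.txt, merged into the running-config."""
    if kind not in KINDS:
        raise ValueError(f"unsupported banner type: {kind}")
    for ln in lines:
        # The delimiter ends the banner, so it must not occur in the text itself.
        if delim in ln or "\n" in ln or "\r" in ln:
            raise ValueError(f"line would break the banner block: {ln!r}")
    body = "\n".join(lines)
    return f"no banner {kind}\nbanner {kind} {delim}\n{body}\n{delim}\nend\n"

def extract_banner(config_text, kind="login"):
    """Return the banner lines found in config text, or None if none is set."""
    if kind not in KINDS:
        raise ValueError(f"unsupported banner type: {kind}")
    # Delimiter is either the two characters ^C (as displayed) or one typed character.
    m = re.search(rf"^banner {kind} (\^C|\S)(.*?)\1", config_text, re.M | re.S)
    if m is None:
        return None
    return [ln.rstrip() for ln in m.group(2).strip("\r\n").splitlines()]

def banner_compliant(config_text, expected, kind="login"):
    """Exact line-by-line comparison; collapsed spaces or missing lines fail."""
    return extract_banner(config_text, kind) == [ln.rstrip() for ln in expected]

# Constructed sample of 'show running-config' output (delimiter shown as ^C).
SAMPLE_RUNNING_CONFIG = (
    "hostname lab-sw-01\n!\nbanner login ^C\n"
    + "\n".join(BANNER)
    + "\n^C\n!\nline vty 0 4\n login local\n"
)

if __name__ == "__main__":
    print(build_banner_config(BANNER), end="")
    print("compliant:", banner_compliant(SAMPLE_RUNNING_CONFIG, BANNER))
```

Because the comparison is exact, a banner whose runs of spaces were collapsed on the way to the device is reported as non-compliant.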
Level 7

How to TFTP the banner in my script?

0 Kudos