Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)
aaa nas port extended through address ipv6 (TACACS+)
Downloads: This chapterpdf (PDF - 405.0KB) The complete bookPDF (PDF - 1.27MB) | Feedback

aaa nas port extended through address ipv6 (TACACS+)

aaa nas port extended through address ipv6 (TACACS+)

aaa nas port extended

To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extendedcommand inglobal configuration mode. To display no extended field information, use the no form of this command.

aaa nas port extended

no aaa nas port extended

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes


Global configuration

Command History

Release

Modification

11.3

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute.

In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco’s vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.

The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.

Examples

The following example specifies that RADIUS will display extended interface information:

radius-server vsa send
aaa nas port extended

Related Commands

Command

Description

radius-server extended-portnames

Displays expanded interface information in the NAS-Port attribute.

radius-server vsa send

Configures the network access server to recognize and use vendor-specific attributes.

aaa new-model

To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

Command Default

AAA is not enabled.

Command Modes


Global configuration

Command History

Release

Modification

10.0

This command was introduced.

12.4(4)T

Support for IPv6 was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA

12.2(33)SXI

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.5

This command was integrated into Cisco IOS XE Release 2.5.

15.1(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

This command enables the AAA access control system.

Examples

The following example initializes AAA:

aaa new-model

Related Commands

Command

Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication arap

Enables an AAA authentication method for ARAP using TACACS+.

aaa authentication enable default

Enables AAA authentication to determine if a user can access the privileged command level.

aaa authentication login

Sets AAA authentication at login.

aaa authentication ppp

Specifies one or more AAA authentication method for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa route download

To enable the static route download feature and set the amount of time between downloads, use the aaa route download command in global configuration mode. To disable this function, use the no form of this command.

aaa route download [time] [ authorization method-list ]

no aaa route download

Syntax Description

time

(Optional) Time between downloads, in minutes. The range is from 1 to 1440 minutes.

authorization method-list

(Optional) Specify a named method list to which RADIUS authorization requests for static route downloads are sent. If these attributes are not set, all RADIUS authorization requests will be sent to the servers that are specified by the default method list.

Command Default

The default period between downloads (updates) is 720 minutes.

Command Modes


Global configuration

Command History

Release

Modification

12.0(3)T

This command was introduced.

12.1

This command was integrated into Cisco IOS Release 12.1.

12.2(8)T

The authorization keyword was added; the method-list argument was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRC

This command was integrated into Cisco IOS Release 12.2(33)SRC.

Usage Guidelines

This command is used to download static route details from the authorization, authentication, and accounting (AAA) server if the name of the router is hostname. The name passed to the AAA server for static routes is hostname-1, hostname-2... hostname-n--the router downloads static routes until it fails an index and no more routes can be downloaded.

Examples

The following example sets the AAA route update period to 100 minutes:

aaa route download 100

The following example sets the AAA route update period to 10 minutes and sends static route download requests to the servers specified by the method list name “list1”:

aaa route download 10 authorization list1

Related Commands

Command

Description

aaa authorization configuration default

Downloads static route configuration information from the AAA server using TACACS+ or RADIUS.

clear ip route download

Clears static routes downloaded from a AAA server.

show ip route

Displays all static IP routes, or those installed using the AAA route download function.

aaa server radius dynamic-author

To configure a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-authorcommand in global configuration mode. To remove this configuration, use the no form of this command.

aaa server radius dynamic-author

no aaa server radius dynamic-author

Syntax Description

This command has no arguments or keywords.

Command Default

The device will not function as a server when interacting with external policy servers.

Command Modes

Global configuration

Command History

Release

Modification

12.2(28)SB

This command was introduced.

12.4

This command was integrated into Cisco IOS Release 12.4.

Cisco IOS XE Release 2.6

This command was integrated into Cisco IOS XE Release 2.6.

12.2(5)SXI

This command was integrated into Cisco IOS Release 12.2(5)SXI.

15.2(2)T

This command was integrated into Cisco IOS Release 15.2(2)T.

Usage Guidelines

Dynamic authorization allows an external policy server to dynamically send updates to a device. Once the aaa server radius dynamic-author command is configured, dynamic authorization local server configuration mode is entered. Once in this mode, the RADIUS application commands can be configured.

Dynamic Authorization for the Intelligent Services Gateway (ISG)

ISG works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG device and external policy servers: initial authorization and dynamic authorization.

The dynamic authorization model allows an external policy server to dynamically send policies to the ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.

Examples

The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.12.12.12:

aaa server radius dynamic-author
 client 10.12.12.12 key cisco
 message-authenticator ignore

Related Commands

Command

Description

auth-type (ISG)

Specifies the server authorization type.

client

Specifies a RADIUS client from which a device will accept CoA and disconnect requests.

default

Sets a RADIUS application command to its default.

domain

Specifies username domain options.

ignore

Overrides a behavior to ignore certain paremeters.

port

Specifies a port on which local RADIUS server listens.

server-key

Specifies the encryption key shared with RADIUS clients.

access-list (IP standard)

To define a standard IP access list, use the s tandard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command.

access-list access-list-number { deny | permit } source [source-wildcard] [ log [word] ]

no access-list access-list-number

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.
  • Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The log message includes the access list number, whether the packet was permitted or denied, the source address, the number of packets, and if appropriate, the user-defined cookie or router-generated hash value. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

word

(Optional) User-defined cookie appended to the log message. The cookie:

  • cannot be more than characters
  • cannot start with hexadecimal notation (such as 0x)
  • cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range
  • must contain alphanumeric characters only

The user-defined cookie is appended to the access control entry (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.

Command Default

The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

Command Modes


Global configuration (config)

Command History

Release

Modification

10.3

This command was introduced.

11.3(3)T

The log keyword was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

12.4(22)T

The word argument was added to the log keyword.

Usage Guidelines

Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.

You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.

Use the show access-lists EXEC command to display the contents of all access lists.

Use the show ip access-list EXEC command to display the contents of one access list.


Caution


Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting these images.


Examples

The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.

access-list 1 permit 192.168.34.0 0.0.0.255
access-list 1 permit 10.88.0.0 0.0.255.255
access-list 1 permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)

The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.

access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:

access-list 2 permit 10.48.0.3
access-list 2 permit 10.48.0.3 0.0.0.0

The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.

access-list 1 permit 10.29.2.64 0.0.0.63 
! (Note: all other access implicitly denied)

The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected. In addition, the logging mechanism is enabled and the word SampleUserValue is appended to each syslog entry.

Router(config)# access-list 1 permit 10.29.2.64 0.0.0.63 log SampleUserValue

Related Commands

Command

Description

access-class

Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.

access-list (IP extended)

Defines an extended IP access list.

access-list remark

Writes a helpful comment (remark) for an entry in a numbered IP access list.

deny (IP)

Sets conditions under which a packet does not pass a named access list.

distribute-list in (IP)

Filters networks received in updates.

distribute-list out (IP)

Suppresses networks from being advertised in updates.

ip access-group

Controls access to an interface.

ip access-list logging hash-generation

Enables hash value generation for ACE syslog entries.

permit (IP)

Sets conditions under which a packet passes a named access list.

remark (IP)

Writes a helpful comment (remark) for an entry in a named IP access list.

show access-lists

Displays the contents of current IP and rate-limit access lists.

show ip access-list

Displays the contents of all current IP access lists.

address ipv6 (config-radius-server)

To configure the IPv6 address for the RADIUS server accounting and authentication parameters, use the address ipv6 command in RADIUS server configuration mode. To remove the specified RADIUS server accounting and authentication parameters, use the no form of this command.

address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]

no address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]

Syntax Description

hostname

Domain Name System (DNS) name of the RADIUS server host.

ipv6address

RADIUS server IPv6 address.

acct-port port

(Optional) Specifies the User Datagram Protocol (UDP) port for the RADIUS accounting server for accounting requests. The default port is 1646.

alias {hostname | ipv6address}

(Optional) Specifies an alias for this server. The alias can be an IPv6 address or hostname. Up to eight aliases can be configured for this server.

auth-port port

(Optional) Specifies the UDP port for the RADIUS authentication server. The default port is 1645.

Command Default

The RADIUS server accounting and authentication parameters are not configured.

Command Modes


RADIUS server configuration (config-radius-server)

Command History

Release

Modification

15.2(2)T

This command was introduced.

Usage Guidelines

The aaa new-model command must be configured before accessing this command.

The Cisco TrustSec (CTS) feature uses Secure RADIUS to prescribe a process of authentication, authorization, session association, encryption, and traffic filtering.

Before an alias can be configured for the RADIUS server, the server’s IPv6 address or DNS name must be configured. This is accomplished by using the address ipv6 command and the hostname argument. An alias can then be configured by using the address ipv6 command, the alias keyword, and the hostname argument.

Examples

The following example shows how to configure the RADIUS server accounting and authentication parameters:

Device(config)# aaa new-model
Device(config)# radius server myserver
Device(config-radius-server)# address ipv6 2001:DB8:1::1 acct-port 1813 auth-port 1812

Related Commands

Command

Description

aaa new-model

Enables the AAA access control model.

address ipv4

Configures the IPv4 address for the RADIUS server accounting and authentication parameters.

radius server

Specifies the name for the RADIUS server configuration and enters RADIUS server configuration mode.

address ipv6 (TACACS+)

To configure the IPv6 address of the TACACS+ server, use the address ipv6 command in TACACS+ server configuration mode. To remove the IPv6 address, use the no form of this command.

address ipv6 ipv6-address

no address ipv6 ipv6-address

Syntax Description

ipv6-address

The private TACACS+ server host.

Command Default

No TACACS+ server is configured.

Command Modes


TACACS+ server configuration (config-server-tacacs)

Command History

Release

Modification

Cisco IOS XE Release 3.2S

This command was introduced.

Usage Guidelines

Use the address ipv6 (TACACS+) command after you have enabled the TACACS+ server using the tacacs server command.

Examples

The following example shows how to specify the IPv6 address on a TACACS+ server named server1:

Router (config)# tacacs server server1
Router(config-server-tacacs)# address ipv6 2001:0DB8:3333:4::5

Related Commands

Command

Description

tacacs server

Configures the TACACS+ server for IPv6 or IPv4 and enters config server tacacs mode.