Index

Symbols

<cr>     xv

? command     xiv

A

AAA (authentication, authorization, and accounting)

resource accounting     SR-94, SR-96

server groups     SR-114, SR-169

aaa accounting command     SR-86

aaa accounting connection h323 command     SR-90

aaa accounting delay-start command     SR-92

aaa accounting nested command     SR-93

aaa accounting resource start-stop group command     SR-94

aaa accounting resource stop-failure group command     SR-96

aaa accounting send stop-record authentication failure command     SR-98

aaa accounting suppress null-username command     SR-99

aaa accounting update command     SR-100

aaa authentication arap command     SR-4

aaa authentication banner command     SR-6

aaa authentication enable default command     SR-8

aaa authentication fail-message command     SR-10

aaa authentication login command     SR-12

aaa authentication nasi command     SR-14

aaa authentication password-prompt command     SR-16

aaa authentication ppp command     SR-18

aaa authentication username-prompt command     SR-20

aaa authorization command     SR-70

aaa authorization config-commands command     SR-74

aaa authorization console command     SR-76

aaa authorization reverse-access command     SR-77

aaa dnis map accounting network command     SR-102

aaa dnis map authentication login group command     SR-22

aaa dnis map authentication ppp group command     SR-24

aaa dnis map authorization network group command     SR-80

aaa group server radius command     SR-114

aaa group server tacacs+ command     SR-169

aaa nas port extended command     SR-116

aaa nas redirected-station command     SR-26

aaa new-model command     SR-28

aaa pod server command     SR-29

aaa preauth command     SR-31

aaa processes command     SR-33

aaa session-mib command     SR-80, SR-104

access-enable command     SR-202

access-list dynamic-extend command     SR-204

access lists

dynamic, extending     SR-204

reflexive     SR-209

See also IPSec

access lists, clearing temporary entries     SR-202

access-profile command     SR-35

replace command form (caution)     SR-36

using per-user configuration (caution)     SR-36

access-template command     SR-205

accounting (AAA) command     SR-105

accounting (gatekeeper) command     SR-107

address command     SR-400

addressed-key command     SR-402

AESOs (Auxiliary Extended Security Options), attaching to interfaces     SR-474

algorithms

encryption

See IKE, algorithms

hash

See IKE, algorithms

arap authentication command     SR-38

using list-names (caution)     SR-38

authentication

See also IKE, extended authentication

authentication (IKE policy) command     SR-404

authentication, CAs     SR-368

authorization command     SR-82

C

ca-identity mode, enabling     SR-377

call guard-timer command     SR-118

carriage return (<cr>)     xv

CAs (certification authorities)

authenticating     SR-368

declaring     SR-377, SR-388

enrolling     SR-374

identity, deleting     SR-377

locations, specifying     SR-388

public keys     SR-368

trusted root

PROXY     SR-379

querying     SR-379

SCEP     SR-379

TFTP     SR-379

URLs, specifying     SR-388

See also Certification Authority Interoperability

cautions

access-profile command

replace command form     SR-36

using per-user configuration     SR-36

arap authentication command, using list-names     SR-38

enable password command, using encryption-type     SR-447

enable secret command, using encryption-type     SR-449

Java blocking     SR-251

key config-key command, unrecoverable DES key     SR-197

login authentication command, using list-names     SR-47

nasi authentication command, using list-names     SR-49

ppp authentication command

using list-names (caution)     SR-52

service password-encryption command, security level     SR-457

cautions, usage in text     x

CBAC (Context-based Access Control)

alert messages, enabling     SR-240

application-layer protocols, configuring     SR-251

audit trail messages

(example)     SR-240

enabling     SR-241

configurations, viewing     SR-267

denial-of-service attacks, detection of     SR-261

disabling     SR-266

fragment inspection, configuring     SR-253

H.323 inspection, configuring     SR-252

half-open sessions

deleting, high threshold     SR-244, SR-255

deleting, low threshold     SR-246, SR-257

description     SR-244

TCP threshold     SR-261

inspection rules

applying (example)     SR-243

defining     SR-248

removing     SR-243

viewing     SR-267

Java

blocking     SR-249

(caution)     1

inspection, configuring     SR-251

RPC inspection, configuring     SR-252

SMTP inspection, configuring     SR-252

TCP inspection, configuring     SR-251

timeouts

DNS idle, specifying     SR-242

FIN-exchange, specifying     SR-259

overriding     SR-252

synwait, specifying     SR-263

TCP idle, specifying     SR-260

UDP idle, specifying     SR-264

UDP inspection, configuring     SR-251

CEP (Certificate Enrollment Protocol), specifying     SR-391

certificate chain configuration mode, enabling     SR-370

certificate command     SR-362

certificates

adding     SR-362

deleting     SR-362, SR-370

requesting     SR-374

requests

resending, number of times     SR-384

resending, wait period     SR-386

retrieving     SR-372

revoking     SR-374

storing     SR-372

verifying     SR-379

viewing     SR-394

Certification Authority Interoperability

CA authentication     SR-368

challenge password     SR-374

commands     SR-361

NVRAM memory usage     SR-372

See also CAs; certificates; CRLs; RSA keys

changed information in this release     ix

Cisco IOS configuration changes, saving     xviii

clear access-template command     SR-207

clear crypto isakmp command     SR-406

clear crypto sa command     SR-310

clear ip audit configuration command     SR-272

clear ip audit statistics command     SR-273

clear ip auth-proxy cache command     SR-290

clear ip trigger-authentication command     SR-40

clear kerberos creds command     SR-186

clid command     SR-119

command modes, understanding     xiii to xiv

commands

context-sensitive help for abbreviating     xiv

default form, using     xvii

no form, using     xvii

command syntax

conventions     ix

displaying (example)     xv

config-isakmp command mode, enabling     SR-414

configurations, saving     xviii

crl optional command     SR-364

crl query command     SR-366

CRLs (certificate revocation lists)

retrieving     SR-372

storing     SR-372

crypto ca authenticate command     SR-368

crypto ca certificate chain command     SR-370

crypto ca certificate query command     SR-372

crypto ca crl request command     SR-373

crypto ca enroll command     SR-374

crypto ca identity command     SR-377

crypto ca trusted-root command     SR-379

crypto dynamic-map command     SR-312

crypto engine accelerator command     SR-315

crypto ipsec security-association lifetime command     SR-316

crypto ipsec transform-set command     SR-318

crypto isakmp client configuration address-pool local command     SR-407

crypto isakmp enable command     SR-408

crypto isakmp identity command     SR-409

crypto isakmp keepalive command     SR-411

crypto isakmp key command     SR-412

crypto isakmp policy command     SR-414

crypto key generate rsa command     SR-416

crypto key pubkey-chain rsa command     SR-419

crypto key zeroize rsa command     SR-381

crypto map (IPSec global) command     SR-322

crypto map (IPSec interface) command     SR-327

crypto map client authentication list command     SR-421

crypto map client configuration address command     SR-423

crypto map isakmp authorization list command     SR-424

crypto map local-address command     SR-329

crypto transform configuration mode, enabling     SR-320

ctype command     SR-121

D

deadtime (server-group configuration) command     SR-123

dialer aaa command     SR-124

Diffie-Hellman

See IKE DH

disconnect ssh command     SR-500

dnis (AAA preauthentication) command     SR-41

dnis (AAA preauthentication configuration) command     SR-126

dnis bypass (AAA preauthentication configuration) command     SR-128

DNS idle timeout, specifying     SR-242

DNSIX (Department of Defense Intelligence Information System Network Security for Information Exchange)

collection center, specifying     SR-467

enabling     SR-470

hosts that receive messages

alternate     SR-469

primary     SR-468

number of records in a packet, specifying     SR-471

retransmit count     SR-466

dnsix-dmdp retries command     SR-466

dnsix-nat authorized-redirection command     SR-467

dnsix-nat primary command     SR-468

dnsix-nat secondary command     SR-469

dnsix-nat source command     SR-470

dnsix-nat transmit-count command     SR-471

documentation

conventions     ix

feedback, providing     xi

modules     v to vii

online, accessing     x

ordering     xi

Documentation CD-ROM     x

documents and resources, supporting     viii

dynamic ACL, extending     SR-204

E

enable password command     SR-446

using encryption-type (caution)     SR-447

enable secret command     SR-448

using encryption-type (caution)     SR-449

encryption algorithm

See IKE, algorithms

encryption (IKE policy) command     SR-426

enrollment mode ra command     SR-383

enrollment retry-count command     SR-384

enrollment retry-period command     SR-386

enrollment url command     SR-388

evaluate command     SR-210

F

Feature Navigator

See platforms, supported

filtering output, show and more commands     xviii

FIN-exchange timeout, specifying     SR-259

G

gatekeeper, security, enabling     SR-107

global configuration mode, summary of     xiv

group (AAA preauthentication configuration) command     SR-129

group (IKE policy) command     SR-427

group tacacs+ (AAA preauthentication configuration) command     SR-43

H

H.323 gatekeeper, enabling     SR-107

hardware platforms

See platforms, supported

hash (IKE policy) command     SR-428

hash algorithm

See IKE, algorithms

help command     xiv

I

IKE (Internet Key Exchange) security protocol

AAA, querying     SR-424

algorithms

encryption     SR-426

hash     SR-428

authentication methods, specifying     SR-404

commands     SR-399

connections, clearing     SR-406

DH group identifier, specifying     SR-427

disabling     SR-408

enabling     SR-408

extended authentication     SR-421

group identifier, specifying     SR-427

keys

See keys, preshared using AAA server

negotiations

states     SR-437

policies

multiple     SR-414

parameters, specifying     SR-414

parameters, viewing     SR-435

viewing     SR-435

requirements

IPSec peers     SR-408

See also IPSec; SAs

indexes, master     viii

interface configuration mode, summary of     xiv

IP

See IPSO

ip audit attack command     SR-275

ip audit command     SR-274

ip audit info command     SR-276

ip audit name command     SR-277

ip audit notify command     SR-278

ip audit po local command     SR-279

ip audit po max-events command     SR-280

ip audit po protected command     SR-281

ip audit po remote command     SR-282

ip audit signature command     SR-284

ip audit smtp command     SR-285

ip auth-proxy (global) command     SR-291

ip auth-proxy (interface) command     SR-292

ip auth-proxy auth-proxy-banner command     SR-293

ip auth-proxy name command     SR-295

ip inspect (interface configuration) command     SR-243

ip inspect alert-off command     SR-240

ip inspect audit trail command     SR-241

ip inspect dns-timeout command     SR-242

ip inspect max-incomplete high command     SR-244

ip inspect max-incomplete low command     SR-246

ip inspect name command     SR-248

ip inspect one-minute high command     SR-255

ip inspect one-minute low command     SR-257

ip inspect tcp finwait-time command     SR-259

ip inspect tcp idle-time command     SR-260

ip inspect tcp max-incomplete host command     SR-261

ip inspect tcp synwait-time command     SR-263

ip inspect udp idle-time command     SR-264

ip port-map command     SR-300

ip radius source-interface command     SR-131

ip reflexive-list timeout command     SR-212

IPSec (IPSec network security protocol)

commands     SR-309

crypto access lists, specifying     SR-331

crypto map entries

creating     SR-322

lifetime values, overriding     SR-341

specifying a peer     SR-335

crypto maps

applying     SR-327

creating     SR-312

dynamic, viewing     SR-349

interfaces, identifying     SR-329

priorities     SR-324

purpose     SR-323

viewing     SR-349, SR-358

lifetimes, viewing     SR-356

requirements, IKE     SR-408

SAs

clearing     SR-310

lifetimes, changing     SR-316

requesting     SR-339

viewing     SR-354

session keys, specifying manually     SR-344

transforms

allowed combinations     SR-319

changing     SR-320

selecting     SR-320

transform sets

defining     SR-318

mode, changing     SR-333

specifying     SR-347

viewing     SR-357

ip security add command     SR-472

ip security aeso command     SR-474

ip security dedicated command     SR-475

ip security eso-info command     SR-477

ip security eso-max command     SR-478

ip security eso-min command     SR-480

ip security extended-allowed command     SR-482

ip security first command     SR-483

ip security ignore-authorities command     SR-484

ip security implicit-labelling command     SR-485

ip security multilevel command     SR-487

ip security reserved-allowed command     SR-489

ip security strip command     SR-491

IPSO (IP Security Option)

authorities and bit patterns

(table)     SR-476

definition     SR-476

basic configuring     SR-472

extended

configuring     SR-474

defaults     SR-477

maximum sensitivity levels     SR-478

minimum sensitivity levels     SR-480

labels, definition of     SR-476

levels and bit patterns     SR-475

ip ssh command     SR-501

ip tacacs source-interface command     SR-171

ip tcp intercept connection-timeout command     SR-220

ip tcp intercept drop-mode command     SR-221

ip tcp intercept finrst-timeout command     SR-223

ip tcp intercept list command     SR-224

ip tcp intercept max-incomplete high command     SR-225

ip tcp intercept max-incomplete low command     SR-227

ip tcp intercept mode command     SR-229

ip tcp intercept one-minute high command     SR-230

ip tcp intercept one-minute low command     SR-232

ip tcp intercept watch-timeout command     SR-234

ip trigger-authentication (global) command     SR-44

ip trigger-authentication (interface) command     SR-46

ip verify unicast reverse path command     SR-494

ISAKMP

See IKE

K

kerberos clients mandatory command     SR-187

kerberos credentials forward command     SR-188

kerberos instance map command     SR-189

kerberos local-realm command     SR-190

kerberos preauth command     SR-191

kerberos realm command     SR-192

kerberos server command     SR-193

kerberos srvtab entry command     SR-194

kerberos srvtab remote command     SR-196

key config-key command     SR-197

unrecoverable DES key (caution)     SR-197

keys

preshared

AAA server, configuring     SR-424

deleting     SR-412

masks     SR-412

specifying (example)     SR-412

key-string (IKE) command     SR-429

L

lifetime (IKE policy) command     SR-431

lock-and-key

idle timeouts     SR-202

temporary entries

clearing manually     SR-202, SR-207

creating manually     SR-205

enabling     SR-202

login authentication command     SR-47

using list-names (caution)     SR-47

M

match address (IPSec) command     SR-331

memory usage, and Certification Authority Interoperability     SR-372

MIB, descriptions online     viii

mode (IPSec) command     SR-333

modes

ca-identity, enabling     SR-377

certificate chain configuration, enabling     SR-370

query, enabling     SR-372

RA, enabling     SR-383

See command modes

trusted root, enabling     SR-379

N

named-key command     SR-433

nasi authentication command     SR-49

using list-names (caution)     SR-49

new information in this release     ix

no ip inspect command     SR-266

notes, usage in text     x

O

Oakley key exchange protocol

See IKE

P

PAM (port to application mapping)

commands     SR-299

password command     SR-451

password encryption     SR-457

permit (reflexive) command     SR-214

PFS (perfect forward secrecy), specifying     SR-337

platforms, supported

Feature Navigator, identify using     xix

release notes, identify using     xix

ppp accounting command     SR-108

ppp authentication command     SR-51

using list-names (caution)     SR-52

ppp authorization command     SR-84

ppp chap hostname command     SR-54

ppp chap password command     SR-56

ppp chap refuse command     SR-58

ppp chap wait command     SR-60

ppp pap refuse command     SR-62

ppp pap sent-username command     SR-63

preauthentication

clid     SR-119

ctype     SR-121

dnis     SR-126

privilege command     SR-452

privileged EXEC mode, summary of     xiv

privilege level (line) command     SR-455

privilege level, displaying     SR-459

privilege level command     SR-455

prompts, system     xiv

PROXY, specifying     SR-392

public key configuration mode, enabling     SR-419, SR-433

Q

query mode, enabling     SR-372

query url command     SR-389

question mark (?) command     xiv

R

radius-server attribute 188 format non-standard command     SR-138

radius-server attribute 32 include-in-access-req command     SR-133

radius-server attribute 44 include-in-access-req command     SR-134

radius-server attribute 55 include-in-acct-req command     SR-135

radius-server attribute 69 clear command     SR-137

radius-server attribute nas-port extended command     SR-139

radius-server attribute nas-port format command     SR-140

radius-server challenge-noecho command     SR-142

radius-server configure-nas command     SR-143

radius-server deadtime command     SR-144

radius-server directed-request command     SR-145

radius-server extended-portnames command     SR-147

radius-server host command     SR-148

radius-server host non-standard command     SR-151

radius-server key command     SR-152

radius-server optional passwords command     SR-154

radius-server retransmit command     SR-155

radius-server timeout command     SR-156

radius-server unique-ident command     SR-157

radius-server vsa send command     SR-158

RA mode, enabling     SR-383

RAs (registration authorities), enabling     SR-383

Reflexive Access Lists

configuring (examples)     SR-211, SR-216

temporary entries     SR-216

timeouts, global (examples)     SR-212

release notes

See platforms, supported

RFC

full text, obtaining     viii

ROM monitor mode, summary of     xiv

root CEP command     SR-391

root PROXY command     SR-392

root TFTP command     SR-393

RPC inspection

See CBAC, RPC inspection

RSA, encrypted nonces     SR-404

RSA keys

deleting     SR-381

IP address, specifying     SR-400

manually specifying     SR-419

public key record     SR-368

remote peer, specifying     SR-429

specifying     SR-402, SR-433

viewing     SR-439, SR-440

RSA signatures     SR-404

S

SAs (security associations)

lifetimes, configuring     SR-431

parameters     SR-414

viewing     SR-437

SCEP (Simple Certificate Enrollment Protocol)     SR-391

server (RADIUS) command     SR-160

server (TACACS+) command     SR-173

server groups     SR-114, SR-169

server hosts, RADIUS     SR-114

server hosts, TACACS+     SR-169

service password-encryption command     SR-457

security level (caution)     SR-457

set peer (IPSec) command     SR-335

set peer command     SR-335

set pfs command     SR-337

set security-association level per-host command     SR-339

set security-association lifetime command     SR-341

set session-key command     SR-344

set transform-set command     SR-347

show accounting command     SR-109

show crypto ca certificates command     SR-394

show crypto ca crls command     SR-396

show crypto ca roots command     SR-397

show crypto dynamic-map command     SR-349

show crypto engine accelerator logs command     SR-351

show crypto engine accelerator sa-database command     SR-353

show crypto ipsec sa command     SR-354, SR-356

show crypto ipsec security-association lifetime command     SR-356

show crypto ipsec transform-set command     SR-357

show crypto isakmp policy command     SR-435

show crypto isakmp sa command     SR-437

show crypto key mypubkey rsa command     SR-439

show crypto key pubkey-chain rsa command     SR-440

show crypto map (IPSec) command     SR-358

show dnsix command     SR-492

show ip audit configuration command     SR-286

show ip audit interface command     SR-287

show ip audit statistics command     SR-288

show ip auth-proxy command     SR-297

show ip inspect command     SR-267

show ip port-map command     SR-304

show ip ssh command     SR-502

show ip trigger-authentication command     SR-65

show kerberos creds command     SR-198

show ppp queues command     SR-66

show privilege command     SR-459

show radius statistics command     SR-162

show ssh command     SR-503

show tacacs command     SR-174

show tcp intercept connections command     SR-235

show tcp intercept statistics command     SR-237

Skeme key exchange protocol

See IKE

spam attack     SR-285

SSH (Secure Shell), description     SR-499

ssh command     SR-504

T

Tab key, command completion     xiv

TACACS+

command comparison (table)     SR-167

server hosts     SR-169

tacacs-server administration command     SR-176

tacacs-server directed-request command     SR-177

tacacs-server dns-alias-lookup command     SR-178

tacacs-server extended command     SR-178

tacacs-server host command     SR-179

tacacs-server key command     SR-181

tacacs-server packet command     SR-182

tacacs-server timeout command     SR-183

TCP idle timeout, specifying     SR-260

TCP Intercept

enabling     SR-224

modes

intercept mode     SR-229

watch mode     SR-229

timeouts     SR-223

TFTP (Trivial File Transfer Protocol), specifying     SR-393

timeout intervals

See CBAC, timeouts

timeout login response command     SR-68

traffic filtering     SR-219

transport mode     SR-334

trusted root

configuring     SR-379

PROXY     SR-379

querying     SR-379

SCEP     SR-379

TFTP     SR-379

viewing     SR-397

tunnel mode     SR-334

U

UDP idle timeout, specifying     SR-264

user EXEC mode, summary of     xiv

username command     SR-460

V

vpdn aaa attribute command     SR-164

X

Xauth     SR-421

See also IKE, extended authentication