E Commands
This chapter describes the Cisco NX-OS security commands that begin with E.
enable Cert-DN-match
To allow LDAP users to log in only if the user profile lists the subject DN of the user certificate as authorized for login, use the enable Cert-DN-match command. To disable this check, use the no form of this command.
enable Cert-DN-match
no enable Cert-DN-match
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
LDAP server group configuration
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to allow LDAP users to log in only if the user profile lists the subject DN of the user certificate as authorized for login:
switch# configure terminal
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# enable Cert-DN-match
switch(config-ldap)#
Related Commands
enable
To enable a user to move to a higher privilege level after being prompted for a secret password, use the enable command.
enable level
Syntax Description
Defaults
Privilege level 15
Command Modes
EXEC mode
Command History
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
This command does not require a license.
Examples
This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password:
switch# enable 15
Related Commands
enable secret
To enable a secret password for a specific privilege level, use the enable secret command. To disable the password, use the no form of this command.
enable secret [0 | 5] password [priv-lvl priv-lvl | all]
no enable secret [0 | 5] password [priv-lvl priv-lvl | all]
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
This command does not require a license.
Examples
This example shows how to enable a secret password for a specific privilege level:
switch# configure terminal
switch(config)# feature privilege
switch(config)# enable secret 5 def456 priv-lvl 15
switch(config)# username user2 priv-lvl 15
switch(config)#
Related Commands
enable user-server-group
To enable group validation for an LDAP server group, use the enable user-server-group command. To disable group validation, use the no form of this command.
enable user-server-group
no enable user-server-group
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
LDAP server group configuration
Command History
Usage Guidelines
To use this command, you must configure the LDAP server group name in the LDAP server.
Users can log in through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.
This command does not require a license.
Examples
This example shows how to enable group validation for an LDAP server group:
switch# configure terminal
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# enable user-server-group
switch(config-ldap)#
Related Commands
encryption decrypt type6
To convert type-6 encrypted passwords back to their original state, use the encryption decrypt type6 command.
encryption decrypt type6
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Usage Guidelines
This command does not require a license.
Examples
This example shows how to convert type6 encrypted passwords back to their original state:
switch# encryption decrypt type6
Please enter current Master Key:
Related Commands
Command	Description
encryption re-encrypt obfuscated	Converts the existing obfuscated passwords to type-6 encrypted passwords.
key config-key	Configures the master key for type-6 encryption.
encrypt pause-frame
To configure pause frame encryption for Cisco Trusted Security (Cisco TrustSec) on an interface, use the encrypt pause-frame command. To remove the pause frame encryption, use the no form of this command.
encrypt pause-frame
no encrypt pause-frame
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled on the line cards that support the encryption of pause frames
Command Modes
Cisco TrustSec 802.1X configuration mode (config-if-cts-dot1x)
Cisco TrustSec manual configuration mode (config-if-cts-manual)
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must enable flow control on the interface by using the flowcontrol {send | receive} command.
When you enter the no encrypt pause-frame command, pause frames are sent unencrypted over the Cisco TrustSec link. When you enter the encrypt pause-frame command, pause frames are sent encrypted over the Cisco TrustSec link.
You cannot enable Cisco TrustSec on interfaces in half-duplex mode. Use the show interface command to determine if an interface is configured for half-duplex mode.
Note F1 Series modules and the N7K-M132XP-12(L) module support only clear pause frames. All other M1 Series modules support both secure (encrypted and decrypted) and clear pause frames.
Caution For the pause frame encryption or decryption configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.
This command does not require a license.
Examples
This example shows how to disable pause frame encryption on an interface and then shut down and reenable the interface so that the change takes effect:
switch# configure terminal
switch(config)# interface ethernet 2/2
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no encrypt pause-frame
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)#
Related Commands
encryption delete type6
To delete strongly encrypted passwords on the NX-OS device, use the encryption delete type6 command.
encryption delete type6
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Usage Guidelines
This command does not require a license.
Examples
This example shows how to delete strongly encrypted passwords:
switch# configure terminal
switch(config)# encryption delete type6
Please enter current Master Key:
switch(config)#
Related Commands
Command	Description
encryption re-encrypt obfuscated	Converts the existing obfuscated passwords to type-6 encrypted passwords.
key config-key	Configures the master key for type-6 encryption.
encryption re-encrypt obfuscated
To convert the existing obfuscated passwords to type-6 encrypted passwords, use the encryption re-encrypt obfuscated command.
encryption re-encrypt obfuscated
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Usage Guidelines
When you use the encryption re-encrypt obfuscated command, secrets that are currently stored in plain text or with weak (obfuscated) encryption are converted to type-6 encryption. The conversion requires that the encryption service is enabled and that a master key has been configured with the key config-key command.
This command does not require a license.
Examples
This example shows how to convert the existing obfuscated passwords to type-6 encrypted passwords:
switch# encryption re-encrypt obfuscated
Related Commands
Command	Description
encryption decrypt type6	Converts type-6 encrypted passwords back to their original state.
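The reason the three encryption commands above matter is that an "obfuscated" secret is not a protected one. The following Python script is an added example, not Cisco code, and it serves the encryption decrypt type6, encryption delete type6 and encryption re-encrypt obfuscated entries together: it recovers the plaintext of secrets stored in the weakly encrypted format and lists the configuration lines that still carry one, which is the check to run before and after encryption re-encrypt obfuscated. It assumes that the obfuscated format is the well-known Cisco type-7 scheme (a fixed-key XOR); the key 7 line pattern, the sample configuration lines and the placeholder type-6 value are constructed for this example.

```python
"""Recover Cisco type-7 obfuscated secrets from a configuration and show
why re-encrypting them as type 6 matters.  Added example, not Cisco code.
Assumption: the "obfuscated" (weakly encrypted) secrets that encryption
re-encrypt obfuscated converts to type 6 use the well-known Cisco type-7
scheme, a fixed-key XOR that any reader of the config can reverse.  The
configuration text at the bottom is constructed for this example."""

import re
from typing import List, Tuple

# The fixed key every Cisco device uses for type-7 obfuscation.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Type 7: two decimal digits give the key offset, then one hex pair
    per plaintext byte, each XORed with key[(offset + position) % 53]."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a type-7 string: %r" % encoded)
    seed = int(encoded[:2])
    pairs = [encoded[i:i + 2] for i in range(2, len(encoded), 2)]
    out = bytes(int(p, 16) ^ _XLAT[(seed + n) % len(_XLAT)]
                for n, p in enumerate(pairs))
    return out.decode("ascii")


def type7_encode(plain: str, seed: int = 0) -> str:
    """Inverse of type7_decode; devices pick the seed in 0..15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = "".join("%02X" % (b ^ _XLAT[(seed + n) % len(_XLAT)])
                   for n, b in enumerate(plain.encode("ascii")))
    return "%02d%s" % (seed, body)


# Matches 'key 7 <hex>' on server lines; quotes are optional so that both
# quoted and unquoted output is caught.  Pattern is an assumption.
_KEY7 = re.compile(r'\bkey\s+7\s+"?([0-9A-Fa-f]+)"?')


def find_obfuscated_secrets(config: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, recovered secret) for each type-7 key.
    Type-6 keys do not match and stay opaque, which is the point of the
    re-encryption."""
    hits = []
    for n, line in enumerate(config.splitlines(), 1):
        m = _KEY7.search(line)
        if m:
            hits.append((n, line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample; the type-6 value is a placeholder, not real ciphertext.
SAMPLE_CONFIG = """\
radius-server key 7 "0822455D0A16"
tacacs-server host 10.10.2.3 key 7 "0822455D0A16"
radius-server host 10.10.2.2 key 6 "constructed-type6-ciphertext"
"""

if __name__ == "__main__":
    for n, line, secret in find_obfuscated_secrets(SAMPLE_CONFIG):
        print("line %d: %s  ->  %r" % (n, line, secret))
```

Run against a saved copy of show running-config; an empty result after encryption re-encrypt obfuscated confirms that no reversible key 7 values remain. Treat the saved copy itself as sensitive and delete it afterwards, since the recovered secrets are in the clear.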
enrollment terminal
To enable manual cut-and-paste certificate enrollment through the switch console, use the enrollment terminal command. To revert to the default certificate enrollment process, use the no form of this command.
enrollment terminal
no enrollment terminal
Syntax Description
This command has no arguments or keywords.
Defaults
The default is the manual cut-and-paste method, which is the only enrollment method that the Cisco NX-OS software supports.
Command Modes
Trustpoint configuration
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure trustpoint enrollment through the switch console:
switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# enrollment terminal
This example shows how to discard a trustpoint enrollment through the switch console:
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# no enrollment terminal
Related Commands
Command	Description
crypto ca authenticate	Authenticates the certificate of the certificate authority.
eou allow clientless
To enable Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) posture validation of clientless endpoint devices, use the eou allow clientless command. To disable posture validation of clientless endpoint devices, use the no form of this command.
eou allow clientless
no eou allow clientless
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to allow EAPoUDP posture validation of clientless endpoint devices:
switch# config t
switch(config)# eou allow clientless
This example shows how to prevent EAPoUDP posture validation of clientless endpoint devices:
switch# config t
switch(config)# no eou allow clientless
Related Commands
eou default
To revert to the default global or interface configuration values for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the eou default command.
eou default
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to change the global EAPoUDP configuration to the default:
switch# config t
switch(config)# eou default
This example shows how to change the EAPoUDP configuration for an interface to the default:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou default
Related Commands
eou initialize
To initialize Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the eou initialize command.
eou initialize {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to initialize all the EAPoUDP sessions:
switch# eou initialize all
This example shows how to initialize the EAPoUDP sessions that were statically authenticated:
switch# eou initialize authentication static
This example shows how to initialize the EAPoUDP sessions for an interface:
switch# eou initialize interface ethernet 1/1
This example shows how to initialize the EAPoUDP sessions for an IP address:
switch# eou initialize ip-address 10.10.1.1
This example shows how to initialize all the EAPoUDP sessions for a MAC address:
switch# eou initialize mac-address 0019.076c.dac4
This example shows how to initialize all the EAPoUDP sessions for a posture token:
switch# eou initialize posturetoken healthy
Related Commands
eou logging
To enable Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) logging, use the eou logging command. To disable EAPoUDP logging, use the no form of this command.
eou logging
no eou logging
Syntax Description
This command has no arguments or keywords.
Defaults
Global configuration: Disabled
Interface configuration: Global configuration setting
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The setting for EAPoUDP logging on an interface overrides the global setting.
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to enable global EAPoUDP logging:
switch# config t
switch(config)# eou logging
This example shows how to disable global EAPoUDP logging:
switch# config t
switch(config)# no eou logging
This example shows how to enable EAPoUDP logging for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou logging
This example shows how to disable EAPoUDP logging for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# no eou logging
Related Commands
eou max-retry
To configure the maximum number of attempts for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) globally or for an interface, use the eou max-retry command. To revert to the default, use the no form of this command.
eou max-retry count
no eou max-retry
Syntax Description
Defaults
Global configuration: 3
Interface configuration: global configuration value
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The maximum retries for an interface takes precedence over the globally configured value.
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to change the global maximum number of EAPoUDP retry attempts:
switch# config t
switch(config)# eou max-retry 2
This example shows how to revert to the default global maximum number of EAPoUDP retry attempts:
switch# config t
switch(config)# no eou max-retry
This example shows how to change the maximum number of EAPoUDP retry attempts for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou max-retry 3
This example shows how to revert to the default maximum number of EAPoUDP retry attempts for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# no eou max-retry
Related Commands
eou port
To configure the User Datagram Protocol (UDP) port number for Extensible Authentication Protocol over UDP (EAPoUDP), use the eou port command. To revert to the default, use the no form of this command.
eou port udp-port
no eou port
Syntax Description
Defaults
21862 (0x5566)
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to change the UDP port number for EAPoUDP:
switch# config t
switch(config)# eou port 21856
This example shows how to revert to the default UDP port number for EAPoUDP:
switch# config t
switch(config)# no eou port
Related Commands
eou ratelimit
To configure the number of simultaneous posture validation sessions for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP), use the eou ratelimit command. To revert to the default, use the no form of this command.
eou ratelimit sessions
no eou ratelimit
Syntax Description
sessions
Maximum number of simultaneous EAPoUDP posture validation sessions. The range is from 0 to 200.
Defaults
Global configuration: 20
Interface configuration: Global configuration setting
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Setting the EAPoUDP rate limit to zero (0) allows no simultaneous posture validation sessions.
The EAPoUDP rate limit for an interface overrides the global EAPoUDP rate limit setting.
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to change the global maximum number of simultaneous EAPoUDP posture-validation sessions:
switch# config t
switch(config)# eou ratelimit 30
This example shows how to revert to the default global maximum number of simultaneous EAPoUDP posture-validation sessions:
switch# config t
switch(config)# no eou ratelimit
This example shows how to change the maximum number of simultaneous EAPoUDP posture-validation sessions for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou ratelimit 30
This example shows how to revert to the default maximum number of simultaneous EAPoUDP posture-validation sessions for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# no eou ratelimit
Related Commands
eou revalidate (EXEC)
To revalidate Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the eou revalidate command.
eou revalidate {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Note The Cisco NX-OS software supports an eou revalidate command in global configuration mode. To use an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to revalidate all the EAPoUDP sessions:
switch# eou revalidate all
This example shows how to revalidate the EAPoUDP sessions that were statically authenticated:
switch# eou revalidate authentication static
This example shows how to revalidate the EAPoUDP sessions for an interface:
switch# eou revalidate interface ethernet 1/1
This example shows how to revalidate the EAPoUDP sessions for an IP address:
switch# eou revalidate ip-address 10.10.1.1
This example shows how to revalidate the EAPoUDP sessions for a MAC address:
switch# eou revalidate mac-address 0019.076c.dac4
This example shows how to revalidate the EAPoUDP sessions for a posture token:
switch# eou revalidate posturetoken healthy
Related Commands
eou revalidate (global configuration and interface configuration)
To enable automatic periodic revalidation of Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions globally or for a specific interface, use the eou revalidate command. To revert to the default, use the no form of this command.
eou revalidate
no eou revalidate
Syntax Description
This command has no arguments or keywords.
Defaults
Global configuration: Enabled
Interface configuration: Global configuration value
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The automatic revalidation setting for an interface overrides the global setting for automatic revalidation.
Note The Cisco NX-OS software also supports an eou revalidate command in EXEC mode. To use the EXEC-level eou revalidate command from global configuration mode, include the required keywords.
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to disable global automatic revalidation of EAPoUDP sessions:
switch# config t
switch(config)# no eou revalidate
This example shows how to enable global automatic revalidation of EAPoUDP sessions:
switch# config t
switch(config)# eou revalidate
This example shows how to disable automatic revalidation of EAPoUDP sessions for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# no eou revalidate
This example shows how to enable automatic revalidation of EAPoUDP sessions for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou revalidate
Related Commands
Command	Description
feature eou	Enables EAPoUDP.
eou timeout	Configures the timeout interval for EAPoUDP automatic periodic revalidation.
show eou	Displays EAPoUDP information.
eou timeout
To configure timeout intervals for the global Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) timers or for the EAPoUDP timers for an interface, use the eou timeout command. To revert to the default, use the no form of this command.
eou timeout {aaa seconds | hold-period seconds | retransmit seconds | revalidation seconds | status-query seconds}
no eou timeout {aaa | hold-period | retransmit | revalidation | status-query}
Syntax Description
Defaults
Global AAA timeout interval: 60 seconds (1 minute)
Global hold-period timeout: 180 seconds (3 minutes)
Global retransmit timeout interval: 3 seconds
Global revalidation timeout interval: 36000 seconds (10 hours)
Global status query timeout interval: 300 seconds (5 minutes)
Interface timeout intervals: Global configuration values
Command Modes
Global configuration
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The timeout interval values for the interface timers override the global timeout values.
You must use the feature eou command before you configure EAPoUDP.
This command does not require a license.
Examples
This example shows how to change the global AAA timeout interval:
switch# config t
switch(config)# eou timeout aaa 50
This example shows how to change the AAA timeout interval for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou timeout aaa 60
This example shows how to change the global hold-period timeout interval:
switch# config t
switch(config)# eou timeout hold-period 480
This example shows how to change the hold-period timeout interval for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou timeout hold-period 540
This example shows how to change the global retransmit timeout interval:
switch# config t
switch(config)# eou timeout retransmit 5
This example shows how to change the retransmit timeout interval for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou timeout retransmit 4
This example shows how to change the global revalidation timeout interval:
switch# config t
switch(config)# eou timeout revalidation 34000
This example shows how to change the revalidation timeout interval for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou timeout revalidation 30000
This example shows how to change the global status-query timeout interval:
switch# config t
switch(config)# eou timeout status-query 240
This example shows how to change the status-query timeout interval for an interface:
switch# config t
switch(config)# interface ethernet 1/1
switch(config-if)# eou timeout status-query 270
Related Commands
Command	Description
feature eou	Enables EAPoUDP.
eou revalidate (global configuration)	Enables periodic automatic revalidation of endpoint devices.
show eou	Displays EAPoUDP information.
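The eou logging, eou max-retry, eou ratelimit, eou revalidate and eou timeout entries all follow the same precedence rule: an interface-level setting overrides the global one, an interface with no setting of its own inherits the global value, and the global defaults are the ones listed under each command. Working that out by hand across a long running-config is error-prone, so the following Python script is added here as an example (not Cisco code): it parses an NX-OS-style configuration, resolves the effective EAPoUDP settings per interface, and flags interfaces whose effective rate limit is zero, whose automatic revalidation is off, or whose logging is off. The indentation-based interface block parsing, the treatment of the no form of the boolean settings as an explicit disable (as the examples in this chapter use it), the finding texts and the sample configuration are assumptions of this example.

```python
"""Resolve the effective EAPoUDP (eou) settings of each interface from an
NX-OS-style running-config.  Added example, not Cisco code.  It encodes the
rules given in this chapter: an interface-level eou setting overrides the
global one, an interface without a setting inherits the global value, and
the global defaults are the ones listed under each eou command.  The
indentation-based block parsing and the finding texts are assumptions."""

import re
from typing import Dict, List, Optional, Tuple

Settings = Dict[str, object]

# Global defaults documented for eou logging, max-retry, ratelimit,
# revalidate, port, allow clientless and the five eou timeout timers.
GLOBAL_DEFAULTS: Settings = {
    "logging": False,
    "max-retry": 3,
    "ratelimit": 20,
    "revalidate": True,
    "port": 21862,
    "allow clientless": False,
    "timeout aaa": 60,
    "timeout hold-period": 180,
    "timeout retransmit": 3,
    "timeout revalidation": 36000,
    "timeout status-query": 300,
}
# Settings that exist only in global configuration mode.
GLOBAL_ONLY = {"port", "allow clientless"}
# Settings whose "no" form means "disabled" rather than "revert" (assumption,
# matching the examples in this chapter).
BOOL_KEYS = {"logging", "revalidate", "allow clientless"}


def _apply(settings: Settings, line: str) -> None:
    """Update one scope (global or interface) from an 'eou ...' line."""
    negate = line.startswith("no ")
    words = (line[3:] if negate else line).split()
    if len(words) < 2 or words[0] != "eou":
        return                                   # not an eou command
    if words[1] == "default":
        settings.clear()                         # eou default: drop this scope's settings
        return
    if words[1] in ("timeout", "allow") and len(words) >= 3:
        key, rest = "%s %s" % (words[1], words[2]), words[3:]
    else:
        key, rest = words[1], words[2:]
    if key in BOOL_KEYS:
        settings[key] = not negate               # eou X enables, no eou X disables
    elif negate:
        settings.pop(key, None)                  # no form: fall back to global/default
    elif rest and rest[0].isdigit():
        settings[key] = int(rest[0])


def parse_config(text: str) -> Tuple[Settings, Dict[str, Settings]]:
    """Return (global eou settings, {interface name: its eou settings})."""
    glob: Settings = {}
    ifaces: Dict[str, Settings] = {}
    current: Optional[Settings] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if raw[0].isspace():                     # indented: belongs to the open block
            if current is not None:
                _apply(current, line)
            continue
        m = re.match(r"interface\s+(.+)$", line, re.IGNORECASE)
        if m:
            current = ifaces.setdefault(m.group(1).lower(), {})
        else:
            current = None                       # any other top-level line closes the block
            _apply(glob, line)
    return glob, ifaces


def effective(glob: Settings, iface: Settings) -> Settings:
    """Defaults, overridden by global config, overridden by the interface."""
    eff = dict(GLOBAL_DEFAULTS)
    eff.update(glob)
    eff.update({k: v for k, v in iface.items() if k not in GLOBAL_ONLY})
    return eff


def audit(text: str) -> Dict[str, List[str]]:
    """Flag per-interface effective settings that weaken posture validation."""
    glob, ifaces = parse_config(text)
    report: Dict[str, List[str]] = {}
    for name, iface in ifaces.items():
        eff = effective(glob, iface)
        issues = []
        if eff["ratelimit"] == 0:
            issues.append("ratelimit 0: no simultaneous posture validation sessions allowed")
        if not eff["revalidate"]:
            issues.append("automatic periodic revalidation disabled")
        if not eff["logging"]:
            issues.append("EAPoUDP logging disabled")
        report[name] = issues
    return report


# Constructed sample, not a real device configuration.
SAMPLE_CONFIG = """\
feature eou
eou max-retry 2
eou timeout revalidation 34000
no eou logging
interface ethernet 1/1
  eou logging
  eou ratelimit 0
interface ethernet 1/2
  no eou revalidate
  eou timeout aaa 50
interface ethernet 1/3
  eou max-retry 5
  no eou max-retry
"""

if __name__ == "__main__":
    g, ifs = parse_config(SAMPLE_CONFIG)
    findings = audit(SAMPLE_CONFIG)
    for name in ifs:
        print(name, effective(g, ifs[name]), findings[name])
```

On the constructed sample, ethernet 1/3 ends up with the global max-retry of 2 because its own no eou max-retry falls back to the global value, while ethernet 1/1 keeps logging on despite the global no eou logging, which is the override behaviour the chapter describes.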
eq
To specify a single port as a group member in an IP port object group, use the eq command. To remove a single port group member from the port object group, use the no form of this command.
[sequence-number] eq port-number
no {sequence-number | eq port-number}
Syntax Description
Defaults
None
Command Modes
IP port object group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
IP port object groups are not directional. Whether an eq command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This command does not require a license.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
switch# config t
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# eq 443
Related Commands