Cisco IOS Security Command Reference, Release 12.3
Security Commands: aaa accounting through access-template

Table Of Contents

Security Commands

aaa accounting

aaa accounting connection h323

aaa accounting delay-start

aaa accounting gigawords

aaa accounting nested

aaa accounting resource start-stop group

aaa accounting resource stop-failure group

aaa accounting send stop-record authentication failure

aaa accounting session-duration ntp-adjusted

aaa accounting suppress null-username

aaa accounting update

aaa attribute

aaa authentication arap

aaa authentication attempts login

aaa authentication banner

aaa authentication enable default

aaa authentication fail-message

aaa authentication login

aaa authentication password-prompt

aaa authentication ppp

aaa authentication username-prompt

aaa authorization

aaa authorization cache filterserver

aaa authorization config-commands

aaa authorization console

aaa authorization reverse-access

aaa authorization template

aaa cache filter

aaa configuration route

aaa dnis map accounting network

aaa dnis map authentication group

aaa dnis map authorization network group

aaa group server radius

aaa group server tacacs+

aaa nas cisco-nas-port use-async-info

aaa nas port extended

aaa nas redirected-station

aaa new-model

aaa pod server

aaa preauth

aaa processes

aaa session-id

aaa session-mib

aaa user profile

access-enable

access-list dynamic-extend

access-profile

access-restrict

access-template


Security Commands


This book presents the commands to configure and maintain Cisco IOS security features. The commands are presented in alphabetical order. Some commands required for configuring security features may be found in other Cisco IOS command references. Use the command reference master index or search online to find these commands.

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] [broadcast] group groupname

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec

Runs accounting for EXEC shell sessions. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the accounting methods described in Table 2.

vrf vrf-name

(Optional) Specifies a Virtual Route Forwarding (VRF) configuration.

Note VRF is used only with system accounting.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, fail over occurs using the backup servers defined within that group.

group group-name

At least one of the keywords described in Table 2.


Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added.

12.1(1)T

The broadcast keyword was introduced on the Cisco AS5300 and Cisco AS5800 universal access servers.

12.1(5)T

The auth-proxy keyword was added.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

Table 2 contains descriptions of keywords for aaa accounting methods.

Table 2 aaa accounting Methods 

Keyword
Description

group radius

Uses the list of all RADIUS servers for accounting as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for accounting as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.


In Table 2, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 3.

Table 3 aaa accounting Method List Keywords

Keyword
Description

auth-proxy

Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.

commands

Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.

connection

Creates a method list to provide accounting information about all outbound connections made from the network access server.

exec

Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

network

Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.

resource

Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.



Note System accounting does not use named accounting lists; you can define the default list only for system accounting.


For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular virtual route forwarding (VRF), specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes Overview" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.


Note This command cannot be used with TACACS or extended TACACS.


Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, the list-name argument must be ssg_broadcast_accounting. For more information about configuring SSG, see the chapter "Configuring Accounting for SSG" in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.

Examples

The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example defines a default system accounting method list, where accounting services are provided by the RADIUS server group "sg_water" with a start-stop restriction. The aaa accounting command specifies accounting for VRF "water."

aaa accounting system default vrf water start-stop group sg_water
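The following Python script is an added example and is not part of the Cisco command reference. It parses the aaa accounting method-list lines of a running configuration according to the syntax documented above and reports lists that produce no records: the none method, a named (non-default) list for system accounting, the vrf keyword on a non-system list, a missing aaa new-model, and the absence of a default exec list or a commands 15 list. The regular expression, the finding texts, and the sample configuration fragment are this example's own assumptions.

```python
"""Audit the 'aaa accounting' method lists in a Cisco IOS running-config.

Added example, not part of the Cisco command reference. The regular
expression follows the command syntax documented above; the finding texts
and the sample configuration are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# aaa accounting {auth-proxy|system|network|exec|connection|commands level|resource}
#     {default|list-name} [vrf vrf-name] {start-stop|stop-only|stop-failure|none}
#     [broadcast] group groupname [group groupname ...]
_ACCT_RE = re.compile(
    r"^aaa accounting (?P<type>auth-proxy|system|network|exec|connection|resource|commands)"
    r"(?: (?P<level>\d{1,2}))? (?P<list>\S+)(?: vrf (?P<vrf>\S+))?"
    r" (?P<mode>start-stop|stop-only|stop-failure|none)(?P<bcast> broadcast)?"
    r"(?P<groups>(?: group \S+)*)$"
)


@dataclass
class AcctList:
    acct_type: str
    list_name: str
    mode: str
    level: Optional[int] = None
    vrf: Optional[str] = None
    broadcast: bool = False
    groups: List[str] = field(default_factory=list)

    def label(self) -> str:
        lvl = f" {self.level}" if self.level is not None else ""
        return f"aaa accounting {self.acct_type}{lvl} {self.list_name}"


def parse_aaa_accounting(config: str) -> List[AcctList]:
    """Return every method-list line; other aaa accounting sub-commands are skipped."""
    found = []
    for raw in config.splitlines():
        m = _ACCT_RE.match(raw.strip())
        if not m:
            continue
        found.append(AcctList(
            acct_type=m["type"], list_name=m["list"], mode=m["mode"],
            level=int(m["level"]) if m["level"] else None,
            vrf=m["vrf"], broadcast=bool(m["bcast"]),
            groups=re.findall(r"group (\S+)", m["groups"]),
        ))
    return found


def audit_accounting(config: str) -> List[str]:
    """Flag method lists that record nothing or cannot take effect."""
    findings = []
    present = {line.strip() for line in config.splitlines()}
    if "aaa new-model" not in present:
        findings.append("aaa new-model is absent: no aaa accounting list takes effect")
    lists = parse_aaa_accounting(config)
    for acct in lists:
        if acct.mode == "none":
            findings.append(f"{acct.label()}: 'none' disables accounting on lines using this list")
        if acct.acct_type == "system" and acct.list_name != "default":
            findings.append(f"{acct.label()}: system accounting honours only the default list")
        if acct.vrf and acct.acct_type != "system":
            findings.append(f"{acct.label()}: vrf applies only to system accounting")
    # Without a default list, lines that have no named list get no accounting at all.
    if not any(a.acct_type == "exec" and a.list_name == "default" and a.mode != "none" for a in lists):
        findings.append("no default exec accounting list: EXEC sessions are not accounted by default")
    # The privileged-command trail is what an investigation usually needs first.
    if not any(a.acct_type == "commands" and a.level == 15 and a.mode != "none" for a in lists):
        findings.append("no 'aaa accounting commands 15' list: privilege-15 commands are not accounted")
    return findings


# Constructed running-config fragment (not taken from the page).
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting exec default start-stop broadcast group tacacs+ group radius
aaa accounting network default none
aaa accounting system default vrf water start-stop group sg_water
aaa accounting exec vty-noacct none
aaa accounting update newinfo periodic 30
"""

if __name__ == "__main__":
    for finding in audit_accounting(SAMPLE_CONFIG):
        print(finding)
```

Feed the script the output of show running-config | include ^aaa; lines the regular expression does not recognize (such as aaa accounting update or aaa accounting nested) are ignored rather than reported.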

Related Commands

Command
Description

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa group server tacacs+

Groups different TACACS+ server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ server host.


aaa accounting connection h323

To define the accounting method list h323 with RADIUS as the method and either stop-only or start-stop accounting, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No accounting method list

Command Modes

Global configuration

Command History

Release
Modification

11.3(6)NA2

This command was introduced.


Usage Guidelines

This command creates a method list named h323, which is applied by default to all voice interfaces when the gw-accounting h323 command is also enabled.

Examples

The following example enables authentication, authorization, and accounting (AAA) services and gateway accounting services, and defines a connection accounting method list (h323). The h323 method list specifies RADIUS as the security protocol that provides the accounting services and that start-stop records are sent.

aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

aaa accounting delay-start

To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [all] [vrf vrf-name]

no aaa accounting delay-start [all] [vrf vrf-name]

Syntax Description

all

(Optional) Extends the delay of accounting "start" records to all Virtual Route Forwarding (VRF) and non-VRF users.

vrf vrf-name

(Optional) Extends the delay of accounting "start" records to individual VRF users.


Defaults

Accounting records are not delayed.

Command Modes

Global configuration

Command History

Release
Modification

12.1

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.

12.3(1)

The all keyword was added.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA


Usage Guidelines

Use the aaa accounting delay-start command to delay generation of accounting "start" records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting "start" records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.


Note Without the vrf or all keyword, the aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure both aaa accounting delay-start (for non-VRF users) and aaa accounting delay-start vrf vrf-name (for the users of each VRF), or configure aaa accounting delay-start all (for all VRF and non-VRF users).


Examples

The following example shows how to delay accounting "start" records until the IP address of the user is established:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 172.16.0.0 non-standard
radius-server key rad123

The following example shows that accounting "start" records are to be delayed to all VRF and non-VRF users:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 172.16.0.0 non-standard
radius-server key rad123

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ server host.


aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13.7)T

This command was introduced.


Usage Guidelines

The AAA high-capacity counter process consumes approximately 8 percent of CPU memory with 24,000 (24 K) sessions running in steady state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.


Note The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.


Examples

The following example shows that the AAA 64-bit counters have been disabled:

no aaa accounting gigawords
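The following Python code is an added example, not part of the Cisco command reference, showing what a collector has to do with the attributes this command controls. RADIUS attributes 42 and 43 (Acct-Input-Octets, Acct-Output-Octets, RFC 2866) are 32-bit counters; attributes 52 and 53 (Acct-Input-Gigawords, Acct-Output-Gigawords, RFC 2869) count how many times the corresponding 32-bit counter has wrapped, so the true byte count is gigawords times 2^32 plus octets. The sample stop record is constructed for this example and is shown already parsed into a dictionary.

```python
"""Reassemble 64-bit byte counts from RADIUS accounting attributes 42/43 and 52/53.

Added example, not part of the Cisco command reference. Attribute numbers are
those of RFC 2866 (Acct-Input-Octets 42, Acct-Output-Octets 43) and RFC 2869
(Acct-Input-Gigawords 52, Acct-Output-Gigawords 53).
"""
from typing import Dict, Tuple, Union

WRAP = 1 << 32  # a gigawords attribute counts wraps of the 32-bit octet counter


def total_octets(record: Dict[str, Union[int, str]], direction: str = "Input") -> int:
    """Combine Acct-<dir>-Octets with Acct-<dir>-Gigawords into one 64-bit count.

    A record from a NAS running 'no aaa accounting gigawords' carries no
    attribute 52/53, so the lookup defaults to 0 and only the low 32 bits
    of the transfer are visible to the collector.
    """
    octets = int(record.get(f"Acct-{direction}-Octets", 0))
    gigawords = int(record.get(f"Acct-{direction}-Gigawords", 0))
    if not 0 <= octets < WRAP:
        raise ValueError(f"Acct-{direction}-Octets is a 32-bit attribute: {octets}")
    return gigawords * WRAP + octets


def split_octets(total: int) -> Tuple[int, int]:
    """Inverse operation: the (octets, gigawords) pair a NAS emits for a 64-bit count."""
    if total < 0:
        raise ValueError("byte count cannot be negative")
    return total % WRAP, total // WRAP


def undercount_without_gigawords(record: Dict[str, Union[int, str]],
                                 direction: str = "Input") -> int:
    """Bytes a collector that ignores attribute 52/53 fails to bill for this record."""
    return total_octets(record, direction) - int(record.get(f"Acct-{direction}-Octets", 0))


# Constructed stop record (not taken from the page), already parsed into a dict,
# for a session that received 5,000,000,000 bytes: one wrap plus 705,032,704.
SAMPLE_STOP = {
    "Acct-Status-Type": "Stop",
    "Acct-Session-Id": "00000201",
    "User-Name": "bob",
    "Acct-Session-Time": 7200,
    "Acct-Input-Octets": 705032704,
    "Acct-Input-Gigawords": 1,
    "Acct-Output-Octets": 1500,
    "Acct-Output-Gigawords": 0,
}

if __name__ == "__main__":
    print("input bytes :", total_octets(SAMPLE_STOP, "Input"))   # 5000000000
    print("output bytes:", total_octets(SAMPLE_STOP, "Output"))  # 1500
    print("lost if attribute 52 is ignored:", undercount_without_gigawords(SAMPLE_STOP))
```

The same arithmetic applies on the collector side whether the counters were disabled on the router with no aaa accounting gigawords or the accounting server simply does not store attributes 52 and 53: in both cases a session that moved more than 4 GiB is reported as the wrapped low 32 bits only.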

aaa accounting nested

To specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. To disable nesting, use the no form of this command.

aaa accounting nested

no aaa accounting nested

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

Use this command when you want NETWORK records to be nested within EXEC "start" and "stop" records, for example for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep NETWORK "start" and "stop" records together, essentially nesting them within the framework of the EXEC "start" and "stop" messages. For example, a user dialing in using PPP can create the following records: EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. With nesting enabled, the NETWORK-stop record follows the NETWORK-start record and both fall inside the EXEC pair: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.

Examples

The following example enables nesting of NETWORK accounting records for user sessions:

aaa accounting nested

aaa accounting resource start-stop group

To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed by a corresponding "stop" record at call disconnect. There is a separate "call setup-call disconnect" start-stop accounting record tracking the progress of the resource connection to the device, and a separate "user authentication" start-stop accounting record tracking the user management progress. These two sets of accounting records are linked by a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.


Note Sending "start-stop" records for resource allocation along with user "start-stop" records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.


All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for "start-stop" records:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius

Related Commands

Command
Description

aaa accounting resource stop-failure group

Enables resource failure stop accounting support, which generates a "stop" record only if a call is terminated at any point prior to user authentication.


aaa accounting resource stop-failure group

To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Group to be used for accounting services. Use one of the following options:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a "stop" record for any calls that do not reach user authentication; this function creates "stop" accounting records for the moment of call setup. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure "stop" accounting records from the moment of call setup:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

Related Commands

Command
Description

aaa accounting resource start-stop group

Enables full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination.


aaa accounting send stop-record authentication failure

To generate accounting "stop" records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. To stop generating records for users who fail to authenticate at login or during session negotiation, use the no form of this command.

aaa accounting send stop-record authentication failure [vrf vrf-name]

no aaa accounting send stop-record authentication failure

Syntax Description

vrf vrf-name

(Optional) Virtual Route Forwarding (VRF) configuration.


Defaults

The "stop" records are not generated.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.2(1)DX

The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use this command to generate accounting "stop" records for users who fail to authenticate at login or during session negotiation. When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason.

Use the vrf vrf-name keyword and argument to generate accounting "stop" records per Virtual Private Network (VPN) routing and forwarding (VRF) configuration.

Examples

The following example shows how to generate "stop" records for users who fail to authenticate at login or during session negotiation:

aaa accounting send stop-record authentication failure

aaa accounting session-duration ntp-adjusted

To calculate RADIUS attribute 46, Acct-Sess-Time, on the basis of the Network Time Protocol (NTP) clock time, use the aaa accounting session-duration ntp-adjusted command in global configuration mode. To disable the calculation that was configured on the basis of the NTP clock time, use the no form of this command.

aaa accounting session-duration ntp-adjusted

no aaa accounting session-duration ntp-adjusted

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, RADIUS attribute 46 is calculated on the basis of the 64-bit monotonically increasing counter, which is not NTP adjusted.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

If this command is not configured, RADIUS attribute 46 can skew the session time by as much as 5 to 7 seconds for calls that have a duration of more than 24 hours. However, you may not want to configure the command for short-lived calls or if your device is up for only a short time because of the convergence time required if the session time is configured on the basis of the NTP clock time.

For RADIUS attribute 46 to reflect the NTP-adjusted time, you must configure the ntp server command as well as the aaa accounting session-duration ntp-adjusted command.

Examples

The following example shows that the attribute 46 session time is to be calculated on the basis of the NTP clock time:

aaa new-model
aaa authentication ppp default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting network default start-stop group radius

Related Commands

Command
Description

ntp server

Allows the software clock to be synchronized by a NTP time server.


aaa accounting suppress null-username

To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username command in global configuration mode. To allow sending records for users with a NULL username, use the no form of this command.

aaa accounting suppress null-username

no aaa accounting suppress null-username

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those users who do not have usernames associated with them.

Examples

The following example suppresses accounting records for users who do not have usernames associated with them:

aaa accounting suppress null-username
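The following Python script is an added example, not part of the Cisco command reference. It correlates accounting records by Acct-Session-Id and separates the cases the preceding sections describe: stop records with no matching start (what a stop-only list, or aaa accounting send stop-record authentication failure for a failed login, leaves on the server), records with an empty User-Name (the records this command suppresses), complete start/stop pairs, and starts that never received a stop. The log format (one attribute per line, a blank line between records) and the records themselves are constructed for the example.

```python
"""Correlate RADIUS accounting records by Acct-Session-Id.

Added example, not part of the Cisco command reference. The log format
(one 'Attribute = value' per line, blank line between records) and the
records themselves are constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

_ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

# Constructed sample log. Session 00000103 has a stop and no start, which is
# what a stop-only list, or the record produced by 'aaa accounting send
# stop-record authentication failure', looks like on the server. Session
# 00000102 has an empty User-Name, the kind of record 'aaa accounting suppress
# null-username' drops. Session 00000104 is a start that never got its stop.
SAMPLE_LOG = """\
Acct-Status-Type = Start
Acct-Session-Id = "00000101"
User-Name = "alice"

Acct-Status-Type = Start
Acct-Session-Id = "00000102"
User-Name = ""

Acct-Status-Type = Stop
Acct-Session-Id = "00000102"
User-Name = ""
Acct-Session-Time = 4

Acct-Status-Type = Stop
Acct-Session-Id = "00000103"
User-Name = "mallory"
Acct-Session-Time = 0

Acct-Status-Type = Stop
Acct-Session-Id = "00000101"
User-Name = "alice"
Acct-Session-Time = 3600

Acct-Status-Type = Start
Acct-Session-Id = "00000104"
User-Name = "carol"
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the log into records and each record into an attribute dict."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current record
            if current:
                records.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def correlate(records: List[Dict[str, str]]) -> Dict[str, list]:
    """Pair Start and Stop records per session and classify the leftovers."""
    kinds_by_session: Dict[str, set] = defaultdict(set)
    null_username: List[Tuple[str, str]] = []
    for rec in records:
        sid = rec.get("Acct-Session-Id", "")
        status = rec.get("Acct-Status-Type", "")
        kinds_by_session[sid].add(status)
        if rec.get("User-Name", "") == "":
            null_username.append((sid, status))
    result: Dict[str, list] = {
        "complete": [], "stop_without_start": [], "start_without_stop": [],
        "null_username": null_username,
    }
    for sid, kinds in sorted(kinds_by_session.items()):
        if {"Start", "Stop"} <= kinds:
            result["complete"].append(sid)
        elif "Stop" in kinds:
            result["stop_without_start"].append(sid)
        elif "Start" in kinds:
            result["start_without_stop"].append(sid)
    return result


if __name__ == "__main__":
    for key, value in correlate(parse_records(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

A stop without a start is expected, not an anomaly, on a NAS whose lists use stop-only or which sends failure stop records; a start without a stop is what you see while a session is still open, or when the stop was lost because the accounting server was unreachable at disconnect.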

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.


aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter {maximum max-value}]]

no aaa accounting update

Syntax Description

newinfo

(Optional) An interim accounting record is sent to the accounting server whenever there is new accounting information to report relating to the user in question.

periodic

(Optional) An interim accounting record is sent to the accounting server periodically, as defined by the argument number.

number

(Optional) Integer specifying number of minutes.

jitter

(Optional) Allows you to set the maximum jitter value in periodic accounting.

maximum max-value

(Required) The number of seconds to set for maximum jitter in periodic accounting. The value 0 turns off jitter. Jitter is set to 300 seconds (5 minutes) by default.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(13)T

Introduced support for generation of an additional updated interim accounting record that contains all available attributes when a call leg is connected.

12.2(15)T11

The jitter keyword was added.


Usage Guidelines

When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators) available at the time of call connection are sent through this interim updated accounting record.

When used with the periodic keyword, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.

When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.

Vendor-specific attributes (VSAs) such as h323-connect-time and backward call indicator (BCI) are transmitted in the interim update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

Jitter spreads the periodic records of different sessions over an interval of time so that the AAA server is not hit by a burst of records from every session at once. If an application requires that periodic records be sent at exact intervals, disable jitter by setting the maximum to 0.
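The following Python model, added here as an illustration and not part of the Cisco reference, shows what the jitter setting buys. It assumes that the jitter is a fresh uniform random delay between 0 and the configured maximum applied to each record (the reference only says "maximum"), and it uses a constructed population of sessions that all started at the same moment; with jitter maximum 0 every session's record lands in the same second.

```python
import random
from collections import Counter
from typing import List


def interim_record_times(n_sessions: int, period_minutes: int,
                         max_jitter_seconds: int, cycles: int, seed: int) -> List[float]:
    """Send times (seconds after a common start) of every periodic interim
    record that n_sessions simultaneous sessions emit over `cycles` periods.

    Assumption, not stated in the reference: jitter is a fresh uniform random
    delay in [0, max_jitter_seconds] drawn for each record. A maximum of 0
    reproduces 'jitter maximum 0', i.e. records at exact intervals.
    """
    rng = random.Random(seed)          # seeded so the run is reproducible
    period = period_minutes * 60
    times: List[float] = []
    for _ in range(n_sessions):
        for k in range(1, cycles + 1):
            jitter = rng.uniform(0, max_jitter_seconds) if max_jitter_seconds > 0 else 0.0
            times.append(k * period + jitter)
    return times


def peak_records_per_second(times: List[float]) -> int:
    """Largest number of records landing in any single one-second window,
    a proxy for the burst the accounting server has to absorb."""
    if not times:
        return 0
    return max(Counter(int(t) for t in times).values())


def compare(n_sessions: int = 500, period_minutes: int = 30, cycles: int = 2) -> dict:
    """Peak load for 'periodic 30 jitter maximum 0' versus the 300 s default."""
    return {
        "jitter_0": peak_records_per_second(
            interim_record_times(n_sessions, period_minutes, 0, cycles, seed=1)),
        "jitter_300": peak_records_per_second(
            interim_record_times(n_sessions, period_minutes, 300, cycles, seed=1)),
    }


if __name__ == "__main__":
    # Constructed scenario: 500 sessions, 30-minute period, two periods.
    print(compare())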


Caution Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.


Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30-minute intervals.

aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30

The following example sends an interim record whenever there is new accounting information to report and periodic interim records to the RADIUS server at 30-minute intervals, with jitter disabled so that the periodic records are sent at exact intervals:

aaa accounting update newinfo periodic 30 jitter maximum 0

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

gw-accounting aaa

Enables VoIP gateway accounting through the AAA system.


aaa attribute

To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command.

aaa attribute {clid | dnis} attribute-value

no aaa attribute {clid | dnis} attribute-value

Syntax Description

clid

Adds CLID attribute values to the user profile.

dnis

Adds DNIS attribute values to the user profile.

attribute-value

Specifies a name for CLID or DNIS attribute values.


Defaults

If this command is not enabled, you will have an empty user profile.

Command Modes

AAA-user configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record.

Examples

The following example shows how to add CLID and DNIS attribute values to the user profile "cat":

aaa user profile cat
 aaa attribute clid clidval
 aaa attribute dnis dnisval

Related Commands

Command
Description

aaa user profile

Creates a AAA user profile.

test aaa group

Associates a DNIS or CLID user profile with the record that is sent to the RADIUS server.


aaa authentication arap

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.

aaa authentication arap {default | list-name} method1 [method2...]

no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 4.


Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication arap default local

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server and local-case support were added as method keywords for this command.


Usage Guidelines

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 4. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 4 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the more system:running-config command to view currently configured lists of authentication methods.


Note In Table 4, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 4 aaa authentication arap Methods

Keyword
Description

guest

Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.

auth-guest

Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:

aaa authentication arap default group tacacs+ none

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.


aaa authentication attempts login

To set the maximum number of login attempts that will be permitted before a session is dropped, use the aaa authentication attempts login command in global configuration mode. To reset the number of attempts to the default, use the no form of this command.

aaa authentication attempts login number-of-attempts

no aaa authentication attempts login

Syntax Description

number-of-attempts

Number of login attempts. Range is from 1 to 25. Default is 3.


Defaults

3 attempts

Command Modes

Global configuration

Command History

Release
Modification

12.2 T

This command was introduced.


Usage Guidelines

The aaa authentication attempts login command configures the number of times a router will prompt for username and password before a session is dropped.

The aaa authentication attempts login command can be used only if the aaa new-model command is configured.

Examples

The following example configures a maximum of 5 attempts at authentication for login:

aaa authentication attempts login 5

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.


aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.

aaa authentication banner dstringd

no aaa authentication banner

Syntax Description

d

Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.


Defaults

Not enabled

Command Modes

Global configuration

Command History

Release
Modification

11.3(4)T

This command was introduced.


Usage Guidelines

Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.


Note The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list.


Examples

The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:

The following example configures a login banner (in this case, the phrase "Unauthorized use is prohibited.") that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius

This configuration produces the following login banner:

Unauthorized use is prohibited.
Username:

Related Commands

Command
Description

aaa authentication fail-message

Configures a personalized banner that will be displayed when a user fails login.


aaa authentication enable default

To enable authentication, authorization, and accounting (AAA) authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode. To disable this authorization method, use the no form of this command.

aaa authentication enable default method1 [method2...]

no aaa authentication enable default method1 [method2...]

Syntax Description

method1 [method2...]

At least one of the keywords described in Table 5.


Defaults

If the default list is not set, only the enable password is checked. This has the same effect as the following command:

aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support was added as various method keywords for this command.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA


Usage Guidelines

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in Table 5. The additional methods of authentication are used only if the previous method returns an error, not if it fails. An error means the method could not give an answer (for example, no server responded, or no enable password is configured); a failure means the method answered and rejected the user, and no further method is tried. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

All aaa authentication enable default requests sent by the router to a RADIUS server include the username "$enab15$."


Note An enable authentication request for $enab{x}$ is sent only for RADIUS servers.


If no default list is set, only the enable password is checked, as described under Defaults. Use the more system:running-config command to view currently configured lists of authentication methods.


Note In Table 5, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 5 aaa authentication enable default Methods

Keyword
Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

Note The RADIUS method does not work on a per-username basis.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


Examples

The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication.

aaa authentication enable default group tacacs+ enable none

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict network access to a user.

aaa new-model

Enables the AAA access control model.

enable password

Sets a local password to control access to various privilege levels.


aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

aaa authentication fail-message dstringd

no aaa authentication fail-message

Syntax Description

d

The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

string

Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.


Defaults

Not enabled

Command Modes

Global configuration

Command History

Release
Modification

11.3(4)T

This command was introduced.


Usage Guidelines

Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
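As an added illustration, not part of the Cisco reference, the following Python parser applies the delimiter rules that the aaa authentication banner and aaa authentication fail-message commands share: the first non-blank character after the keyword is the delimiter, the text ends at the next occurrence of that character, the delimiter may not appear inside the text, and the text is limited to 2996 characters. Treating leftover characters after the closing delimiter as a configuration error is this parser's own assumption, as is the helper that encodes the note above about TACACS+ being the first login method; the sample lines are constructed.

```python
from typing import List, Optional, Tuple

MAX_BANNER_CHARS = 2996   # limit given in the command reference


def parse_delimited_text(line: str, keyword: str) -> Tuple[Optional[str], Optional[str]]:
    """Parse one 'aaa authentication <keyword> dstringd' line.

    Returns (text, None) on success or (None, reason) on failure. Treating
    leftover characters after the closing delimiter as an error is an
    assumption of this parser; it catches the case the reference warns
    about, a delimiter character used inside the banner text.
    """
    prefix = f"aaa authentication {keyword}"
    if not line.startswith(prefix):
        return None, f"expected a line beginning with {prefix!r}"
    rest = line[len(prefix):].lstrip()
    if not rest:
        return None, "missing delimiter and banner text"
    delim, body = rest[0], rest[1:]
    end = body.find(delim)
    if end == -1:
        return None, f"closing delimiter {delim!r} not found"
    text, leftover = body[:end], body[end + 1:].strip()
    if leftover:
        # The delimiter occurred inside the intended text: the banner is cut
        # at its first occurrence and the remainder is not part of it.
        return None, f"delimiter {delim!r} occurs inside the text; dropped: {leftover!r}"
    if len(text) > MAX_BANNER_CHARS:
        return None, f"text is {len(text)} characters, limit is {MAX_BANNER_CHARS}"
    return text, None


def banner_is_displayed(login_methods: List[str]) -> bool:
    """The reference notes that the AAA banner is not displayed when TACACS+
    is the first method in the login method list."""
    return not (login_methods and login_methods[0] == "group tacacs+")


if __name__ == "__main__":
    # Constructed sample lines.
    for line, kw in [("aaa authentication banner *Unauthorized use is prohibited.*", "banner"),
                     ("aaa authentication fail-message *Failed login. Try again.*", "fail-message"),
                     ("aaa authentication banner *Do not * use*", "banner")]:
        print(parse_delimited_text(line, kw))
    print(banner_is_displayed(["group tacacs+", "local"]))
```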

Examples

The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)

aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:

User Verification Access
Username:
Password:

% Authentication failed.

The following example configures both a login banner ("Unauthorized use is prohibited.") and a login-fail message ("Failed login. Try again."). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.

aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:

Unauthorized use is prohibited.
Username: 
Password: 
Failed login. Try again.

Related Commands

Command
Description

aaa authentication banner

Configures a personalized banner that will be displayed at user login.


aaa authentication login

To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.

aaa authentication login {default | list-name} method1 [method2...]

no aaa authentication login {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods activated when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 6.


Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication login default local


Note On the console, login will succeed without any authentication checks if default is not set.


Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server and local-case support were added as method keywords for this command.


Usage Guidelines

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 6.

To create a default list that is used if no list is assigned to a line, use the aaa authentication login command with the default keyword followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. An error means the method could not give an answer (for example, no server responded); a failure means the method answered and rejected the user, and no further method is tried. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If no method list is assigned to a line with the login authentication command, the default list applies (see Defaults). Use the more system:running-config command to display currently configured lists of authentication methods.


Note In Table 6, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 6 aaa authentication login Methods 

Keyword
Description

enable

Uses the enable password for authentication.

krb5

Uses Kerberos 5 for authentication.

krb5-telnet

Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


Examples

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication.

aaa authentication login MIS-access group tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

aaa authentication login default group tacacs+ enable none

The following example sets authentication at login to use Kerberos 5 authentication:

aaa authentication login default krb5

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

login authentication

Enables AAA authentication for logins.


aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. To return to the default password prompt text, use the no form of this command.

aaa authentication password-prompt text-string

no aaa authentication password-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").


Defaults

There is no user-defined text-string, and the password prompt appears as "Password."

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:

Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server.

The aaa authentication password-prompt command works when RADIUS is used as the login method: the prompt defined by the command is shown even when the RADIUS server is unreachable. It does not override TACACS+, because the TACACS+ server supplies the network access server (NAS) with the password prompt to display. If the TACACS+ server is reachable, the NAS uses the prompt from the server instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the prompt defined in the aaa authentication password-prompt command may be used.

Examples

The following example changes the text for the password prompt:

aaa authentication password-prompt "Enter your password now:"

Related Commands

Command
Description

aaa authentication username-prompt

Changes the text displayed when users are prompted to enter a username.

aaa new-model

Enables the AAA access control model.

enable password

Sets a local password to control access to various privilege levels.


aaa authentication ppp

To specify one or more authentication, authorization, and accounting (AAA) authentication methods for use on serial interfaces that are running PPP, use the aaa authentication ppp command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication ppp {default | list-name} method1 [method2...]

no aaa authentication ppp {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.

list-name

Character string used to name the list of authentication methods tried when a user logs in.

method1 [method2...]

Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in Table 7.


Defaults

If the default list is not set, only the local user database is checked. This has the same effect as that created by the following command:

aaa authentication ppp default local

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server support and local-case were added as method keywords.


Usage Guidelines

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 7.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.
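The error-versus-failure rule stated in the Usage Guidelines for aaa authentication arap, aaa authentication enable default, aaa authentication login and this command decides whether a trailing none method is a safe outage fallback or an open door. The following Python model is an added example, not Cisco code; it reduces the method keywords to PASS, FAIL and ERROR and walks a list the way the reference describes. The Device class, its constructed users and passwords, and the audit helper are this example's own; the local method is simplified so that an unknown user and a wrong password both count as a failure.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable, nothing configured)


@dataclass
class Device:
    """Constructed state of one router and its servers; not a real device."""
    local_users: Dict[str, str] = field(default_factory=dict)
    enable_password: Optional[str] = None     # None: no enable password set
    tacacs_reachable: bool = True
    tacacs_users: Dict[str, str] = field(default_factory=dict)


def run_method(dev: Device, method: str, user: str, password: str) -> Result:
    """One method keyword from Tables 4 to 7, reduced to PASS / FAIL / ERROR."""
    if method == "none":
        return Result.PASS
    if method == "local":
        # Simplification: an unknown user and a wrong password both count as FAIL.
        return Result.PASS if dev.local_users.get(user) == password else Result.FAIL
    if method == "enable":
        if dev.enable_password is None:
            return Result.ERROR           # nothing to check against, so fall through
        return Result.PASS if password == dev.enable_password else Result.FAIL
    if method == "group tacacs+":
        if not dev.tacacs_reachable:
            return Result.ERROR           # no server responded, so fall through
        return Result.PASS if dev.tacacs_users.get(user) == password else Result.FAIL
    raise ValueError(f"unsupported method {method!r}")


def evaluate(dev: Device, method_list: List[str], user: str,
             password: str) -> Tuple[Result, Optional[str]]:
    """Walk the list as the reference describes: the next method is tried only
    after an ERROR, never after a FAIL. Returns the outcome and the method that
    produced it; (ERROR, None) means every method errored, i.e. no access."""
    for method in method_list:
        outcome = run_method(dev, method, user, password)
        if outcome is not Result.ERROR:
            return outcome, method
    return Result.ERROR, None


def audit(method_list: List[str]) -> List[str]:
    """Flag a list whose tail grants access whenever every real authenticator is down."""
    findings = []
    if len(method_list) > 1 and method_list[-1] == "none":
        findings.append("'none' as the last method: an outage of every earlier method "
                        "grants access to anyone")
    return findings


if __name__ == "__main__":
    # Constructed scenario: TACACS+ server down, no enable password configured.
    outage = Device(local_users={"alice": "s3cret"}, tacacs_reachable=False,
                    tacacs_users={"alice": "s3cret"})
    print(evaluate(outage, ["group tacacs+", "enable", "none"], "mallory", "guess"))
    print(evaluate(outage, ["group tacacs+", "local"], "mallory", "guess"))
    print(audit(["group tacacs+", "enable", "none"]))
```

With the server down and no enable password set, the list group tacacs+ enable none admits any username with any password, exactly the behaviour the MIS-access examples describe; the same list with the server up rejects a bad password at the TACACS+ step and never reaches none. Ending the list with local instead keeps an outage fallback that still checks credentials.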


Note In Table 7, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Table 7 aaa authentication ppp Methods 

Keyword
Description

if-needed

Does not authenticate if the user has already been authenticated on a tty line.

krb5

Uses Kerberos 5 for authentication (can be used only for Password Authentication Protocol [PAP] authentication).

local

Uses the local username database for authentication.

local-case

Uses case-sensitive local username authentication.

none

Uses no authentication.

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.


Examples

The following example creates a AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

aaa authentication ppp MIS-access group tacacs+ none

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa group server tacacs+

Groups different TACACS+ server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

more system:running-config

Displays the contents of the currently running configuration file, the configuration for a specific interface, or map class information.

ppp authentication

Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ server host.


aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. To return to the default username prompt text, use the no form of this command.

aaa authentication username-prompt text-string

no aaa authentication username-prompt text-string

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").


Defaults

There is no user-defined text-string, and the username prompt appears as "Username."

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:

Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.


Note The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.


Examples

The following example changes the text for the username prompt:

aaa authentication username-prompt "Enter your name here:"

Related Commands

Command
Description

aaa authentication password-prompt

Changes the text that is displayed when users are prompted for a password.

aaa new-model

Enables the AAA access control model.

enable password

Sets a local password to control access to various privilege levels.


aaa authorization

To set parameters that restrict user access to a network, use the aaa authorization command in global configuration mode. To disable authorization for a function, use the no form of this command.

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

no aaa authorization {network | exec | commands level | reverse-access | configuration | default | list-name}

Syntax Description

network

Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote Access (ARA).

exec

Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information.

commands

Runs authorization for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0 through 15.

reverse-access

Runs authorization for reverse access connections, such as reverse Telnet.

configuration

Downloads the configuration from the AAA server.

default

Uses the listed authorization methods that follow this argument as the default list of methods for authorization.

list-name

Character string used to name the list of authorization methods.

method1 [method2...]

One of the keywords listed in Table 8.


Defaults

Authorization is disabled for all actions (equivalent to the method keyword none).

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

12.0(5)T

Group server support was added as a method keyword for this command.


Usage Guidelines

Use the aaa authorization command to enable authorization and to create named methods lists, defining authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be used (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.


Note The Cisco IOS software attempts authorization with the next listed method only when there is no response from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user services—the authorization process stops and no other authorization methods are attempted.


If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.

Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence.


Note In Table 8, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Method keywords are described in Table 8.

Table 8 aaa authorization Methods 

Keyword
Description

group group-name

Uses a subset of RADIUS or TACACS+ servers for authorization as defined by the aaa group server radius or aaa group server tacacs+ command.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

krb5-instance

Uses the instance defined by the kerberos instance map command.

local

Uses the local database for authorization.

none

No authorization is performed.


Cisco IOS software supports the following six methods for authorization:

RADIUS—The network access server requests authorization information from the RADIUS security server group. RADIUS authorization defines specific rights for users by associating attributes, which are stored in a database on the RADIUS server, with the appropriate user.

TACACS+—The network access server exchanges authorization information with the TACACS+ security daemon. TACACS+ authorization defines specific rights for users by associating attribute-value (AV) pairs, which are stored in a database on the TACACS+ security server, with the appropriate user.

If-Authenticated—The user is allowed to access the requested function provided the user has been authenticated successfully.

None—The network access server does not request authorization information; authorization is not performed over this line/interface.

Local—The router or access server consults its local database, as defined by the username command, to authorize specific rights for users. Only a limited set of functions can be controlled via the local database.

Kerberos Instance Map—The network access server uses the instance defined by the kerberos instance map command for authorization.

Method lists are specific to the type of authorization being requested. AAA supports five different types of authorization:

Network—Applies to network connections. This can include a PPP, SLIP, or ARA connection.

EXEC—Applies to the attributes associated with a user EXEC terminal session.

Commands—Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.

Reverse Access—Applies to reverse Telnet sessions.

Configuration—Applies to the configuration downloaded from the AAA server.

When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.

Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.

The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:

Accept the request as is.

Make changes to the request.

Refuse the request and refuse authorization.

For a list of supported RADIUS attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.


Note There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included in the privilege level command set.


Examples

The following example defines the network authorization method list named "scoobee", which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization will be performed.

aaa authorization network scoobee group radius local
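The following Python model, added here as an illustration and not part of the Cisco IOS reference, walks an authorization method list the way the Usage Guidelines describe: the next method is consulted only when the previous one does not respond, and an explicit deny ends the evaluation. The server groups, the local username database and the reachability state are constructed inputs; treating "every method failed to respond" as not authorized is an assumption, since the reference does not state that outcome.

```python
"""Model of Cisco IOS AAA method-list fall-through (added example, not from
the Cisco reference). Rule modelled from the usage guidelines: the next
method is consulted only when the previous one gives NO RESPONSE; an
explicit deny stops the list. All server state is constructed; no RADIUS or
TACACS+ traffic is generated."""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authorized the request
    FAIL = "fail"    # method answered and denied: evaluation stops
    ERROR = "error"  # method did not respond: fall through to next method


# Constructed server-group databases: the users each group will authorize.
SERVER_GROUPS = {
    "group radius": {"alice", "bob"},
    "group tacacs+": {"alice"},
}
# Constructed local `username` database.
LOCAL_DB = {"alice", "carol"}


def parse_method_list(cli):
    """Split e.g. 'aaa authorization network scoobee group radius local'
    into (authorization_type, list_name, [methods]); 'group X' is one method."""
    tokens = cli.split()
    if tokens[:2] != ["aaa", "authorization"]:
        raise ValueError("not an aaa authorization command")
    i = 2
    auth_type = tokens[i]
    i += 1
    if auth_type == "commands":          # 'commands <level>' carries a level
        auth_type = f"commands {tokens[i]}"
        i += 1
    list_name = tokens[i]
    i += 1
    methods = []
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return auth_type, list_name, methods


def run_method(method, user, unreachable):
    """Outcome of one method. `unreachable` is the constructed set of
    server groups that are currently down."""
    if method == "none":                 # never denies, never errors
        return Result.PASS
    if method == "local":
        return Result.PASS if user in LOCAL_DB else Result.FAIL
    if method in SERVER_GROUPS:
        if method in unreachable:
            return Result.ERROR
        return Result.PASS if user in SERVER_GROUPS[method] else Result.FAIL
    raise ValueError(f"unsupported method {method!r}")


def authorize(cli, user, unreachable=frozenset()):
    """Walk the method list. Returns (final Result, trace of (method, Result)).
    If every method errors out nothing authorized the user, so the result is
    FAIL (assumption: the reference does not state this outcome)."""
    _, _, methods = parse_method_list(cli)
    trace = []
    for method in methods:
        outcome = run_method(method, user, unreachable)
        trace.append((method, outcome))
        if outcome is not Result.ERROR:
            return outcome, trace
    return Result.FAIL, trace


if __name__ == "__main__":
    scoobee = "aaa authorization network scoobee group radius local"
    # RADIUS answers with a deny: the list stops, local is never consulted.
    print(authorize(scoobee, "carol"))
    # RADIUS down: local is consulted as the backup method.
    print(authorize(scoobee, "carol", {"group radius"}))
    # A trailing 'none' is fail-open: an unreachable TACACS+ group means
    # every user is authorized.
    fail_open = "aaa authorization exec default group tacacs+ none"
    print(authorize(fail_open, "mallory", {"group tacacs+"}))
```

The last scenario is the one to watch in a review: a list that ends in none only denies while the remote server group is answering, so an outage of that group authorizes everyone.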

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa new-model

Enables the AAA access control model.


aaa authorization cache filterserver

To enable authentication, authorization, and accounting (AAA) authorization caches and the downloading of access control list (ACL) configurations from a RADIUS filter server, use the aaa authorization cache filterserver command in global configuration mode. To disable AAA authorization caches, use the no form of this command.

aaa authorization cache filterserver default methodlist [methodlist2...]

no aaa authorization cache filterserver default

Syntax Description

default

Default authorization list.

methodlist [methodlist2...]

One of the keywords listed in Table 9.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use the aaa authorization cache filterserver command to enable the RADIUS ACL filter server.

Method keywords are described in Table 9.

Table 9 aaa authorization cache filterserver Methods

Keyword
Description

group group-name

Uses a subset of RADIUS servers for authorization as defined by the aaa group server radius command.

local

Uses the local database for authorization caches and ACL configuration downloading.

none

No authorization is performed.


This command functions similarly to the aaa authorization command with the following exceptions:

Named method-lists cannot be configured.

Only one instance of this command can be configured.

TACACS+ groups cannot be configured.

Examples

The following example shows how to configure the default RADIUS server group as the desired filter. If the request is rejected or a reply is not returned, local configuration will be consulted. If the local filter does not respond, the call will be accepted but filtering will not occur.

aaa authorization cache filterserver default group radius local none

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict user access to a network.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.


aaa authorization config-commands

To reestablish the default created when the aaa authorization commands command was issued, use the aaa authorization config-commands command in global configuration mode. To disable authentication, authorization, and accounting (AAA) configuration command authorization, use the no form of this command.

aaa authorization config-commands

no aaa authorization config-commands

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.0(6.02)T

This command was changed from being enabled by default to being disabled by default.


Usage Guidelines

If the aaa authorization commands level method command is enabled, all commands, including configuration commands, are authorized by authentication, authorization, and accounting (AAA) using the method specified. Because there are configuration commands that are identical to some EXEC-level commands, there can be some confusion in the authorization process. Using the no aaa authorization config-commands command stops the network access server from attempting configuration command authorization.

After the no form of this command has been entered, AAA authorization of configuration commands is completely disabled. Care should be taken before entering the no form of this command because it potentially reduces the amount of administrative control on configuration commands.

Use the aaa authorization config-commands command if, after using the no form of this command, you need to reestablish the default set by the aaa authorization commands level method command.


Note You will get the same result if you (1) do not configure this command, or (2) configure no aaa authorization config-commands.


Examples

The following example specifies that TACACS+ authorization is run for level 15 commands and that AAA authorization of configuration commands is disabled:

aaa new-model
aaa authorization commands 15 group tacacs+ none
no aaa authorization config-commands

Related Commands

Command
Description

aaa authorization

Sets parameters that restrict user access to a network.


aaa authorization console

To apply authorization to a console, use the aaa authorization console command in global configuration mode. To disable the authorization, use the no form of this command.

aaa authorization console

no aaa authorization console

Syntax Description

This command has no arguments or keywords.

Defaults

Authentication, authorization, and accounting (AAA) authorization is disabled on the console.

Command Modes

Global configuration

Command History

Release
Modification

12.0(6)T

This command was introduced.


Usage Guidelines

If the aaa new-model command has been configured to enable the AAA access control model, the no aaa authorization console command is the default, and the authorization that is configured on the console line will always succeed. If you do not want the default, you need to configure the aaa authorization console command.


Note This command by itself does not turn on authorization of the console line. It needs to be used in conjunction with the authorization command under console line configurations.


If you are trying to enable authorization and the no aaa authorization console command is configured by default, you will see the following message:

%Authorization without the global command aaa authorization console is useless.

Examples

The following example shows that the default authorization that is configured on the console line is being disabled:

Router(config)# aaa authorization console

Related Commands

Command
Description

authorization

Enables AAA authorization for a specific line or group of lines.


aaa authorization reverse-access

To configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session, use the aaa authorization reverse-access command in global configuration mode. To restore the default value for this command, use the no form of this command.

aaa authorization reverse-access {group radius | group tacacs+}

no aaa authorization reverse-access {group radius | group tacacs+}

Syntax Description

group radius

Specifies that the network access server will request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session.

group tacacs+

Specifies that the network access server will request authorization from a TACACS+ security server before allowing a user to establish a reverse Telnet session.


Defaults

This command is disabled by default, meaning that authorization for reverse Telnet is not requested.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.0(5)T

Group server support was added as various method keywords for this command.


Usage Guidelines

Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log in to a network access server (typically through a dialup connection) and then use Telnet to access other network devices from that network access server. There are times, however, when it is necessary to establish a reverse Telnet session. In reverse Telnet sessions, the Telnet connection is established in the opposite direction—from inside a network to a network access server on the network periphery to gain access to modems or other devices connected to that network access server. Reverse Telnet is used to provide users with dialout capability by allowing them to open Telnet sessions to modem ports attached to a network access server.

It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for example, allow unauthorized users free access to modems where they can trap and divert incoming calls or make outgoing calls to unauthorized destinations.

Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet. Typically the user has to provide a username and password to establish either a Telnet or reverse Telnet session. This command provides an additional (optional) level of security by requiring authorization in addition to authentication. When this command is enabled, reverse Telnet authorization can use RADIUS or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific asynchronous ports, after the user successfully authenticates through the standard Telnet login procedure.

Examples

The following example causes the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:

aaa new-model
aaa authentication login default group tacacs+
aaa authorization reverse-access default group tacacs+
!
tacacs-server host 172.31.255.0
tacacs-server timeout 90
tacacs-server key goaway

The lines in this sample TACACS+ reverse Telnet authorization configuration are defined as follows:

The aaa new-model command enables AAA.

The aaa authentication login default group tacacs+ command specifies TACACS+ as the default method for user authentication during login.

The aaa authorization reverse-access default group tacacs+ command specifies TACACS+ as the method for user authorization when trying to establish a reverse Telnet session.

The tacacs-server host command identifies the TACACS+ server.

The tacacs-server timeout command sets the interval of time that the network access server waits for the TACACS+ server to reply.

The tacacs-server key command defines the encryption key used for all TACACS+ communications between the network access server and the TACACS+ daemon.

The following example configures a generic TACACS+ server to grant a user, "jim," reverse Telnet access to port tty2 on the network access server named "site1" and to port tty5 on the network access server named site2:

user = jim
  login = cleartext lab
  service = raccess {
    port#1 = site1/tty2
    port#2 = site2/tty5
  }

Note In this example, "site1" and "site2" are the configured host names of network access servers, not DNS names or aliases.


The following example configures the TACACS+ server (CiscoSecure) to authorize a user named Jim for reverse Telnet:

user = jim
 profile_id = 90
 profile_cycle = 1
 member = Tacacs_Users
 service=shell {
 default cmd=permit
 }
 service=raccess {
 allow "c2511e0" "tty1" ".*"
 refuse ".*" ".*" ".*"
 }
 password = clear "goaway"


Note CiscoSecure only supports reverse Telnet using the command line interface in versions 2.1(x) through version 2.2(1).


An empty "service=raccess {}" clause permits a user to have unconditional access to network access server ports for reverse Telnet. If no "service=raccess" clause exists, the user is denied access to any port for reverse Telnet.

For more information about configuring TACACS+, refer to the chapter "Configuring TACACS+" in the Cisco IOS Security Configuration Guide. For more information about configuring CiscoSecure, refer to the CiscoSecure Access Control Server User Guide, version 2.1(2) or later.

The following example causes the network access server to request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session:

aaa new-model
aaa authentication login default group radius
aaa authorization reverse-access default group radius
!
radius-server host 172.31.255.0
radius-server key goaway

The lines in this sample RADIUS reverse Telnet authorization configuration are defined as follows:

The aaa new-model command enables AAA.

The aaa authentication login default group radius command specifies RADIUS as the default method for user authentication during login.

The aaa authorization reverse-access default group radius command specifies RADIUS as the method for user authorization when trying to establish a reverse Telnet session.

The radius-server host command identifies the RADIUS server.

The radius-server key command defines the encryption key used for all RADIUS communications between the network access server and the RADIUS daemon.

The following example configures the RADIUS server to grant a user named "jim" reverse Telnet access at port tty2 on network access server site1:

Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=site1/tty2"

The syntax "raccess:port=any/any" permits a user to have unconditional access to network access server ports for reverse Telnet. If no "raccess:port={nasname}/{tty number}" clause exists in the user profile, the user is denied access to reverse Telnet on all ports.

For more information about configuring RADIUS, refer to the chapter "Configuring RADIUS" in the Cisco IOS Security Configuration Guide.
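The following Python, an added example rather than anything from the Cisco reference or from CiscoSecure, parses the generic TACACS+ "service = raccess" clause and the RADIUS "raccess:port" AV pair shown above and applies the rules stated for them: no clause denies every port, an empty TACACS+ clause permits every port, and "raccess:port=any/any" permits every port. The user profiles are constructed copies of the jim examples; treating "any" in only one of the two positions as a wildcard is an assumption the reference does not document.

```python
"""Added example (not from the Cisco IOS reference): evaluate reverse Telnet
(raccess) port authorization from a generic TACACS+ user entry or a RADIUS
cisco-avpair profile. Profiles are constructed copies of the page's 'jim'
examples. Assumption: 'any' in either nas or tty position is a wildcard (the
reference documents only any/any)."""
import re

# 'service = raccess { port#1 = site1/tty2 ... }' block in a TACACS+ entry.
TACACS_RACCESS_RE = re.compile(r"service\s*=\s*raccess\s*\{(.*?)\}", re.S)
TACACS_PORT_RE = re.compile(r"port#\d+\s*=\s*(\S+?)/(\S+)")
# cisco-avpair = "raccess:port#1=site1/tty2"  (the #N index is optional)
RADIUS_PORT_RE = re.compile(
    r'cisco-avpair\s*=\s*"raccess:port(?:#\d+)?=([^/"]+)/([^"]+)"')


def tacacs_raccess_clauses(profile):
    """None: no raccess clause (user denied on every port).
    []:   empty 'service = raccess { }' (unconditional access).
    else: list of (nas, tty) pairs the user may reach."""
    m = TACACS_RACCESS_RE.search(profile)
    if m is None:
        return None
    return TACACS_PORT_RE.findall(m.group(1))


def radius_raccess_clauses(profile):
    """None: no raccess:port attribute (denied on every port);
    else: list of (nas, tty) pairs, where any/any grants all ports."""
    found = RADIUS_PORT_RE.findall(profile)
    return found or None


def port_allowed(clauses, nas, tty):
    """Apply parsed clauses to a requested NAS host name and tty."""
    if clauses is None:
        return False          # no clause at all: deny
    if not clauses:
        return True           # empty TACACS+ raccess block: permit everything
    return any(c_nas in ("any", nas) and c_tty in ("any", tty)
               for c_nas, c_tty in clauses)


# Constructed sample profiles, shaped like the entries in the reference.
TACACS_JIM = """\
user = jim
  login = cleartext lab
  service = raccess {
    port#1 = site1/tty2
    port#2 = site2/tty5
  }
"""
TACACS_NO_RACCESS = "user = pat\n  login = cleartext lab\n"
TACACS_EMPTY_RACCESS = "user = ops\n  login = cleartext lab\n  service = raccess { }\n"

RADIUS_JIM = """\
Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=site1/tty2"
"""
RADIUS_ANY = 'cisco-avpair = "raccess:port=any/any"\n'


def can_reverse_telnet(profile_kind, profile, nas, tty):
    """Decision for one reverse Telnet request against one user profile."""
    if profile_kind == "tacacs+":
        clauses = tacacs_raccess_clauses(profile)
    elif profile_kind == "radius":
        clauses = radius_raccess_clauses(profile)
    else:
        raise ValueError(profile_kind)
    return port_allowed(clauses, nas, tty)


if __name__ == "__main__":
    cases = [
        ("tacacs+", TACACS_JIM, "site1", "tty2"),            # listed: permit
        ("tacacs+", TACACS_JIM, "site1", "tty3"),            # not listed: deny
        ("tacacs+", TACACS_NO_RACCESS, "site1", "tty2"),     # no clause: deny
        ("tacacs+", TACACS_EMPTY_RACCESS, "site9", "tty7"),  # empty clause: permit
        ("radius", RADIUS_JIM, "site1", "tty2"),             # listed: permit
        ("radius", RADIUS_ANY, "site2", "tty5"),             # any/any: permit
    ]
    for kind, prof, nas, tty in cases:
        verdict = "permit" if can_reverse_telnet(kind, prof, nas, tty) else "deny"
        print(f"{kind:7} {nas}/{tty} -> {verdict}")
```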

aaa authorization template

To enable usage of a local or remote customer template on the basis of Virtual Private Network (VPN) routing and forwarding (VRF), use the aaa authorization template command in global configuration mode. To disable the new authorization, use the no form of this command.

aaa authorization template

no aaa authorization template

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example enables usage of a remote customer template:

aaa authorization template

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.

tacacs-server host

Specifies a TACACS+ server host.

template

Accesses the template configuration mode for configuring a particular customer profile template.


aaa cache filter

To enable filter cache configuration, use the aaa cache filter command in global configuration mode. To disable this functionality, use the no form of this command.

aaa cache filter

no aaa cache filter

Syntax Description

This command has no arguments or keywords.

Defaults

Filter cache configuration is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Use the aaa cache filter command to begin filter cache configuration and enter AAA filter configuration mode (config-aaa-filter).

After enabling this command, you can specify filter cache parameters with the following commands:

cache clear age—Specifies, in minutes, when cache entries expire and the cache is cleared.

cache disable—Disables the cache.

cache max—Limits the absolute number of entries the cache can maintain for a particular server.

cache refresh—Refreshes a cache entry when a new session begins.

password—Specifies the optional password that is to be used for filter server authentication requests.


Note Each of these commands is optional; thus, the default value will be enabled for any command that is not specified.


Examples

The following example shows how to enable filter cache configuration and specify cache parameters.

aaa cache filter
 password mycisco
 no cache refresh
 cache max 100

Related Commands

Command
Description

aaa authorization cache filterserver

Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.

cache clear age

Specifies when, in minutes, cache entries expire and the cache is cleared.

cache disable

Disables the cache.

cache max

Limits the absolute number of entries the cache can maintain for a particular server.

cache refresh

Refreshes a cache entry when a new session begins.

password

Specifies the optional password that is to be used for filter server authentication requests.


aaa configuration route

To configure the username and password that are to be used when downloading static routes via RADIUS, use the aaa configuration route command in global configuration mode. To disable this feature, use the no form of this command.

aaa configuration route username username [password [0 | 7] password]

no aaa configuration route username username [password [0 | 7] password]

Syntax Description

username username

Defines a username to be used instead of the router's hostname.

password password

(Optional) Defines an alphanumeric password to be used instead of "cisco."

0 | 7

(Optional) Defines whether the text immediately following is encrypted, and, if so, what type of encryption is used.

0—The text immediately following is not encrypted.

Note Type 0 passwords are automatically converted to type 7 passwords by enabling the service password-encryption command.

7—The text is encrypted using a Cisco-defined encryption algorithm.


Defaults

The hostname of the router and the password "cisco" are used during the static route configuration download.

Command Modes

Global configuration

Command History

Release
Modification

12.2(11)T

This command was introduced.


Usage Guidelines

The aaa configuration route command allows you to specify a username other than the router's hostname and a stronger password than the default "cisco."

Examples

The following example shows how to specify the username "MyUsername" and the password "MyPass" when downloading a static route configuration:

aaa new-model
aaa group server radius rad1
server 1.1.1.1
exit
aaa authorization configuration default group radius
aaa authorization configuration foo group rad1
aaa route download 1 authorization foo
aaa configuration route username MyUsername password 0 MyPass
radius-server host 2.2.2.2
radius-server key 0 RadKey

Related Commands

Command
Description

aaa route download

Enables the static route download feature and sets the amount of time between downloads.


aaa dnis map accounting network

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group that will be used for AAA accounting, use the aaa dnis map accounting network command in global configuration mode. To remove DNIS mapping from the named server group, use the no form of this command.

aaa dnis map dnis-number accounting network [start-stop | stop-only | none] [broadcast] group groupname

no aaa dnis map dnis-number accounting network

Syntax Description

dnis-number

Number of the DNIS.

start-stop

(Optional) Indicates that the defined security server group will send a "start accounting" notice at the beginning of a process and a "stop accounting" notice at the end of a process. The "start accounting" record is sent in the background. (The requested user process begins regardless of whether the "start accounting" notice was received by the accounting server.)

stop-only

(Optional) Indicates that the defined security server group will send a "stop accounting" notice at the end of the requested user process.

none

(Optional) Indicates that the defined security server group will not send accounting notices.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

At least one of the keywords described in Table 10.


Defaults

This command is disabled by default.

Command Modes

Global configuration

Command History

Release
Modification

12.0(7)T

This command was introduced.

12.1(1)T

The optional broadcast keyword was added.

The ability to specify multiple server groups was added.

To accommodate multiple server groups, the name of the command was changed from aaa dnis map accounting network group to aaa dnis map accounting network.


Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group so that the server group can process accounting requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Table 10 contains descriptions of accounting method keywords.

Table 10 AAA Accounting Methods 

Keyword
Description

group radius

Uses the list of all RADIUS servers for accounting as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for accounting as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.


In Table 10, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for accounting requests for users dialing in with DNIS 7777.

aaa new-model
radius-server host 172.30.0.0 acct-port 1646 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 accounting network group group1

Related Commands

Command
Description

aaa dnis map authentication ppp group

Maps a DNIS number to a particular authentication server group.

aaa dnis map enable

Enables AAA server selection based on DNIS.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


aaa dnis map authentication group

To map a dialed number identification service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting [AAA] authentication), use the aaa dnis map authentication group command in aaa-server-group configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authentication {ppp | login} group server-group-name

no aaa dnis map dnis-number authentication {ppp | login} group server-group-name

Syntax Description

dnis-number

Number of the DNIS.

ppp

Enables PPP authentication methods.

login

Enables character-mode authentication.

server-group-name

Character string used to name a group of security servers associated in a server group.


Command Default

Disabled

Command Modes

AAA-server-group configuration

Command History

Release
Modification

12.0(7)T

This command was introduced.

12.1(3)XL1

This command was modified with the addition of the login keyword to include character-mode authentication.

12.2(2)T

This command was integrated into Cisco IOS Release 12.2(2)T and support was added for the Cisco 2600 series, Cisco 3600 series, and Cisco 7200 platforms.

12.2(8)T

Support was added for the Cisco 806, Cisco 828, Cisco 1710, Cisco SOHO 78, Cisco 3631, Cisco 3725, Cisco 3745, and Cisco URM for IGX8400 platforms.

12.2(11)T

Support was added for the Cisco AS5300 and Cisco AS5800 platforms.


Usage Guidelines

Use the aaa dnis map authentication group command to assign a DNIS number to a particular AAA server group so that the server group can process authentication requests for users that are dialing in to the network using that particular DNIS. To use the aaa dnis map authentication group command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 uses RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS number 7777.

aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 authentication login group group1

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

aaa dnis map accounting network group

Maps a DNIS number to a particular accounting server group.

aaa dnis map enable

Enables AAA server selection based on DNIS.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

radius-server host

Specifies a RADIUS server host.


aaa dnis map authorization network group

To map a Dialed Number Identification Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group (the server group that will be used for AAA authorization), use the aaa dnis map authorization network group command in global configuration mode. To unmap this DNIS number from the defined server group, use the no form of this command.

aaa dnis map dnis-number authorization network group server-group-name

no aaa dnis map dnis-number authorization network group server-group-name

Syntax Description

dnis-number

Number of the DNIS.

server-group-name

Character string used to name a group of security servers functioning within a server group.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group so that the server group can process authorization requests for users dialing in to the network using that particular DNIS number. To use this command, you must first enable AAA, define a AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authorization requests for users dialing in with DNIS 7777:

aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authorization network group group1
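The three aaa dnis map commands above (authentication, authorization and accounting) share the same prerequisites: aaa new-model, a defined server group whose members are known hosts, and aaa dnis map enable. The following added example (not Cisco's code) is a small configuration checker that parses a text snippet in the layout shown in these examples and reports every DNIS mapping whose prerequisites are missing; the sample configuration is constructed for the example, with group2 and the tacacs host 10.0.0.5 deliberately left undefined.

```python
import re

# Constructed sample configuration for this example (not from a real device).
# group2 is never defined and 10.0.0.5 has no tacacs-server host line on purpose.
SAMPLE_CONFIG = """\
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
 server 172.30.0.0
aaa group server tacacs+ tacgroup1
 server 10.0.0.5
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
aaa dnis map 7777 authentication login group group1
aaa dnis map 7777 authorization network group group1
aaa dnis map 8888 accounting network group group2
aaa dnis map 9999 accounting network group tacgroup1
"""

GROUP_RE = re.compile(r"^aaa group server (radius|tacacs\+) (\S+)$")
HOST_RE = re.compile(r"^(radius|tacacs)-server host (\S+)")
MEMBER_RE = re.compile(r"^\s+server (\S+)")
DNIS_MAP_RE = re.compile(
    r"^aaa dnis map (\S+) "
    r"(authentication (?:ppp|login)|authorization network|accounting network) "
    r"group (\S+)$"
)
HOST_CMD = {"radius": "radius-server host", "tacacs+": "tacacs-server host"}


def parse_config(config):
    """Collect the facts that the dnis map prerequisites depend on."""
    state = {
        "aaa_new_model": False,
        "dnis_map_enable": False,
        "groups": {},                          # name -> (type, [member addresses])
        "hosts": {"radius": set(), "tacacs+": set()},
        "maps": [],                            # (dnis, service, group name)
    }
    current = None                             # server group whose submode we are in
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = MEMBER_RE.match(raw)
        if m and current is not None:          # indented "server" line inside a group
            state["groups"][current][1].append(m.group(1))
            continue
        if not raw[:1].isspace():              # any non-indented line leaves group mode
            current = None
        line = raw.strip()
        if line == "aaa new-model":
            state["aaa_new_model"] = True
        elif line == "aaa dnis map enable":
            state["dnis_map_enable"] = True
        elif (m := GROUP_RE.match(line)):
            current = m.group(2)
            state["groups"][current] = (m.group(1), [])
        elif (m := HOST_RE.match(line)):
            kind = "radius" if m.group(1) == "radius" else "tacacs+"
            state["hosts"][kind].add(m.group(2))
        elif (m := DNIS_MAP_RE.match(line)):
            state["maps"].append((m.group(1), m.group(2), m.group(3)))
    return state


def check_dnis_map_prereqs(config):
    """Return (dnis, message) findings; "*" marks a finding that affects every mapping."""
    st = parse_config(config)
    findings = []
    if st["maps"] and not st["aaa_new_model"]:
        findings.append(("*", "aaa new-model is not configured"))
    if st["maps"] and not st["dnis_map_enable"]:
        findings.append(("*", "aaa dnis map enable is not configured"))
    for dnis, _service, group in st["maps"]:
        if group not in st["groups"]:
            findings.append((dnis, f"server group {group} is not defined"))
            continue
        kind, members = st["groups"][group]
        if not members:
            findings.append((dnis, f"server group {group} has no members"))
        for addr in members:
            if addr not in st["hosts"][kind]:
                findings.append((dnis, f"{group} member {addr} has no {HOST_CMD[kind]} line"))
    return findings


if __name__ == "__main__":
    for dnis, msg in check_dnis_map_prereqs(SAMPLE_CONFIG):
        print(f"DNIS {dnis}: {msg}")
```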

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

aaa dnis map accounting network group

Maps a DNIS number to a AAA server group used for accounting services.

aaa dnis map authentication ppp group

Maps a DNIS number to a AAA server used for authentication services.

aaa dnis map enable

Enables AAA server selection based on DNIS number.

aaa group server

Groups different server hosts into distinct lists and methods.

radius-server host

Specifies and defines the IP address of the RADIUS server host.


aaa group server radius

To group different RADIUS server hosts into distinct lists and distinct methods, enter the aaa group server radius command in global configuration mode. To remove a group server from the configuration list, enter the no form of this command.

aaa group server radius group-name

no aaa group server radius group-name

Syntax Description

group-name

Character string used to name the group of servers.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

A group server is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A group server is used in conjunction with a global server host list. The group server lists the IP addresses of the selected server hosts.

Examples

The following example shows the configuration of an AAA group server named radgroup1 that comprises three member servers:

aaa group server radius radgroup1 
 server 1.1.1.1 auth-port 1700 acct-port 1701
 server 2.2.2.2 auth-port 1702 acct-port 1703
 server 3.3.3.3 auth-port 1705 acct-port 1706

Note If auth-port and acct-port are not specified, the default value of auth-port is 1645 and the default value of acct-port is 1646.


Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication login

Set AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


aaa group server tacacs+

To group different TACACS+ server hosts into distinct lists and distinct methods, use the aaa group server tacacs+ command in global configuration mode. To remove a server group from the configuration list, use the no form of this command.

aaa group server tacacs+ group-name

no aaa group server tacacs+ group-name

Syntax Description

group-name

Character string used to name the group of servers.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

The authentication, authorization, and accounting (AAA) server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.

Examples

The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers:

aaa group server tacacs+ tacgroup1
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication login

Sets AAA authentication at login.

aaa authorization

Sets parameters that restrict user access to a network.

aaa new-model

Enables the AAA access control model.

tacacs-server host

Specifies a TACACS+ host.


aaa nas cisco-nas-port use-async-info

To display physical interface information and parent interface details as part of the cisco-nas-port vendor-specific attribute (VSA) for login calls, use the aaa nas cisco-nas-port use-async-info command in global configuration mode. To disable the command, use the no form of the command.

aaa nas cisco-nas-port use-async-info

no aaa nas cisco-nas-port use-async-info

Syntax Description

This command has no arguments or keywords.

Defaults

The cisco-nas-port attribute has the format of ttyx/y for login calls. Physical interface information is not included.

Command Modes

Global configuration

Command History

Release
Modification

12.3(17)

This command was introduced on the Cisco AS5800.


Usage Guidelines

This command enables the display of interface and parent interface details for login calls.

When this command is not configured, the cisco-nas-port attribute provides only ttyx/y information for login calls. No physical interface information is included. For example:

Oct 14 18:42:53.113: RADIUS:  Vendor, Cisco       [26]  17
Oct 14 18:42:53.113: RADIUS:   cisco-nas-port     [2]   11  "tty1/2/07"

Other calls, such as PPP, include the physical interface and parent interface details. For example:

Oct 14 18:36:00.692: RADIUS:  Vendor, Cisco       [26]  33
Oct 14 18:36:00.692: RADIUS:   cisco-nas-port     [2]   27  "Async1/2/07*Serial1/1/2:0"

When you issue the aaa nas cisco-nas-port use-async-info command, the interface and parent interface details are included in the login calls.

Examples

The following example shows how to enable the display of interface and parent interface details in the login calls:

aaa nas cisco-nas-port use-async-info

Related Commands

Command
Description

aaa nas port extended

Replaces the NAS-port attribute with RADIUS IETF attribute 26 and displays extended field information.


aaa nas port extended

To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extended command in global configuration mode. To display no extended field information, use the no form of this command.

aaa nas port extended

no aaa nas port extended

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with the RADIUS IETF NAS-Port attribute.

In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco's vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.

The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.

Examples

The following example specifies that RADIUS will display extended interface information:

radius-server vsa send
aaa nas port extended

Related Commands

Command
Description

radius-server extended-portnames

Displays expanded interface information in the NAS-Port attribute.

radius-server vsa send

Configures the network access server to recognize and use vendor-specific attributes.


aaa nas redirected-station

To include the original number in the information sent to the authentication server when the number dialed by a device is redirected to another number for authentication, use the aaa nas redirected-station command in global configuration mode. To leave the original number out of the information sent to the authentication server, use the no form of this command.

aaa nas redirected-station

no aaa nas redirected-station

Syntax Description

This command has no arguments or keywords.

Defaults

The original number is not included in the information sent to the authentication server.

Command Modes

Global configuration

Command History

Release
Modification

12.1 T

This command was introduced.


Usage Guidelines

If a customer is being authenticated by a RADIUS or TACACS+ server and the number dialed by the cable modem (or other device) is redirected to another number for authentication, the aaa nas redirected-station command will enable the original number to be included in the information sent to the authentication server.

This functionality allows the service provider to determine whether the customer dialed a number that requires special billing arrangements, such as a toll-free number.

The original number can be sent as a Cisco Vendor Specific Attribute (VSA) for TACACS+ servers and as RADIUS Attribute 93 (Ascend-Redirect-Number) for RADIUS servers. The RADIUS Attribute 93 is sent by default; to also send a VSA attribute for TACACS+ servers, use the radius-server vsa send accounting and radius-server vsa send authentication commands. To configure the RADIUS server to use RADIUS Attribute 93, add the non-standard option to the radius-server host command.


Note This feature is valid only when using port adapters that are configured for a T1 or E1 ISDN PRI or BRI interface. In addition, the telco switch performing the number redirection must be able to provide the redirected number in the Q.931 Digital Subscriber Signaling System Network Layer.


Examples

The following example enables the original number to be forwarded to the authentication server:

!
aaa authorization config-commands
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop broadcast group apn23
aaa nas redirected-station
aaa session-id common
ip subnet-zero
!

Related Commands

Command
Description

radius-server host

Specifies a RADIUS server host.

radius-server vsa

Configures the network access server to recognize and use vendor-specific attributes.


aaa new-model

To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.

aaa new-model

no aaa new-model

Syntax Description

This command has no arguments or keywords.

Defaults

AAA is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command enables the AAA access control system.

Examples

The following example initializes AAA:

aaa new-model

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

aaa authentication arap

Enables an AAA authentication method for ARAP using TACACS+.

aaa authentication enable default

Enables AAA authentication to determine if a user can access the privileged command level.

aaa authentication login

Sets AAA authentication at login.

aaa authentication ppp

Specifies one or more AAA authentication method for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict user access to a network.


aaa pod server

To enable inbound user sessions to be disconnected when specific session attributes are presented, use the aaa pod server command in global configuration mode. To disable this feature, use the no form of this command.

aaa pod server [port port number] [auth-type {any | all | session-key}] server-key [encryption-type] string

no aaa pod server

Syntax Description

port port number

(Optional) Network access server User Datagram Protocol (UDP) port to use for packet of disconnect (POD) requests. Default value is 1700.

auth-type

(Optional) Type of authorization required for disconnecting sessions. If no authentication type is specified, auth-type is the default.

any

(Optional) Session that matches all of the attributes sent in the POD packet is disconnected. The POD packet may contain one or more of four key attributes (user-name, framed-IP-address, session-ID, and session-key).

all

(Optional) Only a session that matches all four key attributes is disconnected. The default is all.

session-key

(Optional) Session with a matching session-key attribute is disconnected. All other attributes are ignored.

server-key

Configures the shared-secret text string.

encryption-type

(Optional) Single-digit number that defines whether the text immediately following is encrypted, and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using an encryption algorithm defined by Cisco.

string

Shared-secret text string that is shared between the network access server and the client workstation. This shared-secret string must be the same on both systems.


Defaults

The POD server function is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(2)XH

This command was introduced.

12.1(3)T

This command was integrated into Cisco IOS Release 12.1(3)T.

12.2(2)XB

The encryption-type argument was added, as well as support for the voice applications and the Cisco 3600 series, and Cisco AS5350, and Cisco AS5400 routers.

12.2(2)XB1

Support for the Cisco AS5800 was added.

12.2(11)T

The encryption-type argument and support for the voice applications were added.

Note Support for the Cisco AS5300, Cisco AS5350, Cisco AS5400, and Cisco AS5800 is not included in this release.


Usage Guidelines

To disconnect a session, the values in one or more of the key fields in the POD request must match the values for a session on one of the network access server ports. Which values must match depends on the auth-type attribute defined in the command. If no auth-type attribute is specified, all three values must match. If no match is found, all connections remain intact and an error response is returned. The key fields are as follows:

An h323-conf-id vendor-specific attribute (VSA) with the same content as received from the gateway for this call.

An h323-call-origin VSA with the same content as received from the gateway for the leg of interest.

A 16-byte Message Digest 5 (MD5) hash value that is carried in the authentication field of the POD request.

Examples

The following example enables POD and sets the secret key to "xyz123":

aaa pod server server-key xyz123
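The Usage Guidelines above say that a POD request is accepted only when its 16-byte MD5 value in the authentication field checks out against the shared secret and its key fields match an active session according to auth-type. The following added example (not Cisco's code) shows what that means on the wire: it builds a RADIUS Disconnect-Request (code 40) with the standard Request Authenticator MD5(Code + Identifier + Length + 16 zero octets + Attributes + secret), verifies it the way a NAS configured with server-key would, and applies the any/all matching to a constructed session table. The session-key VSA is not modelled, so "all" here means all three modelled key attributes (user-name, framed-IP-address, session-ID); that simplification is an assumption of the example.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40          # RADIUS code for Disconnect-Request (packet of disconnect)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_SESSION_ID = 44
SECRET = "xyz123"                # the server-key string from the page's example


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_pod_request(identifier, attributes, secret):
    """Build a Disconnect-Request; the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + shared secret)."""
    attrs = b"".join(encode_attr(t, v) for t, v in attributes)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret.encode()).digest()
    return header + authenticator + attrs


def verify_pod_request(packet, secret):
    """NAS-side check with the configured server-key: recompute the authenticator
    and compare in constant time. Truncated, wrong-length or foreign packets fail."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret.encode()).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attrs(packet):
    """Return {attribute type: raw value}; None if the attribute list is malformed."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            return None
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            return None
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


# Key fields the NAS compares, keyed by RADIUS attribute type (session-key VSA omitted).
KEY_FIELDS = {
    ATTR_USER_NAME: "user-name",
    ATTR_FRAMED_IP_ADDRESS: "framed-ip-address",
    ATTR_ACCT_SESSION_ID: "session-id",
}

# Constructed session table for the example (not real NAS data).
SAMPLE_SESSIONS = [
    {"user-name": b"alice", "framed-ip-address": socket.inet_aton("10.1.1.5"),
     "session-id": b"00000042"},
    {"user-name": b"alice", "framed-ip-address": socket.inet_aton("10.1.1.6"),
     "session-id": b"00000043"},
    {"user-name": b"bob", "framed-ip-address": socket.inet_aton("10.1.1.7"),
     "session-id": b"00000044"},
]


def sessions_to_disconnect(packet, secret, sessions, auth_type="all"):
    """Apply the auth-type semantics to a session table and return the sessions to drop.
    any: a session that matches every key attribute carried in the packet.
    all: the packet must carry every modelled key attribute and all must match."""
    if not verify_pod_request(packet, secret):
        return []                                  # bad authenticator: leave everything up
    attrs = parse_attrs(packet)
    if attrs is None:
        return []
    wanted = {KEY_FIELDS[t]: v for t, v in attrs.items() if t in KEY_FIELDS}
    if not wanted or (auth_type == "all" and len(wanted) != len(KEY_FIELDS)):
        return []
    return [s for s in sessions if all(s.get(k) == v for k, v in wanted.items())]


if __name__ == "__main__":
    pod = build_pod_request(7, [(ATTR_USER_NAME, "alice"),
                                (ATTR_ACCT_SESSION_ID, "00000042")], SECRET)
    print("valid:", verify_pod_request(pod, SECRET))
    print("any ->", sessions_to_disconnect(pod, SECRET, SAMPLE_SESSIONS, "any"))
    print("all ->", sessions_to_disconnect(pod, SECRET, SAMPLE_SESSIONS, "all"))
```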

Related Commands

Command
Description

aaa accounting delay-start

Delays generation of the start accounting record until the user IP address is established.

aaa accounting

Enables accounting records.

debug aaa pod

Displays debug messages for POD packets.

radius-server host

Identifies a RADIUS host.


aaa preauth

To enter authentication, authorization, and accounting (AAA) preauthentication configuration mode, use the aaa preauth command in global configuration mode. To disable preauthentication, use the no form of this command.

aaa preauth

no aaa preauth

Syntax Description

This command has no arguments or keywords.

Defaults

Preauthentication is not enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

To enter AAA preauthentication configuration mode, use the aaa preauth command. To configure preauthentication, use a combination of the aaa preauth commands: group, clid, ctype, dnis, and dnis bypass. You must configure the group command. You must also configure one or more of the clid, ctype, dnis, or dnis bypass commands.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

You can use the clid, ctype, or dnis commands to define the list of the preauthentication elements. For each preauthentication element, you can also define options such as password (for all the elements, the default password is cisco). If you specify multiple elements, the preauthentication process will be performed on each element according to the order of the elements that you configure with the preauthentication commands. In this case, more than one RADIUS preauthentication profile is returned, but only the last preauthentication profile will be applied to the authentication and authorization later on, if applicable.

Examples

The following example enables dialed number identification service (DNIS) preauthentication using a RADIUS server and the password Ascend-DNIS:

aaa preauth
 dnis password Ascend-DNIS

Related Commands

Command
Description

dnis (authentication)

Enables AAA preauthentication using DNIS.

group (authentication)

Selects the security server to use for AAA preauthentication.

isdn guard-timer

Sets a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.


aaa processes

To allocate a specific number of background processes to be used to process authentication, authorization, and accounting (AAA) authentication and authorization requests for PPP, use the aaa processes command in global configuration mode. To restore the default value for this command, use the no form of this command.

aaa processes number

no aaa processes number

Syntax Description

number

Specifies the number of background processes allocated for AAA requests for PPP. Valid entries are 1 to 2147483647.


Defaults

The default for this command is one allocated background process.

Command Modes

Global configuration

Command History

Release
Modification

11.3(2)AA

This command was introduced.


Usage Guidelines

Use the aaa processes command to allocate a specific number of background processes to simultaneously handle multiple AAA authentication and authorization requests for PPP. Previously, only one background process handled all AAA requests for PPP, so only one new user could be authenticated or authorized at a time. This command configures the number of processes used to handle AAA requests for PPP, increasing the number of users that can be simultaneously authenticated or authorized.

The argument number defines the number of background processes earmarked to process AAA authentication and authorization requests for PPP. This argument also defines the number of new users that can be simultaneously authenticated and can be increased or decreased at any time.

Examples

The following example shows the aaa processes command within a standard AAA configuration. The authentication method list "dialins" specifies RADIUS as the method of authentication, then (if the RADIUS server does not respond) local authentication will be used on serial lines using PPP. Ten background processes have been allocated to handle AAA requests for PPP.

aaa new-model
aaa authentication ppp dialins group radius local
aaa processes 10
interface 5
encap ppp
ppp authentication pap dialins

Related Commands

Command
Description

show ppp queues

Monitors the number of requests processed by each AAA background process.


aaa session-id

To specify whether the same session ID will be used for each authentication, authorization, and accounting (AAA) accounting service type within a call or whether a different session ID will be assigned to each accounting service type, use the aaa session-id command in global configuration mode. To restore the default behavior after the unique keyword is enabled, use the no form of this command.

aaa session-id [common | unique]

no aaa session-id [unique]

Syntax Description

common

(Optional) Ensures that all session identification (ID) information that is sent out for a given call will be made identical. The default behavior is common.

unique

(Optional) Ensures that only the corresponding service access-requests and accounting-requests will maintain a common session ID.

Accounting-requests for each service will have a different session ID.


Defaults

The common keyword is enabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)B

This command was introduced.

12.2(8)T

This command was integrated into Cisco IOS Release 12.2(8)T.


Usage Guidelines

The common keyword behavior allows the first session ID request of the call to be stored in a common database; all subsequent session ID requests will retrieve the value of the first session ID. Because a common session ID is the default behavior, this functionality is written to the system configuration after the aaa new-model command is configured.


Note The router configuration will always have either the aaa session-id common or the aaa session-id unique command enabled; it is not possible to have neither of the two enabled. Thus, the no aaa session-id unique command will revert to the default functionality, but the no aaa session-id common command will not have any effect because it is the default functionality.


The unique keyword behavior assigns a different session ID for each accounting type (Auth-Proxy, Exec, Network, Command, System, Connection, and Resource) during a call. To specify this behavior, the unique keyword must be specified. The session ID may be included in RADIUS access requests by configuring the radius-server attribute 44 include-in-access-req command. The session ID in the access-request will be the same as the session ID in the accounting request for the same service; all other services will provide unique session IDs for the same call.

Examples

The following example shows how to configure unique session IDs:

aaa new-model
aaa authentication ppp default group radius
radius-server host 10.100.1.34
radius-server attribute 44 include-in-access-req
aaa session-id unique

Related Commands

Command
Description

aaa new-model

Enables AAA.

radius-server attribute 44 include-in-access-req

Sends RADIUS attribute 44 (Accounting Session ID) in access request packets before user authentication (including requests for preauthentication).


aaa session-mib

To enable disconnect by using Simple Network Management Protocol (SNMP), use the aaa session-mib command in global configuration mode. To disable this function, use the no form of this command.

aaa session-mib disconnect

no aaa session-mib disconnect

Syntax Description

disconnect

Enables authentication, authorization, and accounting (AAA) session MIB disconnect.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.


Usage Guidelines

Use the aaa session-mib command to terminate authenticated client connections using SNMP.

You must enable the disconnect keyword with this command. Otherwise, the network management station cannot perform set operations and disconnect users; it can only poll the table.

Examples

The following example shows how to enable a AAA session MIB to disconnect authenticated clients using SNMP:

aaa session-mib disconnect

aaa user profile

To create an authentication, authorization, and accounting (AAA) named user profile, use the aaa user profile command in global configuration mode. To remove a user profile from the configuration, use the no form of this command.

aaa user profile profile-name

no aaa user profile profile-name

Syntax Description

profile-name

Character string used to name the user profile.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the aaa user profile command to create a AAA user profile. Used in conjunction with the aaa attribute command, which adds calling line identification (CLID) and dialed number identification service (DNIS) attribute values, the user profile can be associated with the record that is sent to the RADIUS server (via the test aaa group command), which provides the RADIUS server with access to CLID or DNIS attribute information when the server receives a RADIUS record.

Examples

The following example shows how to configure a dnis = dnisvalue user profile named "prfl1":

aaa user profile prfl1
 aaa attribute dnis
 aaa attribute dnis dnisvalue
 no aaa attribute clid
! Attribute not found.
 aaa attribute clid clidvalue
 no aaa attribute clid 

Related Commands

Command
Description

aaa attribute

Adds DNIS or CLID attribute values to a user profile.

test aaa group

Associates a DNIS or CLID user profile with the record that is sent to the RADIUS server.


access-enable

To enable the router to create a temporary access list entry in a dynamic access list, use the access-enable command in EXEC mode.

access-enable [host] [timeout minutes]

Syntax Description

host

(Optional) Tells the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.

timeout minutes

(Optional) Specifies an idle timeout for the temporary access list entry. If the access list entry is not accessed within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently. We recommend that this value equal the idle timeout set for the WAN connection.


Defaults

No default behavior or values.

Command Modes

EXEC

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

This command enables the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session.

Use the autocommand command with the access-enable command to cause the access-enable command to execute when a user opens a Telnet session into the router.

Examples

The following example causes the software to create a temporary access list entry and tells the software to enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.

autocommand access-enable host timeout 2

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

autocommand

Configures the Cisco IOS software to automatically execute a command when a user connects to a particular line.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


access-list dynamic-extend

To allow the absolute timer of the dynamic access control list (ACL) to be extended an additional six minutes, use the access-list dynamic-extend command in global configuration mode. To disable this functionality, use the no form of this command.

access-list dynamic-extend

no access-list dynamic-extend

Syntax Description

This command has no arguments or keywords.

Defaults

6 minutes

Command Modes

Global configuration

Command History

Release
Modification

12.1(5)T

This command was introduced.


Usage Guidelines

When you try to create a Telnet session to the router to re-authenticate yourself by using the lock-and-key function, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes.

The router must already be configured with the lock-and-key feature, and you must configure the extension before the ACL expires.

Examples

The following example shows how to extend the absolute timer of the dynamic ACL:

! The router is configured with the lock-and-key feature as follows:
access-list 132 dynamic tactik timeout 6 permit ip any any
! The absolute timer will be extended by another six minutes.
access-list dynamic-extend

access-profile

To apply your per-user authorization attributes to an interface during a PPP session, use the access-profile command in privileged EXEC mode.

access-profile [merge | replace] [ignore-sanity-checks]

Syntax Description

merge

(Optional) Like the default form of the command, this option removes existing access control lists (ACLs) while retaining other existing authorization attributes for the interface.

However, using this option also installs per-user authorization attributes in addition to the existing attributes. (The default form of the command installs only new ACLs.) The per-user authorization attributes come from all attribute-value pairs defined in the authentication, authorization, and accounting (AAA) per-user configuration (the user's authorization profile).

The resulting authorization attributes of the interface are a combination of the previous and new configurations.

replace

(Optional) This option removes existing ACLs and all other existing authorization attributes for the interface.

A complete new authorization configuration is then installed, using all AV pairs defined in the AAA per-user configuration.

This option is not normally recommended because it initially deletes all existing configurations, including static routes. This could be detrimental if the new user profile does not reinstall appropriate static routes and other critical information.

ignore-sanity-checks

(Optional) Enables you to use any AV pairs, whether or not they are valid.


Defaults

Use the default form of the command (no keywords) to cause existing ACLs to be removed and ACLs defined in your per-user configuration to be installed.

Command Modes

Privileged EXEC

Command History

Release    Modification
11.2F      This command was introduced.


Usage Guidelines

Remote users can use this command to activate double authentication for a PPP session. Double authentication must be correctly configured for this command to have the desired effect.

You should use this command when remote users establish a PPP link to gain local network access.

After you have been authenticated with CHAP (Challenge Handshake Authentication Protocol) or PAP (Password Authentication Protocol), you will have limited authorization. To activate double authentication and gain your appropriate user network authorization, you must open a Telnet session to the network access server and execute the access-profile command. (This command could also be set up as an autocommand, which would eliminate the need to enter the command manually.)

This command causes all subsequent network authorizations to be made in your username instead of in the remote host's username.

Any changes to the interface caused by this command will stay in effect for as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the router or the interface.

The default form of the command, access-profile, causes existing ACLs to be unconfigured (removed), and new ACLs to be installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges.

The default form of the command can fail if your per-user configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link.

The access-profile merge form of the command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any of the new authorization statements conflict with existing statements, the new statements could "override" the old statements or be ignored, depending on the statement and applicable parser rules. The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration.


Caution The new user authorization profile (per-user configuration) must not contain any invalid mandatory AV pairs, otherwise the command will fail and the PPP protocol (containing the invalid pair) will be dropped. If invalid AV pairs are included as optional in the user profile, the command will succeed, but the invalid AV pair will be ignored. Invalid AV pair types are listed later in this section.

The access-profile replace form of the command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization consists of your complete per-user configuration on an AAA server.


Caution Use extreme caution when using the access-profile replace form of the command. It might have detrimental and unexpected results, because this option deletes all authorization configuration information (including static routes) before reinstalling the new authorization configuration.

Invalid AV Pair Types

addr

addr-pool

zonelist

tunnel-id

ip-addresses

x25-addresses

frame-relay

source-ip


Note These AV pair types are "invalid" only when used with double authentication, in the user-specific authorization profile; they cause the access-profile command to fail. However, these AV pair types can be appropriate when used in other contexts.


Examples

The following example activates double authentication for a remote user. This example assumes that the access-profile command was not configured as an autocommand.

The remote user connects to the corporate headquarters network as shown in Figure 1.

Figure 1 Network Topology for Activating Double Authentication (Example)

The remote user runs a terminal emulation application to Telnet to the corporate network access server, a Cisco AS5200 universal access server local host named "hqnas." The remote user, named Bob, has the username "BobUser."

The following example replaces ACLs on the local host PPP interface. The ACLs previously applied to the interface during PPP authorization are replaced with ACLs defined in the per-user configuration AV pairs.

The remote user establishes a Telnet session to the local host and logs in:

login: BobUser
Password: <welcome>
hqnas> access-profile

Bob is reauthenticated when he logs in to hqnas, because hqnas is configured for login AAA authentication using the corporate RADIUS server. When Bob enters the access-profile command, he is reauthorized with his per-user configuration privileges. This causes the access lists and filters in his per-user configuration to be applied to the network access server interface.

After the reauthorization is complete, Bob is automatically logged out of the Cisco AS5200 local host.

Related Commands

Command    Description
connect    Logs in to a host that supports Telnet, rlogin, or LAT.
telnet     Logs in to a host that supports Telnet.


access-restrict

To tie a particular Virtual Private Network (VPN) to a specific interface for access to the Cisco IOS gateway and the services it protects, use the access-restrict command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the VPN, use the no form of this command.

access-restrict {interface-name}

no access-restrict {interface-name}

Syntax Description

interface-name

Interface to which the VPN should be tied.


Defaults

The VPN is not tied to a specific interface.

Command Modes

ISAKMP group configuration

Command History

Release    Modification
12.2(13)T  This command was introduced.


Usage Guidelines

Particular customers or groups may be required to connect to the VPN gateway only through a specific interface that applies a particular policy (the crypto map on that interface). When this is required, the access-restrict command validates that a VPN connection for the group arrives only through an interface (and hence a crypto map) the group is allowed to use. If a violation is detected, the connection is terminated.

Multiple restricted interfaces may be defined per group.

Examples

The following example ties the VPN group to ethernet 0:

crypto isakmp client configuration group cisco
 access-restrict ethernet 0

Related Commands

Command    Description
acl        Specifies which policy profile of a group will be defined.


access-template

To manually place a temporary access list entry on a router to which you are connected, use the access-template command in EXEC mode.

access-template [access-list-number | name] [dynamic-name] [source] [destination] [timeout minutes]

Syntax Description

access-list-number

(Optional) Number of the dynamic access list.

name

(Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

dynamic-name

(Optional) Name of a dynamic access list.

source

(Optional) Source address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

destination

(Optional) Destination address in a dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access-list entry.

timeout minutes

(Optional) Specifies a maximum time limit for each entry within this dynamic list. This is an absolute time, from creation, that an entry can reside in the list. The default is an infinite time limit and allows an entry to remain permanently.


Defaults

No default behavior or values.

Command Modes

EXEC

Command History

Release    Modification
11.1       This command was introduced.


Usage Guidelines

This command provides a way to enable the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after the user has terminated the session.

Examples

The following example enables IP access on incoming packets in which the source address is 172.29.1.129 and the destination address is 192.168.52.12. All other source and destination pairs are discarded.

access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
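A complete lock-and-key configuration, added here as an example and not taken from the Cisco reference, showing both the automatic access-enable path and the manual access-template entry that the access-enable and access-template usage guidelines describe, with an idle timeout and an absolute timeout both defined. The router address 10.1.1.1, the interface, the user name, the password and the list name payroll are assumed values.

```cisco
! Added example (not from the Cisco reference). Addresses, names and the
! password are placeholders chosen for illustration.
aaa new-model
aaa authentication login default local
username lockuser password 0 ChangeMe

! Inbound list on the outside interface. 10.1.1.1 is the assumed router
! address. The static entry lets users reach the router to authenticate;
! the dynamic entry is the template that access-enable and access-template
! instantiate. timeout 120 is the absolute lifetime, in minutes, of each
! temporary entry created from it.
access-list 101 permit tcp any host 10.1.1.1 eq telnet
access-list 101 dynamic payroll timeout 120 permit ip any any

interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in

! Each authenticated Telnet user gets a temporary entry for the source host
! of the session only (host keyword). The entry is removed after 5 idle
! minutes or after the 120-minute absolute limit, whichever comes first.
line vty 0 4
 login authentication default
 autocommand access-enable host timeout 5

! An operator can also create an entry by hand from EXEC mode, limited to
! one source/destination pair and a 2-minute absolute limit:
! Router# access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2
```

With the autocommand on the vty lines every Telnet login is disconnected as soon as the entry is created, so administrators who need an EXEC prompt must connect another way or have the autocommand attached to individual usernames instead.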

Related Commands

Command                      Description
access-list (IP extended)    Defines an extended IP access list.
autocommand                  Configures the Cisco IOS software to automatically execute a command when a user connects to a particular line.
clear access-template        Clears a temporary access list entry from a dynamic access list manually.
show ip accounting           Displays the active accounting or checkpointed database or displays access list violations.