-
Cisco IOS Security Command Reference, Release 12.3
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through crypto ca trustpoint
-
Security Commands: crypto dynamic-map through ctype
-
Security Commands: D through ip audit smtp spam
-
Security Commands: ip auth-proxy through ip tcp intercept
-
Security Commands: ip trigger-authentication through pool
-
Security Commands: ppp accounting through radius-server vsa send
-
Security Commands: reverse-route through show crypto isakmp sa
-
Security Commands: show crypto key mypubkey through wins
-
Table Of Contents
clear aaa cache filterserver acl
clear crypto engine accelerator counter
clear crypto ipsec client ezvpn
clear ip trigger-authentication
crypto ca certificate query (ca-trustpoint)
crypto ca certificate query (global)
accounting (line)
To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.
accounting {arap | commands level | connection | exec} [default | list-name]
no accounting {arap | commands level | connection | exec} [default | list-name]
Syntax Description
Defaults
Accounting is disabled.
Command Modes
Line configuration
Command History
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:
line 10accounting commands 15 charlieRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
accounting (gatekeeper)
To enable accounting services on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting services, use the no form of this command.
accounting [vsa]
no accounting [vsa]
Syntax Description
Defaults
Accounting is disabled.
Command Modes
Gatekeeper configuration
Command History
Usage Guidelines
Specify a RADIUS server before using the accounting command.
There are three different methods of accounting. The H.323 method sends the call detail record (CDR) to the RADIUS server, the syslog method uses the system logging facility to record the CDRs, and the VSA method collects VSAs.
Examples
The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:
aaa accounting connection start-stop group radiusgatekeeperaccountingThe following example shows how to enable VSA accounting:
aaa accounting connection start-stop group radiusgatekeeperaccounting exec vsaRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
accounting (server-group)
To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.
accounting [accept | reject] list-name
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.
Only one filter may be used for RADIUS accounting per server group.
Note
The listname must be the same as the listname defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add to an accept or reject list.
Examples
The following example shows how to specify accept list "usage-only" for RADIUS accounting:
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 1.1.1.1accounting accept usage-only!radius-server host 1.1.1.1 key mykey1radius-server attribute list usage-onlyattribute 1,40,42-43,46Related Commands
acl (ISAKMP)
To configure split tunneling, use the acl command in ISAKMP group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
acl number
no acl number
Syntax Description
number
Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.
Defaults
Split tunneling is not enabled; all data is sent via the Virtual Private Network (VPN) tunnel.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
Examples
The following example shows how to correctly apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent via the VPN tunnel.
crypto isakmp client configuration group ciscokey ciscodns 2.2.2.2 2.3.2.3pool dogacl 199!access-list 199 permit ip 192.168.1.0 0.0.0.255 anyRelated Commands
crypto isakmp client configuration group
Specifies which group's policy profile will be defined.
address
To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
Defaults
No default behavior or values
Command Modes
Rsa-pubkey configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example specifies the RSA public key of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyringRouter(conf-keyring)# rsa-pubkey name host.vpn.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(conf-keyring)# exitRelated Commands
addressed-key
To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode.
addressed-key key-address [encryption | signature]
Syntax Description
Defaults
If neither the encryption nor signature keywords are used, general purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Usage Guidelines
Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.
Follow this command with the key string command to specify the key.
If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# named-key otherpeer.example.comRouter(config-pubkey-key)# address 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 005C300D 06092A86 4886F70D 01010105Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2 encryptionRouter(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2 signatureRouter(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
arap authentication
To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of this command.
arap authentication {default | list-name} [one-time]
no arap authentication {default | list-name}
Caution
Syntax Description
Defaults
ARAP authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.
Command Modes
Line configuration
Command History
Usage Guidelines
This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.
Examples
The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7:
line 7arap authentication MIS-accessRelated Commands
aaa authentication arap
Enables an AAA authentication method for ARAP using TACACS+.
attribute (server-group)
To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.
attribute value1 [value2 [value3]...]
no attribute value1 [value2 [value3]...]
Syntax Description
Defaults
If this command is not enabled, all attributes are sent to the network access server (NAS).
Command Modes
Server-group configuration
Command History
Usage Guidelines
Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.
The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:
•
–
–
•
–
–
–
–
Note
Examples
The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":
radius-server attribute list standardattribute 12,217,6-10,13attribute 64-69,218Related Commands
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description
rsa-sig
Specifies RSA signatures as the authentication method.
rsa-encr
Specifies RSA encrypted nonces as the authentication method.
pre-share
Specifies preshared keys as the authentication method.
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and commands.)
If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Examples
The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):
crypto isakmp policy 15authentication pre-shareexitRelated Commands
authorization
To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.
authorization {arap | commands level | exec | reverse-access} [default | list-name]
no authorization {arap | commands level | exec | reverse-access} [default | list-name]
Syntax Description
Defaults
Authorization is not enabled.
Command Modes
Line configuration
Command History
Usage Guidelines
After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example enables command authorization (for level 15) using the method list named charlie on line 10:
line 10authorization commands 15 charlieRelated Commands
authorization (server-group)
To specify an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server, use the authorization command in server-group configuration mode.
authorization [accept | reject] list-name
Syntax Description
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.
Only one filter may be used for RADIUS authorization per server group.
Note
Examples
The following example shows how to configure accept list "min-author" in an Access-Accept packet from the RADIUS server:
aaa new-modelaaa authentication ppp default group radius-sgaaa authorization network default group radius-sgaaa group server radius radius-sgserver 1.1.1.1authorization accept min-author!radius-server host 1.1.1.1 key mykey1radius-server attribute list min-authorattribute 6-7Related Commands
authorization list
To specify the authentication, authorization, and accounting (AAA) authorization list, use the authorization list command in global configuration mode. To disable the authorization list, use the no form of this command.
authorization list list-name
no authorization list list-name
Syntax Description
Defaults
An authorization list is not configured.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the authorization list command to specify a AAA authorization list. For components that do not support specifying the application label, a default label of "any" from the AAA server will provide authorization. Likewise, a label of "none" from the AAA database indicates that the specified certificate is not valid. (The absence of any application label is equivalent to a label of "none," but "none" is included for completeness and clarity.)
Examples
The following example shows that the AAA authorization list "maxaa" is specified:
aaa authorization network maxaaa group tacac+aaa new-modelcrypto ca trustpoint mscaenrollment url http://caserver.mycompany.comauthorization list maxaaauthorization username subjectname serialnumberRelated Commands
authorization username
Specifies the parameters for the different certificate fields that are used to build the AAA username.
authorization username
To specify the parameters for the different certificate fields that are used to build the authentication, authorization and accounting (AAA) username, use the authorization username command in global configuration mode. To disable the parameters, use the no form of this command.
authorization username subject-name
no authorization username subject-name
Syntax Description
Defaults
Parameters for the certificate fields are not specified.
Command Modes
Global configuration
Command History
Examples
The following example shows that the serialnumber field is to be used as the authorization username:
aaa authorization network maxaaa group tacac+aaa new-modelcrypto ca trustpoint mscaenrollment url http://caserver.mycompany.comauthorization list maxaaauthorization username subjectname serialnumberRelated Commands
auto-enroll
To enable autoenrollment, use the auto-enroll command in ca-trustpoint configuration mode. To disable the autoenrollment feature, use the no form of this command.
auto-enroll [regenerate]
no auto-enroll [regenerate]
Syntax Description
regenerate
(Optional) A new key is generated for the certificate even if the named key already exists.
Defaults
Autoenrollment is not enabled.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the auto-enroll command to automatically request a router certificate from the certification authority (CA) that is using the parameters in the configuration. This command will generate a new RSA key only if a new key does not exist with the requested label.
A trustpoint that is configured for autoenroll will attempt to reenroll when the router certificate expires.
If the regenerate keyword is configured, a new key will be generated. Some CAs require a new key for reenrollment to work.
Examples
The following example shows how to configure the router to autoenroll with the CA "frog" on startup. In this example, regenerate is issued, so a new key will be generated for the certificate.
crypto ca trustpoint frogenrollment url http://frog.phoobin.com/subject-name OU=Spiral Dept., O=tiedye.comip-address ethernet-0auto-enroll regeneratepassword revokemersa-key frog 2048Related Commands
auto secure
To secure the management and forwarding planes of the router, use the auto secure command in privileged EXEC mode.
auto secure [management | forwarding] [no-interact]
Syntax Description
Defaults
Autosecure is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The auto secure command allows a user to disable common IP services that can be exploited for network attacks by using a single CLI. This command eliminates the complexity of securing a router both by automating the configuration of security features and by disabling certain features that are enabled by default and that could be exploited for security holes.
Caution
This command takes you through a semi-interactive session (also known as the AutoSecure dialogue) in which to secure the management and forwarding planes. This command gives you the option to secure just the management or forwarding plane; if neither option is selected, the dialogue will ask you to configure both planes.
Caution
This command also allows you to go through all noninteractive configuration portions of the dialogue before the interactive portions. The noninteractive portions of the dialogue can be enabled by selecting the optional no-interact keyword.
Note
Examples
The following example shows how to enable AutoSecure to secure only the management plane:
auto secure managementRelated Commands
ca trust-point
To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in ISAKMP profile configuration mode. To remove the trustpoint, use the no form of this command.
ca trust-point trustpoint-name
no ca trust-point trustpoint-name
Syntax Description
Defaults
If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
The ca trust-point command can be used multiple times to define more than one trustpoint.
This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.
Before you can use this command, you must enter the crypto isakmp profile command.
Note
Examples
The following example specifies two trustpoints, A and B. The ISAKMP profile configuration restricts each VPN to one trustpoint.
crypto ca trustpoint Aenrollment url http://kahului:80crypto ca trustpoint Benrollment url http://arjun:80!crypto isakmp profile vpn1trustpoint A!crypto isakmp profile vpn2ca trust-point BRelated Commands
cache clear age
To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache clear age minutes
no cache clear age
Syntax Description
Defaults
1440 minutes (1 day)
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa filterserver command, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.
Examples
The following example shows how to configure the cache entries to expire every 60 minutes:
aaa filterservercache clear age 60Related Commands
cache disable
To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.
cache disable
no cache disable
Syntax Description
This command has no arguments or keywords.
Defaults
Caching is enabled.
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa filterserver command, which allows you to configure cache filter parameters, you can use the cache disable command to disable filter caching. This command can be used to verify that the access control lists (ACLs) are being downloaded.
Examples
The following example shows how to disable filter caching:
aaa filterservercache disableRelated Commands
cache max
To limit the absolute number of entries that a cache can maintain for a particular server, use the cache max command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache max number
no cache max
Syntax Description
number
Maximum number of entries the cache can maintain. Any value from 0 to 4294967295; the default value is 100 entries.
Defaults
100 entries
Command Modes
AAA filter configuration
Command History
Usage Guidelines
After enabling the aaa filterserver command, which allows you to configure cache filter parameters, you can use the cache max command to specify the maximum number of entries the cache can have at any given time. If this command is not specified, the default value (100 entries) will be enabled.
Examples
The following example shows how to configure the cache to maintain a maximum of 150 entries:
aaa filterserverpassword myciscocache max 150Related Commands
cache refresh
To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.
cache refresh
no cache refresh
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
AAA filter configuration
Command History
Usage Guidelines
The cache refresh command is used in an attempt to keep cache entries from the filter server, that are being referred to by new sessions, within the cache. This command resets the idle timer for these entries when they are referenced by new calls.
Examples
The following example shows how to disable the cache refresh command:
aaa filterserverpassword myciscono cache refreshcache max 100Related Commands
call guard-timer
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer command in controller configuration mode. To remove the call guard-timer command from your configuration file, use the no form of this command.
call guard-timer milliseconds [on-expiry {accept | reject}]
no call guard-timer milliseconds [on-expiry {accept | reject}]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Controller configuration
Command History
Examples
The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
controller T1 0framing esfclock source line primarylinecode b8zsds0-group 0 timeslots 1-24 type e&m-fgb dtmf dniscas-custom 0call guard-timer 20000 on-expiry acceptaaa preauthgroup radiusdnis requiredRelated Commands
certificate
To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router's certificate or any registration authority certificates stored on your router, use the no form of this command.
certificate certificate-serial-number
no certificate certificate-serial-number
Syntax Description
Defaults
No default behavior or values.
Command Modes
Certificate chain configuration
Command History
Usage Guidelines
You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually used only to add or delete certificates.
Examples
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificatesCertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not Setmyrouter# configure terminalmyrouter(config)# crypto ca certificate chain mycamyrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.myrouter(config-cert-chain)# exitRelated Commands
clear aaa cache filterserver acl
To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver acl command in EXEC mode.
clear aaa cache filterserver acl [filter-name]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
After you clear the cache status for a particular filter or all filters, it is recommended that you enable the show aaa cache filterserver command to verify that the cache status.
Examples
The following example shows how to clear the cache for all filters:
clear aaa cache filterserver aclRelated Commands
clear access-template
To manually clear a temporary access list entry from a dynamic access list, use the clear access-template command in EXEC mode.
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.
Examples
The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
clear access-template vendor 172.20.1.12Related Commands
clear crypto engine accelerator counter
To reset the statistical and error counters of the hardware accelerator of the router to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.
clear crypto engine accelerator counter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows the statistical and error counters of the router being cleared to zero:
clear crypto engine accelerator counter
Related Commands
clear crypto ipsec client ezvpn
To reset the Cisco Easy VPN Remote state machine and bring down the Cisco Easy VPN Remote connection on all interfaces or on a given interface (tunnel), use the clear crypto ipsec client ezvpn command in privileged EXEC mode.
clear crypto ipsec client ezvpn [name]
Syntax Description
Defaults
If no tunnel name is specified, all active tunnels on the machine are cleared.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN Remote state machine, bringing down the current Cisco Easy VPN Remote connection and bringing it back up on the interface. If you specify a tunnel name, only that tunnel is cleared. If no tunnel name is specified, all active tunnels on the machine are cleared.
If the Cisco Easy VPN Remote connection for a particular interface is configured for autoconnect, this command also initiates a new Cisco Easy VPN Remote connection.
Examples
The following example shows the Cisco Easy VPN Remote state machine being reset:
clear crypto ipsec client ezvpnRelated Commands
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in EXEC mode .
clear crypto isakmp [connection-id]
Syntax Description
connection-id
(Optional) Specifies which connection to clear. If this argument is not used, all existing connections will be cleared.
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear active IKE connections.
Caution
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
Router# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0209.165.201.1 209.165.201.2 QM_IDLE 8 0Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# clear crypto isakmp 1Router(config)# exitRouter# show crypto isakmp sadst src state conn-id slot209.165.201.1 209.165.201.2 QM_IDLE 8 0Router#Related Commands
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in EXEC mode.
clear crypto sa
Virtual Routing and Forwarding (VRF) Syntax
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa [vrf ivrf-name]
Crypto Map Syntax
clear crypto sa map map-name
IP Address, Security Protocol Standard, and SPI Syntax
clear crypto sa entry destination-address protocol spi
Traffic Counters Syntax
clear crypto sa counters
Syntax Description
Defaults
If the peer, map, entry, or counters keywords are not used, all IPSec SAs are deleted.
Command Modes
EXEC
Command History
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
If the peer, map, entry, or counters keywords are not used, all IPSec SAs will be deleted.
•
•
•
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you only clear the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command only clears IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1Related Commands
clear ip audit configuration
To disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip audit configuration command in EXEC mode.
clear ip audit configuration
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
Use the clear ip audit configuration EXEC command to disable Cisco IOS Firewall IDS, remove all intrusion detection configuration entries, and release dynamic resources.
Examples
The following example clears the existing IP audit configuration:
clear ip audit configurationclear ip audit statistics
To reset statistics on packets analyzed and alarms sent, use the clear ip audit statistics command in EXEC mode.
clear ip audit statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Usage Guidelines
Use the clear ip audit statistics EXEC command to reset statistics on packets analyzed and alarms sent.
Examples
The following example clears all IP audit statistics:
clear ip audit statisticsclear ip auth-proxy cache
To clear authentication proxy entries from the router, use the clear ip auth-proxy cache command in EXEC mode.
clear ip auth-proxy cache {* | host-ip-address}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
The following example deletes all authentication proxy entries:
clear ip auth-proxy cache *The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5:
clear ip auth-proxy cache 192.168.4.5Related Commands
show ip auth-proxy
Displays the authentication proxy entries or the running authentication proxy configuration.
clear ip trigger-authentication
To clear the list of remote hosts for which automated double authentication has been attempted, use the clear ip trigger-authentication command in privileged EXEC mode.
clear ip trigger-authentication
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command when troubleshooting automated double authentication. This command clears the entries in the list of remote hosts displayed by the show ip trigger-authentication command.
Examples
The following example clears the remote host table:
Router# show ip trigger-authenticationTrigger-authentication Host Table:Remote Host Time Stamp172.21.127.114 2940514234Router# clear ip trigger-authenticationRouter# show ip trigger-authenticationRelated Commands
show ip trigger-authentication
Displays the list of remote hosts for which automated double authentication has been attempted.
clear ip urlfilter cache
To clear the cache table, use the clear ip urlfilter cache command in EXEC mode.
clear ip urlfilter cache {ip-address | all}
Syntax Description
ip-address
Clears the cache table of a specified server IP address.
all
Clears the cache table completely.
Command Modes
EXEC
Command History
12.2(11)YU
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
The cache table consists of the most recently requested IP addresses and the respective authorization status for each IP address.
Examples
The following example shows how to clear the cache table of IP address 172.18.139.21:
clear ip urlfilter cache 172.18.139.21The following example shows how to clear the cache table of all IP addresses:
clear ip urlfilter cache allRelated Commands
ip urlfilter cache
Configures cache parameters.
show ip urlfilter cache
Displays the destination IP addresses that are cached into the cache table.
clear kerberos creds
To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode.
clear kerberos creds
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Credentials are deleted when this command is issued.
Cisco supports Kerberos 5.
Examples
The following example illustrates the clear kerberos creds command:
Router# show kerberos credsDefault Principal: chet@cisco.comValid Starting Expires Service Principal18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/CISCO.COM@CISCO.COMRouter# clear kerberos credsRouter# show kerberos credsNo Kerberos credentials.Related Commands
clid
To preauthenticate calls on the basis of the Calling Line Identification (CLID) number, use the clid command in AAA preauthentication configuration mode. To remove the clid command from your configuration, use the no form of this command.
clid [if-avail | required] [accept-stop] [password password]
no clid [if-avail | required] [accept-stop] [password password]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the authentication, authorization and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the CLID number:
aaa preauthgroup radiusclid requiredRelated Commands
client authentication list
To configure Internet Key Exchange (IKE) extended authentication (Xauth) in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client authentication list command in ISAKMP profile configuration mode. To restore the default behavior, which is that Xauth is not enabled, use the no form of this command.
client authentication list list-name
no client authentication list list-name
Syntax Description
Defaults
No default behaviors or values
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
Before configuring Xauth, you must set up an authentication list using AAA commands.
Xauth can be enabled on a profile basis if it has been disabled globally.
Examples
The following example shows that user authentication is configured. User authentication is a list of authentication methods called "xauthlist" in an ISAKMP profile called "vpnprofile."
crypto isakmp profile vpnprofileclient authentication list xauthlistThe following example shows that Xauth has been disabled globally and enabled for the profiles "vpn-login" and "isakmpauth":
no crypto xauth FastEthernet0/0!crypto isakmp policy 1encr 3desgroup 2!crypto isakmp policy 10encr 3desauthentication pre-sharegroup 2crypto isakmp client configuration group HRZcrypto isakmp client configuration group vpngroupkey cisco123pool vpnpoolcrypto isakmp profile cert_sigmatch identity group HRZisakmp authorization list isakmpauthclient configuration address respondclient configuration group HRZcrypto isakmp profile nocertsmatch identity group vpngroupclient authentication list vpn-loginisakmp authorization list isakmpauthclient configuration address respondRelated Commands
client configuration address
To configure Internet Key Exchange (IKE) configuration mode in the Internet Security Association and Key Management Protocol (ISAKMP) profile, use the client configuration address command in ISAKMP profile configuration mode. To disable IKE configuraton mode, use the no form of this command.
client configuration address {initiate | respond}
no client configuration address {initiate | respond}
Syntax Description
initiate
Router will attempt to set IP addresses for each peer.
respond
Router will accept requests for IP addresses from any requesting peer.
Defaults
IKE configuration is not enabled.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
Before you can use this command, you must enter the crypto isakmp profile command.
Examples
The following example shows that IKE mode is configured to either initiate or respond in an ISAKMP profile called "vpnprofile":
crypto isakmp profile vpnprofileclient configuration address initiateclient configuration address respondRelated Commands
crl best-effort
Note
To download the certificate revocation list (CRL) but accept certificates if the CRL is not available, use the crl best-effort command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command.
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not configured, CRL checking is mandatory before your router can accept a certificate. That is, if CRL downloading is attempted and it fails, the certificate will be considered invalid and will be rejected.
Command Modes
Ca-identity configuration
Command History
12.2(8)T
This command was introduced.
12.3(2)T
This command was replaced by the revocation-check command.
Usage Guidelines
When your router receives a certificate from a peer, it will search its memory for the appropriate CRL. If the appropriate CRL is in the router memory, the CRL will be used. Otherwise, the router will download the CRL from either the certificate authority (CA) or from a CRL distribution point (CDP) as designated in the certificate of the peer. Your router will then check the CRL to ensure that the certificate that the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.)
When a CA system uses multiple CRLs, the certificate of the peer will indicate which CRL applies in its CDP extension and should be downloaded by your router.
If your router does not have the applicable CRL in memory and is unable to obtain one, your router will reject the certificate of the peer—unless you include the crl best-effort command in your configuration. When the crl best-effort command is configured, your router will try to obtain a CRL, but if it cannot obtain a CRL, it will treat the certificate of the peer as not revoked.
When your router receives additional certificates from peers, the router will continue to attempt to download the appropriate CRL if it was previously unsuccessful. The crl best-effort command specifies only that when the router cannot obtain the CRL, the router will not be forced to reject the certificate of a peer.
Examples
The following configuration example declares a CA and permits your router to accept certificates when CRLs are not obtainable:
crypto ca identity myidenrollment url http://mycaservercrl best-effortRelated Commands
crl optional
Note
To allow the certificates of other peers to be accepted without trying to obtain the appropriate CRL, use the crl optional command in ca-identity configuration mode. To return to the default behavior in which CRL checking is mandatory before your router can accept a certificate, use the no form of this command.
crl optional
no crl optional
Syntax Description
This command has no arguments or keywords.
Defaults
The router must have and check the appropriate CRL before accepting the certificate of another IP Security peer.
Command Modes
Ca-identity configuration
Command History
11.3 T
This command was introduced.
12.3(2)T
This command was replaced by the revocation-check command.
Usage Guidelines
When your router receives a certificate from a peer, it will search its memory for the appropriate CRL. If the router finds the appropriate CRL, that CRL will be used. Otherwise, the router will download the CRL from either the certificate authority (CA) or from a CRL distribution point (CDP) as designated in the certificate of the peer. Your router will then check the CRL to ensure that the certificate that the peer sent has not been revoked. (If the certificate appears on the CRL, your router will not accept the certificate and will not authenticate the peer.) To instruct the router not to download the CRL and treat the certificate as not revoked, use the crl optional command.
Note
Examples
The following example declares a CA and permits your router to accept certificates without trying to obtain a CRL. This example also specifies a nonstandard retry period and retry count.
crypto ca identity mycaenrollment url http://ca_serverenrollment retry-period 20enrollment retry-count 100crl optionalRelated Commands
crl query
If you have to query the certificate revocation list (CRL) to ensure that the certificate of the peer has not been revoked and you have to provide the Lightweight Directory Access Protocol (LDAP) server information, use the crl query command in ca-trustpoint configuration mode. To return to the default behavior, assuming that the CRL distribution point (CDP) has a complete LDAP URL, use no form of this command.
crl query ldap://hostname:[port]
no crl query ldap://hostname:[port]
Syntax Description
Defaults
Not enabled. If crl query ldap://hostname:[port] is not enabled, the router assumes that the CDP that is embedded in the certificate is a complete URL (for example, ldap:myldap.cisco.com/CN=myCA,O=Cisco) and uses it to download the CRL.
If the port number is not configured, the default LDAP server port 389 will be used.
Command Modes
Ca-trustpoint configuration
Command History
12.1(1)T
This command was introduced.
12.2(8)T
This command replaced the query url command.
Usage Guidelines
When Cisco IOS software tries to verify a peer certificate (for example, during Internet Key Exchange [IKE] or Secure Sockets Layer [SSL] handshake), it queries the CRL to ensure that the certificate has not been revoked. To locate the CRL, it first looks for the CDP extension in the certificate. If the extension exists, it is used to download the CRL. Otherwise, the Simple Certificate Enrollment Protocol (SCEP) GetCRL mechanism is used to query the CRL from the CA server directly (some CA servers do not support this method).
Cisco IOS software supports three types of CDP:
•
•
•
To locate the CRL, a complete URL needs to be formed. As a result, Example 3 and Example 4 still require the hostname and the port number. The ldap://hostname:[port} keywords and arguments are used to provide this information.
Note
Examples
The following example shows how to configure your router to query the CRL with the LDAP URL that is published by the CA named "bar":
crypto ca trustpoint mytpenrollment url http://bar.cisco.comcrl query ldap://bar.cisco.com:3899Related Commands
crypto ca trustpoint
Declares the CA that your router should use.
revocation-check
Checks the revocation status of a certificate.
crypto ca authenticate
To authenticate the certification authority (by getting the certificate of the CA), use the crypto ca authenticate command in global configuration mode.
crypto ca authenticate name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto ca authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
Note
error retrieving certificate :incomplete chain
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto ca authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] y#Related Commands
crypto ca certificate chain
To enter the certificate chain configuration mode, use the crypto ca certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)
crypto ca certificate chain name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Examples
The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
Router# show crypto ca certificatesCertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetRouter# configure terminalRrouter(config)# crypto ca certificate chain mycaRouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.Router(config-cert-chain)# exitRouter(config)#Related Commands
crypto ca certificate map
To define certificate-based access control lists (ACLs), use the crypto ca certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.
crypto ca certificate map label sequence-number
no crypto ca certificate map label sequence-number
Syntax Description
Defaults
No default behavior or value.
Command Modes
Ca-certificate-map configuration
Command History
Usage Guidelines
Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-value
The field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
•
•
•
•
•
•
•
Note
The match-criteria in the example is one of the following logical operators:
•
•
•
•
•
•
The match-value is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.
crypto ca certificate map Cisco 10issuer-name co Cisco Systemsunstructured-subject-name co cisco.comThe following example accepts any certificate issued by Cisco Systems for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string "DIAL" can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto ca certificate map Group 10issuer-name co Cisco Systemssubject-name co DIALcrypto ca certificate map Group 20issuer-name co Cisco Systemssubject-name co ou=WANCase is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, "ou=WAN,o=Cisco Systems" will not match a certificate with the string "ou=WAN,ou=Engineering,o=Cisco Systems" because the "ou=Engineering" string separates the two desired component identifiers.
To match both "ou=WAN" and "o=Cisco Systems" in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto ca certificate map Group 10subject-name co ou=WANsubject-name co o=CiscoAny space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore "o=Cisco" in the proceeding example will match "o = Cisco," "o= Cisco," "o =Cisco," and so on.
Related Commands
crypto ca certificate query (ca-trustpoint)
To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto ca certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.
crypto ca certificate query
no crypto ca certificate query
Syntax Description
This command has no arguments or keywords.
Defaults
CA trustpoints are stored locally in the router's NVRAM.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Normally, certain certificates are stored locally in the router's NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
The crypto ca certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.
Before you can configure this command, you must enable the crypto ca trustpoint command, which puts you in ca-trustpoint configuration mode.
Note
Examples
The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the "ka" trustpoint when needed.
crypto ca trustpoint ka...crypto ca certificate queryRelated Commands
crypto ca certificate query (global)
The crypto ca certificate query command in global configuration mode is replaced by the crypto ca certificate query command in ca-trustpoint configuration mode. See the crypto ca certificate query command for more information.
crypto ca crl request
Note
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto ca crl request command in global configuration mode.
crypto ca crl request name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Command Modes
Global configuration
Command History
11.3 T
This command was introduced.
12.3(7)T
This command was replaced by the crypto pki crl request command.
Usage Guidelines
A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto ca crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Note
Examples
The following example immediately downloads the latest CRL to your router:
crypto ca crl requestcrypto ca enroll
To obtain the certificate(s) of your router from the certification authority, use the crypto ca enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto ca enroll name
no crypto ca enroll name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto ca enroll command is not saved in the router configuration.
Note
Responding to Prompts
When you issue the crypto ca enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto ca enroll myca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password: <mypassword>Re-enter password: <mypassword>% The subject name in the certificate will be: myrouter.example.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 03433678% Include an IP address in the subject name [yes/no]? yesInterface: ethernet0/0Request certificate from CA [yes/no]? yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRouter(config)#If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
crypto ca export pkcs12
To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto ca export pkcs12 command in global configuration mode.
crypto ca export trustpointname pkcs12 destination url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ca export pkcs12 command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:
Router(config)# crypto ca export mytp pkcs12 flash:myexport mycompanyRelated Commands
crypto ca identity
The crypto ca identity command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.
crypto ca import pkcs12
To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto ca import pkcs12 command in global configuration mode.
crypto ca import trustpointname pkcs12 source url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
When you enter the cyrpto ca import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto ca trustpoint command to remove the trustpoint.
Note
Examples
In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:
Router(config)# crypto ca import forward pkcs12 flash:myexport mycompanyRelated Commands
crypto ca export pkcs12
Exports RSA keys.
crypto ca trustpoint
Declares the CA that your router should use.
crypto key zeroize rsa
Deletes all RSA keys from your router.
crypto ca import
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto ca import command in global configuration mode.
crypto ca import name certificate
Syntax Description
name certificate
Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto ca trustpoint command.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
You must enter the crypto ca import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
Examples
The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto ca trustpoint MSenroll terminalcrypto ca authenticate MS!crypto ca enroll MScrypto ca import MS certificateRelated Commands
crypto ca trusted-root
The crypto ca trusted-root command is replaced by the crypto ca trustpoint command. See the crypto ca trustpoint command for more information.
crypto ca trustpoint
Note
To declare the certification authority (CA) that your router should use, use the crypto ca trustpoint command in global configuration mode. To delete all identity information and certificates associated with the CA, use the no form of this command.
crypto ca trustpoint name
no crypto ca trustpoint name
Syntax Description
name
Creates a name for the CA. (If you previously declared the CA and just want to update its characteristics, specify the name you previously created.)
Defaults
Your router does not recognize any CAs until you declare a CA using this command.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto ca trustpoint command to declare a CA, which can be a self-signed root CA or a subordinate CA. Issuing the crypto ca trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint CA using the following subcommands:
•
•
•
•
•
•
•
Note
The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:
crypto ca trustpoint kaenrollment url http://kahului:80The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto ca certificate map command and included in the match certificate subcommand of the crypto ca | pki trustpoint command:
crypto ca certificate map Group 10subject-name co ou=WANsubject-name co o=Cisco!crypto ca trustpoint pkimatch certificate GroupRelated Commands
