-
Cisco IOS Security Command Reference, Release 12.3
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through crypto ca trustpoint
-
Security Commands: crypto dynamic-map through ctype
-
Security Commands: D through ip audit smtp spam
-
Security Commands: ip auth-proxy through ip tcp intercept
-
Security Commands: ip trigger-authentication through pool
-
Security Commands: ppp accounting through radius-server vsa send
-
Security Commands: reverse-route through show crypto isakmp sa
-
Security Commands: show crypto key mypubkey through wins
-
Table Of Contents
deadtime (server-group configuration)
dnis bypass (AAA preauthentication configuration)
dnsix-nat authorized-redirection
enrollment url (ca-trustpoint)
deadtime (server-group configuration)
To configure deadtime within the context of RADIUS server groups, use the deadtime command in server group configuration mode. To set deadtime to 0, use the no form of this command.
deadtime minutes
no deadtime
Syntax Description
minutes
Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).
Defaults
Deadtime is set to 0.
Command Modes
Server-group configuration
Command History
Usage Guidelines
Use this command to configure the deadtime value of any RADIUS server group. The value of deadtime set in the server groups will override the server that is configured globally. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.
When the RADIUS Server Is Marked As Dead
For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.
For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:
1.
A valid response has not been received from the RADIUS server for any outstanding transaction for at least the timeout period that is used to determine whether to retransmit to that server, and
2.
Examples
The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:
aaa group server radius group1server 1.1.1.1 auth-port 1645 acct-port 1646server 2.2.2.2 auth-port 2000 acct-port 2001deadtime 1Related Commands
default (ca-trustpoint)
To reset the value of a ca-trustpoint configuration subcommand to its default, use the default command in ca-trustpoint configuration mode.
default command-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can configure this command, you must enable the crypto ca trustpoint command, which enters ca-trustpoint configuration mode.
Use this command to reset the value of a ca-trustpoint configuration mode subcommand to its default.
Examples
The following example shows how to remove the crl optional command from your configuration; the default of crl optional is off.
default crl optionalRelated Commands
dialer aaa
To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command.
dialer aaa [password string | suffix string]
no dialer aaa [password string | suffix string]
Syntax Description
Defaults
This feature is not enabled by default.
Command Modes
Interface configuration
Command History
12.0(3)T
This command was introduced.
12.1(5)T
The password and suffix keywords were added.
Usage Guidelines
This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password will be "cisco."
Note
Examples
This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco."
interface dialer1dialer aaadialer aaa suffix @ciscoDoD password ciscoRelated Commands
disconnect ssh
To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh command in privileged EXEC mode.
disconnect ssh [vty] session-id
Syntax Description
vty
(Optional) Virtual terminal for remote console access.
session-id
The session-id is the number of connection displayed in the show ip ssh command output.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
12.0(5)S
This command was introduced.
12.1(1)T
This command was integrated into Cisco IOS Release 12.1 T.
Usage Guidelines
The clear line vty n command, where n is the connection number displayed in the show ip ssh command output, may be used instead of the disconnect ssh command.
When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.
Examples
The following example terminates SSH connection number 1:
disconnect ssh 1Related Commands
clear line vty
Returns a terminal line to idle state using the privileged EXEC command.
dn
To associate the identity of a router with the distinguished name (DN) in the certificate of the router, use the dn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
dn name=string [, name=string]
no dn name=string [, name=string]
Syntax Description
name=string
Identity used to restrict access to peers with specific certificates. Optionally, you can associate more than one identity.
Command Default
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Usage Guidelines
Use the dn command to associate the identity of the router, which is defined in the crypto identity command, with the DN that the peer used to authenticate itself.
Note
This command allows you set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
An encrypting peer matches this list if it contains the attributes listed in any one line defined within the name=string.
Examples
The following example shows how to configure an IPsec crypto map that can be used only by peers that have been authenticated by the DN and if the certificate belongs to "green":
crypto map map-to-green 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-green!crypto identity to-greendn ou=greenRelated Commands
dnis (authentication)
To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.
dnis [if-avail | required] [accept-stop] [password string]
no dnis [if-avail | required] [accept-stop] [password string]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:
aaa preauthgroup radiusdnis password Ascend-DNISRelated Commands
dnis (RADIUS)
To preauthenticate calls on the basis of the DNIS (Dialed Number Identification Service) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.
dnis [if-avail | required] [accept-stop] [password password]
no dnis [if-avail | required] [accept-stop] [password password]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the authentication, authorization, and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:
aaa preauthgroup radiusdnis requiredRelated Commands
dnis bypass (AAA preauthentication configuration)
To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass command in AAA preauthentication configuration mode. To remove the dnis bypass command from your configuration, use the no form of this command.
dnis bypass {dnis-group-name}
no dnis bypass {dnis-group-name}
Syntax Description
Defaults
No DNIS numbers are bypassed for preauthentication.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
Before using this command, you must first create a DNIS group with the dialer dnis group command.
Examples
The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:
aaa preauthgroup radiusdnis requireddnis bypass hawaiidialer dnis group hawaiinumber 12345number 12346Related Commands
dialer dnis group
Creates a DNIS group.
dnis (RADIUS)
Preauthenticates calls on the basis of the DNIS number.
dns
To specify the primary and secondary Domain Name Service (DNS) servers, use the dns command in (Internet Security Association Key Management Protocol) ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
dns primary-server secondary-server
no dns primary-server secondary-server
Syntax Description
Defaults
A DNS server is not specified.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Use the dns command to specify the primary and secondary DNS servers for the group.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.
Examples
The following example shows how to define a primary and secondary DNS server for the default group name:
crypto isakmp client configuration group defaultkey ciscodns 2.2.2.2 2.3.2.3pool dogacl 199Related Commands
crypto isakmp client configuration group
Specifies which group's policy profile will be defined.
domain (isakmp-group)
Specifies the DNS domain to which a group belongs.
dnsix-dmdp retries
To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count
no dnsix-dmdp retries count
Syntax Description
count
Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.
Defaults
Retransmits messages up to 4 times, or until acknowledged.
Command Modes
Global configuration
Command History
Examples
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
dnsix-dmdp retries 150Related Commands
dnsix-nat authorized-redirection
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection command in global configuration mode. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-address
Syntax Description
Defaults
An empty list of addresses.
Command Modes
Global configuration
Command History
Usage Guidelines
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
Examples
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:
dnsix-nat authorization-redirection 192.168.1.1dnsix-nat primary
To specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat primary command in global configuration mode. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address
no dnsix-nat primary ip-address
Syntax Description
Defaults
Messages are not sent.
Command Modes
Global configuration
Command History
Usage Guidelines
An IP address must be configured before audit messages can be sent.
Examples
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 172.1.1.1dnsix-nat secondary
To specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat secondary command in global configuration mode. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address
no dnsix-nat secondary ip-address
Syntax Description
Defaults
No alternate IP address is known.
Command Modes
Global configuration
Command History
Usage Guidelines
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
Examples
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 192.168.1.1dnsix-nat source
To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. To disable the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit trail writing module, use the no form of this command.
dnsix-nat source ip-address
no dnsix-nat source ip-address
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
Examples
The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:
dnsix-nat source 192.168.2.5 interface ethernet 0 ip address 192.168.2.5 255.255.255.0dnsix-nat transmit-count
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count
no dnsix-nat transmit-count count
Syntax Description
count
Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.
Defaults
One message is sent at a time.
Command Modes
Global configuration
Command History
Usage Guidelines
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
Examples
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5domain (isakmp-group)
To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.
domain name
no domain name
Syntax Description
Defaults
A DNS domain is not specified.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Use the domain command to specify group domain membership.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the domain command.
Examples
The following example shows that members of the group "cisco" also belong to the domain "cisco.com":
crypto isakmp client configuration group ciscokey ciscodns 2.2.2.2 2.3.2.3pool dogacl 199domain cisco.comRelated Commands
crypto isakmp client configuration group
Specifies which group's policy profile will be defined.
dns
Specifies the primary and secondary DNS servers.
enable password
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
enable password [level level] {password | [encryption-type] encrypted-password}
no enable password [level level]
Syntax Description
Defaults
No password is defined. The default is level 15.
Command Modes
Global configuration
Command History
10.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
Usage Guidelines
Caution
Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.
Caution
If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
An enable password is defined as follows:
•
•
•
•
–
–
–
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Examples
The following example enables the password "pswd2" for privilege level 2:
enable password level 2 pswd2The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 7:
enable password level 2 5 $1$i5Rkls3LoyxzS8t9Related Commands
enable secret
To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.
enable secret [level level] {password | [encryption-type] encrypted-password}
no enable secret [level level]
Syntax Description
Defaults
No password is defined. The default level is 15.
Command Modes
Global configuration
Command History
Usage Guidelines
Caution
Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.
Caution
If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.
Note
If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
An enable password is defined as follows:
•
•
•
•
–
–
–
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Examples
The following example specifies the enable secret password of "greentree":
enable secret greentreeAfter specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.
Password: greentreeThe following example enables the encrypted password "$1$FaD0$Xyti5Rkls3LoyxzS8", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:
enable password level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8Related Commands
enable
Enters privileged EXEC mode.
enable password
Sets a local password to control access to various privilege levels.
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm
Command Modes
ISAKMP policy configuration
Command History
11.3 T
This command was introduced.
12.0(2)T
The 3des option was added.
12.2(13)T
The following keywords were added: aes, aes 192, and aes 256.
Usage Guidelines
Use this command to specify the encryption algorithm to be used in an IKE policy.
If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed immediately after the encryption command is entered.
Examples
The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):
crypto isakmp policyencryption 3desexitThe following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:
encryption aes 256WARNING:encryption hardware does not support the configuredencryption method for ISAKMP policy 1Related Commands
enrollment http-proxy
To access the certification authority (CA) by HTTP through the proxy server, use the enrollment http-proxy command in ca-trustpoint configuration mode.
enrollment http-proxy host-name port-num
Syntax Description
host-name
Defines the proxy server used to get the CA.
port-num
Specifies the port number used to access the CA.
Defaults
If this command is not enabled, the CA will not be accessed via HTTP.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
The enrollment http-proxy command must be used in conjunction with the enrollment command, which specifies the enrollment parameters for the CA.
Examples
The following example shows how to access the CA named "ka" by HTTP through the bomborra proxy server:
crypto ca trustpoint kaenrollment url http://kahuluienrollment http-proxy bomborra 8080crl optionalRelated Commands
crypto ca trustpoint
Declares the CA that your router should use.
enrollment
Specifies the enrollment parameters of your CA.
enrollment mode ra
The enrollment mode ra command is replaced by the enrollment command. See the enrollment command for more information.
enrollment retry count
The enrollment retry count command is replaced by the enrollment command. See the enrollment command for more information.
enrollment retry period
The enrollment retry period command is replaced by the enrollment command. See the enrollment command for more information.
enrollment terminal
To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-trustpoint configuration mode. To delete a current enrollment request, use the no form of this command.
enrollment terminal
no enrollment terminal
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
A user may wish to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and certification authority (CA). When this command is enabled, the certificate request is printed on the console terminal so that it can be manually copied (cut) by the user.
Examples
The following example shows how to specify manually certificate enrollment via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto ca trustpoint MSenrollment terminalcrypto ca authenticate MS!crypto ca enroll MScrypto ca import MS certificateRelated Commands
crypto ca import
Imports a certificate manually via TFTP or cut-and-paste at the terminal.
crypto ca trustpoint
Declares the CA that your router should use.
enrollment url (ca-identity)
The enrollment url (ca-identity) command is replaced by the enrollment url (ca-trustpoint) command. See the enrollment url (ca-trustpoint) command for more information.
enrollment url (ca-trustpoint)
To specify the enrollment parameters of a certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.
enrollment [mode] [retry period minutes] [retry count number] url url [pem]
no enrollment [mode] [retry period minutes] [retry count number] url url [pem]
Syntax Description
mode
(Optional) Registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.
retry period minutes
(Optional) Specifies the period in which the router will wait before sending the CA another certificate request. The default is 1 minute between retries. (Specify from 1 through 60 minutes.)
retry count number
(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 through 100 retries.)
url url
URL of the file system where your router should send certificate requests. For enrollment method options, see Table 15.
pem
(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Defaults
Your router does not know the CA URL until you specify it using url url.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.
Use the retry period minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. By default, the router will send a maximum of 10 requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (specified via the retry count number option) is exceeded.
Use the pem keyword to issue certificate requests (using the crypto pki enroll command) or receive issued certificates (using the crypto pki import certificate command) in PEM-formatted files.
Note
Use the url url option to specify or change the URL of the CA. Table 15 lists the available enrollment methods.
Table 15 Certificate Enrollment Methods
bootflash
Enroll via bootflash: file system
cns
Enroll via Cisco Networking Services (CNS): file system
flash
Enroll via flash: file system
ftp
Enroll via FTP: file system
SCEP1
Enroll via Simple Certificate Enrollment Protocol (SCEP) (an HTTP URL)
null
Enroll via null: file system
nvram
Enroll via NVRAM: file system
rcp
Enroll via remote copy protocol (rcp): file system
scp
Enroll via secure copy protocol (scp): file system
system
Enroll via system: file system
TFTP2
Enroll via TFTP: file system
1 If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA.
2 If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the section "TFTP Certificate Enrollment" for additional information.)
TFTP Certificate Enrollment
TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto pki authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the FQDN of the router will be used.)
Note
Examples
The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://kahului:80":
crypto pki trustpoint kaenrollment url http://kahului:80Related Commands
evaluate
To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command.
evaluate name
no evaluate name
Syntax Description
name
The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.
Defaults
Reflexive access lists are not evaluated.
Command Modes
Access-list configuration
Command History
Usage Guidelines
This command is used to achieve reflexive filtering, a form of session filtering.
Before this command will work, you must define the reflexive access list using the permit (reflexive) command.
This command nests a reflexive access list within an extended named IP access list.
If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.)
This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated.
As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.
Examples
The following example shows reflexive filtering at an external interface. This example defines an extended named IP access list inboundfilters, and applies it to inbound traffic at the interface. The access list definition permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic.
If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet will be permitted into the network. tcptraffic only has entries that permit inbound traffic for existing TCP sessions.
interface Serial 1description Access to the Internet via this interfaceip access-group inboundfilters in!ip access-list extended inboundfilterspermit 190 any anypermit eigrp any anydeny icmp any anyevaluate tcptrafficRelated Commands
fqdn (ca-trustpoint)
To specify a fully qualified domain name (FQDN) that will be included as "unstructuredName" in the certificate request, use the fqdn command in ca-trustpoint configuration mode. To remove the FQDN, use the no form of this command.
fqdn {name | none}
no fqdn {name | none}
Syntax Description
name
FQDN that will be included as "unstructuredName" in the certificate request.
none
Router FQDN will not be included in the certificate request.
Defaults
The FQDN is not configured. The router FQDN will be included as "unstructuredName" in the certificate request.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue this command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The fqdn command is a subcommand that allows you to specify a certificate enrollment parameter. Use the fqdn command to include a different FQDN from that of the router in the certificate request or to specify that a FQDN should not be included in the certificate request.
Examples
The following example shows that the FQDN "jack.cisco.com" will be included in the certificate request instead of the router FQDN:
crypto ca trustpoint rootenrollment url http://10.3.0.7:80fqdn nonesubject-name CN=jack, OU=PKI, O=Cisco Systems, C=UScrypto ca trustpoint rootenrollment url http://10.3.0.7:80fqdn jack.cisco.comRelated Commands
fqdn (crypto identity)
To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
fqdn name
no fqdn name
Syntax Description
Defaults
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Usage Guidelines
Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
Examples
The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "little.com":
crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.comRelated Commands
group (authentication)
To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group {tacacs+ server-group}
no group {tacacs+ server-group}
Syntax Description
tacacs+
Uses a TACACS+ server for authentication.
server-group
Name of the server group to use for authentication.
Defaults
No method list is configured.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:
aaa preauthgroup abc123dnis password aaa-DNISRelated Commands
aaa preauth
Enters AAA preauthentication mode.
dnis (authentication)
Enables AAA preauthentication using DNIS.
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2}
no group
Syntax Description
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
crypto isakmp policy 15group 2exitRelated Commands
group (RADIUS)
To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group server-group
no group server-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:
aaa group server radius maestroserver 1.1.1.1server 2.2.2.2server 3.3.3.3aaa preauthgroup maestrodnis requiredRelated Commands
group-lock
To allow you to enter your extended authentication (Xauth) username, including the group name, when preshared key authentication is used with Internet Key Exchange (IKE), use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
When the group-lock command is enabled, you may enter your Xauth username as name/group, name\group, name@group, or name%group. The group specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
Examples
The following example shows that group lock is configured:
crypto isakmp client configuration group ciscogroup-lockRelated Commands
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5
Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
crypto isakmp policy 15hash md5exitRelated Commands
identity
To set the identity to the crypto map, use the identity command in crypto map configuration mode.
identity name
Syntax Description
Defaults
If this command is not enabled, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
Use the identity command to set the identity to the configured crypto maps. When this command is applied, only the hosts that match a configuration listed within the name argument can use that crypto map.
Examples
The following example shows how to configure two IP Security (IPSec) crypto maps and apply the identity to each crypto map. That is, the identity is set to "to-bigbiz" for the first crypto map and "to-little-com" for the second crypto map.
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.crypto map map-to-bigbiz 10 ipsec-isakmpset peer 172.21.114.196set transform-set my-transformsetmatch address 124identity to-bigbiz!crypto identity to-bigbizdn ou=BigBiz!!! This crypto map can be used only by peers that have been authenticated by hostname! and if the certificate belongs to little.com.crypto map map-to-little-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-little-com!crypto identity to-little-comfqdn little.com!Related Commands
initiate-mode
To configure the Phase 1 mode of an Internet Key Exchange (IKE), use the initiate-mode command in ISAKMP profile configuration mode. To remove the mode that was configured, use the no form of this command.
initiate-mode aggressive
no initiate-mode aggressive
Syntax Description
Defaults
IKE initiates main mode.
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
Use this command if you want to initiate an IKE aggressive mode exchange instead of a main mode exchange.
Examples
The following example shows that aggressive mode has been configured:
crypto isakmp profile vpnprofileinitiate-mode aggressiveip-address (ca-trustpoint)
To specify a dotted IP address or an interface that will be included as "unstructuredAddress" in the certificate request, use the ip-address command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.
ip-address {ip-address | interface | none]
no ip-address
Syntax Description
Defaults
An IP address is not configured. You will be prompted for the IP address during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue this command, you must enable the crypto ca | pki trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The ip-address command is a subcommand that allows you to specify a certificate enrollment parameter.
Use the ip-address command to include the IP address of the specified interface in the certificate request or to specify that an IP address should not be included in the certificate request.
If this command is enabled, you will not be prompted for an IP address during certificate enrollment.
Examples
The following example shows how to include the IP address of the Ethernet-0 interface in the certificate request for the trustpoint "frog":
crypto ca trustpoint frogenrollment url http://frog.phoobin.com/subject-name OU=Spiral Dept., O=tiedye.comip-address ethernet-0The following example shows that an IP address is not to be included in the certificate request:
crypto ca trustpoint rootenrollment url http://10.3.0.7:80fqdn noneip-address nonesubject-name CN=subject1, OU=PKI, O=Cisco Systems, C=USRelated Commands
ip audit
To apply an audit specification created with the ip audit command to a specific interface and for a specific direction, use the ip audit command in interface configuration mode. To disable auditing of the interface for the specified direction, use the no version of this command.
ip audit audit-name {in | out}
no ip audit audit-name {in | out}
Syntax Description
Defaults
No audit specifications are applied to an interface or direction.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the ip audit interface configuration command to apply an audit specification created with the
ip audit command to a specific interface and for a specific direction.Examples
In the following example, the audit specification MARCUS is applied to an interface and direction:
interface e0ip audit MARCUS inIn the following example, the audit specification MARCUS is removed from the interface on which it was previously added:
interface e0no ip audit MARCUS inip audit attack
To specify the default actions for attack signatures, use the ip audit attack command in global configuration mode. To set the default action for attack signatures, use the no form of this command.
ip audit attack {action [alarm] [drop] [reset]}
no ip audit attack
Syntax Description
Defaults
The default action is alarm.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip audit attack global configuration command to specify the default actions for attack signatures.
Examples
In the following example, the default action for attack signatures is set to all three actions:
ip audit attack action alarm drop resetip audit info
To specify the default actions for info signatures, use the ip audit info command in global configuration mode. To set the default action for info signatures, use the no form of this command.
ip audit info {action [alarm] [drop] [reset]}
no ip audit info
Syntax Description
Defaults
The default action is alarm.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip audit info global configuration command to specify the default actions for info signatures.
Examples
In the following example, the default action for info signatures is set to all three actions:
ip audit info action alarm drop resetip audit name
To create audit rules for info and attack signature types, use the ip audit name command in global configuration mode. To delete an audit rule, use the no form of this command.
ip audit name audit-name {info | attack} [list standard-acl] [action [alarm] [drop] [reset]]
no ip audit name audit-name {info | attack}
Syntax Description
Defaults
If an action is not specified, the default action is alarm.
Command Modes
Global configuration
Command History
Usage Guidelines
Any signatures disabled with the ip audit signature command do not become a part of the audit rule created with the ip audit name command.
Examples
In the following example, an audit rule called INFO.2 is created, and configured with all three actions:
ip audit name INFO.2 info action alarm drop resetIn the following example, an info signature is disabled and an audit rule called INFO.3 is created:
ip audit signature 1000 disableip audit name INFO.3 info action alarm drop resetIn the following example, an audit rule called ATTACK.2 is created with an attached ACL 91, and the ACL is created:
ip audit name ATTACK.2 list 91access-list 91 deny 10.1.0.0 0.0.255.255access-list 91 permit anyip audit notify
To specify the method of event notification, use the ip audit notify command in global configuration mode. To disable event notifications, use the no form of this command.
ip audit notify {nr-director | log}
no ip audit notify {nr-director | log}
Syntax Description
nr-director
Send messages in NetRanger format to the NetRanger Director or Sensor.
log
Send messages in syslog format.
Defaults
The default is to send messages in syslog format.
Command Modes
Global configuration
Command History
Usage Guidelines
If messages are sent to the NetRanger Director, then you must also configure the NetRanger Director's Post Office transport parameters using the ip audit po remote command.
Examples
In the following example, event notifications are specified to be sent in NetRanger format:
ip audit notify nr-directorRelated Commands
ip audit po local
To specify the local Post Office parameters used when sending event notifications to the NetRanger Director, use the ip audit po local command in global configuration mode. To set the local Post Office parameters to their default settings, use the no form of this command.
ip audit po local hostid id-number orgid id-number
no ip audit po local [hostid id-number orgid id-number]
Syntax Description
Defaults
The default organization ID is 1. The default host ID is 1.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip audit po local global configuration command to specify the local Post Office parameters used when sending event notifications to the NetRanger Director.
Examples
In the following example, the local host is assigned a host ID of 10 and an organization ID of 500:
ip audit po local hostid 10 orgid 500ip audit po max-events
To specify the maximum number of event notifications that are placed in the router's event queue, use the ip audit po max-events command in global configuration mode. To set the number of recipients to the default setting, use the no version of this command.
ip audit po max-events number-of-events
no ip audit po max-events
Syntax Description
number-of-events
Integer in the range from 1 to 65535 that designates the maximum number of events allowable in the event queue. The default is 100 events.
Defaults
The default number of events is 100.
Command Modes
Global configuration
Command History
Usage Guidelines
Raising the number of events past 100 may cause memory and performance impacts because each event in the event queue requires 32 KB of memory.
Examples
In the following example, the number of events in the event queue is set to 250:
ip audit po max-events 250ip audit po protected
To specify whether an address is on a protected network, use the ip audit po protected command in global configuration mode. To remove network addresses from the protected network list, use the no form of this command.
ip audit po protected ip-addr [to ip-addr]
no ip audit po protected [ip-addr]
Syntax Description
Defaults
If no addresses are defined as protected, then all addresses are considered outside the protected network.
Command Modes
Global configuration
Command History
Usage Guidelines
You can enter a single address at a time or a range of addresses at a time. You can also make as many entries to the protected networks list as you want. When an attack is detected, the corresponding event contains a flag that denotes whether the source or destination of the packet belongs to a protected network or not.
If you specify an IP address for removal, that address is removed from the list. If you do not specify an address, then all IP addresses are removed from the list.
Examples
In the following example, a range of addresses is added to the protected network list:
ip audit po protected 10.1.1.0 to 10.1.1.255In the following example, three individual addresses are added to the protected network list:
ip audit po protected 10.4.1.1ip audit po protected 10.4.1.8ip audit po protected 10.4.1.25In the following example, an address is removed from the protected network list:
no ip audit po protected 10.4.1.1ip audit po remote
To specify one or more set of Post Office parameters for NetRanger Directors receiving event notifications from the router, use the ip audit po remote command in global configuration mode. To remove a NetRanger Director's Post Office parameters as defined by host ID, organization ID, and IP address, use the no form of this command.
ip audit po remote hostid host-id orgid org-id rmtaddress ip-address localaddress ip-address [port port-number] [preference preference-number] [timeout seconds] [application {director | logger}]
no ip audit po remote hostid host-id orgid org-id rmtaddress ip-address
Syntax Description
Defaults
The default organization ID is 1.
The default host ID is 1.
The default UDP port number is 45000.
The default preference is 1.
The default heartbeat timeout is 5 seconds.
The default application is director.
Command Modes
Global configuration
Command History
Usage Guidelines
A router can report to more than one NetRanger Director. In this case, use the ip audit po remote command to add each NetRanger Director to which the router sends notifications.
More than one route can be established to the same NetRanger Director. In this case, you must give each route a preference number that establishes the relative priority of routes. The router always attempts to use the lowest numbered route, switching automatically to the next higher number when a route fails, and then switching back when the route begins functioning again.
A router can also report to a NetRanger Sensor. In this case, use the ip audit po remote command and specify logger as the application.
Examples
In the following example, two communication routes for the same dual-homed NetRanger Director are defined:
ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.99.100 localaddress 10.1.99.1 preference 1ip audit po remote hostid 30 orgid 500 rmtaddress 10.1.4.30 localaddress 10.1.4.1 preference 2The router uses the first entry to establish communication with the NetRanger Director defined with host ID 30 and organization ID 500. If this route fails, then the router will switch to the secondary communications route. As soon as the first route begins functioning again, the router switches back to the primary route and closes the secondary route.
In the following example, a different Director is assigned a longer heartbeat timeout value because of network congestion, and is designated as a logger application:
ip audit po remote hostid 70 orgid 500 rmtaddress 10.1.8.1 localaddress 10.1.8.100 timeout 10 application directorip audit signature
To attach a policy to a signature, use the ip audit signature command in global configuration mode. To remove the policy, use the no form of this command. If the policy disabled a signature, then the no form of this command reenables the signature. If the policy attached an access list to the signature, the no form of this command removes the access list.
ip audit signature signature-id {disable | list acl-list}
no ip audit signature signature-id
Syntax Description
Defaults
No policy is attached to a signature.
Command Modes
Global configuration
Command History
Usage Guidelines
This command allow you to set two policies: disable the audit of a signature or qualify the audit of a signature with an access list.
If you are attaching an access control list to a signature, then you also need to create an audit rule with the ip audit name command and apply it to an interface with the ip audit command.
Examples
In the following example, a signature is disabled, another signature has ACL 99 attached to it, and ACL 99 is defined:
ip audit signature 6150 disableip audit signature 1000 list 99access-list 99 deny 10.1.10.0 0.0.0.255access-list 99 permit anyip audit smtp
To specify the number of recipients in a mail message over which a spam attack is suspected, use the ip audit smtp command in global configuration mode. To set the number of recipients to the default setting, use the no form of this command.
ip audit smtp spam number-of-recipients
no ip audit smtp spam
Syntax Description
Defaults
The default number of recipients is 250.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ip audit smtp global configuration command to specify the number of recipients in a mail message over which a spam attack is suspected.
Examples
In the following example, the number of recipients is set to 300:
ip audit smtp spam 300
