Cisco IOS Security Command Reference, Release 12.3
Security Commands: D through ip audit smtp spam

Table Of Contents

deadtime (server-group configuration)

default (ca-trustpoint)

dialer aaa

disconnect ssh

dn

dnis (authentication)

dnis (RADIUS)

dnis bypass (AAA preauthentication configuration)

dns

dnsix-dmdp retries

dnsix-nat authorized-redirection

dnsix-nat primary

dnsix-nat secondary

dnsix-nat source

dnsix-nat transmit-count

domain (isakmp-group)

enable password

enable secret

encryption (IKE policy)

enrollment http-proxy

enrollment mode ra

enrollment retry count

enrollment retry period

enrollment terminal

enrollment url (ca-identity)

enrollment url (ca-trustpoint)

evaluate

fqdn (ca-trustpoint)

fqdn (crypto identity)

group (authentication)

group (IKE policy)

group (RADIUS)

group-lock

hash (IKE policy)

identity

initiate-mode

ip-address (ca-trustpoint)

ip audit

ip audit attack

ip audit info

ip audit name

ip audit notify

ip audit po local

ip audit po max-events

ip audit po protected

ip audit po remote

ip audit signature

ip audit smtp


deadtime (server-group configuration)

To configure deadtime within the context of RADIUS server groups, use the deadtime command in server group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes

no deadtime

Syntax Description

minutes

Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).


Defaults

Deadtime is set to 0.

Command Modes

Server-group configuration

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

Use this command to configure the deadtime value of any RADIUS server group. A deadtime value set in a server group overrides the value configured globally with the radius-server deadtime command. If deadtime is omitted from the server group configuration, the value is inherited from the master list. If no value is configured for the server group, the default value (0) applies to all servers in the group.

When the RADIUS Server Is Marked As Dead

For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.

For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:

1. A valid response has not been received from the RADIUS server for any outstanding transaction for at least the timeout period that is used to determine whether to retransmit to that server, and

2. Across all transactions being sent to the RADIUS server, at least the requisite number of retransmits +1 (for the initial transmission) have been sent consecutively without receiving a valid response from the server with the requisite timeout.
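
The following Python model is an added example, not part of the Cisco reference: it simulates the two dead-marking conditions above, the deadtime skip, and the group-overrides-global inheritance from the Usage Guidelines. The 5-second timeout and 3 retransmits are assumed values, and the server addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RadiusServer:
    """A RADIUS server plus the state needed to decide whether it is dead."""
    address: str
    timeout: float = 5.0        # seconds to wait for a reply (assumed radius-server timeout)
    retransmit: int = 3         # retransmits per transaction (assumed radius-server retransmit)
    unanswered_sends: int = 0   # consecutive sends whose timeout expired without a valid reply
    oldest_outstanding: Optional[float] = None  # send time of the oldest unanswered request
    dead_until: Optional[float] = None

    def is_dead(self, now: float) -> bool:
        return self.dead_until is not None and now < self.dead_until

    def on_send(self, now: float) -> None:
        if self.oldest_outstanding is None:
            self.oldest_outstanding = now

    def reset_counters(self) -> None:
        self.unanswered_sends = 0
        self.oldest_outstanding = None

    def on_valid_response(self) -> None:
        self.reset_counters()

    def on_timeout(self, now: float, deadtime_minutes: int) -> bool:
        """A send's timeout expired with no valid reply; apply the two 12.2(13.7)T
        conditions and return True if the server was marked dead by this event."""
        self.unanswered_sends += 1
        # 1. no valid response for any outstanding transaction for at least one timeout period
        waited_full_timeout = (self.oldest_outstanding is not None
                               and now - self.oldest_outstanding >= self.timeout)
        # 2. retransmit + 1 consecutive sends (initial plus retransmits) without a valid reply
        exhausted_retries = self.unanswered_sends >= self.retransmit + 1
        if waited_full_timeout and exhausted_retries:
            self.dead_until = now + deadtime_minutes * 60  # deadtime 0: marked dead but never skipped
            self.reset_counters()
            return True
        return False


def effective_deadtime(group_deadtime: Optional[int], global_deadtime: Optional[int]) -> int:
    """deadtime in the server group overrides the global radius-server deadtime;
    an omitted group value inherits the global one; nothing configured means 0."""
    if group_deadtime is not None:
        return group_deadtime
    if global_deadtime is not None:
        return global_deadtime
    return 0


def pick_server(group: List[RadiusServer], now: float) -> Optional[RadiusServer]:
    """Transaction requests skip over dead servers, in configured order."""
    for server in group:
        if not server.is_dead(now):
            return server
    return None


def simulate_outage(deadtime_minutes: int) -> dict:
    """Constructed scenario: the first server of the group stops answering and one
    transaction is retransmitted on the timeout schedule until the server is dead."""
    group = [RadiusServer("1.1.1.1"), RadiusServer("2.2.2.2")]
    primary = group[0]
    now, dead_at = 0.0, None
    primary.on_send(now)                       # initial transmission
    for _ in range(primary.retransmit + 1):    # every send is given a full timeout
        now += primary.timeout
        if primary.on_timeout(now, deadtime_minutes):
            dead_at = now
            break
        primary.on_send(now)                   # retransmit
    assert dead_at is not None
    return {
        "dead_at": dead_at,
        "server_during_deadtime": pick_server(group, dead_at + 10).address,
        "server_after_deadtime": pick_server(group, dead_at + deadtime_minutes * 60 + 10).address,
    }
```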

Examples

The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:

aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1

Related Commands

Command
Description

radius-server deadtime

Sets the deadtime value globally.


default (ca-trustpoint)

To reset the value of a ca-trustpoint configuration subcommand to its default, use the default command in ca-trustpoint configuration mode.

default command-name

Syntax Description

command-name

Ca-trustpoint configuration subcommand.


Defaults

No default behavior or values.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can configure this command, you must enable the crypto ca trustpoint command, which enters ca-trustpoint configuration mode.

Use this command to reset the value of a ca-trustpoint configuration mode subcommand to its default.

Examples

The following example shows how to remove the crl optional command from your configuration; the default of crl optional is off.

default crl optional

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


dialer aaa

To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command.

dialer aaa [password string | suffix string]

no dialer aaa [password string | suffix string]

Syntax Description

password string

(Optional) Defines a nondefault password for authentication. The password string can be a maximum of 128 characters.

suffix string

(Optional) Defines a suffix for authentication. The suffix string can be a maximum of 64 characters.


Defaults

This feature is not enabled by default.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(3)T

This command was introduced.

12.1(5)T

The password and suffix keywords were added.


Usage Guidelines

This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password will be "cisco."


Note Only IP addresses can be specified as usernames for the dialer aaa suffix command.


Examples

This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco."

interface dialer1
 dialer aaa
 dialer aaa suffix @ciscoDoD password cisco

Related Commands

Command
Description

accept dialout

Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.

dialer congestion-threshold

Specifies congestion threshold in connected links.

dialer vpdn

Enables a Dialer Profile or DDR dialer to use L2TP dial-out.


disconnect ssh

To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh command in privileged EXEC mode.

disconnect ssh [vty] session-id

Syntax Description

vty

(Optional) Virtual terminal for remote console access.

session-id

Number of the connection, as displayed in the show ip ssh command output.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.


Usage Guidelines

The clear line vty n command, where n is the connection number displayed in the show ip ssh command output, may be used instead of the disconnect ssh command.

When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.

Examples

The following example terminates SSH connection number 1:

disconnect ssh 1

Related Commands

Command
Description

clear line vty

Returns a terminal line to idle state using the privileged EXEC command.


dn

To associate the identity of a router with the distinguished name (DN) in the certificate of the router, use the dn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

dn name=string [, name=string]

no dn name=string [, name=string]

Syntax Description

name=string

Identity used to restrict access to peers with specific certificates. Optionally, you can associate more than one identity.


Command Default

If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the dn command to associate the identity of the router, which is defined in the crypto identity command, with the DN that the peer used to authenticate itself.


Note The name defined in the crypto identity command must match the string defined in the dn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.


This command allows you to set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.

An encrypting peer matches this list if its certificate DN contains all the attributes listed on any one dn line (the name=string pairs on that line).

Examples

The following example shows how to configure an IPsec crypto map that can be used only by peers that have been authenticated by the DN and if the certificate belongs to "green":

crypto map map-to-green 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-green
!
crypto identity to-green
 dn ou=green

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

fqdn

Associates the identity of the router with the hostname that the peer used to authenticate itself.


dnis (authentication)

To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password string]

no dnis [if-avail | required] [accept-stop] [password string]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:

aaa preauth
 group radius
 dnis password Ascend-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

group (authentication)

Selects the security server to use for AAA preauthentication.

isdn guard-timer

Sets a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.


dnis (RADIUS)

To preauthenticate calls on the basis of the DNIS (Dialed Number Identification Service) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password password]

no dnis [if-avail | required] [accept-stop] [password password]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as clid or ctype from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the authentication, authorization, and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:

aaa preauth
 group radius
 dnis required

Related Commands

Command
Description

clid

Preauthenticates calls on the basis of the CLID number.

ctype

Preauthenticates calls on the basis of the call type.

dnis bypass (AAA preauthentication configuration)

Specifies a group of DNIS numbers that will be bypassed for preauthentication.

group (RADIUS)

Specifies the AAA RADIUS server group to use for preauthentication.


dnis bypass (AAA preauthentication configuration)

To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass command in AAA preauthentication configuration mode. To remove the dnis bypass command from your configuration, use the no form of this command.

dnis bypass {dnis-group-name}

no dnis bypass {dnis-group-name}

Syntax Description

dnis-group-name

Name of the defined DNIS group.


Defaults

No DNIS numbers are bypassed for preauthentication.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

Before using this command, you must first create a DNIS group with the dialer dnis group command.

Examples

The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:

aaa preauth
 group radius
 dnis required
 dnis bypass hawaii

dialer dnis group hawaii
 number 12345
 number 12346

Related Commands

Command
Description

dialer dnis group

Creates a DNIS group.

dnis (RADIUS)

Preauthenticates calls on the basis of the DNIS number.


dns

To specify the primary and secondary Domain Name Service (DNS) servers, use the dns command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

dns primary-server secondary-server

no dns primary-server secondary-server

Syntax Description

primary-server

Name of the primary DNS server.

secondary-server

Name of the secondary DNS server.


Defaults

A DNS server is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the dns command to specify the primary and secondary DNS servers for the group.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.

Examples

The following example shows how to define a primary and secondary DNS server for the default group name:

crypto isakmp client configuration group default
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool dog
 acl 199

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.

domain (isakmp-group)

Specifies the DNS domain to which a group belongs.


dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count

no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.


Defaults

Retransmits messages up to 4 times, or until acknowledged.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example sets the number of times DMDP will attempt to retransmit a message to 150:

dnsix-dmdp retries 150

Related Commands

Command
Description

dnsix-nat authorized-redirection

Specifies the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages.

dnsix-nat primary

Specifies the IP address of the host to which DNSIX audit messages are sent.

dnsix-nat secondary

Specifies an alternate IP address for the host to which DNSIX audit messages are sent.

dnsix-nat source

Starts the audit-writing module and defines audit trail source address.

dnsix-nat transmit-count

Causes the audit-writing module to collect multiple audit messages in the buffer before sending the messages to a collection center.


dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection command in global configuration mode. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address

no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.


Defaults

An empty list of addresses.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.

Examples

The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:

dnsix-nat authorized-redirection 192.168.1.1

dnsix-nat primary

To specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat primary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat primary ip-address

no dnsix-nat primary ip-address

Syntax Description

ip-address

IP address for the primary collection center.


Defaults

Messages are not sent.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

An IP address must be configured before audit messages can be sent.

Examples

The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:

dnsix-nat primary 172.1.1.1

dnsix-nat secondary

To specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat secondary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat secondary ip-address

no dnsix-nat secondary ip-address

Syntax Description

ip-address

IP address for the secondary collection center.


Defaults

No alternate IP address is known.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.

Examples

The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:

dnsix-nat secondary 192.168.1.1

dnsix-nat source

To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. To disable the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit trail writing module, use the no form of this command.

dnsix-nat source ip-address

no dnsix-nat source ip-address

Syntax Description

ip-address

Source IP address for DNSIX audit messages.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.

Examples

The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:

dnsix-nat source 192.168.2.5 
interface ethernet 0 
 ip address 192.168.2.5 255.255.255.0

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. To revert to the default audit message count, use the no form of this command.

dnsix-nat transmit-count count

no dnsix-nat transmit-count count

Syntax Description

count

Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.


Defaults

One message is sent at a time.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

By default an audit message is sent as soon as it is generated by the IP packet-processing code. The audit writing module can instead buffer several audit messages (up to the configured count) before transmitting them to a collection center.

Examples

The following example configures the system to buffer five audit messages before transmitting them to a collection center:

dnsix-nat transmit-count 5

domain (isakmp-group)

To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

domain name

no domain name

Syntax Description

name

Name of the DNS domain.


Defaults

A DNS domain is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the domain command to specify group domain membership.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the domain command.

Examples

The following example shows that members of the group "cisco" also belong to the domain "cisco.com":

crypto isakmp client configuration group cisco
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool dog
 acl 199
 domain cisco.com

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies which group's policy profile will be defined.

dns

Specifies the primary and secondary DNS servers.


enable password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.

enable password [level level] {password | [encryption-type] encrypted-password}

no enable password [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password users type to enter enable mode.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default is level 15.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Must not have a number as the first character.

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples

The following example enables the password "pswd2" for privilege level 2:

enable password level 2 pswd2

The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable password level 2 5 $1$i5Rkls3LoyxzS8t9

Related Commands

Command
Description

disable

Exits privileged EXEC mode and returns to user EXEC mode.

enable

Enters privileged EXEC mode.

enable secret

Specifies an additional layer of security over the enable password command.

privilege

Configures a new privilege level for users and associate commands with that privilege level.

service password-encryption

Encrypts passwords.

show privilege

Displays your current level of privilege.


enable secret

To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.

enable secret [level level] {password | [encryption-type] encrypted-password}

no enable secret [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default level is 15.

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security that this provides is useful in environments where the password crosses the network or is stored on a TFTP server.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.


Note After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.


The enable secret is always stored and displayed in its hashed form, for example in the output of the more nvram:startup-config or show running-config command, whether or not service password-encryption is configured.

The service password-encryption command applies only the reversible type 7 encoding to the enable password and to line passwords; it does not change how the enable secret is stored. You can enable or disable that encoding with the service password-encryption command.
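The following added example (not Cisco code and not part of the original page) reproduces what IOS writes into the configuration for the two commands discussed above: the type 5 string behind enable secret, which is the publicly documented MD5-crypt algorithm, and the type 7 string that service password-encryption produces for an enable password or line password, which is an XOR against a fixed, publicly known key. The function names (md5crypt, verify_type5, type7_encode, type7_decode) and the sample passwords are the editor's own; the "greentree" secret is hashed with a fixed salt so the output is reproducible.

```python
"""Added example (not Cisco code): what `enable secret` (type 5) and
`service password-encryption` (type 7) actually store, to show why the
two are not equivalent. Type 5 is public MD5-crypt ("$1$salt$hash", 1000
salted MD5 rounds, one-way); type 7 is a fixed-key XOR anyone can undo.
All sample passwords and strings below are constructed for the demo."""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"
# Publicly known fixed key used by the reversible type 7 encoding.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def _to64(value: int, n: int) -> str:
    """crypt-style base64: n characters, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Type 5 hash: FreeBSD MD5-crypt with the "$1$" magic. One-way."""
    pw = password.encode()
    sl = salt[:8].encode()                      # IOS itself uses a 4-character salt
    ctx = hashlib.md5(pw + MAGIC.encode() + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for i in range(len(pw)):                    # len(pw) bytes of md5(pw+salt+pw)
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                    # one byte per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                       # stretching loop
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    return MAGIC + sl.decode() + "$" + enc + _to64(final[11], 2)


def new_type5(password: str) -> str:
    """What `enable secret <password>` would write into the configuration."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(4))
    return md5crypt(password, salt)


def verify_type5(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored "$1$salt$hash" string (constant-time compare)."""
    parts = stored.split("$")                   # ["", "1", salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not a type 5 secret")
    return hmac.compare_digest(md5crypt(candidate, parts[2]), stored)


def type7_encode(plain: str, seed: int) -> str:
    """What `service password-encryption` writes for an enable or line password."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses a seed of 0..15")
    return f"{seed:02d}" + "".join(
        f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, b in enumerate(plain.encode()))


def type7_decode(encoded: str) -> str:
    """Recover the clear text from a type 7 string: no secret key is involved."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


if __name__ == "__main__":
    secret = md5crypt("greentree", "FaD0")     # fixed salt so the output is reproducible
    print("enable secret 5", secret)
    print("verify greentree:", verify_type5(secret, "greentree"))
    print("verify GreenTree:", verify_type5(secret, "GreenTree"))
    weak = type7_encode("greentree", 8)
    print("enable password 7", weak, "->", type7_decode(weak))
```

Running the script shows the practical difference: the type 7 string decodes back to "greentree" instantly, while the type 5 string can only be tested guess by guess, one thousand MD5 rounds per guess. A full MD5-crypt string is "$1$", a salt, "$" and 22 hash characters; if a string copied from a configuration is shorter than that, it has been truncated and will never verify.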

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters

Must not have a number as the first character

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples

The following example specifies the enable secret password of "greentree":

enable secret greentree

After the enable secret is set, users must enter it at the Password: prompt to reach privileged EXEC mode; any password set through enable password no longer works:

Password: greentree

The following example configures, for privilege level 2, an already hashed secret "$1$FaD0$Xyti5Rkls3LoyxzS8" that has been copied from another router's configuration file, using encryption type 5. Because type 5 is the hash format of the enable secret command, the command is enable secret, not enable password:

enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8

Related Commands

Command
Description

enable

Enters privileged EXEC mode.

enable password

Sets a local password to control access to various privilege levels.


encryption (IKE policy)

To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.

encryption {des | 3des | aes | aes 192 | aes 256}

no encryption

Syntax Description

des

56-bit Data Encryption Standard (DES)-CBC as the encryption algorithm.

3des

Triple DES (3DES) with a 168-bit key (112-bit effective strength) as the encryption algorithm.

aes

128-bit Advanced Encryption Standard (AES) as the encryption algorithm.

aes 192

192-bit AES as the encryption algorithm.

aes 256

256-bit AES as the encryption algorithm.


Defaults

The 56-bit DES-CBC encryption algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.

12.0(2)T

The 3des option was added.

12.2(13)T

The following keywords were added: aes, aes 192, and aes 256.


Usage Guidelines

Use this command to specify the encryption algorithm to be used in an IKE policy. The default, 56-bit DES, is within reach of a brute-force key search and should not be relied on to protect IKE; configure 3des or, preferably, one of the aes keywords in every policy, including policies for which you would otherwise accept the defaults.

If a user enters an IKE encryption method that the hardware does not support, a warning message is displayed immediately after the encryption command is entered.

Examples

The following example configures IKE policy 1 (the priority number is a required argument of crypto isakmp policy) with the 3DES encryption algorithm; all other parameters keep their defaults:

crypto isakmp policy 1
 encryption 3des
 exit

The following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:

encryption aes 256
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
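Because a policy with no encryption line silently uses the DES default, it is easy to miss in a large configuration. The following added example (the editor's own code, not Cisco's and not from the original page) parses crypto isakmp policy blocks out of saved running-configuration text and flags every policy that would negotiate with DES or 3DES, applying the default rule this page documents. It accepts both the full encryption keyword and the encr abbreviation that IOS prints in show running-config output; the configuration text, and the names parse_isakmp_policies and audit, are constructed for the demonstration.

```python
"""Added example (not Cisco code): audit `crypto isakmp policy` blocks from
running-config text and flag policies that use DES or 3DES. A policy with no
encryption line gets the 56-bit DES default, as the page documents.
The configuration text below is constructed for the demonstration."""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 authentication pre-share
 group 2
"""

_POLICY = re.compile(r"^crypto isakmp policy (\d+)\s*$")
# Accept the full keyword and the "encr" abbreviation IOS prints in show running-config.
_ENCR = re.compile(r"^\s+encr(?:yption)? (des|3des|aes(?: (?:192|256))?)\s*$")

DEFAULT_ENCRYPTION = "des"   # what IKE uses when the policy has no encryption line

WEAK = {
    "des": "56-bit DES is within reach of brute force; use aes, aes 192 or aes 256",
    "3des": "3DES is legacy (112-bit effective); prefer aes, aes 192 or aes 256",
}


def parse_isakmp_policies(config: str) -> dict[int, str]:
    """Map policy priority -> encryption keyword, applying the DES default."""
    policies: dict[int, str] = {}
    current = None
    for line in config.splitlines():
        m = _POLICY.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = DEFAULT_ENCRYPTION
            continue
        m = _ENCR.match(line)
        if m and current is not None:
            policies[current] = m.group(1)
        elif line and not line[0].isspace():
            current = None          # any other top-level line ends the policy block
    return policies


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (priority, algorithm, reason) for every policy that should be fixed."""
    return [(prio, alg, WEAK[alg])
            for prio, alg in sorted(parse_isakmp_policies(config).items())
            if alg in WEAK]


if __name__ == "__main__":
    for prio, alg, why in audit(SAMPLE_CONFIG):
        print(f"policy {prio}: {alg} -> {why}")
```

On the sample, policy 1 passes, policy 10 is flagged for 3DES and policy 20 is flagged for DES even though the word "des" never appears in it. The audit only sees what is in the running configuration; use show crypto isakmp policy on the device as well, because it also lists the implicit default policy, which uses DES and is not written to the configuration.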

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


enrollment http-proxy

To access the certification authority (CA) by HTTP through an HTTP proxy server, use the enrollment http-proxy command in ca-trustpoint configuration mode.

enrollment http-proxy host-name port-num

Syntax Description

host-name

Host name or IP address of the HTTP proxy server through which the CA is reached.

port-num

TCP port on the proxy server to which enrollment requests are sent.


Defaults

If this command is not configured, no proxy is used; enrollment requests go directly to the CA at the URL given by the enrollment url command.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

The enrollment http-proxy command must be used together with the enrollment url command, which specifies the CA's enrollment URL; the proxy only relays the HTTP request to that URL.

Examples

The following example shows how to access the CA named "ka" by HTTP through the bomborra proxy server:

crypto ca trustpoint ka
 enrollment url http://kahului