-
Cisco IOS Security Command Reference, Release 12.3
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through crypto ca trustpoint
-
Security Commands: crypto dynamic-map through ctype
-
Security Commands: D through ip audit smtp spam
-
Security Commands: ip auth-proxy through ip tcp intercept
-
Security Commands: ip trigger-authentication through pool
-
Security Commands: ppp accounting through radius-server vsa send
-
Security Commands: reverse-route through show crypto isakmp sa
-
Security Commands: show crypto key mypubkey through wins
-
Table Of Contents
radius-server attribute 8 include-in-access-req
radius-server attribute 11 direction default
radius-server attribute 32 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 44 include-in-access-req
radius-server attribute 44 sync-with-client
radius-server attribute 55 include-in-acct-req
radius-server attribute 69 clear
radius-server attribute 188 format non-standard
radius-server attribute nas-port extended
radius-server attribute nas-port format
radius-server authorization missing Service-Type
radius-server challenge-noecho
radius-server directed-request
radius-server domain-stripping
radius-server extended-portnames
radius-server host non-standard
radius-server optional-passwords
radius-server retry method reorder
radius-server source-ports extended
radius-server transaction max-tries
ppp accounting
To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command.
ppp accounting default
no ppp accounting
Syntax Description
Defaults
Accounting is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Examples
The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
interface async 4encapsulation pppppp accounting charlieRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
ppp authentication
To enable at least one PPP authentication protocol and to specify the order in which the protocols are selected on the interface, use the ppp authentication command in interface configuration mode. To disable this authentication, use the no form of this command.
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time] [optional]
no ppp authentication
Syntax Description
protocol1 [protocol2...]
At least one of the keywords described in Table 20.
if-needed
(Optional) Used with TACACS and extended TACACS. Does not perform Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication if the user has already provided authentication. This option is available only on asynchronous interfaces.
list-name
(Optional) Used with authentication, authorization, and accounting (AAA). Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
default
(Optional) Name of the method list is created with the aaa authentication ppp command.
callin
(Optional) Authentication on incoming (received) calls only.
one-time
(Optional) The username and password are accepted in the username field.
optional
(Optional) Accepts the connection even if the peer refuses to accept the authentication methods that the router has requested.
Defaults
PPP authentication is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
When you enable PAP, CHAP, or Extensible Authentication Protocol (EAP) authentication (or all three methods), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the name of the remote device with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match. EAP works much as CHAP does, except that identity request and response packets are exchanged when EAP starts.
You can enable CHAP, Microsoft CHAP (MS-CHAP), PAP, or EAP in any order. If you enable all four methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the ability of the remote device to correctly negotiate the appropriate method and on the level of data-line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.
CautionIf you use a list-name value that was not configured with the aaa authentication ppp command, you will disable PPP on this interface.
Table 20 lists the protocols used to negotiate PPP authentication.
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
If you are using autoselect on a tty line, you can use the ppp authentication command to turn on PPP authentication for the corresponding interface.
MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; authentication occurs between a personal computer using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
If you are using autoselect on a tty line, use the ppp authentication command to turn on PPP authentication for the corresponding interface.
Examples
The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:
interface async 4encapsulation pppppp authentication chap MIS-accessThe following example enables EAP on dialer interface 1:
interface dialer 1encapsulation pppppp authentication eapRelated Commands
ppp authentication ms-chap-v2
To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication on a network access server (NAS), use the ppp authentication ms-chap-v2 command in interface configuration mode. To disable MSCHAP V2 authentication, use the no form of this command.
ppp authentication ms-chap-v2
no ppp authentication ms-chap-v2
Syntax Description
This command has no arguments or keywords.
Defaults
MSCHAP V2 authentication is disabled.
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
To enable MSCHAP V2 authentication, first configure PPP on the NAS. For the NAS to properly interpret authentication failure attributes and vendor-specific attributes, the ppp max-bad-auth command must be configured to allow at least two authentication retries and the radius-server vsa send command and authentication keyword must be enabled. The NAS must be able to interpret authentication failure attributes and vendor-specific attributes to support the ability to change an expired password.
Examples
The following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication locally:
interface Async65ip address 10.0.0.2 255.0.0.0encapsulation pppasync mode dedicatedno peer default ip addressppp max-bad-auth 3ppp authentication ms-chap-v2username client password secretThe following example configures PPP on an asynchronous interface and enables MSCHAP V2 authentication via RADIUS:
interface Async65ip address 10.0.0.2 255.0.0.0encapsulation pppasync mode dedicatedno peer default ip addressppp max-bad-auth 3ppp authentication ms-chap-v2exitaaa authentication ppp default group radiusradius-server host 10.0.0.2 255.0.0.0radius-server key secretradius-server vsa send authenticationRelated Commands
ppp authorization
To enable authentication, authorization, and accounting (AAA) authorization on the selected interface, use the ppp authorization command in interface configuration mode. To disable authorization, use the no form of this command.
ppp authorization [default | list-name]
no ppp authorization
Syntax Description
Defaults
Authorization is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Examples
The following example enables authorization on asynchronous interface 4 and uses the method list named charlie:
interface async 4encapsulation pppppp authorization charlieRelated Commands
ppp chap hostname
To create a pool of dialup routers that all appear to be the same host when authenticating with Challenge Handshake Authentication Protocol (CHAP), use the ppp chap hostname command in interface configuration mode. To disable this function, use the no form of this command.
ppp chap hostname hostname
no ppp chap hostname hostname
Syntax Description
Defaults
Disabled. The router name is sent in any CHAP challenges.
Command Modes
Interface configuration
Command History
Usage Guidelines
The ppp chap hostname command allows you to specify a common alias for all routers in a rotary group to use so that only one username must be configured on the dialing routers.
This command is normally used with local CHAP authentication (when the router authenticates to the peer), but it can also be used for remote CHAP authentication.
Examples
The following example identifies dialer interface 0 as the dialer rotary group leader and specifies "ppp" as the encapsulation method used by all member interfaces. This example shows that CHAP authentication is used on received calls only and the username ISPCorp will be sent in all CHAP challenges and responses.
interface dialer 0encapsulation pppppp authentication chap callinppp chap hostname ISPCorpRelated Commands
ppp chap password
To enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common Challenge Handshake Authentication Protocol (CHAP) secret password to use in response to challenges from an unknown peer, use the ppp chap password command in interface configuration mode. To disable the PPP CHAP password, use the no form of this command.
ppp chap password secret
no ppp chap password secret
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.
This command is used for remote CHAP authentication only (when routers authenticate to the peer) and does not affect local CHAP authentication.
Examples
The commands in the following example specify ISDN BRI number 0. The method of encapsulation on the interface is PPP. If a CHAP challenge is received from a peer whose name is not found in the global list of usernames, the encrypted secret 7 1267234591 is decrypted and used to create a CHAP response value.
interface bri 0encapsulation pppppp chap password 7 1234567891Related Commands
ppp chap refuse
To refuse Challenge Handshake Authentication Protocol (CHAP) authentication from peers requesting it, use the ppp chap refuse command in interface configuration mode. To allow CHAP authentication, use the no form of this command.
ppp chap refuse [callin]
no ppp chap refuse [callin]
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This command specifies that CHAP authentication is disabled for all calls, meaning that all attempts by the peer to force the user to authenticate using CHAP will be refused. If the callin keyword is used, CHAP authentication is disabled for incoming calls from the peer, but will still be performed on outgoing calls to the peer.
If outbound Password Authentication Protocol (PAP) has been enabled (using the ppp pap sent-username command), PAP will be suggested as the authentication method in the refusal packet.
Examples
The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables CHAP authentication from occurring if a peer calls in requesting CHAP authentication.
interface bri 0encapsulation pppppp chap refuseRelated Commands
ppp chap wait
To specify that the router will not authenticate to a peer requesting Challenge Handshake Authentication Protocol (CHAP) authentication until after the peer has authenticated itself to the router, use the ppp chap wait command in interface configuration mode. To allow the router to respond immediately to an authentication challenge, use the no form of this command.
ppp chap wait secret
no ppp chap wait secret
Syntax Description
Defaults
Enabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This command (which is enabled by default) specifies that the router will not authenticate to a peer requesting CHAP authentication until the peer has authenticated itself to the router. The no form of this command specifies that the router will respond immediately to an authentication challenge.
Examples
The following example specifies ISDN BRI number 0. The method of encapsulation on the interface is PPP. This example disables the default, meaning that users do not have to wait for peers to complete CHAP authentication before authenticating themselves.
interface bri 0encapsulation pppno ppp chap waitRelated Commands
ppp eap identity
To specify the Extensible Authentication Protocol (EAP) identity, use the ppp eap identity command in interface configuration mode. To remove the EAP identity from your configuration, use the no form of this command.
ppp eap identity string
no ppp eap identity string
Syntax Description
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the ppp eap identity command to configure the client to use a different identity when requested by the peer.
Examples
The following example shows how to enable EAP on dialer interface 1 and set the identity to "cat":
interface dialer 1encapsulation pppppp eap identity catppp eap local
To authenticate locally instead of using the RADIUS back-end server, use the ppp eap local command in interface configuration mode. To reenable proxy mode (which is the default), use the no form of this command.
ppp eap local
no ppp eap local
Syntax Description
This command has no arguments or keywords.
Defaults
Authentication is performed via proxy mode.
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
By default, Extensible Authentication Protocol (EAP) runs in proxy mode. This means that EAP allows the entire authentication process to be negotiated by the network access server (NAS) to a back-end server that may reside on or be accessed via a RADIUS server. To disable proxy mode (and thus to authenticate locally instead of via RADIUS), use the ppp eap local command.
In local mode, the EAP session is authenticated using the MD5 algorithm and obeys the same authentication rules as does Challenge Handshake Authentication Protocol (CHAP).
Examples
The following example shows how to configure EAP to authenticate locally:
interface dialer 1encapsulation pppppp authentication eapppp eap localRelated Commands
ppp authentication
Enables at least one PPP authentication protocol and specifies the order in which the protocols are selected on the interface.
ppp eap password
To set the Enhanced Authentication Protocol (EAP) password for peer authentication, use the ppp eap password command in interface configuration mode. To disable the password, use the no form of this command.
ppp eap password [number] string
no ppp eap password [number] string
Syntax Description
number
(Optional) Encryption type, including values 0 through 7; 0 means no encryption.
string
Character string that specifies the EAP password.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
For remote EAP authentication only, you can configure your router to create a common EAP password to use in response to challenges from an unknown peer; for example, if your router calls a rotary of routers (either from another vendor or from an older running version of the Cisco IOS software) to which a new (that is, unknown) router has been added, the common password will be used to respond to the new router. The ppp eap password command allows you to replace several username and password configuration commands with a single copy of this command on any dialer interface or asynchronous group interface.
Examples
The following example shows how to set the EAP password "7 141B1309" on the client:
ppp eap identity userppp eap password 7 141B1309ppp eap refuse
To refuse Enhanced Authentication Protocol (EAP) from peers requesting it, use the ppp eap refuse command in interface configuration mode. To return to the default, use the no form of this command.
ppp eap refuse [callin]
no ppp eap refuse [callin]
Syntax Description
Defaults
The server will not refuse EAP authentication challenges received from the peer.
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the ppp eap refuse command to disable EAP authentication for all calls. If the callin keyword is used, the server will refuse to answer EAP authentication challenges received from the peer but will still require the peer to answer any EAP challenges the server sends.
Examples
The following example shows how to refuse EAP authentication on incoming calls from the peer:
ppp authentication eapppp eap localppp eap refuse callinRelated Commands
ppp authentication
Enables at least one PPP authentication protocol and specifies the order in which the protocols are selected on the interface.
ppp eap wait
To configure the server to delay the Enhanced Authentication Protocol (EAP) authentication until after the peer has authenticated itself to the server, use the ppp eap wait command in interface configuration mode. To disable this functionality, use the no form of this command.
ppp eap wait
no ppp eap wait
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Interface configuration
Command History
12.2(2)XB5
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
Usage Guidelines
Use the ppp eap wait command to specify that the server will not authenticate to a peer requesting EAP authentication until after the peer has authenticated itself to the server.
Examples
The following example shows how to configure the server to wait for the peer to authenticate itself first:
ppp authentication eapppp eap localppp eap waitRelated Commands
ppp authentication
Enables at least one PPP authentication protocol and specifies the order in which the protocols are selected on the interface.
ppp pap refuse
To refuse a peer request to authenticate remotely with PPP using Password Authentication Protocol (PAP), use the ppp pap refuse command in interface configuration mode. To disable the refusal, use the no form of this command.
ppp pap refuse
no ppp pap refuse
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to refuse remote PAP support; for example, to respond to the peer request to authenticate with PAP.
This is a per-interface command.
Examples
The following example shows how to enable the ppp pap command to refuse a peer request for remote authentication:
interface dialer 0encapsulation pppppp pap refuseRelated Commands
ppp pap sent-username
To reenable remote Password Authentication Protocol (PAP) support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username command in interface configuration mode. To disable remote PAP support, use the no form of this command.
ppp pap sent-username username password password
no ppp pap sent-username
Syntax Description
username
Username sent in the PAP authentication request.
password
Password sent in the PAP authentication request.
password
Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
Defaults
Remote PAP support disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to reenable remote PAP support (for example, to respond to the peer's request to authenticate with PAP) and to specify the parameters to be used when sending the PAP authentication request.
This is a per-interface command. You must configure this command for each interface.
Examples
The following example identifies dialer interface 0 as the dialer rotary group leader and specify PPP as the method of encapsulation used by the interface. Authentication is by CHAP or PAP on received calls only. ISPCorp is the username sent to the peer if the peer requires the router to authenticate with PAP.
interface dialer0encapsulation pppppp authentication chap pap callinppp chap hostname ISPCorpppp pap sent username ISPCorp password 7 fjhfeuRelated Commands
pre-shared-key
To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname} key key
no pre-shared-key {address address [mask] | hostname hostname} key key
Syntax Description
Defaults
No default behaviors or values
Command Modes
Keyring configuration
Command History
Usage Guidelines
Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile.
Examples
The following example shows how to configure a preshared key using an IP address and host name:
crypto keyring vpnkeyringpre-shared-key address 10.72.23.11 key vpnkeypre-shared-key hostname www.vpn.com key vpnkeyprimary
To assign a specified trustpoint as the primary trustpoint of the router, use the primary command in ca-trustpoint configuration mode.
primary name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the primary command to specify a given trustpoint as primary.
Before you can configure this command, you must enable the crypto ca trustpoint command, which defines the trustpoint and enters ca-trustpoint configuration mode.
Examples
The following example shows how to configure the trustpoint "ka" as the primary trustpoint:
crypto ca trustpoint kaenrollment url http://xxxprimarycrl optionalRelated Commands
privilege
To configure a new privilege level for users and associate commands with that privilege level, use the privilege command in global configuration mode. To reset the privilege level of the specified command or commands to the default and remove the privilege level configuration from the running configuration file, use the no form of this command.
Note
privilege mode [all] {level level | reset} command-string
no privilege mode [all] {level level | reset} command-string
Syntax Description
mode
Configuration mode for the specified command. See Table 21 in the "Usage Guidelines" section for a list of options for this argument.
all
(Optional) Changes the privilege level for all the suboptions to the same level.
level level
Specifies the privilege level you are configuring for the specified command or commands. The level argument must be a number from 0 to 15.
reset
Resets the privilege level of the specified command or commands to the default and removes the privilege level configuration from the running configuration file.
Note
command-string
Command associated with the specified privilege level. If the all keyword is used, specifies the command and subcommands associated with the privilege level.
Defaults
User EXEC mode commands are privilege level 1.
Privileged EXEC mode and configuration mode commands are privilege level 15.
Command Modes
Global configuration
Command History
10.3
This command was introduced.
12.0(22)S, 12.2(13)T
The all keyword was added.
12.3(6), 12.3(6)T
The no form of the command performs the same function as the reset keyword.
Usage Guidelines
The password for a privilege level defined using the privilege global configuration command is configured using the enable secret command.
Level 0 can be used to specify a more-limited subset of commands for specific users or lines. For example, you can allow user "guest" to use only the show users and exit commands.
Note
When you set the privilege level for a command with multiple words, note that the commands starting with the first word will also have the specified access level. For example, if you set the show ip route command to level 15, the show commands and show ip commands are automatically set to privilege level 15—unless you set them individually to different levels. This is necessary because you can't execute, for example, the show ip command unless you have access to show commands.
To change the privilege level of a group of commands, use the all keyword. When you set a group of commands to a privilege level using the all keyword, all commands which match the beginning string are enabled for that level, and all commands which are available in submodes of that command are enabled for that level. For example, if you set the show ip keywords to level 5, show and ip will be changed to level 5 and all the options that follow the show ip string (such as show ip accounting, show ip aliases, show ip bgp, and so on) will be available at privilege level 5.
Table 21 shows some of the keyword options for the mode argument in the privilege command. The available mode keywords will vary depending on your hardware and software version. To see a list of available mode options on your system, use the privilege ? command.
.
