Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: aaa accounting through access-template

Table Of Contents

Security Commands

aaa accounting
aaa accounting connection h323
aaa accounting delay-start
aaa accounting gigawords
aaa accounting nested
aaa accounting resource start-stop group
aaa accounting resource stop-failure group
aaa accounting send stop-record authentication failure
aaa accounting session-duration ntp-adjusted
aaa accounting suppress null-username
aaa accounting update
aaa attribute
aaa attribute list
aaa authentication arap
aaa authentication attempts login
aaa authentication banner
aaa authentication dot1x
aaa authentication enable default
aaa authentication eou default enable group radius
aaa authentication fail-message
aaa authentication login
aaa authentication password-prompt
aaa authentication ppp
aaa authentication sgbp
aaa authentication username-prompt
aaa authorization
aaa authorization cache filterserver
aaa authorization config-commands
aaa authorization console
aaa authorization reverse-access
aaa authorization template
aaa cache filter
aaa configuration route
aaa dnis map accounting network
aaa dnis map authentication group
aaa dnis map authorization network group
aaa group server radius
aaa group server tacacs+
aaa local authentication attempts max-fail
aaa nas port extended
aaa nas redirected-station
aaa new-model
aaa pod server
aaa preauth
aaa processes
aaa session-id
aaa session-mib
aaa user profile
access-enable
access-group (identity policy)
access-list dynamic-extend
access-profile
access-restrict
access-template


Security Commands


This book presents the commands to configure and maintain Cisco IOS security features. The commands are presented in alphabetical order. Some commands required for configuring security features may be found in other Cisco IOS command references. Use the command reference master index or search online to find these commands.

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] [broadcast] group groupname

Syntax Description

auth-proxy

Provides information about all authenticated-proxy user events.

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec

Runs accounting for EXEC shell session. This keyword might return user profile information such as what is generated by the autocommand command.

connection

Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level

Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

default

Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

list-name

Character string used to name the list of at least one of the accounting methods described in Table 2.

vrf vrf-name

(Optional) Specifies a virtual route forwarding (VRF) configuration.

Note VRF is used only with system accounting.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group group-name

At least one of the keywords described in Table 2.


Defaults

AAA accounting is disabled.

Command Modes

Global configuration

Command History

Release        Modification
10.3           This command was introduced.
12.0(5)T       Group server support was added.
12.1(1)T       The broadcast keyword was introduced on the Cisco AS5300 and Cisco AS5800 universal access servers.
12.1(5)T       The auth-proxy keyword was added.
12.2(1)DX      The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD      This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B       This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T      The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
12.2(15)B      The tunnel and tunnel-link accounting methods were introduced.
12.3(4)T       The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.
12.2SB         This command was integrated into Cisco IOS Release 12.2SB.


Usage Guidelines

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

Table 2 contains descriptions of keywords for aaa accounting methods.

Table 2 aaa accounting Methods 

Keyword
Description

group radius

Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.

group tacacs+

Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.

group group-name

Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name.


In Table 2, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Cisco IOS software supports the following two methods of accounting:

RADIUS—The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.

TACACS+—The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the methods to be tried in sequence as given.

If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

Named accounting method lists are specific to the indicated type of accounting. Method list keywords are described in Table 3.

Table 3 aaa accounting Method List Keywords 

Keyword
Description

auth-proxy

Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.

commands

Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.

connection

Creates a method list to provide accounting information about all outbound connections made from the network access server.

exec

Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.

network

Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.

resource

Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.

tunnel

Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.

tunnel-link

Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.



Note System accounting does not use named accounting lists; you can define the default list only for system accounting.


For minimal accounting, include the stop-only keyword to send a "stop" accounting notice at the end of the requested user process. For fuller accounting, include the start-stop keyword so that RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting records are stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes Overview" in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the appendix "TACACS+ Attribute-Value Pairs" in the Cisco IOS Security Configuration Guide.


Note This command cannot be used with TACACS or extended TACACS.


Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, the list-name argument must be ssg_broadcast_accounting. For more information about configuring SSG, see the chapter "Configuring Accounting for SSG" in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.

Examples

The following example defines a default commands accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example defines a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example defines a default system accounting method list, where accounting services are provided by RADIUS security server "sg_water" with a start-stop restriction. The aaa accounting command specifies accounting for vrf "water."

aaa accounting system default vrf water start-stop group sg_water

The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)

aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

Related Commands

Command                   Description
aaa authentication ppp    Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization         Sets parameters that restrict user access to a network.
aaa group server radius   Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+  Groups different TACACS+ server hosts into distinct lists and distinct methods.
aaa new-model             Enables the AAA access control model.
radius-server host        Specifies a RADIUS server host.
tacacs-server host        Specifies a TACACS+ server host.


aaa accounting connection h323

To define the accounting method list h323 with RADIUS as a method, using either stop-only or start-stop accounting, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only

Sends a "stop" accounting notice at the end of the requested user process.

start-stop

Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice was received by the accounting server.

none

Disables accounting services on this line or interface.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No accounting method list

Command Modes

Global configuration

Command History

Release        Modification
11.3(6)NA2     This command was introduced.


Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.

Examples

The following example enables authentication, authorization, and accounting (AAA) services and gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that provides the accounting services and that the RADIUS server will receive start-stop records.

aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

aaa accounting delay-start

To delay generation of accounting "start" records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [all] [vrf vrf-name]

no aaa accounting delay-start [all] [vrf vrf-name]

Syntax Description

all

(Optional) Extends the delay of accounting "start" records to all Virtual Route Forwarding (VRF) and non-VRF users.

vrf vrf-name

(Optional) Extends the delay of accounting "start" records to individual VRF users.


Defaults

Accounting records are not delayed.

Command Modes

Global configuration

Command History

Release        Modification
12.1           This command was introduced.
12.2(1)DX      The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD      This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B       This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T      The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
12.3(1)        The all keyword was added.
12.2(28)SB     This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

Use the aaa accounting delay-start command to delay generation of accounting "start" records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting "start" records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.


Note The aaa accounting delay-start command without keywords applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure either aaa accounting delay-start (for non-VRF users) together with aaa accounting delay-start vrf vrf-name (for VRF users), or aaa accounting delay-start all (for all VRF and non-VRF users).


Examples

The following example shows how to delay accounting "start" records until the IP address of the user is established:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 172.16.0.0 non-standard
radius-server key rad123

The following example shows that accounting "start" records are to be delayed to all VRF and non-VRF users:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 172.16.0.0 non-standard
radius-server key rad123

Related Commands

Command                   Description
aaa accounting            Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
aaa authentication ppp    Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization         Sets parameters that restrict user access to a network.
aaa new-model             Enables the AAA access control model.
radius-server host        Specifies a RADIUS server host.
tacacs-server host        Specifies a TACACS+ server host.


aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords

no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes

Global configuration

Command History

Release        Modification
12.2(13.7)T    This command was introduced.


Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state.

If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.
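The 64-bit counter arithmetic behind this command, as an added Python example that is not part of the Cisco reference: a collector-side routine that combines Acct-Input-Octets and Acct-Output-Octets with their gigawords wrap counts (RADIUS attributes 52 and 53), shows how the same Stop record is undercounted when the 64-bit counters are disabled, and implements the wrap-counting heuristic a collector needs for a NAS that does not send gigawords. The Attr=value record format and the session values are constructed.

```python
"""Added example (not Cisco's code): 64-bit accounting counters.

RFC 2869 defines Acct-Input-Gigawords (attribute 52) and Acct-Output-Gigawords
(attribute 53) as the number of times the 32-bit Acct-Input-Octets (42) and
Acct-Output-Octets (43) counters have wrapped. The record format below
(space-separated Attr=value pairs) is a constructed stand-in for a collector's
log, not IOS output.
"""

WRAP = 1 << 32  # span of a 32-bit octet counter


def parse_record(line):
    """Turn one 'Attr=value Attr=value ...' line into a dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def total_octets(octets, gigawords=0):
    """Combine a 32-bit octet counter with its wrap count into a 64-bit total."""
    if not 0 <= octets < WRAP:
        raise ValueError("octets must be a 32-bit counter value")
    return gigawords * WRAP + octets


def stop_record_totals(stop_line):
    """Input/output byte totals from a Stop record, using gigawords if present.

    A NAS configured with 'no aaa accounting gigawords' omits attributes 52/53,
    so the totals silently collapse to the low 32 bits of the real count.
    """
    r = parse_record(stop_line)
    return (
        total_octets(int(r["Acct-Input-Octets"]), int(r.get("Acct-Input-Gigawords", 0))),
        total_octets(int(r["Acct-Output-Octets"]), int(r.get("Acct-Output-Gigawords", 0))),
    )


def reconstruct_from_interims(octet_samples):
    """Legacy collector heuristic for a NAS without gigawords.

    Count one wrap each time the cumulative 32-bit counter decreases between
    consecutive interim records. This is only sound if the interim interval is
    short enough that the counter cannot wrap twice between two samples.
    """
    wraps = 0
    previous = 0
    for sample in octet_samples:
        if sample < previous:
            wraps += 1
        previous = sample
    return total_octets(previous, wraps)


# Constructed records for one session that moved more than 8 GB inbound.
STOP_WITH_GIGAWORDS = (
    "Acct-Status-Type=Stop Acct-Session-Id=0000004A "
    "Acct-Input-Octets=123456789 Acct-Input-Gigawords=2 "
    "Acct-Output-Octets=4000000000 Acct-Output-Gigawords=0"
)
STOP_WITHOUT_GIGAWORDS = (
    "Acct-Status-Type=Stop Acct-Session-Id=0000004A "
    "Acct-Input-Octets=123456789 Acct-Output-Octets=4000000000"
)
# Cumulative Acct-Input-Octets values seen in successive interim records
# of the same session (constructed): the counter wraps twice.
INTERIM_INPUT_OCTETS = [1_000_000, 3_000_000_000, 500_000_000, 4_000_000_000, 123_456_789]

if __name__ == "__main__":
    print(stop_record_totals(STOP_WITH_GIGAWORDS))        # (8713391381, 4000000000)
    print(stop_record_totals(STOP_WITHOUT_GIGAWORDS))     # (123456789, 4000000000)
    print(reconstruct_from_interims(INTERIM_INPUT_OCTETS))  # 8713391381
```

The two Stop records carry identical 32-bit fields; only the presence of attribute 52 distinguishes an 8 GB session from a 118 MB one, which is why billing or anomaly thresholds built on accounting data depend on the counters staying enabled.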


Note The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the configuration.


Examples

The following example shows that the AAA 64-bit counters have been disabled:

no aaa accounting gigawords

aaa accounting nested

To specify that NETWORK records be generated, or nested, within EXEC "start" and "stop" records for PPP users who start EXEC terminal sessions, use the aaa accounting nested command in global configuration mode. To disable nesting of NETWORK records, use the no form of this command.

aaa accounting nested

no aaa accounting nested

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release        Modification
12.0(5)T       This command was introduced.


Usage Guidelines

Use this command when you want to specify that NETWORK records be nested within EXEC "start" and "stop" records, such as for PPP users who start EXEC terminal sessions. In some cases, such as billing customers for specific services, it can be desirable to keep NETWORK "start" and "stop" records together, essentially nesting them within the framework of the EXEC "start" and "stop" messages. For example, a user dialing in using PPP can create the following records: EXEC-start, NETWORK-start, EXEC-stop, NETWORK-stop. By nesting the accounting records, NETWORK-stop records follow NETWORK-start messages: EXEC-start, NETWORK-start, NETWORK-stop, EXEC-stop.
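The record ordering described above, together with the start-stop versus stop-only distinction in the aaa accounting usage guidelines, as an added Python example that is not part of the Cisco reference. It walks a constructed stream of accounting records in arrival order, pairs Start and Stop records per session, and flags calls whose EXEC and NETWORK records interleave in the unnested order. The Attr=value format is constructed; mapping Service-Type Exec-User to EXEC records and Framed-User to NETWORK records, and grouping one call's records by Acct-Session-Id, are assumptions of the example.

```python
"""Added example (not Cisco's code): pairing and nesting checks over a stream
of RADIUS-style accounting records.

Constructed log format: one record per line, space-separated Attr=value pairs.
Assumptions: EXEC records carry Service-Type=Exec-User, NETWORK records carry
Service-Type=Framed-User, and all records of one call share Acct-Session-Id.
"""
from collections import defaultdict

KIND_BY_SERVICE = {"Exec-User": "EXEC", "Framed-User": "NETWORK"}


def parse_record(line):
    """'Attr=value Attr=value ...' -> dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def audit(lines):
    """Walk records in arrival order and return a dict with:

    open      - (session, kind) pairs that got a Start but no Stop
    orphans   - (session, kind) pairs that got a Stop with no Start
    unnested  - sessions whose Stop records did not close in LIFO order,
                e.g. EXEC-stop arrived while a NETWORK record was still open
    The 'unnested' condition is what aaa accounting nested prevents.
    """
    open_starts = set()
    orphans = []
    unnested = set()
    stacks = defaultdict(list)  # Acct-Session-Id -> open record kinds, innermost last

    for line in lines:
        r = parse_record(line)
        kind = KIND_BY_SERVICE.get(r.get("Service-Type"), "OTHER")
        session = r["Acct-Session-Id"]
        key = (session, kind)
        status = r["Acct-Status-Type"]
        if status == "Start":
            open_starts.add(key)
            stacks[session].append(kind)
        elif status == "Stop":
            if key not in open_starts:
                orphans.append(key)  # stop-only accounting, or a lost Start
                continue
            open_starts.remove(key)
            stack = stacks[session]
            if stack and stack[-1] != kind:
                unnested.add(session)  # closed out of order
            stack.remove(kind)
        # Interim-Update records neither open nor close anything here.

    return {"open": sorted(open_starts), "orphans": orphans, "unnested": sorted(unnested)}


# Constructed records. Session 0A: NETWORK nested inside EXEC (the desired
# order). Session 0B: the unnested order quoted in the reference. Session 0C:
# a Start that never got its Stop. Session 0D: a Stop with no Start.
LOG = [
    "Acct-Status-Type=Start Acct-Session-Id=0A User-Name=alice Service-Type=Exec-User",
    "Acct-Status-Type=Start Acct-Session-Id=0A User-Name=alice Service-Type=Framed-User",
    "Acct-Status-Type=Stop  Acct-Session-Id=0A User-Name=alice Service-Type=Framed-User",
    "Acct-Status-Type=Stop  Acct-Session-Id=0A User-Name=alice Service-Type=Exec-User",
    "Acct-Status-Type=Start Acct-Session-Id=0B User-Name=bob Service-Type=Exec-User",
    "Acct-Status-Type=Start Acct-Session-Id=0B User-Name=bob Service-Type=Framed-User",
    "Acct-Status-Type=Stop  Acct-Session-Id=0B User-Name=bob Service-Type=Exec-User",
    "Acct-Status-Type=Stop  Acct-Session-Id=0B User-Name=bob Service-Type=Framed-User",
    "Acct-Status-Type=Start Acct-Session-Id=0C User-Name=carol Service-Type=Framed-User",
    "Acct-Status-Type=Stop  Acct-Session-Id=0D User-Name=dave Service-Type=Exec-User",
]

if __name__ == "__main__":
    print(audit(LOG))
    # {'open': [('0C', 'NETWORK')], 'orphans': [('0D', 'EXEC')], 'unnested': ['0B']}
```

With stop-only accounting every record would land in orphans, so the pairing check is only meaningful where start-stop is configured; an entry left in open well after a call has plainly ended points at a "stop" record that never reached the server, which is worth chasing because a missing stop also means the session never gets a final byte count.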

Examples

The following example enables nesting of NETWORK accounting records for user sessions:

aaa accounting nested

aaa accounting resource start-stop group

To enable full resource accounting, which will generate both a "start" record at call setup and a "stop" record at call termination, use the aaa accounting resource start-stop group command in global configuration mode. To disable full resource accounting, use the no form of this command.

aaa accounting resource method-list start-stop [broadcast] group groupname

no aaa accounting resource method-list start-stop [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Specifies the server group to be used for accounting services. The following are valid server group names:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release        Modification
12.1(3)T       This command was introduced.


Usage Guidelines

Use the aaa accounting resource start-stop group command to send a "start" record at each call setup followed by a corresponding "stop" record at the call disconnect. There is a separate call setup/call disconnect "start-stop" accounting record that tracks the progress of the resource connection to the device, and a separate user authentication "start-stop" accounting record that tracks the user management progress. These two sets of accounting records are interlinked by a unique session ID for the call.

You may want to use this command to manage and monitor wholesale customers from one source of data reporting, such as accounting records.


Note Sending "start-stop" records for resource allocation along with user "start-stop" records during user authentication can lead to serious performance issues and is discouraged unless absolutely required.


All existing AAA accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure resource accounting for "start-stop" records:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default start-stop group radius

Related Commands

Command                                     Description
aaa accounting resource stop-failure group  Enables resource failure stop accounting support, which generates a "stop" record only if a call is terminated at any point prior to user authentication.


aaa accounting resource stop-failure group

To enable resource failure stop accounting support, which will generate a "stop" record at any point prior to user authentication only if a call is terminated, use the aaa accounting resource stop-failure group command in global configuration mode. To disable resource failure stop accounting, use the no form of this command.

aaa accounting resource method-list stop-failure [broadcast] group groupname

no aaa accounting resource method-list stop-failure [broadcast] group groupname

Syntax Description

method-list

Method used for accounting services. Use one of the following options:

default: Uses the listed accounting methods that follow this argument as the default list of methods for accounting services.

string: Character string used to name the list of accounting methods.

broadcast

(Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

groupname

Group to be used for accounting services. Use one of the following options:

string: Character string used to name a server group.

radius: Uses list of all RADIUS hosts.

tacacs+: Uses list of all TACACS+ hosts.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release        Modification
12.1(3)T       This command was introduced.


Usage Guidelines

Use the aaa accounting resource stop-failure group command to generate a "stop" record for any calls that do not reach user authentication; this function creates "stop" accounting records for the moment of call setup. All calls that pass user authentication will behave as before; that is, no additional accounting records will be seen.

All existing authentication, authorization, and accounting (AAA) accounting method list and server group options are made available to this command.

Examples

The following example shows how to configure "stop" accounting records from the moment of call setup:

aaa new-model
aaa authentication login AOL group radius local
aaa authentication ppp default group radius local
aaa authorization exec AOL group radius if-authenticated
aaa authorization network default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting resource default stop-failure group radius

Related Commands

Command                                     Description
aaa accounting resource start-stop group    Enables full resource accounting, which generates both a "start" record at call setup and a "stop" record at call termination.


aaa accounting send stop-record authentication failure

To generate accounting "stop" records for users who fail to authenticate at login or during session negotiation, use the aaa accounting send stop-record authentication failure command in global configuration mode. To stop generating records for users who fail to authenticate at login or during session negotiation, use the no form of this command.

aaa accounting send stop-record authentication failure [vrf vrf-name]

no aaa accounting send stop-record authentication failure

Syntax Description

vrf vrf-name

(Optional) Virtual Route Forwarding (VRF) configuration.


Defaults

The "stop" records are not generated.

Command Modes

Global configuration

Command History

Release        Modification
12.0(5)T       This command was introduced.
12.2(1)DX      The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD      This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B       This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T      The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use this command to generate accounting "stop" records for users who fail to authenticate at login or during session negotiation. When the aaa accounting command is activated, by default the Cisco IOS software does not generate accounting records for system users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason.

Use the vrf vrf-name keyword and argument to generate accounting "stop" records per Virtual Private Network (VPN) routing and forwarding (VRF) configuration.

Examples

The following example shows how to generate "stop" records for users who fail to authenticate at login or during session negotiation:

aaa accounting send stop-record authentication failure

aaa accounting session-duration ntp-adjusted

To calculate RADIUS attribute 46, Acct-Sess-Time, on the basis of the Network Time Protocol (NTP) clock time, use the aaa accounting session-duration ntp-adjusted command in global configuration mode. To disable the calculation that was configured on the basis of the NTP clock time, use the no form of this command.

aaa accounting session-duration ntp-adjusted

no aaa accounting session-duration ntp-adjusted

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, RADIUS attribute 46 is calculated on the basis of the 64-bit monotonically increasing counter, which is not NTP adjusted.

Command Modes

Global configuration

Command History

Release        Modification
12.2(4)T       This command was introduced.


Usage Guidelines

If this command is not configured, RADIUS attribute 46 can skew the session time by as much as 5 to 7 seconds for calls that have a duration of more than 24 hours. However, you may not want to configure the command for short-lived calls or if your device is up for only a short time because of the convergence time required if the session time is configured on the basis of the NTP clock time.

For RADIUS attribute 46 to reflect the NTP-adjusted time, you must configure the ntp server command as well as the aaa accounting session-duration ntp-adjusted command.
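A reconciliation check for the skew described above, as an added Python example that is not part of the Cisco reference: it compares the Acct-Session-Time (attribute 46) reported in a Stop record with the wall-clock duration derived from Event-Timestamp (attribute 55) on the matching Start and Stop records, and flags sessions whose difference exceeds a tolerance. The records are constructed, and the comparison only means something when the router's clock is NTP-synchronised, which is why the text requires ntp server alongside this command.

```python
"""Added example (not Cisco's code): reconcile reported Acct-Session-Time
(RADIUS attribute 46) against NTP-synchronised timestamps.

Event-Timestamp (RFC 2869 attribute 55, seconds since the epoch) is read from
each Start and Stop record; the Attr=value record format is constructed.
"""


def parse_record(line):
    """'Attr=value Attr=value ...' -> dict (constructed format)."""
    return dict(field.split("=", 1) for field in line.split())


def session_time_skew(start_line, stop_line):
    """Reported Acct-Session-Time minus the wall-clock duration between the two
    Event-Timestamp values. Zero means the NAS session timer and the clock agree;
    a negative value means the timer ran short."""
    start, stop = parse_record(start_line), parse_record(stop_line)
    if start["Acct-Session-Id"] != stop["Acct-Session-Id"]:
        raise ValueError("records belong to different sessions")
    wall_clock = int(stop["Event-Timestamp"]) - int(start["Event-Timestamp"])
    return int(stop["Acct-Session-Time"]) - wall_clock


def flag_skewed_sessions(pairs, tolerance=2):
    """Return (session id, skew) for every Start/Stop pair whose reported
    duration differs from wall-clock time by more than `tolerance` seconds."""
    flagged = []
    for start_line, stop_line in pairs:
        skew = session_time_skew(start_line, stop_line)
        if abs(skew) > tolerance:
            flagged.append((parse_record(stop_line)["Acct-Session-Id"], skew))
    return flagged


# Constructed records: a 25-hour session whose timer ran 6 s short (the size
# of skew the reference quotes for un-adjusted calls longer than 24 hours),
# and a 10-minute session that agrees with the clock.
LONG_START = "Acct-Status-Type=Start Acct-Session-Id=1001 Event-Timestamp=1700000000"
LONG_STOP = ("Acct-Status-Type=Stop Acct-Session-Id=1001 Event-Timestamp=1700090000 "
             "Acct-Session-Time=89994")
SHORT_START = "Acct-Status-Type=Start Acct-Session-Id=1002 Event-Timestamp=1700000000"
SHORT_STOP = ("Acct-Status-Type=Stop Acct-Session-Id=1002 Event-Timestamp=1700000600 "
              "Acct-Session-Time=600")
PAIRS = [(LONG_START, LONG_STOP), (SHORT_START, SHORT_STOP)]

if __name__ == "__main__":
    print(flag_skewed_sessions(PAIRS))  # [('1001', -6)]
```

A consistent skew on long sessions from one NAS, with none on short ones, is the signature the reference describes for a router that still derives attribute 46 from its monotonic counter; a skew that varies wildly across sessions points instead at an unsynchronised clock feeding Event-Timestamp.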

Examples

The following example shows that the attribute 46 session time is to be calculated on the basis of the NTP clock time:

aaa new-model
aaa authentication ppp default group radius
aaa accounting session-duration ntp-adjusted
aaa accounting network default start-stop group radius

Related Commands

Command        Description
ntp server     Allows the software clock to be synchronized by an NTP time server.


aaa accounting suppress null-username

To prevent the Cisco IOS software from sending accounting records for users whose username string is NULL, use the aaa accounting suppress null-username command in global configuration mode. To allow sending records for users with a NULL username, use the no form of this command.

aaa accounting suppress null-username

no aaa accounting suppress null-username

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release        Modification
11.2           This command was introduced.


Usage Guidelines

When aaa accounting is activated, the Cisco IOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. This command prevents accounting records from being generated for those users who do not have usernames associated with them.

Examples

The following example suppresses accounting records for users who do not have usernames associated with them:

aaa accounting suppress null-username

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.


aaa accounting update

To enable periodic interim accounting records to be sent to the accounting server, use the aaa accounting update command in global configuration mode. To disable interim accounting updates, use the no form of this command.

aaa accounting update [newinfo] [periodic number [jitter {maximum max-value}]]

no aaa accounting update

Syntax Description

newinfo

(Optional) An interim accounting record is sent to the accounting server whenever there is new accounting information to report relating to the user in question.

periodic

(Optional) An interim accounting record is sent to the accounting server periodically, as defined by the argument number.

number

(Optional) Integer specifying number of minutes.

jitter

(Optional) Allows you to set the maximum jitter value in periodic accounting.

maximum max-value

(Required) The number of seconds to set for maximum jitter in periodic accounting. The value 0 turns off jitter. Jitter is set to 300 seconds (5 minutes) by default.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.

12.2(13)T

Introduced support for generation of an additional updated interim accounting record that contains all available attributes when a call leg is connected.

12.2(15)T11

The jitter keyword was added.


Usage Guidelines

When the aaa accounting update command is activated, the Cisco IOS software issues interim accounting records for all users on the system. If the newinfo keyword is used, interim accounting records will be sent to the accounting server every time there is new accounting information to report. An example of this would be when IP Control Protocol (IPCP) completes IP address negotiation with the remote peer. The interim accounting record will include the negotiated IP address used by the remote peer.

When the gw-accounting aaa command and the aaa accounting update newinfo command and keyword are activated, Cisco IOS software generates and sends an additional updated interim accounting record to the accounting server when a call leg is connected. All attributes (for example, h323-connect-time and backward-call-indicators) available at the time of call connection are sent through this interim updated accounting record.

When used with the periodic keyword, interim accounting records are sent periodically as defined by the argument number. The interim accounting record contains all of the accounting information recorded for that user up to the time the accounting record is sent.

When using both the newinfo and periodic keywords, interim accounting records are sent to the accounting server every time there is new accounting information to report, and accounting records are sent to the accounting server periodically as defined by the argument number. For example, if you configure the aaa accounting update newinfo periodic number command, all users currently logged in will continue to generate periodic interim accounting records while new users will generate accounting records based on the newinfo algorithm.

Vendor-specific attributes (VSAs) such as h323-connect-time and backward call indicator (BCI) are transmitted in the interim update RADIUS message when the aaa accounting update newinfo command and keyword are enabled.

Jitter is used to provide an interval of time between records, so that the AAA server does not get overwhelmed by a constant stream of records. If certain applications require that periodic records be sent at exact intervals, you should disable jitter by setting it to 0.


Caution Using the aaa accounting update periodic command and keyword can cause heavy congestion when many users are logged into the network.

Examples

The following example sends PPP accounting records to a remote RADIUS server. When IPCP completes negotiation, this command sends an interim accounting record to the RADIUS server that includes the negotiated IP address for this user; it also sends periodic interim accounting records to the RADIUS server at 30-minute intervals.

aaa accounting network default start-stop group radius
aaa accounting update newinfo periodic 30

The following example sends periodic interim accounting records to the RADIUS server at 30-minute intervals and disables jitter:

aaa accounting update newinfo periodic 30 jitter maximum 0
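The two configurations above differ only in jitter. The following added Python simulation (not Cisco IOS code) shows why the Caution above matters: when many sessions come up at once, their 30-minute periodic timers stay aligned, so with jitter 0 every interim record lands on the AAA server in the same second, while a 300-second jitter spreads the same number of records out. The jitter model (each record delayed by a uniform random 0 to max-value seconds) is an assumption for illustration only.

```python
import random
from collections import Counter

# Constructed simulation (added example, not Cisco IOS code). It models when
# periodic interim accounting records are sent for many concurrent sessions,
# with and without the jitter that "aaa accounting update periodic <number>
# jitter maximum <max-value>" adds. The jitter model used here (each record is
# delayed by a uniform random 0..max-value seconds) is an assumption made for
# illustration, not a description of the IOS implementation.

def interim_record_times(session_starts, periodic_minutes, jitter_max_seconds,
                         horizon_seconds, seed=1):
    """Return the times (seconds) at which interim records would be sent."""
    rng = random.Random(seed)
    interval = periodic_minutes * 60
    times = []
    for start in session_starts:
        due = start + interval
        while due <= horizon_seconds:
            times.append(due + rng.randint(0, jitter_max_seconds))
            due += interval
    return times

def peak_records_per_second(times):
    """Highest number of records that land in any single one-second slot."""
    if not times:
        return 0
    return max(Counter(int(t) for t in times).values())

def compare(n_sessions=2000, periodic_minutes=30, jitter_max_seconds=300,
            horizon_hours=3, seed=1):
    # Worst case for the server: every session came up in the same second
    # (for example after a link flap), so all periodic timers are aligned.
    starts = [0] * n_sessions
    horizon = horizon_hours * 3600
    no_jitter = interim_record_times(starts, periodic_minutes, 0, horizon, seed)
    with_jitter = interim_record_times(starts, periodic_minutes,
                                       jitter_max_seconds, horizon, seed)
    return {
        "records": len(no_jitter),
        "peak_per_second_jitter_0": peak_records_per_second(no_jitter),
        "peak_per_second_jitter_300": peak_records_per_second(with_jitter),
    }

if __name__ == "__main__":
    print(compare())
```

The total record count is identical in both runs; only the per-second peak the server must absorb changes.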

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.

gw-accounting aaa

Enables VoIP gateway accounting through the AAA system.


aaa attribute

To add calling line identification (CLID) and dialed number identification service (DNIS) attribute values to a user profile, use the aaa attribute command in AAA-user configuration mode. To remove this command from your configuration, use the no form of this command.

aaa attribute {clid | dnis} attribute-value

no aaa attribute {clid | dnis} attribute-value

Syntax Description

clid

Adds CLID attribute values to the user profile.

dnis

Adds DNIS attribute values to the user profile.

attribute-value

Specifies a name for CLID or DNIS attribute values.


Defaults

If this command is not enabled, you will have an empty user profile.

Command Modes

AAA-user configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the aaa attribute command to add CLID or DNIS attribute values to a named user profile, which is created by using the aaa user profile command. The CLID or DNIS attribute values can be associated with the record that is going out with the user profile (via the test aaa group command), thereby providing the RADIUS server with access to CLID or DNIS information when the server receives a RADIUS record.

Examples

The following example shows how to add CLID and DNIS attribute values to the user profile "cat":

aaa user profile cat
 aaa attribute clid clidval
 aaa attribute dnis dnisval

Related Commands

Command
Description

aaa user profile

Creates an AAA user profile.

test aaa group

Associates a DNIS or CLID user profile with the record that is sent to the RADIUS server.


aaa attribute list

To define an authentication, authorization, and accounting (AAA) attribute list locally on a router, use the aaa attribute list command in global configuration mode. To remove the AAA attribute list, use the no form of this command.

aaa attribute list list-name

no aaa attribute list list-name

Syntax Description

list-name

Name of the local attribute list.


Defaults

A local attribute list is not defined.

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)XI1

This command was introduced.

12.3(14)T

This command was integrated into Cisco IOS Release 12.3(14)T.


Usage Guidelines

There is no limit to the number of lists that can be defined (except for NVRAM storage limits).

Examples

The following example shows that the attribute list named "TEST" is to be added to the subscriber profile "cisco.com":

aaa authentication ppp template1 local
aaa authorization network template1 local
!
aaa attribute list TEST
   attribute type interface-config "ip unnumbered FastEthernet0" service ppp protocol lcp
   attribute type interface-config "ip vrf forwarding blue" service ppp protocol lcp
!
ip vrf blue
 description vrf blue template1
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
subscriber authorization enable
!
subscriber profile cisco.com
 service local
 aaa attribute list TEST
!
bba-group pppoe grp1
 virtual-template 1
 service profile cisco.com
!
interface Virtual-Template1
 no ip address
 no snmp trap link-status
 no peer default ip address
 no keepalive
 ppp authentication pap template1
 ppp authorization template1
!

Related Commands

Command
Description

attribute type

Defines an attribute type that is to be added to an attribute list locally on a router.


aaa authentication arap

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.

aaa authentication arap {default | list-name} method1 [method2...]

no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description

default

Uses the listed methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method1 [method2...]

At least one of the keywords described in Table 4.


Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

aaa authentication arap default local

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

12.0(5)T

Group server and local-case support were added as method keywords for this command.


Usage Guidelines

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 4. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 4 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the more system:running-config command to view currently configured lists of authentication methods.
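The error-versus-failure rule above is the part of method-list behaviour that is most often misread, so here is an added Python model of it (not Cisco IOS code). It walks a list such as "aaa authentication arap MIS-access group radius local" and consults the next method only when the current one returns an error (for example, no RADIUS server answers), never when it returns a failure (bad credentials). The method implementations and user databases are constructed for the example; what happens when every method errors is an assumption of this model.

```python
from enum import Enum

# Constructed model (added example, not Cisco IOS code) of how a method list
# such as "aaa authentication arap MIS-access group radius local" is walked.

class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the user
    ERROR = "error"  # the method could not answer (server unreachable etc.)

# Hypothetical method implementations; names mirror the IOS method keywords.
def make_radius_method(server_up, users):
    def group_radius(username, password):
        if not server_up:
            return Result.ERROR   # no server in the group responded
        return Result.PASS if users.get(username) == password else Result.FAIL
    return group_radius

def make_local_method(users):
    def local(username, password):
        return Result.PASS if users.get(username) == password else Result.FAIL
    return local

def run_method_list(methods, username, password):
    """Return (final_result, names_tried): fall through only on ERROR."""
    tried = []
    for name, method in methods:
        tried.append(name)
        result = method(username, password)
        if result is not Result.ERROR:
            return result, tried  # PASS or FAIL ends the walk immediately
    # All methods errored. The model reports ERROR and leaves it to the caller
    # to treat that as "not authenticated" (assumption, not documented here).
    return Result.ERROR, tried

# Constructed user databases: the same user has different passwords in each.
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"alice": "local-pw", "admin": "console-pw"}

def scenario(server_up, username, password):
    methods = [("group radius", make_radius_method(server_up, RADIUS_USERS)),
               ("local", make_local_method(LOCAL_USERS))]
    return run_method_list(methods, username, password)
```

Note that a wrong password rejected by RADIUS is never retried against the local database, even though the local entry would have matched; only an unreachable server lets the local method run.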


Note