Table Of Contents
accounting (gatekeeper)
accounting (line)
accounting (server-group)
accounting acknowledge broadcast
acl (ISAKMP)
address
addressed-key
administrator authentication list
administrator authorization list
appfw policy-name
application (application firewall policy)
arap authentication
attribute (server-group)
attribute nas-port format
attribute type
audit-trail
authentication (IKE policy)
authentication command
authentication list (tti-registrar)
authentication terminal
authentication trustpoint
authentication url
authorization
authorization (server-group)
authorization (tti-registrar)
authorization list (global)
authorization list (tti-registrar)
authorization username
authorization username (tti-registrar)
auth-type
auto secure
auto-enroll
backup-gateway
bidirectional
block count
ca trust-point
cache clear age
cache disable
cache max
cache refresh
call admission limit
call guard-timer
cdp-url
certificate
clear aaa cache filterserver acl
clear aaa local user fail-attempts
clear aaa local user lockout
clear access-template
clear crypto call admission statistics
clear crypto engine accelerator counter
clear crypto ipsec client ezvpn
clear crypto isakmp
clear crypto sa
clear crypto session
clear dot1x
clear eou
clear ip admission cache
clear ip auth-proxy cache
clear ip ips configuration
clear ip ips statistics
accounting (gatekeeper)
To enable accounting services on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting services, use the no form of this command.
accounting [vsa]
no accounting [vsa]
Syntax Description
vsa | (Optional) Configures the vendor-specific attribute (VSA) method of accounting.
Defaults
Accounting is disabled.
Command Modes
Gatekeeper configuration
Command History
Release | Modification
11.3(2)NA | This command was introduced.
12.0(3)T | This command was integrated into Cisco IOS Release 12.0(3)T.
12.1(5)XM | The vsa keyword was added.
12.2(2)T | The vsa keyword was integrated into Cisco IOS Release 12.2(2)T.
12.2(2)XB1 | This command was implemented on the Cisco AS5850 universal gateway.
Usage Guidelines
Specify a RADIUS server before using the accounting command.
There are three different methods of accounting. The H.323 method sends the call detail record (CDR) to the RADIUS server, the syslog method uses the system logging facility to record the CDRs, and the VSA method collects VSAs.
Examples
The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:
aaa accounting connection start-stop group radius
The following example shows how to enable VSA accounting:
aaa accounting connection start-stop group radius
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
accounting (line)
To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.
accounting {arap | commands level | connection | exec} [default | list-name]
no accounting {arap | commands level | connection | exec} [default | list-name]
Syntax Description
arap | Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).
commands level | Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.
connection | Enables both CHAP and PAP, and performs PAP authentication before CHAP.
exec | Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.
default | (Optional) The name of the default method list, created with the aaa accounting command.
list-name | (Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.
Defaults
Accounting is disabled.
Command Modes
Line configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:
accounting commands 15 charlie
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security purposes.
accounting (server-group)
To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.
accounting [accept | reject] list-name
Syntax Description
accept | (Optional) All attributes will be rejected except for required attributes and the attributes specified in the list-name.
reject | (Optional) All attributes will be accepted except for the attributes specified in the list-name.
list-name | Given name for the accept or reject list.
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Release | Modification
12.2(1)DX | This command was introduced.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T | This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T | Platform support was added for the Cisco 7401ASR.
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.
Only one filter may be used for RADIUS accounting per server group.
Note
The list-name must be the same as the list-name defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add attributes to an accept or reject list.
Examples
The following example shows how to specify accept list "usage-only" for RADIUS accounting:
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
accounting accept usage-only
radius-server host 1.1.1.1 key mykey1
radius-server attribute list usage-only
Related Commands
Command | Description
aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization | Sets parameters that restrict network access to the user.
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa new-model | Enables the AAA access control model.
attribute (server-group configuration) | Adds attributes to an accept or reject list.
authorization (server-group configuration) | Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.
radius-server attribute list | Defines an accept or reject list name.
accounting acknowledge broadcast
To define a designated broadcast accounting server group, use the accounting acknowledge broadcast command in server group RADIUS configuration mode. To disable the broadcast functionality, use the no form of this command.
accounting acknowledge broadcast
no accounting acknowledge broadcast
Syntax Description
This command has no arguments or keywords.
Defaults
Accounting broadcast functionality is disabled for the RADIUS server group.
Command Modes
Server group RADIUS configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Examples
The following example enables accounting broadcast functionality on RADIUS server group abcgroup:
Router(config)# aaa group server radius abcgroup
Router(config-sg-radius)# accounting acknowledge broadcast
Related Commands
Command | Description
aaa accounting update | Enables periodic interim accounting records to be sent to the accounting server.
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
gw-accounting aaa | Enables VoIP gateway accounting through the AAA system.
acl (ISAKMP)
To configure split tunneling, use the acl command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.
acl number
no acl number
Syntax Description
number | Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.
Defaults
Split tunneling is not enabled; all data is sent via the Virtual Private Network (VPN) tunnel.
Command Modes
ISAKMP group configuration
Command History
Release | Modification
12.2(8)T | This command was introduced.
Usage Guidelines
Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the acl command.
Examples
The following example shows how to correctly apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent via the VPN tunnel.
crypto isakmp client configuration group cisco
! Reference the split-tunnel ACL from the group policy.
 acl 199
!
! The ACL that defines the protected subnet.
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
Related Commands
Command | Description
crypto isakmp client configuration group | Specifies the policy profile of the group that will be defined.
address
To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.
address ip-address
no address ip-address
Syntax Description
ip-address | IP address of the remote peer.
Defaults
No default behavior or values
Command Modes
Rsa-pubkey configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.
Examples
The following example specifies the RSA public key of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command | Description
crypto keyring | Defines a crypto keyring to be used during IKE authentication.
key-string | Specifies the RSA public key of a remote peer.
rsa-pubkey | Defines the RSA manual key to be used for encryption or signatures during IKE authentication.
addressed-key
To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode.
addressed-key key-address [encryption | signature]
Syntax Description
key-address | Specifies the IP address of the remote peer's RSA keys.
encryption | (Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.
signature | (Optional) Indicates that the RSA public key to be specified will be a signature special usage key.
Defaults
If neither the encryption nor the signature keyword is used, general purpose keys will be specified.
Command Modes
Public key chain configuration. This command invokes public key configuration mode.
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.
Follow this command with the key-string command to specify the key.
If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.
If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.
Examples
The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.
Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Related Commands
Command | Description
crypto key pubkey-chain rsa | Enters public key configuration mode (to allow you to manually specify the RSA public keys of other devices).
key-string (IKE) | Specifies the RSA public key of a remote peer.
named-key | Specifies which peer RSA public key you will manually configure.
show crypto key pubkey-chain rsa | Displays peer RSA public keys stored on your router.
administrator authentication list
To authenticate an administrative introducer for a Secure Device Provisioning (SDP) transaction, use the administrator authentication list command in tti-registrar configuration mode. To disable administrative introducer authentication, use the no form of this command.
administrator authentication list list-name
no administrator authentication list list-name
Syntax Description
Defaults
All introducers are authenticated as users; their username is used directly to build the device name.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
When you use the administrator authentication list command in SDP transactions, the RADIUS or TACACS+ authentication, authorization, and accounting (AAA) server checks for a valid account by looking at the username and password.
The authentication list and the authorization list usually both point to the same AAA list. It is possible that the lists can be on different databases, but it is generally not recommended.
Examples
The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:
Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
Command | Description
administrator authorization list | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for an administrative introducer in an SDP transaction.
authentication list (tti-registrar) | Authenticates an introducer in an SDP transaction.
authorization list (tti-registrar) | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP transaction.
administrator authorization list
To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner for an administrative introducer in a Secure Device Provisioning (SDP) transaction, use the administrator authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.
administrator authorization list list-name
no administrator authorization list list-name
Syntax Description
Defaults
There is no authorization information requested from the authentication, authorization, and accounting (AAA) server for the administrator.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
When you use the administrator authorization list command in SDP transactions, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authorization list are usually on the same database, but they can be on different AAA databases. (Storing lists on different databases is not recommended.)
When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:
user Password <userpassword>
cisco-avpair="tti:subjectname=<<DN subjectname>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#=<<value>>"
Note
The existence of a valid AAA username record is enough to pass the authentication check. The cisco-avpair=tti information is necessary only for the authorization check.
If a subject name is received in the authorization response, the registrar stores it in the enrollment database, and that subject name overrides the subject name supplied in the subsequent certificate request (PKCS10) from the petitioner device.
The numbered tti:iosconfig values are expanded into the Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.
Note
The template configuration location may include a variable $n, which is expanded to the name that the administrator enters in the additional SDP dialog.
Examples
The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:
Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
Command | Description
administrator authentication list | Authenticates an administrative introducer for an SDP transaction.
authentication list (tti-registrar) | Authenticates a user introducer for an SDP transaction.
authorization list (tti-registrar) | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP operation.
appfw policy-name
To define an application firewall policy and put the router in application firewall policy configuration mode, use the appfw policy-name command in global configuration mode. To remove a policy from the router configuration, use the no form of this command.
appfw policy-name policy-name
no appfw policy-name policy-name
Syntax Description
policy-name | Name of application policy.
Defaults
If this command is not issued, an application firewall policy cannot be created.
Command Modes
Global configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command puts the router in application firewall policy (appfw-policy-protocol) configuration mode, which allows you to begin defining the application firewall policy that will later be applied to the Cisco IOS Firewall via the ip inspect name command.
What Is an Application Firewall Policy?
The application firewall uses static signatures to detect security violations. A static signature is a collection of parameters that specifies which protocol conditions must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via a command-line interface (CLI) to form an application firewall policy (also known as a security policy).
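The following Python model, added here as an example and not part of Cisco IOS or this reference, shows how the rule types used in the appfw policy below (strict-http, content-length maximum, max-uri-length, max-header-length request, request-method rfc and request-method extension) turn protocol conditions into an action plus an optional alarm. The Rule and Finding classes, the rule-name strings, the sample policy limits and the three sample requests are all constructed for this example.

```python
"""Model of an HTTP application-firewall policy (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List

# Methods defined by RFC 2616; anything else is treated as an extension method.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


@dataclass
class Rule:
    action: str          # "allow" (pass the request) or "reset" (tear down the connection)
    alarm: bool = True   # whether a violation is logged
    limit: int = 0       # byte limit for the length-based rules


@dataclass
class Finding:
    rule: str
    detail: str
    action: str
    alarm: bool


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, headers, header_bytes, errors).

    Syntax problems are collected rather than raised so that the strict-http
    rule can decide what to do with them.
    """
    errors: List[str] = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        errors.append("missing blank line after headers")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        errors.append(f"malformed request line {lines[0]!r}")
        parts = (parts + ["", "", ""])[:3]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            errors.append(f"malformed header line {line!r}")
            continue
        headers[name.strip().lower()] = value.strip()
    header_bytes = sum(len(l) + 2 for l in lines[1:])  # count the CRLF of each header
    return parts[0], parts[1], headers, header_bytes, errors


def inspect(raw: bytes, policy: Dict[str, Rule]) -> List[Finding]:
    """Return every rule the request triggers, with the action the policy assigns."""
    method, uri, headers, header_bytes, errors = parse_request(raw)
    findings: List[Finding] = []

    def hit(name: str, detail: str) -> None:
        rule = policy.get(name)
        if rule is not None:
            findings.append(Finding(name, detail, rule.action, rule.alarm))

    if errors:
        hit("strict-http", "; ".join(errors))
    # request-method rfc covers RFC methods, request-method extension all others.
    if method in RFC_METHODS:
        hit("request-method rfc", f"RFC method {method}")
    else:
        hit("request-method extension", f"extension method {method!r}")
    rule = policy.get("max-uri-length")
    if rule and len(uri) > rule.limit:
        hit("max-uri-length", f"URI is {len(uri)} bytes, limit {rule.limit}")
    rule = policy.get("max-header-length")
    if rule and header_bytes > rule.limit:
        hit("max-header-length", f"headers are {header_bytes} bytes, limit {rule.limit}")
    rule = policy.get("content-length")
    if rule and "content-length" in headers:
        try:
            length = int(headers["content-length"])
        except ValueError:
            length = -1  # non-numeric value is treated as a violation
        if length < 0 or length > rule.limit:
            hit("content-length", f"Content-Length {headers['content-length']!r}, limit {rule.limit}")
    return findings


def verdict(findings: List[Finding]) -> str:
    """'reset' if any triggered rule resets the connection, otherwise 'allow'."""
    return "reset" if any(f.action == "reset" for f in findings) else "allow"


# Constructed sample policy; limits are chosen for this example.
SAMPLE_POLICY = {
    "strict-http": Rule("reset"),
    "content-length": Rule("reset", limit=1024),
    "max-uri-length": Rule("allow", limit=64),
    "max-header-length": Rule("allow", limit=512),
    "request-method rfc": Rule("allow", alarm=False),
    "request-method extension": Rule("reset"),
}

# Constructed sample requests.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
OVERSIZED = b"FOO /" + b"a" * 100 + b" HTTP/1.1\r\nHost: x\r\nContent-Length: 5000\r\n\r\n"
MALFORMED = b"GET /index.html\r\nHost x\r\n\r\n"

if __name__ == "__main__":
    for req in (BENIGN, OVERSIZED, MALFORMED):
        fs = inspect(req, SAMPLE_POLICY)
        print(verdict(fs), [(f.rule, f.action, f.alarm) for f in fs])
```

Note the design point the policy above relies on: a rule with action allow and alarm still records the event, so the benign request matches request-method rfc without producing a reset, while the malformed request is caught by strict-http before any length rule is evaluated.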
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
! Enter appfw-policy-http mode; the HTTP rules below are configured there.
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
Related Commands
Command | Description
application | Puts the router in appfw-policy-protocol configuration mode and begins configuring inspection parameters for a given protocol.
ip inspect name | Defines a set of inspection rules.
application (application firewall policy)
To put the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol, use the application command in application firewall policy configuration mode. To remove protocol-specific rules, use the no form of this command.
application protocol
no application protocol
Syntax Description
protocol | Protocol-specific traffic will be inspected. Currently, the only supported protocol is HTTP (specified via the http keyword), which defines the web policy.
Defaults
You cannot set up protocol-specific inspection parameters.
Command Modes
Application firewall policy configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command puts the router in appfw-policy-protocol configuration mode, where "protocol" is dependent upon the specified protocol. Because HTTP is currently the only available protocol, the configuration mode is "appfw-policy-http."
HTTP-Specific Inspection Commands
After you issue the application command and enter the appfw-policy-http configuration mode, begin configuring inspection parameters for HTTP traffic by issuing any of the following commands:
• audit-trail
• content-length
• content-type-verification
• max-header-length
• max-uri-length
• port-misuse
• request-method
• strict-http
• timeout
• transfer-encoding
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
! Enter appfw-policy-http mode; the HTTP rules below are configured there.
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
Related Commands
Command | Description
appfw policy-name | Defines an application firewall policy and puts the router in application firewall policy configuration mode.
arap authentication
To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of this command.
arap authentication {default | list-name} [one-time]
no arap authentication {default | list-name}
Caution
If you use a list-name value that was not configured with the aaa authentication arap command, ARAP will be disabled on this line.
Syntax Description
default | Default list created with the aaa authentication arap command.
list-name | Indicated list created with the aaa authentication arap command.
one-time | (Optional) Accepts the username and password in the username field.
Defaults
ARAP authentication uses the default set with the aaa authentication arap command. If no default is set, the local user database is checked.
Command Modes
Line configuration
Command History
Release | Modification
10.3 | This command was introduced.
11.0 | The one-time keyword was added.
Usage Guidelines
This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.
Examples
The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7:
arap authentication MIS-access
Related Commands
Command | Description
aaa authentication arap | Enables an AAA authentication method for ARAP using TACACS+.
attribute (server-group)
To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.
attribute value1 [value2 [value3]...]
no attribute value1 [value2 [value3]...]
Syntax Description
value1 [value2 [value3]...] | Attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56-59. At least one attribute value must be specified.
Defaults
If this command is not enabled, all attributes are sent to the network access server (NAS).
Command Modes
Server-group configuration
Command History
Release | Modification
12.2(1)DX | This command was introduced.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T | This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T | Platform support was added for the Cisco 7401ASR.
Usage Guidelines
Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.
The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:
• For authorization:
  – 6 (Service-Type)
  – 7 (Framed-Protocol)
• For accounting:
  – 4 (NAS-IP-Address)
  – 40 (Acct-Status-Type)
  – 41 (Acct-Delay-Time)
  – 44 (Acct-Session-ID)
Note
The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for.
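The following Python model, added as an example and not Cisco code, implements the accept/reject filter semantics described in the accounting (server-group) and attribute (server-group) sections above: range tokens such as 6-10 are expanded as the attribute command accepts them, an accept list keeps only the listed attributes, a reject list drops them, and the required attributes listed above survive a reject list because the NAS overrides the filter for them. The AttributeList class, the function names and the sample accounting record are this example's own.

```python
"""Accept/reject attribute filter for a RADIUS server group (added example)."""
from typing import Dict, Iterable, Set

# Required attributes from the Usage Guidelines above, keyed by purpose.
REQUIRED = {
    "authorization": {6, 7},        # Service-Type, Framed-Protocol
    "accounting": {4, 40, 41, 44},  # NAS-IP-Address, Acct-Status-Type,
                                    # Acct-Delay-Time, Acct-Session-ID
}


def parse_attribute_values(tokens: Iterable[str]) -> Set[int]:
    """Expand tokens such as '12', '6-10', '64-69' (the value1 [value2 ...]
    arguments of the attribute command) into a set of attribute numbers."""
    out: Set[int] = set()
    for tok in tokens:
        if "-" in tok:
            lo, hi = (int(x) for x in tok.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {tok!r}")
            out.update(range(lo, hi + 1))
        else:
            out.add(int(tok))
    if not out:
        raise ValueError("at least one attribute value must be specified")
    return out


class AttributeList:
    """One named list (radius-server attribute list NAME) used as accept or reject."""

    def __init__(self, name: str, mode: str, tokens: Iterable[str]):
        if mode not in ("accept", "reject"):
            raise ValueError("mode must be 'accept' or 'reject'")
        self.name = name
        self.mode = mode
        self.values = parse_attribute_values(tokens)


def apply_filter(attrs: Dict[int, object], flt: AttributeList, purpose: str) -> Dict[int, object]:
    """Return the attributes that survive the filter for 'authorization' or 'accounting'.

    accept: keep only listed attributes, plus the required ones;
    reject: drop listed attributes, but required ones are kept anyway,
    which is the NAS override described in the Usage Guidelines.
    """
    required = REQUIRED[purpose]
    kept: Dict[int, object] = {}
    for num, val in attrs.items():
        if num in required:
            kept[num] = val
        elif flt.mode == "accept" and num in flt.values:
            kept[num] = val
        elif flt.mode == "reject" and num not in flt.values:
            kept[num] = val
    return kept


# Constructed sample accounting record: attribute number -> value.
SAMPLE_RECORD = {
    1: "alice",        # User-Name
    4: "10.0.0.1",     # NAS-IP-Address (required for accounting)
    8: "10.1.1.5",     # Framed-IP-Address
    26: b"\x00\x00",   # Vendor-Specific
    40: 1,             # Acct-Status-Type (required)
    41: 0,             # Acct-Delay-Time (required)
    44: "0001",        # Acct-Session-Id (required)
}

if __name__ == "__main__":
    standard = AttributeList("standard", "accept", ["12", "217", "6-10", "13", "64-69", "218"])
    print(sorted(apply_filter(SAMPLE_RECORD, standard, "accounting")))
    drop = AttributeList("drop-acct", "reject", ["40-44", "1"])
    print(sorted(apply_filter(SAMPLE_RECORD, drop, "accounting")))
```

The second call shows the point of the Note above: the reject list names 40 through 44, yet 40, 41 and 44 remain in the accounting record because the server treats them as required for that purpose, whereas the same list applied for authorization would drop them.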
Examples
The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":
radius-server attribute list standard
 attribute 12 217 6-10 13 64-69 218
Related Commands
Command | Description
accounting (server-group configuration) | Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.
authorization (server-group configuration) | Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.
radius-server attribute list | Defines an accept or reject list name.
attribute nas-port format
To configure services to use specific named methods for different service types, each of which can use its own RADIUS server group, use the attribute nas-port format command in server-group configuration mode. To remove the override, use the no form of this command.
attribute nas-port format format-type [string]
no attribute nas-port format format-type [string]
Syntax Description
format-type | Type of format (see Table 12).
string | (Optional) Pattern of the data format (see Table 13).
Defaults
Default format type is used for all services.
Command Modes
Server-group configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
The following format types may be configured.
Table 12 Format Types
Format type | Description
a | Format is type, channel, or port.
b | Either interface(16), isdn(16), or async(16).
c | Data format (bits): shelf(2), slot(4), port(5), or channel(5).
d | Data format (bits): slot(4), module(1), port(3), vpi(8), or vci(16).
e | Configurable data format (see Table 13).
The following characters may be used in the string pattern of the data format.
Table 13 Characters Supported by Format-Type e
Character | Meaning
0 | Zero
1 | One
f | DS0 shelf
s | DS0 slot
a | DS0 adapter
P | DS0 port
i | DS0 subinterface
c | DS0 channel
F | Async shelf
S | Async slot
P | Async port
L | Async line
S | PPPoX slot (includes PPP over ATM [PPPoA], PPP over Ethernet over ATM [PPPoEoA], PPP over Ethernet over Ethernet [PPPoEoE], PPP over Ethernet over VLAN [PPPoEoVLAN], and PPP over Ethernet over Queue in Queue [PPPoEoQinQ]).
A | PPPoX adapter
P | PPPoX port
V | PPPoX VLAN ID
I | PPPoX virtual path identifier (VPI)
C | PPPoX virtual channel indicator (VCI)
U | Session ID
Examples
The following example shows that a leased-line PPP client has chosen to send no RADIUS Attribute 5 while the default is set for format d:
ppp accounting SerialAccounting
aaa accounting network default start-stop group radius
aaa accounting network SerialAccounting start-stop group group1
aaa group server radius group1
server 64.101.159.172 auth-port 1645 acct-port 1646
radius-server host 64.101.159.172 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d
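As an added example (not Cisco code), the following Python packs and unpacks a RADIUS NAS-Port (attribute 5) value according to the Table 12 field widths for format types c and d, and according to a Table 13 pattern string for format type e. The pattern handling assumes one pattern character per bit, most significant bit first, with '0' and '1' as literal bits; this page does not state that layout, so treat it as an assumption.

```python
"""NAS-Port bit layouts for the Cisco IOS 'attribute nas-port format' types.

Added example, not Cisco code. Format types c and d use the field widths that
Table 12 lists; format type e uses a caller-supplied pattern string built from
the Table 13 characters. Assumption: in a format-e pattern each character is
one bit of the 32-bit RADIUS NAS-Port (attribute 5), most significant bit
first, '0' and '1' are literal bits, and a field's characters are contiguous.
"""
from typing import Dict, List, Tuple

Layout = List[Tuple[str, int]]  # (field name, width in bits), most significant first

# Table 12, type c: shelf(2), slot(4), port(5), channel(5) -- a 16-bit value.
FORMAT_C: Layout = [("shelf", 2), ("slot", 4), ("port", 5), ("channel", 5)]
# Table 12, type d: slot(4), module(1), port(3), vpi(8), vci(16) -- a 32-bit value.
FORMAT_D: Layout = [("slot", 4), ("module", 1), ("port", 3), ("vpi", 8), ("vci", 16)]


def layout_from_pattern(pattern: str) -> Layout:
    """Turn a format-e pattern such as 'SSSSAAPPPP' + 'V'*12 + 'U'*10 into a layout.

    Assumption (see module docstring): 32 characters, one per bit, MSB first.
    Runs of the same character form one field; a letter may not reappear later.
    """
    if len(pattern) != 32:
        raise ValueError("format-e pattern must be 32 characters (one per bit)")
    layout: Layout = []
    for ch in pattern:
        if layout and layout[-1][0] == ch:
            layout[-1] = (ch, layout[-1][1] + 1)
        else:
            layout.append((ch, 1))
    letters = [name for name, _ in layout if name not in "01"]
    if len(letters) != len(set(letters)):
        raise ValueError("a field letter must occupy one contiguous run")
    return layout


def pack(layout: Layout, values: Dict[str, int]) -> int:
    """Compose NAS-Port from named field values; literal '0'/'1' fields need no value."""
    result = 0
    for name, width in layout:
        if name == "0":
            v = 0
        elif name == "1":
            v = (1 << width) - 1
        else:
            v = values.get(name, 0)
        if not 0 <= v < (1 << width):
            raise ValueError(f"{name}={v} does not fit in {width} bits")
        result = (result << width) | v
    return result


def unpack(layout: Layout, nas_port: int) -> Dict[str, int]:
    """Split a received NAS-Port into its named fields (literal bits are skipped)."""
    total = sum(width for _, width in layout)
    if not 0 <= nas_port < (1 << total):
        raise ValueError(f"NAS-Port {nas_port} exceeds the {total}-bit layout")
    fields: Dict[str, int] = {}
    shift = total
    for name, width in layout:
        shift -= width
        if name not in "01":
            fields[name] = (nas_port >> shift) & ((1 << width) - 1)
    return fields


if __name__ == "__main__":
    # Constructed sample: a NAS-Port as it would appear in an accounting record from
    # a router configured with 'radius-server attribute nas-port format d'.
    sample = pack(FORMAT_D, {"slot": 3, "module": 1, "port": 5, "vpi": 8, "vci": 100})
    print(sample, unpack(FORMAT_D, sample))
```

Decoding the fields this way is what lets an accounting pipeline correlate a RADIUS record with the physical or virtual port it came from.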
Related Commands
Command | Description
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
ip radius source-interface | Forces RADIUS to use the IP addressing of a specified interface for all outgoing RADIUS packets.
radius-server host | Specifies a RADIUS server host.
attribute type
To define an attribute type that is to be added to an attribute list locally on a router, use the attribute type command in global configuration mode. To remove the attribute type from the list, use the no form of this command.
attribute type {name}{value} [service service] [protocol protocol] [tag]
no attribute type {name}{value} [service service] [protocol protocol] [tag]
Syntax Description
name | Defines the Cisco IOS authentication, authorization, and accounting (AAA) internal name of the Internet Engineering Task Force (IETF) RADIUS attribute to be added to the attribute list.
value | Defines a string, binary, or IPv4 address value. This is the RADIUS attribute that is being defined in Cisco IOS AAA format. When a string is added to the attribute value, the string should be inside quotation marks. For example, if the value is "interface-config" and the string is "ip unnumbered FastEthernet0," you would write interface-config "ip unnumbered FastEthernet0".
service service | (Optional) Access method, which is typically PPP.
protocol protocol | (Optional) Type of protocol, which can be ATM, IP, or virtual private dial-up network (VPDN).
tag | (Optional) Provides a means of grouping attributes that refer to the same VPDN tunnel.
Defaults
An attribute type is not added to the attribute list.
Command Modes
Global configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
Attributes are added to the attribute list each time a new attribute type is defined.
When using the no form of this command, the entire line must be provided to avoid ambiguity.
Attributes are not validated at configuration. The AAA subsystem "knows" only the format that is expected by the services when the service defines a given attribute inside a definition file. However, it cannot validate the attribute information itself. This validation is done by a service when it first uses the attribute. This validation applies whether the AAA server is RADIUS or TACACS+. Thus, if you are not familiar with configuring a AAA server, it is advisable that you test your attribute list on a test device with the service that will be using the list before configuring and using it in a production environment.
Examples
The following example shows that the attribute list named "TEST" is to be added to the subscriber profile "cisco.com." The attribute TEST includes the attribute types interface-config "ip unnumbered FastEthernet0" and interface-config "ip vrf forwarding blue."
aaa authentication ppp template1 local
aaa authorization network template1 local
attribute type interface-config "ip unnumbered FastEthernet0" service ppp protocol lcp
attribute type interface-config "ip vrf forwarding blue" service ppp protocol lcp
description vrf blue template1
subscriber authorization enable
subscriber profile cisco.com
service profile cisco.com
interface Virtual-Template1
no peer default ip address
ppp authentication pap template1
ppp authorization template1
!
Related Commands
Command | Description
aaa attribute list | Defines a AAA attribute list locally on a router.
audit-trail
To turn audit trail messages on or off, use the audit-trail command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.
audit-trail {on | off}
no audit-trail {on | off}
Syntax Description
on | Audit trail messages are generated.
off | Audit trail messages are not generated.
Defaults
If this command is not issued, the default value specified via the ip inspect audit-trail command will be used.
Command Modes
appfw-policy-http configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
The audit-trail command will override the ip inspect audit-trail global command.
Examples
The following example, which shows how to define the HTTP application firewall policy "mypolicy," enables audit trail messages for the given policy. This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
strict-http action allow alarm
content-length maximum 1 action allow alarm
content-type-verification match-req-rsp action allow alarm
max-header-length request 1 response 1 action allow alarm
max-uri-length 1 action allow alarm
port-misuse default action allow alarm
request-method rfc default action allow alarm
request-method extension default action allow alarm
transfer-encoding type default action allow alarm
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
Related Commands
Command | Description
ip inspect audit-trail | Turns on audit trail messages.
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description
rsa-sig | Specifies RSA signatures as the authentication method.
rsa-encr | Specifies RSA encrypted nonces as the authentication method.
pre-share | Specifies preshared keys as the authentication method.
Defaults
RSA signatures
Command Modes
ISAKMP policy configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, and address commands.)
If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Examples
The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):
Related Commands
Command | Description
crypto isakmp key | Configures a preshared authentication key.
crypto isakmp policy | Defines an IKE policy.
crypto key generate rsa (IKE) | Generates RSA key pairs.
encryption (IKE policy) | Specifies the encryption algorithm within an IKE policy.
group (IKE policy) | Specifies the Diffie-Hellman group identifier within an IKE policy.
hash (IKE policy) | Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy) | Specifies the lifetime of an IKE SA.
show crypto isakmp policy | Displays the parameters for each IKE policy.
authentication command
To specify the HTTP command that is sent to the certification authority (CA) for authentication, use the authentication command in ca-profile-enroll configuration mode.
authentication command {http-command}
Syntax Description
http-command | Defines the HTTP command. Note: The http-command argument is not the HTTP URL.
Defaults
No default behavior or values
Command Modes
Ca-profile-enroll configuration
Command History
Release | Modification
12.2(13)ZH | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
Use the authentication command to send the HTTP request to the CA server for certificate authentication. Before enabling this command, you must use the authentication url command.
After enabling this command, you can use the parameter command to specify enrollment parameters for your enrollment profile.
Examples
The following example shows how to configure certificate authentication via HTTP for the enrollment profile named "E":
crypto ca trustpoint Entrust
crypto ca profile enrollment E
authentication url http://entrust:81
authentication command GET /certs/cacert.der
enrollment url http://entrust:81/cda-cgi/clientcgi.exe
enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
Related Commands
Command | Description
authentication url | Specifies the URL of the CA server to which to send authentication requests.
crypto ca profile enrollment | Defines an enrollment profile.
parameter | Specifies parameters for an enrollment profile.
authentication list (tti-registrar)
To authenticate the introducer in an Easy Secure Device Deployment (EzSDD) transaction, use the authentication list command in tti-registrar configuration mode. To disable the authentication, use the no form of this command.
authentication list list-name
no authentication list list-name
Syntax Description
list-name | Name of the list.
Defaults
An introducer is not authenticated.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
This command is used in EzSDD transactions. When the command is configured, the RADIUS or TACACS+ AAA server checks for a valid account by looking at the username and password.
The authentication list and the authorization list will usually both point to the same AAA list, but it is possible that the lists can be on different databases. This latter scenario is not recommended.
Examples
The following example shows that an authentication list named "authen-tac" has been configured. In this example, the authentication list is on a TACACS+ AAA server and the authorization list is on a RADIUS AAA server.
Router(config)# crypto wui tti registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-rad
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
Command | Description
authorization list (tti-registrar) | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner in an EzSDD operation.
debug crypto wui | Displays information about an EzSDD operation.
template config | Specifies a remote URL for a Cisco IOS CLI configuration template.
template username | Establishes a template username and password to access the configuration template on the file system.
authentication terminal
To manually cut and paste certificate authentication requests, use the authentication terminal command in ca-profile-enroll configuration mode. To delete a current authentication request, use the no form of this command.
authentication terminal
no authentication terminal
Syntax Description
This command has no arguments or keywords.
Defaults
An authentication request is not specified.
Command Modes
Ca-profile-enroll configuration
Command History
Release | Modification
12.2(13)ZH | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
A user may manually cut and paste certificate authentication requests when a network connection between the router and certification authority (CA) is not available. After this command is enabled, the authentication request is printed on the console terminal so that it can be manually copied (cut) by the user.
Examples
The following example shows how to specify manual certificate authentication and certificate enrollment via HTTP:
crypto ca profile enrollment E
enrollment url http://entrust:81/cda-cgi/clientcgi.exe
enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
Related Commands
Command | Description
crypto ca profile enrollment | Defines an enrollment profile.
authentication trustpoint
To specify the trustpoint used to authenticate the Secure Device Provisioning (SDP) petitioner device's existing certificate, use the authentication trustpoint command in tti-registrar configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
authentication trustpoint {trustpoint-label | use-any}
no authentication trustpoint {trustpoint-label | use-any}
Syntax Description
trustpoint-label | Name of trustpoint.
use-any | Use any configured trustpoint.
Defaults
If this command is not specified, the petitioner-signing certificate is not verified.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
Issue the authentication trustpoint command in tti-registrar configuration mode to validate the signing certificate that the petitioner used.
Examples
The following example shows how to specify the trustpoint mytrust for the petitioner-signing certificate:
crypto provisioning registrar
authentication trustpoint mytrust
After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint tti
enrollment url http://pki1-36a.cisco.com:80
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
crypto provisioning petitioner | Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode.
trustpoint signing | Specifies the trustpoint associated with the SDP exchange between the petitioner and the registrar for signing the SDP data including the certificate.
authentication url
To specify the URL of the certification authority (CA) server to which to send authentication requests, use the authentication url command in ca-profile-enroll configuration mode. To delete the authentication URL from your enrollment profile, use the no form of this command.
authentication url url
no authentication url url
Syntax Description
url | URL of the CA server to which your router should send authentication requests. If you are using Simple Certificate Enrollment Protocol (SCEP) for enrollment, the url argument must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA. If you are using TFTP for enrollment, the url argument must be in the form tftp://certserver/file_specification. (If the URL does not include a file specification, the fully qualified domain name [FQDN] of the router will be used.)
Defaults
Your router does not recognize the CA URL until you declare one using this command.
Command Modes
Ca-profile-enroll configuration
Command History
Release | Modification
12.2(13)ZH | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
If you do not specify the authentication command after you enable the authentication url command, the authentication url command functions the same as the enrollment url url command in trustpoint configuration mode. That is, the authentication url command will then be used only for certificate enrollment—not authentication.
This command allows the user to specify a different URL or a different method for authenticating a certificate and enrolling a certificate; for example, manual authentication and TFTP enrollment.
Examples
The following example shows how to configure an enrollment profile for direct HTTP enrollment with a CA server. In this example, the authentication command is also present.
crypto ca trustpoint Entrust
crypto ca profile enrollment E
authentication url http://entrust:81
authentication command GET /certs/cacert.der
enrollment url http://entrust:81/cda-cgi/clientcgi.exe
enrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
parameter 1 value aaaa-bbbb-cccc
The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via HTTP and manual certificate enrollment:
crypto ca profile enrollment E
authentication url http://entrust:81
authentication command GET /certs/cacert.der
parameter 1 value aaaa-bbbb-cccc
Related Commands
Command | Description
authentication command | Specifies the HTTP command that is sent to the CA for authentication.
crypto ca profile enrollment | Defines an enrollment profile.
enrollment | Specifies the enrollment parameters of your CA.
authorization
To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.
authorization {arap | commands level | exec | reverse-access} [default | list-name]
no authorization {arap | commands level | exec | reverse-access} [default | list-name]
Syntax Description
arap | Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.
commands | Enables authorization on the selected lines for all commands at the specified privilege level.
level | Specific command level to be authorized. Valid entries are 0 through 15.
exec | Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.
reverse-access | Enables authorization to determine if the user is allowed reverse access privileges.
default | (Optional) The name of the default method list, created with the aaa authorization command.
list-name | (Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.
Defaults
Authorization is not enabled.
Command Modes
Line configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
Examples
The following example enables command authorization (for level 15) using the method list named charlie on line 10:
authorization commands 15 charlie
Related Commands
Command | Description
aaa authorization | Sets parameters that restrict user access to a network.
authorization (server-group)
To filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization, use the authorization command in server-group configuration mode. To remove the filter on the authorization request or reply, use the no form of the command.
authorization [request | reply] [accept | reject] list-name
Syntax Description
request | (Optional) Defines filters for outgoing authorization Access Requests.
reply | (Optional) Defines filters for incoming authorization Accept or Reject packets and for outgoing accounting requests.
accept | (Optional) Indicates that the required attributes and the attributes specified in the list-name argument will be accepted. All other attributes will be rejected.
reject | (Optional) Indicates that the attributes specified in the list-name will be rejected. All other attributes will be accepted.
list-name | Defines the given name for the accept or reject list.
Defaults
If specific attributes are not accepted or rejected, all attributes will be accepted.
Command Modes
Server-group configuration
Command History
Release | Modification
12.2(1)DX | This command was introduced.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T | This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T | Platform support was added for the Cisco 7401ASR.
12.3(3)B | The request and reply keywords were added.
12.3(7)T | The request and reply keywords were integrated into Cisco IOS Release 12.3(7)T.
Usage Guidelines
An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.
Only one filter may be used for RADIUS authorization per server group.
Note
The list name must be the same as the list name defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add to an accept or reject list.
Examples
The following example shows how to configure accept list "min-author" in an Access-Accept packet from the RADIUS server:
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
authorization accept min-author
radius-server host 1.1.1.1 key mykey1
radius-server attribute list min-author
The following example shows that the attribute "all-attr" will be rejected in all outbound authorization Access Request messages:
aaa group server radius ras
server 272.19.192.238 auth-port 1745 acct-port 1746
authorization request reject all-attr
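The accept/reject filter semantics described under attribute (server-group) and in this section, as an added Python model that is not Cisco code: it expands the list syntax quoted in the attribute (server-group) example ("12, 217, 6-10, 13, 64-69, 218") and applies an accept or reject list to a packet's attributes while always passing the required attributes listed there. The sample Access-Accept contents are constructed.

```python
"""Accept/reject attribute filters for a RADIUS server group, as described
under the attribute (server-group) and authorization (server-group) commands.

Added example, not Cisco code. It expands the attribute-list syntax shown on
this page ("12, 217, 6-10, 13, 64-69, 218") into attribute numbers and applies
an accept or reject list to the attributes of a packet, honouring the rule
that required attributes are always passed: a required attribute placed in a
reject list, or missing from an accept list, is still accepted.
"""
from typing import Dict, Set

# Required attributes listed in the attribute (server-group) usage guidelines.
REQUIRED: Dict[str, Set[int]] = {
    "authorization": {6, 7},        # Service-Type, Framed-Protocol
    "accounting": {4, 40, 41, 44},  # NAS-IP-Address, Acct-Status-Type, Acct-Delay-Time, Acct-Session-ID
}


def parse_attribute_list(spec: str) -> Set[int]:
    """Expand a comma-separated list of numbers and ranges into a set of attribute types."""
    numbers: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(part) for part in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            numbers.update(range(lo, hi + 1))
        else:
            numbers.add(int(item))
    bad = [n for n in numbers if not 1 <= n <= 255]  # RADIUS type field is one octet
    if bad:
        raise ValueError(f"attribute numbers out of range: {sorted(bad)}")
    return numbers


def apply_filter(attributes: Dict[int, object], mode: str, listed: Set[int], purpose: str) -> Dict[int, object]:
    """Return the attributes the NAS keeps after applying an accept or reject list."""
    required = REQUIRED[purpose]
    if mode == "accept":
        allowed = listed | required          # listed plus required; everything else dropped
        return {k: v for k, v in attributes.items() if k in allowed}
    if mode == "reject":
        dropped = listed - required          # required attributes override the reject list
        return {k: v for k, v in attributes.items() if k not in dropped}
    raise ValueError(f"mode must be 'accept' or 'reject', not {mode!r}")


def overridden_required(mode: str, listed: Set[int], purpose: str) -> Set[int]:
    """Required attributes a list tries to exclude. IOS accepts them anyway and,
    as the note under attribute (server-group) says, gives no warning when the
    list is configured, so this is the check to run on a candidate list."""
    required = REQUIRED[purpose]
    return (listed & required) if mode == "reject" else (required - listed)


if __name__ == "__main__":
    standard = parse_attribute_list("12, 217, 6-10, 13, 64-69, 218")
    # Constructed Access-Accept contents: attribute type -> value.
    access_accept = {6: "Framed-User", 7: "PPP", 8: "10.0.0.5", 12: 1500, 25: "class-x", 27: 3600}
    print(apply_filter(access_accept, "accept", standard, "authorization"))
    print(overridden_required("reject", {6, 25}, "authorization"))
```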
Related Commands
Command | Description
aaa authentication ppp | Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization | Sets parameters that restrict network access to the user.
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa new-model | Enables the AAA access control model.
accounting (server-group configuration) | Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.
attribute (server-group configuration) | Adds attributes to an accept or reject list.
radius-server attribute list | Defines an accept or reject list name.
authorization (tti-registrar)
To enable authentication, authorization, and accounting (AAA) authorization for an introducer or a certificate, use the authorization command in tti-registrar configuration mode. To disable authorization, use the no form of this command.
authorization {login | certificate | login certificate}
no authorization {login | certificate | login certificate}
Syntax Description
login | Use the username of the introducer for AAA authorization.
certificate | Use the certificate of the petitioner for AAA authorization.
login certificate | Use the username of the introducer and the certificate of the petitioner for AAA authorization.
Defaults
If an authorization list is configured, then authorization is enabled by default.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command controls the authorization of the introduction. Authorization can be based on the following:
• The login of the petitioner (username and password) to the registrar
• The current certificate of the petitioner
• Both the login of the introducer and the current certificate of the petitioner
If you issue the authorization login command, the introducer logs in with a username and password such as ttiuser and mypassword, which are used against the configured authorization list to contact the AAA server and determine the appropriate authorization.
If you issue the authorization certificate command, the certificate of the petitioner is used to build an AAA username, which is used to obtain authorization information.
If you issue the authorization login certificate command, authorization for the introducer combines with authorization for the petitioner's current certificate. This means that two AAA authorization lookups occur. In the first lookup, the introducer username is used to retrieve any AAA attributes associated with the introducer. The second lookup is done using the configured certificate name field. If an AAA attribute appears in both lookups, the second one prevails.
Examples
The following example shows how to specify authorization for both the introducer and the current certificate of the petitioner:
crypto provisioning registrar
authorization login certificate
Related Commands
Command | Description
authorization list (tti-registrar) | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP transaction.
authorization list (global)
To specify the authentication, authorization, and accounting (AAA) authorization list, use the authorization list command in global configuration mode. To disable the authorization list, use the no form of this command.
authorization list list-name
no authorization list list-name
Syntax Description
list-name | Name of the AAA authorization list.
Defaults
An authorization list is not configured.
Command Modes
Global configuration
Command History
Release | Modification
12.3(1) | This command was introduced.
Usage Guidelines
Use the authorization list command to specify a AAA authorization list. For components that do not support specifying the application label, a default label of "any" from the AAA server will provide authorization. Likewise, a label of "none" from the AAA database indicates that the specified certificate is not valid. (The absence of any application label is equivalent to a label of "none," but "none" is included for completeness and clarity.)
Examples
The following example shows that the AAA authorization list "maxaaa" is specified:
aaa authorization network maxaaa group tacacs+
crypto ca trustpoint msca
enrollment url http://caserver.mycompany.com
authorization username subjectname serialnumber
Related Commands
Command | Description
authorization username | Specifies the parameters for the different certificate fields that are used to build the AAA username.
authorization list (tti-registrar)
To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner in an Easy Secure Device Deployment (EzSDD) operation, use the authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.
authorization list list-name
no authorization list list-name
Syntax Description
list-name | Name of the list.
Defaults
There is no authorization list on the AAA server.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
This command is used in EzSDD operations. When the command is used, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authorization list are usually on the same database, but they can be on different AAA databases. (Storing lists on different databases is not recommended.)
When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:
user Password <userpassword>
cisco-avpair="tti:subjectname=<<DN subjectname>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#<<value>>"
cisco-avpair="tti:iosconfig#=<<value>>"
Note
The existence of a valid AAA username record is enough to pass the authentication check. The "cisco-avpair=tti" information is necessary only for the authorization check.
If a subject name was received in the authorization response, the TTI registrar stores it in the enrollment database, and that "subjectname" overrides the subject name that is supplied in the subsequent certificate request (PKCS10) from the petitioner device.
The numbered "tti:iosconfig" values are expanded into the TTI Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.
Note
The template configuration location may include a variable "$n," which is expanded to the name with which the user is logged in.
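The authorization reply handling described in this section, together with the two-lookup rule under authorization (tti-registrar), as an added Python example that is not Cisco code. It assumes the AV-pair forms tti:subjectname=<DN> and tti:iosconfig#<n>=<value> (n from 1 to 9), an external snippet template that uses $1 through $9 and $n, and that a numbered variable with no matching value expands to nothing; the AAA replies are constructed.

```python
"""Handling of TTI (EzSDD/SDP) AAA authorization replies, as described under
the authorization list (tti-registrar) and authorization (tti-registrar) commands.

Added example, not Cisco code. Assumptions: the server returns cisco-avpair
values as 'tti:subjectname=<DN>' and 'tti:iosconfig#<n>=<value>' with n from
1 to 9; an external snippet template uses $1..$9 and $n; a numbered variable
with no matching iosconfig value expands to nothing; and with
'authorization login certificate' the certificate lookup is the second one and
prevails on conflict, as the page states.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches the two TTI AV-pair forms; group 1 = kind, group 2 = n (iosconfig only), group 3 = value.
_AVPAIR_RE = re.compile(r"^tti:(subjectname|iosconfig#([1-9]))=(.*)$")


@dataclass
class TtiAuthorization:
    subjectname: Optional[str] = None
    iosconfig: Dict[int, str] = field(default_factory=dict)


def parse_avpairs(avpairs: List[str]) -> TtiAuthorization:
    """Pick the tti: pairs out of one AAA lookup; other pairs (e.g. shell:priv-lvl) are ignored."""
    auth = TtiAuthorization()
    for pair in avpairs:
        m = _AVPAIR_RE.match(pair)
        if not m:
            continue
        kind, index, value = m.groups()
        if kind == "subjectname":
            auth.subjectname = value
        else:
            auth.iosconfig[int(index)] = value
    return auth


def merge_lookups(introducer: TtiAuthorization, certificate: TtiAuthorization) -> TtiAuthorization:
    """'authorization login certificate': attributes from the second (certificate) lookup prevail."""
    merged = TtiAuthorization()
    merged.subjectname = certificate.subjectname if certificate.subjectname is not None else introducer.subjectname
    merged.iosconfig = {**introducer.iosconfig, **certificate.iosconfig}
    return merged


def effective_subject(auth: TtiAuthorization, pkcs10_subject: str) -> str:
    """A subject name returned by AAA overrides the one in the petitioner's PKCS10 request."""
    return auth.subjectname if auth.subjectname is not None else pkcs10_subject


def expand_template(template: str, auth: TtiAuthorization, login_name: str) -> str:
    """Expand $1..$9 from tti:iosconfig values and $n from the introducer's login name."""
    def replace(m: "re.Match[str]") -> str:
        token = m.group(1)
        if token == "n":
            return login_name
        return auth.iosconfig.get(int(token), "")  # assumption: unset variables expand to nothing
    return re.sub(r"\$([1-9n])", replace, template)


if __name__ == "__main__":
    # Constructed replies for the two lookups done under 'authorization login certificate'.
    first = parse_avpairs(["tti:subjectname=CN=router1,O=example", "tti:iosconfig#1=hostname router1"])
    second = parse_avpairs(["tti:iosconfig#1=hostname branch-rtr", "tti:iosconfig#2=ip domain name example.net"])
    merged = merge_lookups(first, second)
    print(expand_template("$1\n$2\nusername $n privilege 15", merged, "ttiuser"))
```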
Examples
The following example shows that the authorization list name is "author-rad." In this example, the authentication list is on a TACACS+ AAA server and the authorization list is on a RADIUS AAA server.
Router(config)# crypto wui tti registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-rad
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end
Related Commands
Command
|
Description
|
authentication list (tti-registrar)
|
Authenticates the introducer in an EzSDD operation.
|
debug crypto wui
|
Displays information about an EzSDD operation.
|
template config
|
Specifies a remote URL for a Cisco IOS CLI configuration template.
|
template username
|
Establishes a template username and password to access the configuration template on the file system.
|
authorization username
To specify the parameters for the different certificate fields that are used to build the authentication, authorization and accounting (AAA) username, use the authorization username command in global configuration mode. To disable the parameters, use the no form of this command.
authorization username {subjectname subjectname}
no authorization username {subjectname subjectname}
Syntax Description
subjectname
|
AAA username that is generated from the certificate subject name.
|
subjectname
|
Builds the username. The following are options that may be used as the AAA username:
• all—Entire distinguished name (subject name) of the certificate.
• commonname—Certificate common name.
• country—Certificate country.
• email—Certificate email.
• ipaddress—Certificate ipaddress.
• locality—Certificate locality.
• organization—Certificate organization.
• organizationalunit—Certificate organizational unit.
• postalcode—Certificate postal code.
• serialnumber—Certificate serial number.
• state—Certificate state field.
• streetaddress—Certificate street address.
• title—Certificate title.
• unstructuredname—Certificate unstructured name.
|
Defaults
Parameters for the certificate fields are not specified.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(1)
|
This command was introduced.
|
12.3(11)T
|
The all option for the subjectname argument was added.
|
12.2(18)SXE
|
This command was integrated into Cisco IOS Release 12.2(18)SXE.
|
Examples
The following example shows that the serialnumber option is to be used as the authorization username:
aaa authorization network maxaaa group tacacs+
crypto ca trustpoint msca
enrollment url http://caserver.mycompany.com
authorization list maxaaa
authorization username subjectname serialnumber
Related Commands
Command
|
Description
|
authorization list
|
Specifies the AAA authorization list.
|
authorization username (tti-registrar)
To specify the parameters for the different certificate fields that are used to build the authentication, authorization, and accounting (AAA) username, use the authorization username command in tti-registrar configuration mode. To disable the parameters, use the no form of this command.
authorization username {subjectname subjectname}
no authorization username {subjectname subjectname}
Syntax Description
subjectname
|
AAA username that is generated from the certificate subject name.
|
subjectname
|
Builds the username. The following options can be used as the AAA username:
• all—Entire distinguished name (subject name) of the certificate
• commonname—Certificate common name
• country—Certificate country
• email—Certificate e-mail
• ipaddress—Certificate IP address
• locality—Certificate locality
• organization—Certificate organization
• organizationalunit—Certificate organizational unit
• postalcode—Certificate postal code
• serialnumber—Certificate serial number
• state—Certificate state field
• streetaddress—Certificate street address
• title—Certificate title
• unstructuredname—Certificate unstructured name
|
Defaults
Parameters for the certificate fields are not specified.
Command Modes
tti-registrar configuration
Command History
Release
|
Modification
|
12.3(14)T
|
This command was introduced.
|
Examples
The following example shows that the serialnumber option is used as the authorization username:
aaa authorization network maxaaa group tacacs+
crypto ca trustpoint msca
enrollment url http://caserver.mycompany.com
authorization list maxaaa
authorization username subjectname serialnumber
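The following Python example is added by the editor and is not part of the Cisco IOS documentation. It shows, for both the global authorization username command and the tti-registrar variant above, how each subjectname option maps a field of the certificate subject to the AAA username that is then looked up on the server. The sample distinguished name is constructed; the attribute spellings accepted for each option are this example's assumption (Cisco IOS prints the pkcs-9 unstructuredName attribute as OID.1.2.840.113549.1.9.2, as in the show output elsewhere on this page).

```python
import re

# Attribute types each subjectname option selects. The option names are the
# command's; which attribute spellings count for each is this example's assumption.
OPTION_ATTRS = {
    "commonname": {"CN"},
    "country": {"C"},
    "email": {"E", "EMAIL", "EMAILADDRESS"},
    "ipaddress": {"IP", "UNSTRUCTUREDADDRESS", "OID.1.2.840.113549.1.9.8"},
    "locality": {"L"},
    "organization": {"O"},
    "organizationalunit": {"OU"},
    "postalcode": {"POSTALCODE"},
    "serialnumber": {"SERIALNUMBER"},
    "state": {"ST", "S"},
    "streetaddress": {"STREET"},
    "title": {"T", "TITLE"},
    "unstructuredname": {"UNSTRUCTUREDNAME", "OID.1.2.840.113549.1.9.2"},
}


def parse_dn(dn):
    """Split "CN=a,OU=b" into [(TYPE, value)]; a backslash-escaped comma stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def aaa_username(subject_dn, option):
    """Build the AAA username the way "authorization username subjectname <option>" does."""
    if option == "all":
        return subject_dn                  # the entire distinguished name
    wanted = OPTION_ATTRS[option]          # KeyError for an option the command does not have
    values = [v for attr, v in parse_dn(subject_dn) if attr in wanted]
    if not values:
        raise ValueError("subject has no %s attribute for option %r" % (sorted(wanted)[0], option))
    return values[0]                       # first occurrence if the attribute type repeats


if __name__ == "__main__":
    # Constructed subject name of a router certificate.
    dn = ("CN=Router.cisco.com,OU=Spiral Dept.,O=tiedye.com,"
          "SERIALNUMBER=FTX0945A1B2,OID.1.2.840.113549.1.9.2=Router.cisco.com")
    for opt in ("commonname", "organizationalunit", "serialnumber", "unstructuredname", "all"):
        print("%-20s -> %s" % (opt, aaa_username(dn, opt)))
```

Choose a field whose value is unique per certificate within the CA (the serial number in the example, or all): if several devices share the selected field, for instance the same OU, they all map to one AAA record and the authorization list can no longer tell them apart.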
Related Commands
Command
|
Description
|
authorization list
|
Specifies the AAA authorization list.
|
auth-type
To set policy for devices that are dynamically authenticated or unauthenticated, use the auth-type command in identity profile configuration mode. To remove the policy that was specified, use the no form of this command.
auth-type {authorize | not-authorize} policy policy-name
no auth-type {authorize | not-authorize} policy policy-name
Syntax Description
authorize
|
Policy is specified for all authorized devices.
|
not-authorize
|
Policy is specified for all unauthorized devices.
|
policy policy-name
|
Specifies the name of the identity policy to apply for the associated authentication result.
|
Defaults
A policy is not set for authorized or unauthorized devices.
Command Modes
Identity profile configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
This command is used when a device is dynamically authenticated or unauthenticated by the network access device, and the device requires the name of the policy that should be applied for that authentication result.
Examples
The following example shows that 802.1x authentication applies to the identity policy "grant" for all dynamically authenticated hosts:
Router (config)# ip access-list extended allow-acl
Router (config-ext-nacl)# permit ip any any
Router (config-ext-nacl)# exit
Router (config)# identity policy grant
Router (config-identity-policy)# access-group allow-acl
Router (config-identity-policy)# exit
Router (config)# identity profile dot1x
Router (config-identity-prof)# auth-type authorize policy grant
Related Commands
Command
|
Description
|
identity policy
|
Creates an identity policy.
|
identity profile dot1x
|
Creates an 802.1x identity profile.
|
auto secure
To secure the management and forwarding planes of the router, use the auto secure command in privileged EXEC mode.
auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall |
tcp-intercept]
Syntax Description
management
|
(Optional) Only the management plane will be secured.
|
forwarding
|
(Optional) Only the forwarding plane will be secured.
|
no-interact
|
(Optional) The user will not be prompted for any interactive configurations. If this keyword is not enabled, the command will show the user the noninteractive configuration and the interactive configurations thereafter.
|
full
|
(Optional) The user will be prompted for all interactive questions. This is the default.
|
ntp
|
(Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command line-interface (CLI).
|
login
|
(Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.
|
ssh
|
(Optional) Specifies the configuration of the Secure Shell (SSH) feature in the AutoSecure CLI.
|
firewall
|
(Optional) Specifies the configuration of the firewall feature in the AutoSecure CLI.
|
tcp-intercept
|
(Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.
|
Defaults
Autosecure is not enabled.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
12.3(1)
|
This command was introduced.
|
12.2(18)S
|
This command was integrated into Cisco IOS Release 12.2(18)S.
|
12.3(4)T
|
The following keywords were added in Cisco IOS Release 12.3(4)T: full, ntp, login, ssh, firewall, and tcp-intercept.
|
12.3(8)T
|
Support for roll-back and for system logging messages was added in Cisco IOS Release 12.3(8)T.
|
Usage Guidelines
The auto secure command allows a user to disable, with a single CLI command, common IP services that can be exploited for network attacks. It reduces the complexity of securing a router by automating the configuration of security features and by disabling certain features that are enabled by default and that could otherwise be exploited as security holes.
Caution
If you are using Security Device Manager (SDM), you must manually enable the HTTP server via the ip http server command.
This command takes you through a semi-interactive session (also known as the AutoSecure dialogue) in which to secure the management and forwarding planes. This command gives you the option to secure just the management or forwarding plane; if neither option is selected, the dialogue will ask you to configure both planes.
Caution 
If your device is managed by a network management (NM) application, securing the management plane could turn off vital services and disrupt the NM application support.
This command also lets you go through all noninteractive portions of the dialogue before the interactive portions. Selecting the optional no-interact keyword runs only the noninteractive portions of the dialogue.
Roll-back and System Logging Message Support
In Cisco IOS Release 12.3(8)T, support for roll-back of the AutoSecure configuration is introduced. Roll-back enables a router to revert back to its preautosecure configuration state if the AutoSecure configuration fails.
System Logging Messages capture any changes or tampering of the AutoSecure configuration that were applied on the running configuration.
Note
Prior to Cisco IOS Release 12.3(8)T, roll-back of the AutoSecure configuration is unavailable; thus, you should always save the running configuration before configuring AutoSecure.
Examples
The following example shows how to enable AutoSecure to secure only the management plane:
Router# auto secure management
Related Commands
Command
|
Description
|
ip http server
|
Enables the HTTP server on your system, including the Cisco web browser user interface.
|
show auto secure config
|
Displays AutoSecure configurations.
|
auto-enroll
To enable certificate autoenrollment, use the auto-enroll command in ca-trustpoint configuration mode. To disable certificate autoenrollment, use the no form of this command.
auto-enroll [percent] [regenerate]
no auto-enroll [percent] [regenerate]
Syntax Description
percent
|
(Optional) The renewal percentage parameter causes the router to request a new certificate after the specified percent lifetime of the current certificate is reached. If not specified, the request for a new certificate is made when the old certificate expires. The specified percent value must not be less than 10.
|
regenerate
|
(Optional) Generates a new key for the certificate even if the named key already exists.
|
Defaults
Certificate autoenrollment is not enabled.
Command Modes
Ca-trustpoint configuration
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
12.3(7)T
|
The percent argument was added to support key rollover.
|
Usage Guidelines
Use the auto-enroll command to automatically request a router certificate from the certification authority (CA) using the parameters in the configuration. This command generates a new RSA key pair only if no key pair with the requested label already exists.
A trustpoint that is configured for certificate autoenrollment will attempt to reenroll when the router certificate expires.
Use the regenerate keyword to provide seamless key rollover for manual certificate enrollment. A new key pair is created with a temporary name, and the old certificate and key pair are retained until a new certificate is received from the CA. When the new certificate is received, the old certificate and key pair are discarded and the new key pair is renamed with the name of the original key pair. Some CAs require a new key for reenrollment to work.
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable:
! RSA keypair associated with trustpoint is exportable
Examples
The following example shows how to configure the router to autoenroll with the CA named "trustme1" on startup. In this example, the regenerate keyword is issued, so a new key will be generated for the certificate. The renewal percentage is configured as 90 so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires.
crypto ca trustpoint trustme1
enrollment url http://trustme1.company.com/
subject-name OU=Spiral Dept., O=tiedye.com
auto-enroll 90 regenerate
crypto ca authenticate trustme1
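The following Python example is added by the editor and is not part of the Cisco IOS documentation. It computes when a trustpoint configured with auto-enroll [percent] requests its next certificate, enforces the lower bound of 10 percent stated in the syntax description, and reproduces the figure in the example above (a one-year certificate with a renewal percentage of 90 is renewed 36.5 days before it expires). The validity period is constructed and the date helper is this example's own.

```python
from datetime import datetime, timedelta


def date_from_iso(text):
    """Helper for callers: "2004-05-01" or "2004-05-01T12:00:00" to a datetime."""
    return datetime.fromisoformat(text)


def renewal_time(start, end, percent=None):
    """When a trustpoint with "auto-enroll [percent]" requests its next certificate.

    Without a percentage the request is made at expiry; with one, after that
    fraction of the lifetime has elapsed. Values below 10 are rejected, as the
    command rejects them.
    """
    if end <= start:
        raise ValueError("certificate end date must be after its start date")
    if percent is None:
        return end
    if not 10 <= percent <= 100:
        raise ValueError("renewal percentage must be between 10 and 100")
    return start + (end - start) * (percent / 100.0)


def days_before_expiry(start, end, percent):
    """Lead time, in days, that a given percentage leaves before the old certificate expires."""
    return (end - renewal_time(start, end, percent)) / timedelta(days=1)


def due_for_reenrollment(now, start, end, percent=None):
    """True once the router should have issued its reenrollment request."""
    return now >= renewal_time(start, end, percent)


# Constructed one-year (365-day) validity period, matching the page's example.
EXAMPLE_START = datetime(2003, 6, 6, 18, 44, 49)
EXAMPLE_END = datetime(2004, 6, 5, 18, 44, 49)

if __name__ == "__main__":
    print("renewal at", renewal_time(EXAMPLE_START, EXAMPLE_END, 90),
          "(%.1f days before expiry)" % days_before_expiry(EXAMPLE_START, EXAMPLE_END, 90))
```

The lead time is what protects you when the CA is unreachable: with no percentage the request is made only at expiry, so any outage of the enrollment URL at that moment leaves the router without a valid certificate.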
Related Commands
Command
|
Description
|
crypto ca authenticate
|
Retrieves the CA certificate and authenticates it.
|
crypto ca trustpoint
|
Declares the CA that your router should use.
|
backup-gateway
To configure a server to "push down" a list of backup gateways to the client, use the backup-gateway command in global configuration mode. To remove a backup gateway, use the no form of this command.
backup-gateway {ip-address | hostname}
no backup-gateway {ip-address | hostname}
Syntax Description
ip-address
|
IP address of the gateway.
|
hostname
|
Host name of the gateway.
|
Defaults
A list of backup gateways is not configured.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
Before using the backup-gateway command, you must first configure the crypto isakmp client configuration group command.
An example of an attribute-value (AV) pair for the backup gateway attribute is as follows:
ipsec:ipsec-backup-gateway=10.1.1.1
Note
• If you have to configure more than one backup gateway, add a backup-gateway command line for each.
• You can configure a maximum of 10 backup gateways.
Examples
The following example shows that gateway 10.1.1.1 has been configured as a backup gateway:
crypto isakmp client configuration group group1
backup-gateway 10.1.1.1
The following output example shows that five backup gateways have been configured:
crypto isakmp client configuration group sdm
key 6 RMZPPMRQMSdiZNJg`EBbCWTKSTi\d[
backup-gateway 172.12.12.12
backup-gateway 172.12.12.13
backup-gateway 172.12.12.14
backup-gateway 172.12.12.130
backup-gateway 172.12.12.131
Related Commands
Command
|
Description
|
crypto isakmp client configuration group
|
Specifies to which group a policy profile will be defined.
|
bidirectional
To enable incoming and outgoing IP traffic to be exported across a monitored interface, use the bidirectional command in router IP traffic export (RITE) configuration mode. To return to the default functionality, use the no form of this command.
bidirectional
no bidirectional
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not enabled, only incoming traffic is exported.
Command Modes
RITE configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
Usage Guidelines
By default, only incoming IP traffic is exported. If you choose to export outgoing IP traffic, you must issue both the bidirectional command, which enables outgoing traffic to be exported, and the outgoing command, which specifies how the outgoing traffic will be filtered.
The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.
Examples
The following example shows how to export both incoming and outgoing IP traffic on the FastEthernet interface:
Router(config)# ip traffic-export profile johndoe
Router(config-rite)# interface FastEthernet1/0.1
Router(config-rite)# bidirectional
Router(config-rite)# incoming access-list 101
Router(config-rite)# outgoing access-list 101
Router(config-rite)# mac-address 6666.6666.3333
Related Commands
Command
|
Description
|
interface (RITE)
|
Specifies the outgoing interface for exporting traffic.
|
ip traffic-export profile
|
Creates or edits an IP traffic export profile and enables the profile on an ingress interface.
|
outgoing
|
Configures filtering for outgoing export traffic.
|
block count
To lock out group members for a length of time after a set number of incorrect passwords, use the block count command in local RADIUS server group configuration mode. To remove the user block after invalid login attempts, use the no form of this command.
block count count time {seconds | infinite}
no block count count time {seconds | infinite}
Syntax Description
count
|
Number of failed passwords that triggers a lockout.
|
time
|
Time that the lockout should last.
|
seconds
|
Number of seconds that the lockout should last.
|
infinite
|
Length of time for the lockout is indefinite until an administrator manually unblocks the locked username.
|
Defaults
No default behavior or values
Command Modes
Local RADIUS server group configuration
Command History
Release
|
Modification
|
12.2(11)JA
|
This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
|
12.3(11)T
|
This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
|
Usage Guidelines
If the infinite keyword is entered, an administrator must manually unblock the locked username.
Examples
The following command locks out group members for 120 seconds after three incorrect passwords are entered:
block count 3 time 120
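The following Python model is added by the editor and is not part of the Cisco IOS documentation. It shows the behaviour that block count specifies: consecutive failed passwords for a username are counted, reaching the count locks that username for the configured number of seconds or indefinitely, a correct password is refused while the lock holds, and an indefinite lock is released only by an administrative unblock. The usernames and the injected clock values are constructed.

```python
import time

INFINITE = None   # "time infinite": locked until an administrator unblocks the username


class GroupLockout:
    """Models "block count <count> time {<seconds> | infinite}" for one user group."""

    def __init__(self, count, seconds, clock=time.monotonic):
        self.count = count
        self.seconds = seconds          # lockout length in seconds, or INFINITE
        self.clock = clock
        self.failures = {}              # username -> consecutive failed passwords
        self.blocked = {}               # username -> unblock time, or INFINITE

    def is_blocked(self, user, now=None):
        now = self.clock() if now is None else now
        if user not in self.blocked:
            return False
        until = self.blocked[user]
        if until is INFINITE or now < until:
            return True
        # A timed lockout has elapsed: clear it and start the count afresh.
        del self.blocked[user]
        self.failures.pop(user, None)
        return False

    def attempt(self, user, password_ok, now=None):
        """Process one login attempt; returns "accept", "reject" or "blocked"."""
        now = self.clock() if now is None else now
        if self.is_blocked(user, now):
            return "blocked"            # even a correct password is refused while locked
        if password_ok:
            self.failures.pop(user, None)
            return "accept"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.count:
            self.blocked[user] = INFINITE if self.seconds is INFINITE else now + self.seconds
        return "reject"

    def unblock(self, user):
        """Administrative unblock (the clear radius local-server command in Related Commands)."""
        self.blocked.pop(user, None)
        self.failures.pop(user, None)


if __name__ == "__main__":
    lockout = GroupLockout(count=3, seconds=120)     # block count 3 time 120
    for t in (0, 1, 2, 3):
        print(t, lockout.attempt("alice", password_ok=False, now=t))
    print(122, lockout.attempt("alice", password_ok=True, now=122))
```

Because the lock is keyed on the username, anyone who knows a valid username can keep it locked by sending wrong passwords; with time infinite that becomes an outage for the user until an administrator intervenes, so reserve infinite lockouts for cases where that trade-off is acceptable.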
Related Commands
Command
|
Description
|
clear radius local-server
|
Clears the statistics display or unblocks a user.
|
debug radius local-server
|
Displays the debug information for the local server.
|
group
|
Enters user group configuration mode and configures shared settings for a user group.
|
nas
|
Adds an access point or router to the list of devices that use the local authentication server.
|
radius-server host
|
Specifies the remote RADIUS server host.
|
radius-server local
|
Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
|
reauthentication time
|
Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
|
show radius local-server statistics
|
Displays statistics for a local network access server.
|
ssid
|
Specifies up to 20 SSIDs to be used by a user group.
|
user
|
Authorizes a user to authenticate using the local authentication server.
|
vlan
|
Specifies a VLAN to be used by members of a user group.
|
ca trust-point
To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in ISAKMP profile configuration mode. To remove the trustpoint, use the no form of this command.
ca trust-point trustpoint-name
no ca trust-point trustpoint-name
Syntax Description
trustpoint-name
|
The trustpoint name as defined in the global configuration.
|
Defaults
If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.
Command Modes
ISAKMP profile configuration
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
Usage Guidelines
The ca trust-point command can be used multiple times to define more than one trustpoint.
This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.
Before you can use this command, you must enter the crypto isakmp profile command.
Note
A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)
Examples
The following example defines two trustpoints, A and B, and then restricts each ISAKMP profile (one per VPN) to a single trustpoint:
crypto ca trustpoint A
 enrollment url http://kahului:80
crypto ca trustpoint B
 enrollment url http://arjun:80
crypto isakmp profile vpn1
 ca trust-point A
crypto isakmp profile vpn2
 ca trust-point B
Related Commands
Command
|
Description
|
crypto isakmp profile
|
Defines an ISAKMP profile.
|
cache clear age
To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache clear age minutes
no cache clear age
Syntax Description
minutes
|
Any value from 0 to 4294967295; the default value is 1440 minutes.
|
Defaults
1440 minutes (1 day)
Command Modes
AAA filter configuration
Command History
Release
|
Modification
|
12.2(13)T
|
This command was introduced.
|
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.
Examples
The following example shows how to configure the cache entries to expire every 60 minutes:
cache clear age 60
Related Commands
Command
|
Description
|
aaa cache filter
|
Enables filter cache configuration.
|
cache disable
To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.
cache disable
no cache disable
Syntax Description
This command has no arguments or keywords.
Defaults
Caching is enabled.
Command Modes
AAA filter configuration
Command History
Release
|
Modification
|
12.2(13)T
|
This command was introduced.
|
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache disable command to disable filter caching. This command can be used to verify that the access control lists (ACLs) are being downloaded.
Examples
The following example shows how to disable filter caching:
cache disable
Related Commands
Command
|
Description
|
aaa cache filter
|
Enables filter cache configuration.
|
cache max
To limit the absolute number of entries that a cache can maintain for a particular server, use the cache max command in AAA filter configuration mode. To return to the default value, use the no form of this command.
cache max number
no cache max
Syntax Description
number
|
Maximum number of entries the cache can maintain. Any value from 0 to 4294967295; the default value is 100 entries.
|
Defaults
100 entries
Command Modes
AAA filter configuration
Command History
Release
|
Modification
|
12.2(13)T
|
This command was introduced.
|
Usage Guidelines
After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache max command to specify the maximum number of entries the cache can have at any given time. If this command is not specified, the default value (100 entries) will be enabled.
Examples
The following example shows how to configure the cache to maintain a maximum of 150 entries:
cache max 150
Related Commands
Command
|
Description
|
aaa cache filter
|
Enables filter cache configuration.
|
cache refresh
To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.
cache refresh
no cache refresh
Syntax Description
This command has no arguments or keywords.
Defaults
This command is enabled by default.
Command Modes
AAA filter configuration
Command History
Release
|
Modification
|
12.2(13)T
|
This command was introduced.
|
Usage Guidelines
The cache refresh command keeps cache entries downloaded from the filter server in the cache for as long as new sessions keep referring to them: each time a new call references an entry, its idle timer is reset.
Examples
The following example shows how to disable the cache refresh command:
no cache refresh
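The following Python model is added by the editor and is not part of the Cisco IOS documentation. It shows, in one place, how the four AAA filter configuration commands above interact: cache max bounds the number of entries, cache clear age expires an entry after its idle time, cache refresh decides whether a new session resets that idle time, and cache disable makes every lookup download the ACL from the filter server (the documented way to confirm that ACLs are being downloaded). The filter names, the stand-in download, and the eviction of the least recently touched entry when the limit is reached are constructed assumptions of this example.

```python
import time
from collections import OrderedDict


class FilterCache:
    """Models the AAA filter-server ACL cache (cache max / clear age / refresh / disable)."""

    def __init__(self, max_entries=100, clear_age_min=1440, refresh=True,
                 disabled=False, clock=time.monotonic):
        self.max_entries = max_entries      # cache max <number>
        self.age = clear_age_min * 60       # cache clear age <minutes>, kept in seconds
        self.refresh = refresh              # cache refresh / no cache refresh
        self.disabled = disabled            # cache disable
        self.clock = clock
        self.entries = OrderedDict()        # filter name -> (acl text, last-touched time)
        self.downloads = 0                  # how often the filter server was asked

    def _download(self, name):
        """Stand-in for the filter-server download (constructed, not real AAA traffic)."""
        self.downloads += 1
        return "permit ip any any ! acl %s" % name

    def lookup(self, name, now=None):
        """Return the ACL for a filter name, downloading it only when the cache cannot serve it."""
        now = self.clock() if now is None else now
        if not self.disabled and name in self.entries:
            acl, last = self.entries[name]
            if now - last < self.age:
                if self.refresh:                     # a new session resets the idle timer
                    self.entries[name] = (acl, now)
                    self.entries.move_to_end(name)
                return acl
            del self.entries[name]                   # expired under cache clear age
        acl = self._download(name)
        if self.disabled or self.max_entries == 0:
            return acl                               # nothing is stored
        while len(self.entries) >= self.max_entries:
            self.entries.popitem(last=False)         # evict least recently touched (assumed policy)
        self.entries[name] = (acl, now)
        return acl

    def clear(self, name=None):
        """clear aaa cache filterserver acl [filter-name]"""
        if name is None:
            self.entries.clear()
        else:
            self.entries.pop(name, None)


if __name__ == "__main__":
    cache = FilterCache(max_entries=150, clear_age_min=60)
    cache.lookup("acl-branch", now=0)
    cache.lookup("acl-branch", now=1800)
    print("downloads after two lookups within the age:", cache.downloads)
```

A long clear age keeps a revoked or tightened ACL in force on the router until the entry idles out; when you change an ACL on the filter server, clear the entry with clear aaa cache filterserver acl rather than waiting for expiry.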
Related Commands
Command
|
Description
|
aaa cache filter
|
Enables filter cache configuration.
|
call admission limit
To instruct Internet Key Exchange (IKE) to drop security association (SA) requests (that is, calls for Call Admission Control [CAC]) when a specified percentage of system resources is being consumed, use the call admission limit command in global configuration mode. To disable this feature, use the no form of this command.
call admission limit percent
no call admission limit percent
Syntax Description
percent
|
Percentage of the system resources that, when used, causes IKE to stop accepting new SA requests. Valid values are 1 to 100.
|
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
It is recommended that initially you specify a value of 90. You will have to alter the value depending on the network topology, the capabilities of the router, and the traffic patterns.
Examples
The following example causes IKE to drop calls when 90 percent of system resources are being used:
Router(config)# call admission limit 90
Related Commands
Command
|
Description
|
show call admission statistics
|
Monitors the global CAC configuration parameters and the behavior of CAC.
|
call guard-timer
To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer command in controller configuration mode. To remove the call guard-timer command from your configuration file, use the no form of this command.
call guard-timer milliseconds [on-expiry {accept | reject}]
no call guard-timer milliseconds [on-expiry {accept | reject}]
Syntax Description
milliseconds
|
Specifies the number of milliseconds to wait for a response from the RADIUS server.
|
on-expiry accept
|
(Optional) Accepts the call if a response is not received from the RADIUS server within the specified time.
|
on-expiry reject
|
(Optional) Rejects the call if a response is not received from the RADIUS server within the specified time.
|
Defaults
No default behavior or values.
Command Modes
Controller configuration
Command History
Release
|
Modification
|
12.1(3)T
|
This command was introduced.
|
Examples
The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.
clock source line primary
ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis
call guard-timer 20000 on-expiry accept
Related Commands
Command
|
Description
|
aaa preauth
|
Enters AAA preauthentication configuration mode.
|
cdp-url
To specify a certificate revocation list (CRL) distribution point (CDP) to be used in certificates that are issued by the certificate server, use the cdp-url command in certificate server configuration mode. To remove a CDP from your configuration, use the no form of this command.
cdp-url url
no cdp-url url
Syntax Description
url
|
HTTP URL where CRLs are published.
|
Defaults
When verifying a certificate that does not have a specified CDP, Cisco IOS public key infrastructure (PKI) clients will use Simple Certificate Enrollment Protocol (SCEP) to retrieve the CRL directly from their configured certificate server.
Command Modes
Certificate server configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
CRLs are issued at the interval specified by the lifetime crl command. Each CRL is written to the specified database location as ca-label.crl (where ca-label is the name of the certificate server). It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified via the cdp-url command. If the cdp-url command is not specified, the CDP certificate extension is not included in the certificates that are issued by the certificate server. Cisco IOS public key infrastructure (PKI) clients then automatically use SCEP to retrieve the CRL from the certificate server, which puts an additional load on the certificate server because it must provide SCEP server support for each CRL request.
Note
The CRL will always be available via SCEP, which is enabled by default, if the HTTP server is enabled.
Note
For large PKI deployments, it is recommended that you configure an HTTP-based CDP; for example, cdp-url http://myhttpserver.company.com/mycs.crl.
The CDP URL may be changed after the certificate server is running, but existing certificates will not be reissued with the new CDP that is specified via the cdp-url command.
The certificate server supports only one CDP; thus, all certificates that are issued include the same CDP.
Examples
The following example shows how to configure a CDP:
Router(config)# crypto pki server aaa
Router(cs-server)# database level minimum
Router(cs-server)# database url tftp://10.1.1.1/johndoe/
Router(cs-server)# issuer-name CN=aaa
Router(cs-server)# cdp-url http://msca-root.cisco.com/certEnroll/aaa.crl
Verifying a CDP Configuration
The following example is sample output from the show crypto ca certificates command, which allows you to verify the specified CDP. In this example, the CDP is "http://msca-root.cisco.com/certEnroll/aaa.crl."
Router# show crypto ca certificates
Certificate
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Subject:
    OID.1.2.840.113549.1.9.2 = Router.cisco.com
  CRL Distribution Point:
    http://msca-root.cisco.com/certEnroll/aaa.crl
  Validity Date:
    start date: 18:44:49 GMT Jun 6 2003
    end   date: 18:44:49 GMT Jun 5 2004
    renew date: 00:00:00 GMT Jan 1 1970
  Associated Trustpoints: bbb
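The following Python script is added by the editor and is not part of the Cisco IOS documentation. It automates the verification step above: it parses show crypto ca certificates output, extracts the CDP URL and validity dates of each certificate, and reports certificates whose CDP does not match the configured cdp-url (for example certificates issued before the CDP was changed, which, as noted above, are not reissued) or which have expired. The sample output is constructed in the layout of the command's display, with the values of the example on this page; the field labels are assumed to appear as shown.

```python
import re
from datetime import datetime

# Constructed sample in the layout of "show crypto ca certificates"; the values
# mirror the example on this page but the text was not captured from a router.
SAMPLE_OUTPUT = """\
Certificate
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Subject:
    OID.1.2.840.113549.1.9.2 = Router.cisco.com
  CRL Distribution Point:
    http://msca-root.cisco.com/certEnroll/aaa.crl
  Validity Date:
    start date: 18:44:49 GMT Jun 6 2003
    end   date: 18:44:49 GMT Jun 5 2004
    renew date: 00:00:00 GMT Jan 1 1970
  Associated Trustpoints: bbb
"""

IOS_DATE_FMT = "%H:%M:%S %Z %b %d %Y"


def parse_ios_date(text):
    """Parse "18:44:49 GMT Jun 6 2003" (any spacing) into a naive datetime in GMT."""
    return datetime.strptime(" ".join(text.split()), IOS_DATE_FMT)


def parse_certificates(output):
    """Return one dict per certificate block: serial, cdp (list of URLs), start, end, trustpoints."""
    certs, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line == "Certificate" or line.startswith("CA Certificate"):
            cur = {"serial": None, "cdp": [], "start": None, "end": None, "trustpoints": []}
            certs.append(cur)
        elif cur is None:
            continue                                   # text before the first block
        elif line.startswith("Certificate Serial Number:"):
            cur["serial"] = line.split(":", 1)[1].strip()
        elif re.match(r"https?://", line):
            cur["cdp"].append(line)                    # URL line under CRL Distribution Point
        elif re.match(r"start\s+date:", line):
            cur["start"] = parse_ios_date(line.split(":", 1)[1])
        elif re.match(r"end\s+date:", line):
            cur["end"] = parse_ios_date(line.split(":", 1)[1])
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
    return certs


def check_cdp(certs, expected_cdp, now):
    """Flag certificates whose CDP differs from the configured cdp-url or which have expired."""
    problems = []
    for c in certs:
        if c["cdp"] != [expected_cdp]:
            problems.append("serial %s: CDP %s, expected %s" % (c["serial"], c["cdp"], expected_cdp))
        if c["end"] is not None and now >= c["end"]:
            problems.append("serial %s: expired %s" % (c["serial"], c["end"].strftime("%Y-%m-%d")))
    return problems


if __name__ == "__main__":
    certs = parse_certificates(SAMPLE_OUTPUT)
    for p in check_cdp(certs, "http://msca-root.cisco.com/certEnroll/aaa.crl",
                       parse_ios_date("00:00:00 GMT Dec 1 2003")):
        print(p)
```

Run the check from the configured cdp-url value rather than from memory: a certificate that still carries an old CDP points its verifiers at a location you may no longer publish to, and those verifiers then fall back to SCEP against the certificate server or fail revocation checking.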
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
crypto pki server revoke
|
Revokes a certificate based on its serial number.
|
lifetime crl
|
Defines the lifetime of the CRL that is used by the certificate server.
|
show crypto ca certificates
|
Displays information about your certificate, the certification authority certificate, and any registration authority certificates.
|
certificate
To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router's certificate or any registration authority certificates stored on your router, use the no form of this command.
certificate certificate-serial-number
no certificate certificate-serial-number
Syntax Description
certificate-serial-number
|
Serial number of the certificate to add or delete.
|
Defaults
No default behavior or values.
Command Modes
Certificate chain configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
You could use this command to manually enter a certificate; however, it is rarely used in this manner. Typically it is used only to add or delete certificates.
Examples
The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.
myrouter# show crypto ca certificates
Name: myrouter.example.com
Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF
Key Usage: General Purpose
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
myrouter# configure terminal
myrouter(config)# crypto ca certificate chain myca
myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.
myrouter(config-cert-chain)# exit
Related Commands
Command | Description
crypto ca certificate chain | Enters the certificate chain configuration mode.
clear aaa cache filterserver acl
To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver acl command in EXEC mode.
clear aaa cache filterserver acl [filter-name]
Syntax Description
filter-name | (Optional) Cache status of a specified filter is cleared.
Command Modes
EXEC
Command History
Release | Modification
12.2(13)T | This command was introduced.
Usage Guidelines
After you clear the cache status for a particular filter or all filters, it is recommended that you use the show aaa cache filterserver command to verify the cache status.
Examples
The following example shows how to clear the cache for all filters:
clear aaa cache filterserver acl
Related Commands
Command | Description
show aaa cache filterserver | Displays the cache status.
clear aaa local user fail-attempts
To clear the unsuccessful login attempts of a user, use the clear aaa local user fail-attempts command in privileged EXEC mode.
clear aaa local user fail-attempts {username username | all}
Syntax Description
username username | Name of the user.
all | Unsuccessful login attempts are cleared for all users.
Defaults
Unsuccessful login attempts are not cleared.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command is available only to users having root privilege.
Examples
The following example shows that the unsuccessful login attempts for all users will be cleared:
Router# clear aaa local user fail-attempts all
Related Commands
Command | Description
aaa local authentication attempts max-fail | Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.
clear aaa local user lockout | Unlocks the locked-out users.
show aaa local user locked | Displays a list of all locked-out users.
clear aaa local user lockout
To unlock the locked-out users, use the clear aaa local user lockout command in privileged EXEC mode.
clear aaa local user lockout {username username | all}
Syntax Description
username username | Name of the user to be unlocked.
all | All users are to be unlocked.
Defaults
Locked-out users remain locked out.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
Only a user having root privilege can use this command.
Examples
The following example shows that all locked-out users will be unlocked:
Router# clear aaa local user lockout all
Related Commands
Command | Description
aaa local authentication attempts max-fail | Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.
clear aaa local user fail-attempts | Clears the unsuccessful login attempts of a user.
show aaa local user locked | Displays a list of all locked-out users.
clear access-template
To manually clear a temporary access list entry from a dynamic access list, use the clear access-template command in EXEC mode.
clear access-template [access-list-number | name] [dynamic-name] [source] [destination]
Syntax Description
access-list-number | (Optional) Number of the dynamic access list from which the entry is to be deleted.
name | (Optional) Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
dynamic-name | (Optional) Name of the dynamic access list from which the entry is to be deleted.
source | (Optional) Source address in a temporary access list entry to be deleted.
destination | (Optional) Destination address in a temporary access list entry to be deleted.
Command Modes
EXEC
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.
Examples
The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:
clear access-template vendor 172.20.1.12
Related Commands
Command | Description
access-list (IP extended) | Defines an extended IP access list.
access-template | Places a temporary access list entry on a router to which you are connected manually.
show ip accounting | Displays the active accounting or checkpointed database or displays access list violations.
clear crypto call admission statistics
To clear the counters that track the number of accepted and rejected Internet Key Exchange (IKE) requests, use the clear crypto call admission statistics command in global configuration mode.
clear crypto call admission statistics
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Examples
The following example sets to zero the number of accepted and rejected IKE requests:
Router(config)# clear crypto call admission statistics
Related Commands
Command | Description
show crypto call admission statistics | Monitors Crypto CAC statistics.
clear crypto engine accelerator counter
To reset the statistical and error counters of the hardware accelerator of the router to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.
clear crypto engine accelerator counter
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Release | Modification
12.1(3)XL | This command was introduced for the Cisco uBR905 cable access router.
12.2(2)XA | Support was added for the Cisco uBR925 cable access router.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ | This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T | The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
Examples
The following example shows the statistical and error counters of the router being cleared to zero:
clear crypto engine accelerator counter
Related Commands
Command | Description
crypto ca | Defines the parameters for the certification authority used for a session.
crypto cisco | Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map | Creates a dynamic map crypto configuration for a session.
crypto engine accelerator | Enables the use of the onboard hardware accelerator for IPSec encryption.
crypto ipsec | Defines the IPSec security associations and transformation sets.
crypto isakmp | Enables and defines the IKE protocol and its parameters.
crypto key | Generates and exchanges keys for a cryptographic session.
crypto map | Creates and modifies a crypto map for a session.
debug crypto engine accelerator control | Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet | Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring | Displays the contents of command and transmit rings for the crypto engine.
show crypto engine accelerator sa-database | Displays the active (in-use) entries in the crypto engine SA database.
show crypto engine accelerator statistic | Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief | Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration | Displays the version and configuration information for the crypto engine.
show crypto engine connections | Displays a list of the current connections maintained by the crypto engine.
clear crypto ipsec client ezvpn
To reset the Cisco Easy VPN remote state machine and bring down the Cisco Easy VPN remote connection on all interfaces or on a given interface (tunnel), use the clear crypto ipsec client ezvpn command in privileged EXEC mode. If a tunnel name is specified, only the specified tunnel is cleared.
clear crypto ipsec client ezvpn [name]
Syntax Description
name | (Optional) Identifies the IPSec virtual private network (VPN) tunnel to be disconnected or cleared with a unique, arbitrary name. If no name is specified, all existing tunnels are disconnected or cleared.
Defaults
If no tunnel name is specified, all active tunnels on the machine are cleared.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.2(4)YA | This command was introduced for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T | This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ | This command was enhanced to specify an IPSec VPN tunnel to be cleared or disconnected for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T | This command was integrated into Cisco IOS Release 12.2(15)T.
Usage Guidelines
The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN remote state machine, bringing down the current Cisco Easy VPN remote connection and bringing it back up on the interface. If you specify a tunnel name, only that tunnel is cleared. If no tunnel name is specified, all active tunnels on the machine are cleared.
If the Cisco Easy VPN remote connection for a particular interface is configured for autoconnect, this command also initiates a new Cisco Easy VPN remote connection.
Examples
The following example shows the Cisco Easy VPN remote state machine being reset:
Router# clear crypto ipsec client ezvpn
Related Commands
Command | Description
crypto ipsec client ezvpn (global) | Creates a Cisco Easy VPN remote configuration.
crypto ipsec client ezvpn (interface) | Assigns a Cisco Easy VPN remote configuration to an interface.
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in privileged EXEC mode.
clear crypto isakmp [connection-id] [active | standby]
Syntax Description
connection-id | (Optional) ID of the connection that is to be cleared. If this argument is not used, all existing connections will be cleared.
active | (Optional) Clears only IKE security associations (SAs) in the active state. For each active SA that is cleared, the standby router will be notified to clear the corresponding standby SA.
standby | (Optional) Clears only IKE SAs in the standby (secondary) state. Note: If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.
Command Modes
Privileged EXEC
Command History
Release | Modification
11.3 T | This command was introduced.
12.3(11)T | The active and standby keywords were added.
Usage Guidelines
Caution: If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
Router# show crypto isakmp sa
dst src state conn-id slot
172.21.114.123 172.21.114.67 QM_IDLE 1 0
209.165.201.1 209.165.201.2 QM_IDLE 8 0
Router# clear crypto isakmp 1
Router# show crypto isakmp sa
dst src state conn-id slot
209.165.201.1 209.165.201.2 QM_IDLE 8 0
Related Commands
Command | Description
show crypto isakmp sa | Displays current IKE SAs.
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in privileged EXEC mode.
clear crypto sa [active | standby]
Virtual Routing and Forwarding (VRF) Syntax
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa [vrf ivrf-name]
Crypto Map Syntax
clear crypto sa map map-name
IP Address, Security Protocol Standard, and SPI Syntax
clear crypto sa entry destination-address protocol spi
Traffic Counters Syntax
clear crypto sa counters
Syntax Description
active | (Optional) Clears only IPSec SAs that are in the active state.
standby | (Optional) Clears only IPSec SAs that are in the standby state. Note: If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.
peer [vrf fvrf-name] address | Deletes any IPSec SAs for the specified peer. The fvrf-name argument specifies the front door VRF (FVRF) of the peer address.
vrf ivrf-name | (Optional) Clears all IPSec SAs whose inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.
map | Deletes any IPSec SAs for the named crypto map set.
map-name | Specifies the name of a crypto map set.
entry | Deletes the IPSec SA with the specified address, protocol, and security parameter index (SPI).
destination-address | Specifies the IP address of the remote peer.
protocol | Specifies either the Encapsulation Security Protocol (ESP) or Authentication Header (AH).
spi | Specifies an SPI (found by displaying the SA database).
counters | Clears the traffic counters maintained for each SA; the counters keyword does not clear the SAs themselves.
Command Modes
Privileged EXEC
Command History
Release | Modification
11.3 T | This command was introduced.
12.2(15)T | The vrf keyword and fvrf-name argument for clear crypto sa peer were added. The vrf keyword and ivrf-name argument for clear crypto sa were added.
12.3(11)T | The active and standby keywords were added.
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
Note: If the peer, map, entry, counters, active, or standby keywords are not used, all IPSec SAs will be deleted.
• The peer keyword deletes any IPSec SAs for the specified peer.
• The map keyword deletes any IPSec SAs for the named crypto map set.
• The entry keyword deletes the IPSec SA with the specified address, protocol, and SPI.
• The active and standby keywords delete the IPSec SAs in the active or standby state, respectively.
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you clear only the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command clears only IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
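The selection rules above, as an added Python model that is not Cisco code and not a real SA database: a constructed SA table and a clear() method that applies the peer, map, entry and counters keywords, the sibling rule, and the reinstall of manually keyed SAs. The names IpsecSa, SaDatabase and build_sample_db are assumptions made for this illustration.

```python
"""Model of how `clear crypto sa` selects IPSec SAs (added illustration, not Cisco code)."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass
class IpsecSa:
    peer: str                # remote peer address
    protocol: str            # "ESP" or "AH"
    spi: int                 # security parameter index
    direction: str           # "in" or "out"
    crypto_map: str          # crypto map set the SA belongs to
    ike_conn: Optional[int]  # IKE conn-id that negotiated the SA; None = manually keyed
    packets: int = 0         # per-SA traffic counter


class SaDatabase:
    """Constructed stand-in for the router's IPSec SA database (assumed name)."""

    def __init__(self, sas: List[IpsecSa]):
        self.sas = list(sas)

    def clear(self, peer: Optional[str] = None, map_name: Optional[str] = None,
              entry: Optional[Tuple[str, str, int]] = None,
              counters: bool = False) -> List[IpsecSa]:
        """Apply one `clear crypto sa` invocation and return the SAs that were deleted."""
        if counters:
            # `counters` zeroes the per-SA traffic counters and deletes nothing
            for sa in self.sas:
                sa.packets = 0
            return []

        def matches(sa: IpsecSa) -> bool:
            if peer is not None and sa.peer != peer:
                return False
            if map_name is not None and sa.crypto_map != map_name:
                return False
            if entry is not None:
                dst, proto, spi = entry
                if (sa.peer, sa.protocol.upper(), sa.spi) != (dst, proto.upper(), spi):
                    return False
            return True  # no selector at all: every SA matches

        selected = [sa for sa in self.sas if matches(sa)]
        # Sibling rule: every SA set up by the same IKE negotiation is deleted too,
        # so clearing one AH entry also removes its outbound twin and the ESP pair.
        conns = {sa.ike_conn for sa in selected if sa.ike_conn is not None}
        doomed = {id(sa) for sa in selected}
        doomed |= {id(sa) for sa in self.sas if sa.ike_conn in conns}
        deleted = [sa for sa in self.sas if id(sa) in doomed]
        self.sas = [sa for sa in self.sas if id(sa) not in doomed]
        # IKE-negotiated SAs stay gone until traffic triggers a new negotiation;
        # manually keyed SAs are reinstalled immediately with fresh counters.
        self.sas.extend(replace(sa, packets=0) for sa in deleted if sa.ike_conn is None)
        return deleted


def build_sample_db() -> SaDatabase:
    """Constructed SA table: two IKE-negotiated peers plus one manually keyed SA."""
    return SaDatabase([
        IpsecSa("10.0.0.1", "AH", 256, "in", "MYMAP", 1, packets=120),
        IpsecSa("10.0.0.1", "AH", 257, "out", "MYMAP", 1, packets=98),
        IpsecSa("10.0.0.1", "ESP", 300, "in", "MYMAP", 1, packets=120),
        IpsecSa("10.0.0.1", "ESP", 301, "out", "MYMAP", 1, packets=98),
        IpsecSa("209.165.201.2", "ESP", 400, "in", "MYMAP", 8, packets=5),
        IpsecSa("209.165.201.2", "ESP", 401, "out", "MYMAP", 8, packets=7),
        IpsecSa("192.0.2.9", "ESP", 500, "in", "MANUAL", None, packets=3),
    ])


if __name__ == "__main__":
    db = build_sample_db()
    # the page's own example: clear crypto sa entry 10.0.0.1 AH 256
    gone = db.clear(entry=("10.0.0.1", "AH", 256))
    print(f"{len(gone)} SAs deleted (sibling rule), {len(db.sas)} remain")
```

Running the entry example shows why the guidelines recommend clearing only the affected portion: one entry takes its four siblings with it, while a peer-scoped clear leaves the other peer's SAs untouched.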
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto sa
The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256
The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf VPN1
Related Commands
Command | Description
clear crypto isakmp | Clears active IKE connections.
clear crypto session
To delete crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in privileged EXEC mode.
clear crypto session [local ip-address [port local-port]] [remote ip-address [port remote-port]] | [fvrf vrf-name] [ivrf vrf-name]
IPSec and IKE Stateful Failover Syntax
clear crypto session [active | standby]
Syntax Description
local ip-address | (Optional) Clears crypto sessions for a local crypto endpoint. The ip-address is the IP address of the local crypto endpoint.
port local-port | (Optional) IKE port of the local endpoint. The local-port value can be 1 through 65535. The default value is 500.
remote ip-address | (Optional) Clears crypto sessions for a remote IKE peer. The ip-address is the IP address of the remote IKE peer.
port remote-port | (Optional) IKE port of the remote endpoint to be deleted. The remote-port value can be from 1 through 65535. The default value is 500.
fvrf vrf-name | (Optional) Specifies the front door virtual routing and forwarding (FVRF) session that is to be cleared.
ivrf vrf-name | (Optional) Specifies the inside VRF (IVRF) session that is to be cleared.
active | (Optional) Clears only IPSec and IKE SAs in the active state.
standby | (Optional) Clears only IPSec and IKE SAs in the standby state. Note: If the router is in standby mode, the router will immediately resynchronize the standby SAs with the active router.
Defaults
If the clear crypto session command is entered without any keywords, all existing sessions will be deleted. The IPSec SAs will be deleted first. Then the IKE SAs are deleted. Port default values are 500.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(4)T | This command was introduced.
12.3(11)T | The active and standby keywords were added.
Usage Guidelines
To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, an FVRF name, or an IVRF name.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be deleted.
Examples
The following example shows that all crypto sessions will be deleted:
Router# clear crypto session
The following example shows that the crypto session of the FVRF named "blue" will be deleted:
Router# clear crypto session fvrf blue
The following example shows that the crypto sessions of the FVRF "blue" and the IVRF session "green" will be deleted:
Router# clear crypto session fvrf blue ivrf green
The following example shows that the crypto sessions of the local endpoint 10.1.1.1 and remote endpoint 10.2.2.2 will be deleted. The local endpoint port is 5, and the remote endpoint port is 10.
Router# clear crypto session local 10.1.1.1 port 5 remote 10.2.2.2 port 10
Related Commands
Command | Description
description | Adds a description for an IKE peer.
show crypto isakmp peer | Displays peer descriptions.
show crypto session | Displays status information for active crypto sessions in a router.
clear dot1x
To clear 802.1X interface information, use the clear dot1x command in privileged EXEC mode.
clear dot1x {all | interface interface-name}
Syntax Description
all | Clears 802.1X information for all interfaces.
interface interface-name | Clears 802.1X information for the specified interface.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(2)XA | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
Examples
The following configuration shows that 802.1X information will be cleared for all interfaces:
Router# clear dot1x all
The following configuration shows that 802.1X information will be cleared for the Ethernet 0 interface:
Router# clear dot1x interface ethernet 0
Related Commands
Command | Description
debug dot1x | Displays 802.1X debugging information.
identity profile default | Creates an identity profile and enters dot1x profile configuration mode.
show dot1x | Shows details for an identity profile.
clear eou
To clear all client device entries that are associated with a particular interface or that are on the network access device (NAD), use the clear eou command in privileged EXEC mode.
clear eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}}
Syntax Description
all | Clears all client device entries.
authentication | Authentication type.
clientless | Authentication type is clientless.
eap | Authentication type is Extensible Authentication Protocol (EAP).
static | Authentication type is static.
interface | Provides information about the interface.
interface-type | Type of interface (see Table 14 for a list of interface types).
ip | Specifies an IP address.
ip-address | IP address of the client device.
mac | Specifies a MAC address.
mac-address | The 48-bit address of the client device.
posturetoken | Posture token name.
name | Name of the posture token.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
Table 14 lists the interface types that may be used for the interface-type argument.
Table 14 Description of Interface Types
Interface Type | Description
Async | Asynchronous interface
BVI | Bridge-Group Virtual Interface
CDMA-Ix | Code division multiple access Internet exchange (CDMA Ix) interface
CTunnel | Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface
Dialer | Dialer interface
Ethernet | IEEE 802.3 standard interface
Lex | Lex interface
Loopback | Loopback interface
MFR | Multilink Frame Relay bundle interface
Multilink | Multilink-group interface
Null | Null interface
Serial | Serial interface
Tunnel | Tunnel interface
Vif | Pragmatic General Multicast (PGM) Multicast Host interface
Virtual-PPP | Virtual PPP interface
Virtual-Template | Virtual template interface
Virtual-TokenRing | Virtual TokenRing interface
Examples
The following example shows that all client device entries are to be cleared:
Router# clear eou all
Related Commands
Command | Description
eou | Displays information about EAPoUDP.
clear ip admission cache
To clear IP admission cache entries from the router, use the clear ip admission cache command in privileged EXEC mode.
clear ip admission cache {* | host ip address}
Syntax Description
* | Clears all IP admission cache entries and associated dynamic access lists.
host ip address | Clears all IP admission cache entries and associated dynamic access lists for the specified host.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
Use this command to clear entries from the admission control cache before they time out.
Examples
The following example shows that all admission entries are to be deleted:
Router# clear ip admission cache *
The following example shows that the authentication proxy entry for the host with the IP address 192.168.4.5 is to be deleted:
Router# clear ip admission cache 192.168.4.5
Related Commands
Command | Description
show ip admission cache | Displays the admission control entries or the running admission control configuration.
clear ip auth-proxy cache
To clear authentication proxy entries from the router, use the clear ip auth-proxy cache command in EXEC mode.
clear ip auth-proxy cache {* | host-ip-address}
Syntax Description
* | Clears all authentication proxy entries, including user profiles and dynamic access lists.
host-ip-address | Clears the authentication proxy entry, including user profiles and dynamic access lists, for the specified host.
Command Modes
EXEC
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
The following example deletes all authentication proxy entries:
clear ip auth-proxy cache *
The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5:
clear ip auth-proxy cache 192.168.4.5
Related Commands
Command | Description
show ip auth-proxy | Displays the authentication proxy entries or the running authentication proxy configuration.
clear ip ips configuration
To disable Cisco IOS Firewall Intrusion Prevention System (IPS), remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip ips configuration command in EXEC mode.
clear ip ips configuration
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.3(8)T | The command name was changed from the clear ip audit configuration command to the clear ip ips configuration command.
Examples
The following example clears the existing IPS configuration:
clear ip ips configuration
clear ip ips statistics
To reset statistics on packets analyzed and alarms sent, use the clear ip ips statistics command in EXEC mode.
clear ip ips statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release | Modification
12.0(5)T | This command was introduced.
12.3(8)T | The command name was changed from the clear ip audit statistics command to the clear ip ips statistics command.
Examples
The following example clears all IPS statistics:
clear ip ips statistics