Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: accounting through clear ip ips statistics

Table Of Contents

accounting (gatekeeper)

accounting (line)

accounting (server-group)

accounting acknowledge broadcast

acl (ISAKMP)

address

addressed-key

administrator authentication list

administrator authorization list

appfw policy-name

application (application firewall policy)

arap authentication

attribute (server-group)

attribute nas-port format

attribute type

audit-trail

authentication (IKE policy)

authentication command

authentication list (tti-registrar)

authentication terminal

authentication trustpoint

authentication url

authorization

authorization (server-group)

authorization (tti-registrar)

authorization list (global)

authorization list (tti-registrar)

authorization username

authorization username (tti-registrar)

auth-type

auto secure

auto-enroll

backup-gateway

bidirectional

block count

ca trust-point

cache clear age

cache disable

cache max

cache refresh

call admission limit

call guard-timer

cdp-url

certificate

clear aaa cache filterserver acl

clear aaa local user fail-attempts

clear aaa local user lockout

clear access-template

clear crypto call admission statistics

clear crypto engine accelerator counter

clear crypto ipsec client ezvpn

clear crypto isakmp

clear crypto sa

clear crypto session

clear dot1x

clear eou

clear ip admission cache

clear ip auth-proxy cache

clear ip ips configuration

clear ip ips statistics


accounting (gatekeeper)

To enable accounting services on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting services, use the no form of this command.

accounting [vsa]

no accounting [vsa]

Syntax Description

vsa

(Optional) Configures the vendor-specific attribute (VSA) method of accounting.


Defaults

Accounting is disabled.

Command Modes

Gatekeeper configuration

Command History

Release
Modification

11.3(2)NA

This command was introduced.

12.0(3)T

This command was integrated into Cisco IOS Release 12.0(3)T.

12.1(5)XM

The vsa keyword was added.

12.2(2)T

The vsa keyword was integrated into Cisco IOS Release 12.2(2)T.

12.2(2)XB1

This command was implemented on the Cisco AS5850 universal gateway.


Usage Guidelines

Specify a RADIUS server before using the accounting command.

There are three different methods of accounting. The H.323 method sends the call detail record (CDR) to the RADIUS server, the syslog method uses the system logging facility to record the CDRs, and the VSA method collects VSAs.

Examples

The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:

aaa accounting connection start-stop group radius
gatekeeper
 accounting

The following example shows how to enable VSA accounting:

aaa accounting connection start-stop group radius
gatekeeper
 accounting exec vsa

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.


accounting (line)

To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

accounting {arap | commands level | connection | exec} [default | list-name]

no accounting {arap | commands level | connection | exec} [default | list-name]

Syntax Description

arap

Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).

commands level

Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.

connection

Enables both CHAP and PAP, and performs PAP authentication before CHAP.

exec

Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.

default

(Optional) The name of the default method list, created with the aaa accounting command.

list-name

(Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.


Defaults

Accounting is disabled.

Command Modes

Line configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Examples

The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:

line 10
 accounting commands 15 charlie

Related Commands

Command
Description

aaa accounting

Enables AAA accounting of requested services for billing or security purposes.


accounting (server-group)

To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.

accounting [accept | reject] list-name

Syntax Description

accept

(Optional) All attributes will be rejected except for required attributes and the attributes specified in the listname.

reject

(Optional) All attributes will be accepted except for the attributes specified in the listname.

list-name

Given name for the accept or reject list.


Defaults

If specific attributes are not accepted or rejected, all attributes will be accepted.

Command Modes

Server-group configuration

Command History

Release
Modification

12.2(1)DX

This command was introduced.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.

12.2(13)T

Platform support was added for the Cisco 7401ASR.


Usage Guidelines

An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.

Only one filter may be used for RADIUS accounting per server group.


Note The listname must be the same as the listname defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add to an accept or reject list.


Examples

The following example shows how to specify accept list "usage-only" for RADIUS accounting:

aaa new-model
aaa authentication ppp default group radius-sg
aaa authorization network default group radius-sg
aaa group server radius radius-sg
 server 1.1.1.1
 accounting accept usage-only
!
radius-server host 1.1.1.1 key mykey1
radius-server attribute list usage-only
 attribute 1,40,42-43,46

Related Commands

Command
Description

aaa authentication ppp

Specifies one or more AAA authentication methods for use on serial interfaces running PPP.

aaa authorization

Sets parameters that restrict network access to the user.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

attribute (server-group configuration)

Adds attributes to an accept or reject list.

authorization (server-group configuration)

Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.

radius-server attribute list

Defines an accept or reject list name.


accounting acknowledge broadcast

To define a designated broadcast accounting server group, use the accounting acknowledge broadcast command in server group RADIUS configuration mode. To disable the broadcast functionality, use the no form of this command.

accounting acknowledge broadcast

no accounting acknowledge broadcast

Syntax Description

This command has no arguments or keywords.

Defaults

Accounting broadcast functionality is disabled for the RADIUS server group.

Command Modes

Server group RADIUS configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Examples

The following example enables accounting broadcast functionality on RADIUS server group abcgroup:

Router(config)# aaa group server radius abcgroup
Router(config-sg-radius)# accounting acknowledge broadcast

Related Commands

Command
Description

aaa accounting update

Enables periodic interim accounting records to be sent to the accounting server.

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

gw-accounting aaa

Enables VoIP gateway accounting through the AAA system.


acl (ISAKMP)

To configure split tunneling, use the acl command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.

acl number

no acl number

Syntax Description

number

Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.


Defaults

Split tunneling is not enabled; all data is sent via the Virtual Private Network (VPN) tunnel.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the acl command.

Examples

The following example shows how to correctly apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent via the VPN tunnel.

crypto isakmp client configuration group cisco
  key cisco
  dns 10.2.2.2 10.3.2.3
  pool dog
  acl 199
!
access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Related Commands

Command
Description

crypto isakmp client configuration group

Specifies the policy profile of the group that will be defined.


address

To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.

address ip-address

no address ip-address

Syntax Description

ip-address

IP address of the remote peer.


Defaults

No default behavior or values

Command Modes

Rsa-pubkey configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.

Examples

The following example specifies the RSA public key of an IP Security (IPSec) peer:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

crypto keyring

Defines a crypto keyring to be used during IKE authentication.

key-string

Specifies the RSA public key of a remote peer.

rsa-pubkey

Defines the RSA manual key to be used for encryption or signatures during IKE authentication.


addressed-key

To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode.

addressed-key key-address [encryption | signature]

Syntax Description

key-address

Specifies the IP address of the remote peer's RSA keys.

encryption

(Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.

signature

(Optional) Indicates that the RSA public key to be specified will be a signature special usage key.


Defaults

If neither the encryption nor signature keywords are used, general purpose keys will be specified.

Command Modes

Public key chain configuration. This command invokes public key configuration mode.

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.

Follow this command with the key string command to specify the key.

If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.

If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.

Examples

The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.

Router(config)# crypto key pubkey-chain rsa
Router(config-pubkey-chain)# named-key otherpeer.example.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105
Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22
Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4
Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2
Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28
Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# addressed-key 10.1.1.2 signature
Router(config-pubkey-key)# key-string
Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC
Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228
Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E
Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16
Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4
Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(config-pubkey-chain)# exit
Router(config)#

Related Commands

Command
Description

crypto key pubkey-chain rsa

Enters public key configuration mode (to allow you to manually specify the RSA public keys of other devices).

key-string (IKE)

Specifies the RSA public key of a remote peer.

named-key

Specifies which peer RSA public key you will manually configure.

show crypto key pubkey-chain rsa

Displays peer RSA public keys stored on your router.


administrator authentication list

To authenticate an administrative introducer for a Secure Device Provisioning (SDP) transaction, use the administrator authentication list command in tti-registrar configuration mode. To disable administrative introducer authentication, use the no form of this command.

administrator authentication list list-name

no administrator authentication list list-name

Syntax Description

list-name

Name of list.


Defaults

All introducers are authenticated as users; their username is used directly to build the device name.

Command Modes

tti-registrar configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

When you use the administrator authentication list command in SDP transactions, the RADIUS or TACACS+ authentication, authorization, and accounting (AAA) server checks for a valid account by looking at the username and password.

The authentication list and the authorization list usually both point to the same AAA list. It is possible that the lists can be on different databases, but it is generally not recommended.

Examples

The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:

Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end

Related Commands

Command
Description

administrator authorization list

Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for an administrative introducer in an SDP transaction.

authentication list (tti-registrar)

Authenticates an introducer in an SDP transaction.

authorization list (tti-registrar)

Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP transaction.


administrator authorization list

To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner for an administrative introducer in a Secure Device Provisioning (SDP) transaction, use the administrator authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.

administrator authorization list list-name

no administrator authorization list list-name

Syntax Description

list-name

Name of list.


Defaults

There is no authorization information requested from the authentication, authorization, and accounting (AAA) server for the administrator.

Command Modes

tti-registrar configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

When you use the administrator authorization list command in SDP transactions, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authorization list are usually on the same database, but they can be on different AAA databases. (Storing lists on different databases is not recommended.)

When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:

user Password <userpassword>
   cisco-avpair="ttti:subjectname=<<DN subjectname>>"
   cisco-avpair="tti:iosconfig#<<value>>"
   cisco-avpair="tti:iosconfig#<<value>>"
   cisco-avpair="tti:iosconfig#=<<value>>"

Note The existence of a valid AAA username record is enough to pass the authentication check. The cisco-avpair=tti information is necessary only for the authorization check.


If a subject name were received in the authorization response, the registrar stores it in the enrollment database, and that subject name overrides the subject name that is supplied in the subsequent certificate request (PKCS10) from the petitioner device.

The numbered tti:iosconfig values are expanded into the Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.


Note The template configuration location may include a variable $n, which is expanded to the name that the administrator enters in the additional SDP dialog.


Examples

The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:

Router(config)# crypto provisioning registrar
Router(tti-registrar)# pki-server mycs
Router(tti-registrar)# administrator authentication list authen-rad
Router(tti-registrar)# administrator authorization list author-rad
Router(tti-registrar)# authentication list authen-tac
Router(tti-registrar)# authorization list author-tac
Router(tti-registrar)# template username ftpuser password ftppwd
Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt
Router(tti-registrar)# end

Related Commands

Command
Description

administrator authentication list

Authenticates an administrative introducer for an SDP transaction.

authentication list (tti-registrar)

Authenticates a user introducer for an SDP transaction.

authorization list (tti-registrar)

Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP operation.


appfw policy-name

To define an application firewall policy and put the router in application firewall policy configuration mode, use the appfw policy-name command in global configuration mode. To remove a policy from the router configuration, use the no form of this command.

appfw policy-name policy-name

no appfw policy-name policy-name

Syntax Description

policy-name

Name of application policy.


Defaults

If this command is not issued, an application firewall policy cannot be created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

This command puts the router in application firewall policy (appfw-policy-protocol) configuration mode, which allows you to begin defining the application firewall policy that will later be applied to the Cisco IOS Firewall via the ip inspect name command.

What Is an Application Firewall Policy?

The application firewall uses static signatures to detect security violations. A static signature is a collection of parameters that specifies which protocol conditions must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via a command-line interface (CLI) to form an application firewall policy (also known as a security policy).

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!

Related Commands

Command
Description

application

Puts the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol.

ip inspect name

Defines a set of inspection rules.


application (application firewall policy)

To put the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol, use the application command in application firewall policy configuration mode. To remove protocol-specific rules, use the no form of this command.

application protocol

no application protocol

Syntax Description

protocol

Protocol-specific traffic will be inspected. Currently, the only supported protocol is HTTP (specified via the http keyword), which defines the web policy.


Defaults

You cannot set up protocol-specific inspection parameters.

Command Modes

Application firewall policy configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

This command puts the router in appfw-policy-protocol configuration mode, where "protocol" is dependent upon the specified protocol. Because HTTP is currently the only available protocol, the configuration mode is "appfw-policy-http."

HTTP-Specific Inspection Commands

After you issue the application command and enter the appfw-policy-http configuration mode, begin configuring inspection parameters for HTTP traffic by issuing any of the following commands:

audit-trail

content-length

content-type-verification

max-header-length

max-uri-length

port-misuse

request-method

strict-http

timeout

transfer-encoding

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!

Related Commands

Command
Description

appfw policy-name

Defines an application firewall policy and puts the router in application firewall policy configuration mode.


arap authentication

To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of this command.

arap authentication {default | list-name} [one-time]

no arap authentication {default | list-name}


Caution If you use a list-name value that was not configured with the aaa authentication arap command, ARAP will be disabled on this line.

Syntax Description

default

Default list created with the aaa authentication arap command.

list-name

Indicated list created with the aaa authentication arap command.

one-time

(Optional) Accepts the username and password in the username field.


Defaults

ARAP authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.

Command Modes

Line configuration

Command History

Release
Modification

10.3

This command was introduced.

11.0

The one-time keyword was added.


Usage Guidelines

This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Examples

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7:

line 7
 arap authentication MIS-access

Related Commands

Command
Description

aaa authentication arap

Enables an AAA authentication method for ARAP using TACACS+.


attribute (server-group)

To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.

attribute value1 [value2 [value3]...]

no attribute value1 [value2 [value3]...]

Syntax Description

value1 [value2 [value3]...]

Attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56-59. At least one attribute value must be specified.


Defaults

If this command is not enabled, all attributes are sent to the network access server (NAS).

Command Modes

Server-group configuration

Command History

Release
Modification

12.2(1)DX

This command was introduced.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(4)T

This command was integrated into Cisco IOS Release 12.2(4)T.

12.2(13)T

Platform support was added for the Cisco 7401 ASR.


Usage Guidelines

Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.

The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:

For authorization:

6 (Service-Type)

7 (Framed-Protocol)

For accounting:

4 (NAS-IP-Address)

40 (Acct-Status-Type)

41 (Acct-Delay-Time)

44 (Acct-Session-ID)


Note The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for.


Examples

The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":

radius-server attribute list standard
attribute 12,217,6-10,13
attribute 64-69,218

Related Commands

Command
Description

accounting (server-group configuration)

Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.

authorization (server-group configuration)

Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.

radius-server attribute list

Defines an accept or reject list name.


attribute nas-port format

To configure services to use specific named methods for different service types, which can be set to use their own respective RADIUS server groups, use the attribute nas-port format command in server-group configuration mode. To remove the override, which is to use specific named methods for different service types, use the no form of this command.

attribute nas-port format format-type [string]

no attribute nas-port format format-type [string]

Syntax Description

format-type

Type of format (see Table 12).

string

(Optional) Pattern of the data format (see Table 13).


Defaults

Default format type is used for all services.

Command Modes

Server-group configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

The following format types may be configured.

Table 12 Format Types

a

Format is type, channel, or port.

b

Either interface(16), isdn(16), or async(16).

c

Data format (bits): shelf(2), slot(4), port(5), or channel(5).

d

Data format (bits): slot(4), module(1), port(3), vpi(8), or vci(16).

e

Configurable data format (see Table 13).


The following characters may be used in the string pattern of the data format.

Table 13 Characters Supported by Format-Type e 

0

Zero

1

One

f

DS0 shelf

s

DS0 slot

a

DS0 adapter

P

DS0 port

i

DS0 subinterface

c

DS0 channel

F

Async shelf

S

Async slot

P

Async port

L

Async line

S

PPPoX slot (includes PPP over ATM [PPPoA], PPP over Ethernet over ATM [PPPoEoA], PPP over Ethernet over Ethernet [PPPoEoE], PPP over Ethernet over VLAN [PPPoEoVLAN], and PPP over Ethernet over Queue in Queue [PPPoEoQinQ]).

A

PPPoX adapter

P

PPPoX port

V

PPPoX VLAN ID

I

PPPoX virtual path identifier (VPI)

C

PPPoX virtual channel indicator (VCI)

U

Session ID


Examples

The following example shows that a leased-line PPP client has chosen to send no RADIUS Attribute 5 while the default is set for format d:

interface Serial2/0
 no ip address
 encapsulation ppp
 ppp accounting SerialAccounting
 ppp authentication pap

aaa accounting network default start-stop group radius 
aaa accounting network SerialAccounting start-stop group group1

aaa group server radius group1
 server 64.101.159.172 auth-port 1645 acct-port 1646
 attribute nas-port none

radius-server host 64.101.159.172 auth-port 1645 acct-port 1646
radius-server attribute nas-port format d

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

ip radius source-interface

Forces RADIUS to use the IP adressing of a specified interface for all outgoing RADIUS packets.

radius-server host

Specifies a RADIUS server host.


attribute type

To define an attribute type that is to be added to an attribute list locally on a router, use the attribute type command in global configuration mode. To remove the attribute type from the list, use the no form of this command.

attribute type {name}{value} [service service] [protocol protocol] [tag]

no attribute type {name}{value} [service service] [protocol protocol] [tag]

Syntax Description

name

Defines the Cisco IOS authentication, authorization, and accounting (AAA) internal name of the Internet Engineering Task Force (IETF) RADIUS attribute to be added to the attribute list.

value

Defines a string, binary, or IPv4 address value. This is the RADIUS attribute that is being defined in Cisco IOS AAA format. When a string is added to the attribute value, the string should be inside quotation marks. For example, if the value is "interface-config" and the string is "ip unnumbered FastEthernet0," you would write interface-config "ip unnumbered FastEthernet0".

service service

(Optional) Access method, which is typically PPP.

protocol protocol

(Optional) Type of protocol, which can be ATM, IP, or virtual private dial-up network (VPDN).