Table Of Contents

accounting (gatekeeper)

accounting (line)

accounting (server-group)

accounting acknowledge broadcast

acl (ISAKMP)

address

addressed-key

administrator authentication list

administrator authorization list

appfw policy-name

application (application firewall policy)

arap authentication

attribute (server-group)

attribute nas-port format

attribute type

audit-trail

authentication (IKE policy)

authentication command

authentication list (tti-registrar)

authentication terminal

authentication trustpoint

authentication url

authorization

authorization (server-group)

authorization (tti-registrar)

authorization list (global)

authorization list (tti-registrar)

authorization username

authorization username (tti-registrar)

auth-type

auto secure

auto-enroll

backup-gateway

bidirectional

block count

ca trust-point

cache clear age

cache disable

cache max

cache refresh

call admission limit

call guard-timer

cdp-url

certificate

clear aaa cache filterserver acl

clear aaa local user fail-attempts

clear aaa local user lockout

clear access-template

clear crypto call admission statistics

clear crypto engine accelerator counter

clear crypto ipsec client ezvpn

clear crypto isakmp

clear crypto sa

clear crypto session

clear dot1x

clear eou

clear ip admission cache

clear ip auth-proxy cache

clear ip ips configuration

clear ip ips statistics

accounting (gatekeeper)

To enable accounting services on the gatekeeper, use the accounting command in gatekeeper configuration mode. To disable accounting services, use the no form of this command.

accounting [vsa]

no accounting [vsa]

Syntax Description

vsa	(Optional) Configures the vendor-specific attribute (VSA) method of accounting.

Defaults

Accounting is disabled.

Command Modes

Gatekeeper configuration

Command History

Release	Modification
11.3(2)NA	This command was introduced.
12.0(3)T	This command was integrated into Cisco IOS Release 12.0(3)T.
12.1(5)XM	The vsa keyword was added.
12.2(2)T	The vsa keyword was integrated into Cisco IOS Release 12.2(2)T.
12.2(2)XB1	This command was implemented on the Cisco AS5850 universal gateway.

Usage Guidelines

Specify a RADIUS server before using the accounting command.

There are three different methods of accounting. The H.323 method sends the call detail record (CDR) to the RADIUS server, the syslog method uses the system logging facility to record the CDRs, and the VSA method collects VSAs.

Examples

The following example enables the gateway to report user activity to the RADIUS server in the form of connection accounting records:

aaa accounting connection start-stop group radius

gatekeeper

 accounting

The following example shows how to enable VSA accounting:

aaa accounting connection start-stop group radius

gatekeeper

 accounting exec vsa

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

accounting (line)

To enable authentication, authorization, and accounting (AAA) accounting services to a specific line or group of lines, use the accounting command in line configuration mode. To disable AAA accounting services, use the no form of this command.

accounting {arap | commands level | connection | exec} [default | list-name]

no accounting {arap | commands level | connection | exec} [default | list-name]

Syntax Description

arap	Enables accounting on lines configured for AppleTalk Remote Access Protocol (ARAP).
commands level	Enables accounting on the selected lines for all commands at the specified privilege level. Valid privilege level entries are 0 through 15.
connection	Enables both CHAP and PAP, and performs PAP authentication before CHAP.
exec	Enables accounting for all system-level events not associated with users, such as reloads on the selected lines.
default	(Optional) The name of the default method list, created with the aaa accounting command.
list-name	(Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command.

Defaults

Accounting is disabled.

Command Modes

Line configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Examples

The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:

line 10

 accounting commands 15 charlie

Related Commands

Command	Description
aaa accounting	Enables AAA accounting of requested services for billing or security purposes.

accounting (server-group)

To specify an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request, use the accounting command in server-group configuration mode.

accounting [accept | reject] list-name

Syntax Description

accept	(Optional) All attributes will be rejected except for required attributes and the attributes specified in the listname.
reject	(Optional) All attributes will be accepted except for the attributes specified in the listname.
list-name	Given name for the accept or reject list.

Defaults

If specific attributes are not accepted or rejected, all attributes will be accepted.

Command Modes

Server-group configuration

Command History

Release	Modification
12.2(1)DX	This command was introduced.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T	This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T	Platform support was added for the Cisco 7401ASR.

Usage Guidelines

An accept or reject list (also known as a filter) for RADIUS accounting allows users to send only the accounting attributes their business requires, thereby reducing unnecessary traffic and allowing users to customize their own accounting data.

Only one filter may be used for RADIUS accounting per server group.

---

Note The listname must be the same as the listname defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add to an accept or reject list.

---

Examples

The following example shows how to specify accept list "usage-only" for RADIUS accounting:

aaa new-model

aaa authentication ppp default group radius-sg

aaa authorization network default group radius-sg

aaa group server radius radius-sg

 server 1.1.1.1

 accounting accept usage-only

!

radius-server host 1.1.1.1 key mykey1

radius-server attribute list usage-only

 attribute 1,40,42-43,46

Related Commands

Command	Description
aaa authentication ppp	Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization	Sets parameters that restrict network access to the user.
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
attribute (server-group configuration)	Adds attributes to an accept or reject list.
authorization (server-group configuration)	Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.
radius-server attribute list	Defines an accept or reject list name.

accounting acknowledge broadcast

To define a designated broadcast accounting server group, use the accounting acknowledge broadcast command in server group RADIUS configuration mode. To disable the broadcast functionality, use the no form of this command.

accounting acknowledge broadcast

no accounting acknowledge broadcast

Syntax Description

This command has no arguments or keywords.

Defaults

Accounting broadcast functionality is disabled for the RADIUS server group.

Command Modes

Server group RADIUS configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Examples

The following example enables accounting broadcast functionality on RADIUS server group abcgroup:

Router(config)# aaa group server radius abcgroup

Router(config-sg-radius)# accounting acknowledge broadcast

Related Commands

Command	Description
aaa accounting update	Enables periodic interim accounting records to be sent to the accounting server.
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
gw-accounting aaa	Enables VoIP gateway accounting through the AAA system.

acl (ISAKMP)

To configure split tunneling, use the acl command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration and restore the default value, use the no form of this command.

acl number

no acl number

Syntax Description

number

Specifies a group of access control lists (ACLs) that represent protected subnets for split tunneling purposes.

Defaults

Split tunneling is not enabled; all data is sent via the Virtual Private Network (VPN) tunnel.

Command Modes

ISAKMP group configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.

Usage Guidelines

Use the acl command to specify which groups of ACLs represent protected subnets for split tunneling. Split tunneling is the ability to have a secure tunnel to the central site and simultaneous clear text tunnels to the Internet.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the acl command.

Examples

The following example shows how to correctly apply split tunneling for the group name "cisco." In this example, all traffic sourced from the client and destined to the subnet 192.168.1.0 will be sent via the VPN tunnel.

crypto isakmp client configuration group cisco

  key cisco

  dns 10.2.2.2 10.3.2.3

  pool dog

  acl 199

!

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

Related Commands

Command	Description
crypto isakmp client configuration group	Specifies the policy profile of the group that will be defined.

address

To specify the IP address of the Rivest, Shamir, and Adelman (RSA) public key of the remote peer that you will manually configure in the keyring, use the address command in rsa-pubkey configuration mode. To remove the IP address, use the no form of this command.

address ip-address

no address ip-address

Syntax Description

ip-address

IP address of the remote peer.

Defaults

No default behavior or values

Command Modes

Rsa-pubkey configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Before you can use this command, you must enter the rsa-pubkey command in the crypto keyring mode.

Examples

The following example specifies the RSA public key of an IP Security (IPSec) peer:

Router(config)# crypto keyring vpnkeyring

Router(conf-keyring)# rsa-pubkey name host.vpn.com

Router(config-pubkey-key)# address 10.5.5.1

Router(config-pubkey)# key-string

Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973

Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5

Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8

Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB

Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B

Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21

Router(config-pubkey)# quit

Router(config-pubkey-key)# exit

Router(conf-keyring)# exit

Related Commands

Command	Description
crypto keyring	Defines a crypto keyring to be used during IKE authentication.
key-string	Specifies the RSA public key of a remote peer.
rsa-pubkey	Defines the RSA manual key to be used for encryption or signatures during IKE authentication.

addressed-key

To specify which peer's RSA public key you will manually configure, use the addressed-key command in public key chain configuration mode.

addressed-key key-address [encryption | signature]

Syntax Description

key-address	Specifies the IP address of the remote peer's RSA keys.
encryption	(Optional) Indicates that the RSA public key to be specified will be an encryption special usage key.
signature	(Optional) Indicates that the RSA public key to be specified will be a signature special usage key.

Defaults

If neither the encryption nor signature keywords are used, general purpose keys will be specified.

Command Modes

Public key chain configuration. This command invokes public key configuration mode.

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Use this command or the named-key command to specify which IP Security peer's RSA public key you will manually configure next.

Follow this command with the key string command to specify the key.

If the IPSec remote peer generated general-purpose RSA keys, do not use the encryption or signature keywords.

If the IPSec remote peer generated special-usage keys, you must manually specify both keys: use this command and the key-string command twice and use the encryption and signature keywords respectively.

Examples

The following example manually specifies the RSA public keys of two IPSec peers. The peer at 10.5.5.1 uses general-purpose keys, and the other peer uses special-usage keys.

Router(config)# crypto key pubkey-chain rsa

Router(config-pubkey-chain)# named-key otherpeer.example.com

Router(config-pubkey-key)# address 10.5.5.1

Router(config-pubkey-key)# key-string

Router(config-pubkey)# 005C300D 06092A86 4886F70D 01010105

Router(config-pubkey)# 00034B00 30480241 00C5E23B 55D6AB22

Router(config-pubkey)# 04AEF1BA A54028A6 9ACC01C5 129D99E4

Router(config-pubkey)# 64CAB820 847EDAD9 DF0B4E4C 73A05DD2

Router(config-pubkey)# BD62A8A9 FA603DD2 E2A8A6F8 98F76E28

Router(config-pubkey)# D58AD221 B583D7A4 71020301 0001

Router(config-pubkey)# quit

Router(config-pubkey-key)# exit

Router(config-pubkey-chain)# addressed-key 10.1.1.2 encryption

Router(config-pubkey-key)# key-string

Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973

Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5

Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8

Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB

Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B

Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21

Router(config-pubkey)# quit

Router(config-pubkey-key)# exit

Router(config-pubkey-chain)# addressed-key 10.1.1.2 signature

Router(config-pubkey-key)# key-string

Router(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCC

Router(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228

Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882E

Router(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16

Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4

Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1

Router(config-pubkey)# quit

Router(config-pubkey-key)# exit

Router(config-pubkey-chain)# exit

Router(config)#

Related Commands

Command	Description
crypto key pubkey-chain rsa	Enters public key configuration mode (to allow you to manually specify the RSA public keys of other devices).
key-string (IKE)	Specifies the RSA public key of a remote peer.
named-key	Specifies which peer RSA public key you will manually configure.
show crypto key pubkey-chain rsa	Displays peer RSA public keys stored on your router.

administrator authentication list

To authenticate an administrative introducer for a Secure Device Provisioning (SDP) transaction, use the administrator authentication list command in tti-registrar configuration mode. To disable administrative introducer authentication, use the no form of this command.

administrator authentication list list-name

no administrator authentication list list-name

Syntax Description

list-name

Name of list.

Defaults

All introducers are authenticated as users; their username is used directly to build the device name.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

When you use the administrator authentication list command in SDP transactions, the RADIUS or TACACS+ authentication, authorization, and accounting (AAA) server checks for a valid account by looking at the username and password.

The authentication list and the authorization list usually both point to the same AAA list. It is possible that the lists can be on different databases, but it is generally not recommended.

Examples

The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:

Router(config)# crypto provisioning registrar

Router(tti-registrar)# pki-server mycs

Router(tti-registrar)# administrator authentication list authen-rad

Router(tti-registrar)# administrator authorization list author-rad

Router(tti-registrar)# authentication list authen-tac

Router(tti-registrar)# authorization list author-tac

Router(tti-registrar)# template username ftpuser password ftppwd

Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt

Router(tti-registrar)# end

Related Commands

Command	Description
administrator authorization list	Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for an administrative introducer in an SDP transaction.
authentication list (tti-registrar)	Authenticates an introducer in an SDP transaction.
authorization list (tti-registrar)	Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP transaction.

administrator authorization list

To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner for an administrative introducer in a Secure Device Provisioning (SDP) transaction, use the administrator authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.

administrator authorization list list-name

no administrator authorization list list-name

Syntax Description

list-name

Name of list.

Defaults

There is no authorization information requested from the authentication, authorization, and accounting (AAA) server for the administrator.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

When you use the administrator authorization list command in SDP transactions, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authorization list are usually on the same database, but they can be on different AAA databases. (Storing lists on different databases is not recommended.)

When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:

user Password <userpassword>

   cisco-avpair="ttti:subjectname=<<DN subjectname>>"

   cisco-avpair="tti:iosconfig#<<value>>"

   cisco-avpair="tti:iosconfig#<<value>>"

   cisco-avpair="tti:iosconfig#=<<value>>"

---

Note The existence of a valid AAA username record is enough to pass the authentication check. The cisco-avpair=tti information is necessary only for the authorization check.

---

If a subject name were received in the authorization response, the registrar stores it in the enrollment database, and that subject name overrides the subject name that is supplied in the subsequent certificate request (PKCS10) from the petitioner device.

The numbered tti:iosconfig values are expanded into the Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.

---

Note The template configuration location may include a variable $n, which is expanded to the name that the administrator enters in the additional SDP dialog.

---

Examples

The following example shows that an administrative authentication list named authen-rad and an administrative authorization list named author-rad have been configured on a RADIUS AAA server; a user authentication list named authen-tac and a user authorization list named author-tac have been configured on a TACACS+ server:

Router(config)# crypto provisioning registrar

Router(tti-registrar)# pki-server mycs

Router(tti-registrar)# administrator authentication list authen-rad

Router(tti-registrar)# administrator authorization list author-rad

Router(tti-registrar)# authentication list authen-tac

Router(tti-registrar)# authorization list author-tac

Router(tti-registrar)# template username ftpuser password ftppwd

Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt

Router(tti-registrar)# end

Related Commands

Command	Description
administrator authentication list	Authenticates an administrative introducer for an SDP transaction.
authentication list (tti-registrar)	Authenticates a user introducer for an SDP transaction.
authorization list (tti-registrar)	Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP operation.

appfw policy-name

To define an application firewall policy and put the router in application firewall policy configuration mode, use the appfw policy-name command in global configuration mode. To remove a policy from the router configuration, use the no form of this command.

appfw policy-name policy-name

no appfw policy-name policy-name

Syntax Description

policy-name

Name of application policy.

Defaults

If this command is not issued, an application firewall policy cannot be created.

Command Modes

Global configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

This command puts the router in application firewall policy (appfw-policy-protocol) configuration mode, which allows you to begin defining the application firewall policy that will later be applied to the Cisco IOS Firewall via the ip inspect name command.

What Is an Application Firewall Policy?

The application firewall uses static signatures to detect security violations. A static signature is a collection of parameters that specifies which protocol conditions must be met before an action is taken. (For example, a signature may specify that an HTTP data stream containing the POST method must reset the connection.) These protocol conditions and reactions are defined by the end user via a command-line interface (CLI) to form an application firewall policy (also known as a security policy).

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.

appfw policy-name mypolicy

 application http

  strict-http action allow alarm

  content-length maximum 1 action allow alarm

  content-type-verification match-req-rsp action allow alarm

  max-header-length request 1 response 1 action allow alarm

  max-uri-length 1 action allow alarm

  port-misuse default action allow alarm

  request-method rfc default action allow alarm

  request-method extension default action allow alarm

  transfer-encoding type default action allow alarm

!

!

! Apply the policy to an inspection rule. 

ip inspect name firewall appfw mypolicy

ip inspect name firewall http

!

!

! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.

interface FastEthernet0/0

 ip inspect firewall in

!

!

Related Commands

Command	Description
application	Puts the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol.
ip inspect name	Defines a set of inspection rules.

application (application firewall policy)

To put the router in appfw-policy-protocol configuration mode and begin configuring inspection parameters for a given protocol, use the application command in application firewall policy configuration mode. To remove protocol-specific rules, use the no form of this command.

application protocol

no application protocol

Syntax Description

protocol

Protocol-specific traffic will be inspected. Currently, the only supported protocol is HTTP (specified via the http keyword), which defines the web policy.

Defaults

You cannot set up protocol-specific inspection parameters.

Command Modes

Application firewall policy configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

This command puts the router in appfw-policy-protocol configuration mode, where "protocol" is dependent upon the specified protocol. Because HTTP is currently the only available protocol, the configuration mode is "appfw-policy-http."

HTTP-Specific Inspection Commands

After you issue the application command and enter the appfw-policy-http configuration mode, begin configuring inspection parameters for HTTP traffic by issuing any of the following commands:

•audit-trail

•content-length

•content-type-verification

•max-header-length

•max-uri-length

•port-misuse

•request-method

•strict-http

•timeout

•transfer-encoding

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.

appfw policy-name mypolicy

 application http

  strict-http action allow alarm

  content-length maximum 1 action allow alarm

  content-type-verification match-req-rsp action allow alarm

  max-header-length request 1 response 1 action allow alarm

  max-uri-length 1 action allow alarm

  port-misuse default action allow alarm

  request-method rfc default action allow alarm

  request-method extension default action allow alarm

  transfer-encoding type default action allow alarm

!

!

! Apply the policy to an inspection rule. 

ip inspect name firewall appfw mypolicy

ip inspect name firewall http

!

!

! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.

interface FastEthernet0/0

 ip inspect firewall in

!

!

Related Commands

Command	Description
appfw policy-name	Defines an application firewall policy and puts the router in application firewall policy configuration mode.

arap authentication

To enable authentication, authorization, and accounting (AAA) authentication for AppleTalk Remote Access Protocol (ARAP) on a line, use the arap authentication command in line configuration mode. To disable authentication for an ARAP line, use the no form of this command.

arap authentication {default | list-name} [one-time]

no arap authentication {default | list-name}

---

Caution If you use a list-name value that was not configured with the aaa authentication arap command, ARAP will be disabled on this line.

---

Syntax Description

default	Default list created with the aaa authentication arap command.
list-name	Indicated list created with the aaa authentication arap command.
one-time	(Optional) Accepts the username and password in the username field.

Defaults

ARAP authentication uses the default set with aaa authentication arap command. If no default is set, the local user database is checked.

Command Modes

Line configuration

Command History

Release	Modification
10.3	This command was introduced.
11.0	The one-time keyword was added.

Usage Guidelines

This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default keyword. Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Examples

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARAP line 7:

line 7

 arap authentication MIS-access

Related Commands

Command	Description
aaa authentication arap	Enables an AAA authentication method for ARAP using TACACS+.

attribute (server-group)

To add attributes to an accept or reject list, use the attribute command in server-group configuration mode. To remove attributes from the list, use the no form of this command.

attribute value1 [value2 [value3]...]

no attribute value1 [value2 [value3]...]

Syntax Description

value1 [value2 [value3]...]

Attributes to include in an accept or reject list. The value can be a single integer, such as 7, or a range of numbers, such as 56-59. At least one attribute value must be specified.

Defaults

If this command is not enabled, all attributes are sent to the network access server (NAS).

Command Modes

Server-group configuration

Command History

Release	Modification
12.2(1)DX	This command was introduced.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T	This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T	Platform support was added for the Cisco 7401 ASR.

Usage Guidelines

Used in conjunction with the radius-server attribute list command (which defines the list name), the attribute command can be used to add attributes to an accept or reject list (also known as a filter). Filters are used to prevent the network access server (NAS) from receiving and processing unwanted attributes for authorization or accounting.

The attribute command can be used multiple times to add attributes to a filter. However, if a required attribute is specified in a reject list, the NAS will override the command and accept the attribute. Required attributes are as follows:

•For authorization:

–6 (Service-Type)

–7 (Framed-Protocol)

•For accounting:

–4 (NAS-IP-Address)

–40 (Acct-Status-Type)

–41 (Acct-Delay-Time)

–44 (Acct-Session-ID)

---

Note The user will not receive an error at the point of configuring a reject list for required attributes because the list does not specify a purpose—authorization or accounting. The server will determine whether an attribute is required when it is known what the attribute is to be used for.

---

Examples

The following example shows how to add attributes 12, 217, 6-10, 13, 64-69, and 218 to the list name "standard":

radius-server attribute list standard

attribute 12,217,6-10,13

attribute 64-69,218

Related Commands

Command	Description
accounting (server-group configuration)	Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.
authorization (server-group configuration)	Specifies an accept or reject list for attributes that are returned in an Access-Accept packet from the RADIUS server.
radius-server attribute list	Defines an accept or reject list name.

attribute nas-port format

To configure services to use specific named methods for different service types, which can be set to use their own respective RADIUS server groups, use the attribute nas-port format command in server-group configuration mode. To remove the override, which is to use specific named methods for different service types, use the no form of this command.

attribute nas-port format format-type [string]

no attribute nas-port format format-type [string]

Syntax Description

format-type	Type of format (see Table 12).
string	(Optional) Pattern of the data format (see Table 13).

Defaults

Default format type is used for all services.

Command Modes

Server-group configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

The following format types may be configured.

Table 12 Format Types

a	Format is type, channel, or port.
b	Either interface(16), isdn(16), or async(16).
c	Data format (bits): shelf(2), slot(4), port(5), or channel(5).
d	Data format (bits): slot(4), module(1), port(3), vpi(8), or vci(16).
e	Configurable data format (see Table 13).

The following characters may be used in the string pattern of the data format.

Table 13 Characters Supported by Format-Type e 

0	Zero
1	One
f	DS0 shelf
s	DS0 slot
a	DS0 adapter
P	DS0 port
i	DS0 subinterface
c	DS0 channel
F	Async shelf
S	Async slot
P	Async port
L	Async line
S	PPPoX slot (includes PPP over ATM [PPPoA], PPP over Ethernet over ATM [PPPoEoA], PPP over Ethernet over Ethernet [PPPoEoE], PPP over Ethernet over VLAN [PPPoEoVLAN], and PPP over Ethernet over Queue in Queue [PPPoEoQinQ]).
A	PPPoX adapter
P	PPPoX port
V	PPPoX VLAN ID
I	PPPoX virtual path identifier (VPI)
C	PPPoX virtual channel indicator (VCI)
U	Session ID

Examples

The following example shows that a leased-line PPP client has chosen to send no RADIUS Attribute 5 while the default is set for format d:

interface Serial2/0

 no ip address

 encapsulation ppp

 ppp accounting SerialAccounting

 ppp authentication pap

aaa accounting network default start-stop group radius 

aaa accounting network SerialAccounting start-stop group group1

aaa group server radius group1

 server 64.101.159.172 auth-port 1645 acct-port 1646

 attribute nas-port none

radius-server host 64.101.159.172 auth-port 1645 acct-port 1646

radius-server attribute nas-port format d

Related Commands

Command	Description
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
ip radius source-interface	Forces RADIUS to use the IP adressing of a specified interface for all outgoing RADIUS packets.
radius-server host	Specifies a RADIUS server host.

attribute type

To define an attribute type that is to be added to an attribute list locally on a router, use the attribute type command in global configuration mode. To remove the attribute type from the list, use the no form of this command.

attribute type {name}{value} [service service] [protocol protocol] [tag]

no attribute type {name}{value} [service service] [protocol protocol] [tag]

Syntax Description

name	Defines the Cisco IOS authentication, authorization, and accounting (AAA) internal name of the Internet Engineering Task Force (IETF) RADIUS attribute to be added to the attribute list.
value	Defines a string, binary, or IPv4 address value. This is the RADIUS attribute that is being defined in Cisco IOS AAA format. When a string is added to the attribute value, the string should be inside quotation marks. For example, if the value is "interface-config" and the string is "ip unnumbered FastEthernet0," you would write interface-config "ip unnumbered FastEthernet0".
service service	(Optional) Access method, which is typically PPP.
protocol protocol	(Optional) Type of protocol, which can be ATM, IP, or virtual private dial-up network (VPDN).
tag	(Optional) Provides a means of grouping attributes that refer to the same VPDN tunnel.

Defaults

An attribute type is not added to the attribute list.

Command Modes

Global configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

Attributes are added to the attribute list each time a new attribute type is defined.

When using the no form of this command, the entire line must be provided to avoid ambiguity.

Attributes are not validated at configuration. The AAA subsystem "knows" only the format that is expected by the services when the service defines a given attribute inside a definition file. However, it cannot validate the attribute information itself. This validation is done by a service when it first uses the attribute. This validation applies whether the AAA server is RADIUS or TACACS+. Thus, if you are not familiar with configuring a AAA server, it is advisable that you test your attribute list on a test device with the service that will be using the list before configuring and using it in a production environment.

Examples

The following example shows that the attribute list named "TEST" is to be added to the subscriber profile "cisco.com." The attribute TEST includes the attribute types interface-config "ip unnumbered FastEthernet0" and interface-config "ip vrf forwarding blue."

aaa authentication ppp template1 local

aaa authorization network template1 local

!

aaa attribute list TEST

   attribute type interface-config "ip unnumbered FastEthernet0" service ppp protocol lcp

   attribute type interface-config "ip vrf forwarding blue" service ppp protocol lcp

!

ip vrf blue

 description vrf blue template1

 rd 1:1

 route-target export 1:1

 route-target import 1:1

!

subscriber authorization enable

!

subscriber profile cisco.com

 service local

 aaa attribute list TEST

!

bba-group pppoe grp1

 virtual-template 1

 service profile cisco.com

!

interface Virtual-Template1

 no ip address

 no snmp trap link-status

 no peer default ip address

 no keepalive

 ppp authentication pap template1

 ppp authorization template1

!

Related Commands

Command	Description
aaa attribute list	Defines a AAA attribute list locally on a router.

audit-trail

To turn audit trail messages on or off, use the audit-trail command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.

audit-trail {on | off}

no audit-trail {on | off}

Syntax Description

on	Audit trail messages are generated.
off	Audit trail messages are not generated.

Defaults

If this command is not issued, the default value specified via the ip inspect audit-trail command will be used.

Command Modes

appfw-policy-http configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

The audit-trail command will override the ip inspect audit-trail global command.

Examples

The following example, which shows how to define the HTTP application firewall policy "mypolicy," enables audit trail messages for the given policy. This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.

appfw policy-name mypolicy

 application http

  audit trail on

  strict-http action allow alarm

  content-length maximum 1 action allow alarm

  content-type-verification match-req-rsp action allow alarm

  max-header-length request 1 response 1 action allow alarm

  max-uri-length 1 action allow alarm

  port-misuse default action allow alarm

  request-method rfc default action allow alarm

  request-method extension default action allow alarm

  transfer-encoding type default action allow alarm

!

!

! Apply the policy to an inspection rule. 

ip inspect name firewall appfw mypolicy

ip inspect name firewall http

!

!

! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.

interface FastEthernet0/0

 ip inspect firewall in

!

!

Related Commands

Command	Description
ip inspect audit-trail	Turns on audit trail messages.

authentication (IKE policy)

To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.

authentication {rsa-sig | rsa-encr | pre-share}

no authentication

Syntax Description

rsa-sig	Specifies RSA signatures as the authentication method.
rsa-encr	Specifies RSA encrypted nonces as the authentication method.
pre-share	Specifies preshared keys as the authentication method.

Defaults

RSA signatures

Command Modes

ISAKMP policy configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

Use this command to specify the authentication method to be used in an IKE policy.

If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).

If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and commands.)

If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)

Examples

The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):

crypto isakmp policy 15

 authentication pre-share

 exit

Related Commands

Command	Description
crypto isakmp key	Configures a preshared authentication key.
crypto isakmp policy	Defines an IKE policy.
crypto key generate rsa (IKE)	Generates RSA key pairs.
encryption (IKE policy)	Specifies the encryption algorithm within an IKE policy.
group (IKE policy)	Specifies the Diffie-Hellman group identifier within an IKE policy.
hash (IKE policy)	Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy)	Specifies the lifetime of an IKE SA.
show crypto isakmp policy	Displays the parameters for each IKE policy.

authentication command

To specify the HTTP command that is sent to the certification authority (CA) for authentication, use the authentication command in ca-profile-enroll configuration mode.

authentication command {http-command}

Syntax Description

http-command

Defines the HTTP command. Note The http-command argument is not the HTTP URL.

Defaults

No default behavior or values

Command Modes

Ca-profile-enroll configuration

Command History

Release	Modification
12.2(13)ZH	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

Use the authentication command to send the HTTP request to the CA server for certificate authentication. Before enabling this command, you must use the authentication url command.

After enabling this command, you can use the parameter command to specify enrollment parameters for your enrollment profile.

Examples

The following example shows how to configure certificate authentication via HTTP for the enrollment profile named "E":

crypto ca trustpoint Entrust

  enrollment profile E

  serial

crypto ca profile enrollment E

 authentication url  http://entrust:81

 authentication command  GET /certs/cacert.der

 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe

 enrollment command  POST reference_number=$P2&authcode=$P1

&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ

 parameter 1 value aaaa-bbbb-cccc

 parameter 2 value 5001

Related Commands

Command	Description
authentication url	Specifies the URL of the CA server to which to send authentication requests.
crypto ca profile enrollment	Defines an enrollment profile.
parameter	Specifies parameters for an enrollment profile.

authentication list (tti-registrar)

To authenticate the introducer in an Easy Secure Device Deployment (EzSDD) transaction, use the authentication list command in tti-registrar configuration mode. To disable the authentication, use the no form of this command.

authentication list list-name

no authentication list list-name

Syntax Description

list-name

Name of the list.

Defaults

An introducer is not authenticated.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

This command is used in EzSDD transactions. When the command is configured, the RADIUS or TACACS+ AAA server checks for a valid account by looking at the username and password.

The authentication list and the authorization list will usually both point to the same AAA list, but it is possible that the lists can be on different databases. This latter scenario is not recommended.

Examples

The following example shows that an authentication list named "authen-tac" has been configured. In this example, the authentication list is on a TACACS+ AAA server and the authorization list is on a RADIUS AAA server.

Router(config)# crypto wui tti registrar

Router(tti-registrar)# pki-server mycs

Router(tti-registrar)# authentication list authen-tac

Router(tti-registrar)# authorization list author-rad

Router(tti-registrar)# template username ftpuser password ftppwd

Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt

Router(tti-registrar)# end

Related Commands

Command	Description
authorization list (tti-registrar)	Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner in an EzSDD operation.
debug crypto wui	Displays information about an EzSDD operation.
template config	Specifies a remote URL for a Cisco IOS CLI configuration template.
template username	Establishes a template username and password to access the configuration template on the file system.

authentication terminal

To manually cut-and-paste certificate authentication requests, use the authentication terminal command in ca-profile-enroll configuration mode. To delete a current authentication request, use the no form of this command.

authentication terminal

no authentication terminal

Syntax Description

This command has no arguments or keywords.

Defaults

An authentication request is not specified.

Command Modes

Ca-profile-enroll configuration

Command History

Release	Modification
12.2(13)ZH	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

A user may manually cut-and-paste certificate authentication requests when a network connection between the router and certification authority (CA) is not available. After this command is enabled, the authentication request is printed on the console terminal so that it can be manually copied (cut) by the user.

Examples

The following example shows how to specify manual certificate authentication and certificate enrollment via HTTP:

crypto ca profile enrollment E

 authentication terminal

 enrollment terminal

 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe

 enrollment command  POST reference_number=$P2&authcode=$P1

&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ

 parameter 1 value aaaa-bbbb-cccc

 parameter 2 value 5001

Related Commands

Command	Description
crypto ca profile enrollment	Defines an enrollment profile.

authentication trustpoint

To specify the trustpoint used to authenticate the Secure Device Provisioning (SDP) petitioner device's existing certificate, use the authentication trustpoint command in tti-registrar configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.

authentication trustpoint {trustpoint-label | use-any}

no authentication trustpoint {trustpoint-label | use-any}

Syntax Description

trustpoint-label	Name of trustpoint.
use-any	Use any configured trustpoint.

Defaults

If this command is not specified, the petitioner-signing certificate is not verified.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

Issue the authentication trustpoint command in tti-registrar configuration mode to validate the signing certificate that the petitioner used.

Examples

The following example shows how to specify the trustpoint mytrust for the petitioner-signing certificate:

crypto provisioning registrar

 authentication trustpoint mytrust

After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:

crypto pki trustpoint tti

 enrollment url http://pki1-36a.cisco.com:80 

 revocation-check crl

 rsakeypair tti 1024

 auto-enroll 70 

Related Commands

Command	Description
crypto ca trustpoint	Declares the CA that your router should use.
crypto provisioning petitioner	Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode.
trustpoint signing	Specifies the trustpoint associated with the SDP exchange between the petitioner and the registrar for signing the SDP data including the certificate.

authentication url

To specify the URL of the certification authority (CA) server to which to send authentication requests, use the authentication url command in ca-profile-enroll configuration mode. To delete the authentication URL from your enrollment profile, use the no form of this command.

authentication url url

no authentication url url

Syntax Description

url

URL of the CA server to which your router should send authentication requests. If you are using Simple Certificate Enrollment Protocol (SCEP) for enrollment, the url argument must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA. If you are using TFTP for enrollment, the url argument must be in the form tftp://certserver/file_specification. (If the URL does not include a file specification, the fully qualified domain name [FQDN] of the router will be used.)

Defaults

Your router does not recognize the CA URL until you declare one using this command.

Command Modes

Ca-profile-enroll configuration

Command History

Release	Modification
12.2(13)ZH	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Usage Guidelines

If you do not specify the authentication command after you enable the authentication url command, the authentication url command functions the same as the enrollment url url command in trustpoint configuration mode. That is, the authentication url command will then be used only for certificate enrollment—not authentication.

This command allows the user to specify a different URL or a different method for authenticating a certificate and enrolling a certificate; for example, manual authentication and TFTP enrollment.

Examples

The following example shows how to configure an enrollment profile for direct HTTP enrollment with a CA server. In this example, the authentication command is also present.

crypto ca trustpoint Entrust

  enrollment profile E

  serial

crypto ca profile enrollment E

 authentication url  http://entrust:81

 authentication command  GET /certs/cacert.der

 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe

 enrollment command  POST reference_number=$P2&authcode=$P1

&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ

 parameter 1 value aaaa-bbbb-cccc

 parameter 2 value 5001

The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via HTTP and manual certificate enrollment:

crypto ca profile enrollment E

 authentication url  http://entrust:81

 authentication command  GET /certs/cacert.der

 enrollment terminal

 parameter 1 value aaaa-bbbb-cccc

 parameter 2 value 5001

Related Commands

Command	Description
authentication command	Specifies the HTTP command that is sent to the CA for authentication.
crypto ca profile enrollment	Defines an enrollment profile.
enrollment	Specifies the enrollment parameters of your CA.

authorization

To enable authentication, authorization, and accounting (AAA) authorization for a specific line or group of lines, use the authorization command in line configuration mode. To disable authorization, use the no form of this command.

authorization {arap | commands level | exec | reverse-access} [default | list-name]

no authorization {arap | commands level | exec | reverse-access} [default | list-name]

Syntax Description

arap	Enables authorization for lines configured for AppleTalk Remote Access (ARA) protocol.
commands	Enables authorization on the selected lines for all commands at the specified privilege level.
level	Specific command level to be authorized. Valid entries are 0 through 15.
exec	Enables authorization to determine if the user is allowed to run an EXEC shell on the selected lines.
reverse-access	Enables authorization to determine if the user is allowed reverse access privileges.
default	(Optional) The name of the default method list, created with the aaa authorization command.
list-name	(Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command.

Defaults

Authorization is not enabled.

Command Modes

Line configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.

Examples

The following example enables command authorization (for level 15) using the method list named charlie on line 10:

line 10

 authorization commands 15 charlie

Related Commands

Command	Description
aaa authorization	Sets parameters that restrict user access to a network.

authorization (server-group)

To filter attributes in outbound Access Requests to the RADIUS server for purposes of authentication or authorization, use the authorization command in server-group configuration mode. To remove the filter on the authorization request or reply, use the no form of the command.

authorization [request | reply] [accept | reject] list-name

Syntax Description

request	(Optional) Defines filters for outgoing authorization Access Requests.
reply	(Optional) Defines filters for incoming authorization Accept or Reject packets and for outgoing accounting requests.
accept	(Optional) Indicates that the required attributes and the attributes specified in the list-name argument will be accepted. All other attributes will be rejected.
reject	(Optional) Indicates that the attributes specified in the list-name will be rejected. All other attributes will be accepted.
list-name	Defines the given name for the accept or reject list.

Defaults

If specific attributes are not accepted or rejected, all attributes will be accepted.

Command Modes

Server-group configuration

Command History

Release	Modification
12.2(1)DX	This command was introduced.
12.2(2)DD	This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B	This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(4)T	This command was integrated into Cisco IOS Release 12.2(4)T.
12.2(13)T	Platform support was added for the Cisco 7401ASR.
12.3(3)B	The request and reply keywords were added.
12.3(7)T	The request and reply keywords were integrated into Cisco IOS Release 12.3(7)T.

Usage Guidelines

An accept or reject list (also known as a filter) for RADIUS authorization allows users to configure the network access server (NAS) to restrict the use of specific attributes, thereby preventing the NAS from processing unwanted attributes.

Only one filter may be used for RADIUS authorization per server group.

---

Note The listname must be the same as the listname defined in the radius-server attribute list command, which is used with the attribute (server-group configuration) command to add to an accept or reject list.

---

Examples

The following example shows how to configure accept list "min-author" in an Access-Accept packet from the RADIUS server:

aaa new-model

aaa authentication ppp default group radius-sg

aaa authorization network default group radius-sg

aaa group server radius radius-sg

 server 1.1.1.1

 authorization accept min-author

!

radius-server host 1.1.1.1 key mykey1

radius-server attribute list min-author

 attribute 6-7

The following example shows that the attribute "all-attr" will be rejected in all outbound authorization Access Request messages:

aaa group server radius ras

 server 272.19.192.238 auth-port 1745 acct-port 1746

 authorization request reject all-attr

Related Commands

Command	Description
aaa authentication ppp	Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization	Sets parameters that restrict network access to the user.
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa new-model	Enables the AAA access control model.
accounting (server-group configuration)	Specifies an accept or reject list for attributes that are to be sent to the RADIUS server in an accounting request.
attribute (server-group configuration)	Adds attributes to an accept or reject list.
radius-server attribute list	Defines an accept or reject list name.

authorization (tti-registrar)

To enable authentication, authorization, and accounting (AAA) authorization for an introducer or a certificate, use the authorization command in tti-registrar configuration mode. To disable authorization, use the no form of this command.

authorization {login} | {certificate} | {login certificate}

no authorization {login} | {certificate} | {login certificate}

Syntax Description

login	Use the username of the introducer for AAA authorization.
certificate	Use the certificate of the petitioner for AAA authorization.
login certificate	Use the username of the introducer and the certificate of the petitioner for AAA authorization.

Defaults

If an authorization list is configured, then authorization is enabled by default.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

This command controls the authorization of the introduction. Authorization can be based on the following:

•The login of the petitioner (username and password) to the registrar

•The current certificate of the petitioner

•Both the login of the introducer and the current certificate of the petitioner

If you issue the authorization login command, the introducer logs in with a username and password such as ttiuser and mypassword, which are used against the configured authorization list to contact the AAA server and determine the appropriate authorization.

If you issue the authorization certificate command, the certificate of the petitioner is used to build an AAA username, which is used to obtain authorization information.

If you issue the authorization login certificate command, authorization for the introducer combines with authorization for the petitioner's current certificate. This means that two AAA authorization lookups occur. In the first lookup, the introducer username is used to retrieve any AAA attributes associated with the introducer. The second lookup is done using the configured certificate name field. If an AAA attribute appears in both lookups, the second one prevails.

Examples

The following example shows how to specify authorization for both the introducer and the current certificate of the petitioner:

crypto provisioning registrar

 authorization login certificate

Related Commands

Command	Description
authorization list (tti-registrar)	Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner for a user introducer in an SDP transaction.

authorization list (global)

To specify the authentication, authorization, and accounting (AAA) authorization list, use the authorization list command in global configuration mode. To disable the authorization list, use the no form of this command.

authorization list list-name

no authorization list list-name

Syntax Description

list-name

Name of the AAA authorization list.

Defaults

An authorization list is not configured.

Command Modes

Global configuration

Command History

Release	Modification
12.3(1)	This command was introduced.

Usage Guidelines

Use the authorization list command to specify a AAA authorization list. For components that do not support specifying the application label, a default label of "any" from the AAA server will provide authorization. Likewise, a label of "none" from the AAA database indicates that the specified certificate is not valid. (The absence of any application label is equivalent to a label of "none," but "none" is included for completeness and clarity.)

Examples

The following example shows that the AAA authorization list "maxaa" is specified:

aaa authorization network maxaaa group tacac+

aaa new-model

crypto ca trustpoint msca

enrollment url http://caserver.mycompany.com

 authorization list maxaa

 authorization username subjectname serialnumber

Related Commands

Command	Description
authorization username	Specifies the parameters for the different certificate fields that are used to build the AAA username.

authorization list (tti-registrar)

To specify the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS command-line interface (CLI) snippet that is sent back to the petitioner in an Easy Secure Device Deployment (EzSDD) operation, use the authorization list command in tti-registrar configuration mode. To disable the subject name and list of template variables, use the no form of this command.

authorization list list-name

no authorization list list-name

Syntax Description

list-name

Name of the list.

Defaults

There is no authorization list on the AAA server.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

This command is used in EzSDD operations. When the command is used, the RADIUS or TACACS+ AAA server stores the subject name and template variables. The name and variables are sent back to the petitioner in the Cisco IOS CLI snippets. This list and the authorization list are usually on the same database, but they can be on different AAA databases. (Storing lists on different databases is not recommended.)

When a petitioner makes an introducer request, multiple queries are sent to the AAA list database on the RADIUS or TACACS+ server. The queries search for entries of the following form:

user Password <userpassword>

   cisco-avpair="ttti:subjectname=<<DN subjectname>>"

   cisco-avpair="tti:iosconfig#<<value>>"

   cisco-avpair="tti:iosconfig#<<value>>"

   cisco-avpair="tti:iosconfig#=<<value>>"

---

Note The existence of a valid AAA username record is enough to pass the authentication check. The "cisco-avpair=tti" information is necessary only for the authorization check.

---

If a subject name was received in the authorization response, the TTI registrar stores it in the enrollment database, and that "subjectname" overrides the subject name that is supplied in the subsequent certificate request (PKCS10) from the petitioner device.

The numbered "tti:iosconfig" values are expanded into the TTI Cisco IOS snippet that is sent to the petitioner. The configurations replace any numbered ($1 through $9) template variable. Because the default Cisco IOS snippet template does not include the variables $1 through $9, these variables are ignored unless you configure an external Cisco IOS snippet template. To specify an external configuration, use the template config command.

---

Note The template configuration location may include a variable "$n," which is expanded to the name with which the user is logged in.

---

Examples

The following example shows that the authorization list name is "author-rad." In this example, the authentication list is on a TACACS+ AAA server and the authorization list is on a RADIUS AAA server.

Router(config)# crypto wui tti registrar

Router(tti-registrar)# pki-server mycs

Router(tti-registrar)# authentication list authen-tac

Router(tti-registrar)# authorization list author-rad

Router(tti-registrar)# template username ftpuser password ftppwd

Router(tti-registrar)# template config ftp://ftp-server/iossnippet.txt

Router(tti-registrar)# end

Related Commands

Command	Description
authentication list (tti-registrar)	Authenticates the introducer in an EzSDD operation.
debug crypto wui	Displays information about an EzSDD operation.
template config	Specifies a remote URL for a Cisco IOS CLI configuration template.
template username	Establishes a template username and password to access the configuration template on the file system.

authorization username

To specify the parameters for the different certificate fields that are used to build the authentication, authorization and accounting (AAA) username, use the authorization username command in global configuration mode. To disable the parameters, use the no form of this command.

authorization username {subjectname subjectname}

no authorization username {subjectname subjectname}

Syntax Description

subjectname

AAA username that is generated from the certificate subject name.

subjectname

Builds the username. The following are options that may be used as the AAA username: •all—Entire distinguished name (subject name) of the certificate. •commonname—Certificate common name. •country—Certificate country. •email—Certificate email. •ipaddress—Certificate ipaddress. •locality—Certificate locality. •organization—Certificate organization. •organizationalunit—Certificate organizational unit. •postalcode—Certificate postal code. •serialnumber—Certificate serial number. •state—Certificate state field. •streetaddress—Certificate street address. •title—Certificate title. •unstructuredname—Certificate unstructured name.

Defaults

Parameters for the certificate fields are not specified.

Command Modes

Global configuration

Command History

Release	Modification
12.3(1)	This command was introduced.
12.3(11)T	The all option for the subjectname argument was added.
12.2(18)SXE	This command was integrated into Cisco IOS Release 12.2(18)SXE.

Examples

The following example shows that the serialnumber option is to be used as the authorization username:

aaa authorization network maxaaa group tacac+

aaa new-model

crypto ca trustpoint msca

enrollment url http://caserver.mycompany.com

 authorization list maxaaa

 authorization username subjectname serialnumber

Related Commands

Command	Description
authorization list	Specifies the AAA authorization list.

authorization username (tti-registrar)

To specify the parameters for the different certificate fields that are used to build the authentication, authorization, and accounting (AAA) username, use the authorization username command in tti-registrar configuration mode. To disable the parameters, use the no form of this command.

authorization username {subjectname subjectname}

no authorization username {subjectname subjectname}

Syntax Description

subjectname

AAA username that is generated from the certificate subject name.

subjectname

Builds the username. The following options can be used as the AAA username: •all—Entire distinguished name (subject name) of the certificate •commonname—Certificate common name •country—Certificate country •email—Certificate e-mail •ipaddress—Certificate IP address •locality—Certificate locality •organization—Certificate organization •organizationalunit—Certificate organizational unit •postalcode—Certificate postal code •serialnumber—Certificate serial number •state—Certificate state field •streetaddress—Certificate street address •title—Certificate title •unstructuredname—Certificate unstructured name

Defaults

Parameters for the certificate fields are not specified.

Command Modes

tti-registrar configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following example shows that the serialnumber option is used as the authorization username:

aaa authorization network maxaaa group tacac+

aaa new-model

crypto ca trustpoint msca

enrollment url http://caserver.mycompany.com

 authorization list maxaaa

 authorization username subjectname serialnumber

Related Commands

Command	Description
authorization list	Specifies the AAA authorization list.

auth-type

To set policy for devices that are dynamically authenticated or unauthenticated, use the auth-type command in identity profile configuration mode. To remove the policy that was specified, use the no form of this command.

auth-type {authorize | not-authorize} policy policy-name

no auth-type {authorize | not-authorize} policy policy-name

Syntax Description

authorize	Policy is specified for all authorized devices.
not-authorize	Policy is specified for all unauthorized devices.
policy policy-name	Specifies the name of the identity policy to apply for the associated authentication result.

Defaults

A policy is not set for authorized or unauthorized devices.

Command Modes

Identity profile configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

This command is used when a device is dynamically authenticated or unauthenticated by the network access device, and the device requires the name of the policy that should be applied for that authentication result.

Examples

The following example shows that 802.1x authentication applies to the identity policy "grant" for all dynamically authenticated hosts:

Router (config)# ip access-list extended allow-acl

Router (config-ext-nacl)# permit ip any any

Router (config-ext-nacl)# exit

Router (config)# identity policy grant

Router (config-identity-policy)# access-group allow-acl

Router (config-identity-policy)# exit

Router (config)# identity profile dot1x 

Router (config-identity-prof)# auth-type authorize policy grant

Related Commands

Command	Description
identity policy	Creates an identity policy.
identity profile dot1x	Creates an 802.1x identity profile.

auto secure

To secure the management and forwarding planes of the router, use the auto secure command in privileged EXEC mode.

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]

Syntax Description

management	(Optional) Only the management plane will be secured.
forwarding	(Optional) Only the forwarding plane will be secured.
no-interact	(Optional) The user will not be prompted for any interactive configurations. If this keyword is not enabled, the command will show the user the noninteractive configuration and the interactive configurations thereafter.
full	(Optional) The user will be prompted for all interactive questions. This is the default.
ntp	(Optional) Specifies the configuration of the Network Time Protocol (NTP) feature in the AutoSecure command line-interface (CLI).
login	(Optional) Specifies the configuration of the Login feature in the AutoSecure CLI.
ssh	(Optional) Specifies the configuration of the Secure Shell (SSH) feature in the AutoSecure CLI.
firewall	(Optional) Specifies the configuration of the firewall feature in the AutoSecure CLI.
tcp-intercept	(Optional) Specifies the configuration of the TCP-Intercept feature in the AutoSecure CLI.

Defaults

Autosecure is not enabled.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(1)	This command was introduced.
12.2(18)S	This command was integrated into Cisco IOS Release 12.2(18)T.
12.3(4)T	The following keywords were added in Cisco IOS Release 12.3(4)T: full, ntp, login, ssh, firewall, and tcp-intercept.
12.3(8)T	Support for the roll-back functionality and system logging messages were added to Cisco IOS Release 12.3(8)T.

Usage Guidelines

The auto secure command allows a user to disable common IP services that can be exploited for network attacks by using a single CLI. This command eliminates the complexity of securing a router both by automating the configuration of security features and by disabling certain features that are enabled by default and that could be exploited for security holes.

---

Caution If you are using Security Device Manager (SDM), you must manually enable the HTTP server via the ip http server command.

---

This command takes you through a semi-interactive session (also known as the AutoSecure dialogue) in which to secure the management and forwarding planes. This command gives you the option to secure just the management or forwarding plane; if neither option is selected, the dialogue will ask you to configure both planes.

---

Caution If your device is managed by a network management (NM) application, securing the management plane could turn off vital services and disrupt the NM application support.

---

This command also allows you to go through all noninteractive configuration portions of the dialogue before the interactive portions. The noninteractive portions of the dialogue can be enabled by selecting the optional no-interact keyword.

Roll-back and System Logging Message Support

In Cisco IOS Release 12.3(8)T, support for roll-back of the AutoSecure configuration is introduced. Roll-back enables a router to revert back to its preautosecure configuration state if the AutoSecure configuration fails.

System Logging Messages capture any changes or tampering of the AutoSecure configuration that were applied on the running configuration.

---

Note Prior to Cisco IOS Release 12.3(8)T, roll-back of the AutoSecure configuration is unavailable; thus, you should always save the running configuration before configuring AutoSecure.

---

Examples

The following example shows how to enable AutoSecure to secure only the management plane:

Router# auto secure management

Related Commands

Command	Description
ip http server	Enables the HTTP server on your system, including the Cisco web browser user interface.
show auto secure config	Displays AutoSecure configurations.

auto-enroll

To enable certificate autoenrollment, use the auto-enroll command in ca-trustpoint configuration mode. To disable certificate autoenrollment, use the no form of this command.

auto-enroll [percent] [regenerate]

no auto-enroll [percent] [regenerate]

Syntax Description

percent	(Optional) The renewal percentage parameter causes the router to request a new certificate after the specified percent lifetime of the current certificate is reached. If not specified, the request for a new certificate is made when the old certificate expires. The specified percent value must not be less than 10.
regenerate	(Optional) Generates a new key for the certificate even if the named key already exists.

Defaults

Certificate autoenrollment is not enabled.

Command Modes

Ca-trustpoint configuration

Command History

Release	Modification
12.2(8)T	This command was introduced.
12.3(7)T	The percent argument was added to support key rollover.

Usage Guidelines

Use the auto-enroll command to automatically request a router certificate from the certification authority (CA) that is using the parameters in the configuration. This command will generate a new RSA key only if a new key does not exist with the requested label.

A trustpoint that is configured for certificate autoenrollment will attempt to reenroll when the router certificate expires.

Use the regenerate keyword to provide seamless key rollover for manual certificate enrollment. A new key pair is created with a temporary name, and the old certificate and key pair are retained until a new certificate is received from the CA. When the new certificate is received, the old certificate and key pair are discarded and the new key pair is renamed with the name of the original key pair. Some CAs require a new key for reenrollment to work.

If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable:

! RSA keypair associated with trustpoint is exportable

Examples

The following example shows how to configure the router to autoenroll with the CA named "trustme1" on startup. In this example, the regenerate keyword is issued, so a new key will be generated for the certificate. The renewal percentage is configured as 90 so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires.

crypto ca trustpoint trustme1

 enrollment url http://trustme1.company.com/

 subject-name OU=Spiral Dept., O=tiedye.com

 ip-address ethernet0

 serial-number none

 auto-enroll 90 regenerate

 password revokeme

 rsakeypair trustme1 2048

 exit

crypto ca authenticate trustme1

Related Commands

Command	Description
crypto ca authenticate	Retrieves the CA certificate and authenticates it.
crypto ca trustpoint	Declares the CA that your router should use.

backup-gateway

To configure a server to "push down" a list of backup gateways to the client, use the backup-gateway command in global configuration mode. To remove a backup gateway, use the no form of this command.

backup-gateway {ip-address | hostname}

no backup-gateway {ip-address | hostname}

Syntax Description

ip-address	IP address of the gateway.
hostname	Host name of the gateway.

Defaults

A list of backup gateways is not configured.

Command Modes

Global configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Usage Guidelines

Before using the backup-gateway command, you must first configure the crypto isakmp client configuration group command.

An example of an attribute-value (AV) pair for the backup gateway attribute is as follows:

ipsec:ipsec-backup-gateway=10.1.1.1

---

Note•If you have to configure more than one backup gateway, you have to add a backup-gateway command line for each.

•You can configure a maximum of 10 backup gateways.

---

Examples

The following example shows that gateway 10.1.1.1 has been configured as a backup gateway:

crypto isakmp client configuration group group1

 backup-gateway 10.1.1.1

The following output example shows that five backup gateways have been configured:

crypto isakmp client configuration group sdm

 key 6 RMZPPMRQMSdiZNJg`EBbCWTKSTi\d[

 pool POOL1

 acl 150

 backup-gateway 172.12.12.12

 backup-gateway 172.12.12.13

 backup-gateway 172.12.12.14

 backup-gateway 172.12.12.130

 backup-gateway 172.12.12.131

 max-users 250

 max-logins 2

Related Commands

Command	Description
crypto isakmp client configuration group	Specifies to which group a policy profile will be defined.

bidirectional

To enable incoming and outgoing IP traffic to be exported across a monitored interface, use the bidirectional command in router IP traffic export (RITE) configuration mode. To return to the default functionality, use the no form of this command.

bidirectional

no bidirectional

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not enabled, only incoming traffic is exported.

Command Modes

RITE configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.
12.2(25)S	This command was integrated into Cisco IOS Release 12.2(25)S.

Usage Guidelines

By default, only incoming IP traffic is exported. If you choose to export outgoing IP traffic, you must issue both the bidirectional command, which enables outgoing traffic to be exported, and the outgoing command, which specifies how the outgoing traffic will be filtered.

The ip traffic-export profile command allows you to begin a profile that can be configured to export IP packets as they arrive or leave a selected router ingress interface. A designated egress interface exports the captured IP packets out of the router. Thus, the router can export unaltered IP packets to a directly connected device.

Examples

The following example shows how to export both incoming and outgoing IP traffic on the FastEthernet interface:

Router(config)# ip traffic-export profile johndoe

Router(config-rite)# interface FastEthernet1/0.1

Router(config-rite)# bidirectional 

Router(config-rite)# incoming access-list 101 

Router(config-rite)# outgoing access-list 101 

Router(config-rite)# mac-address 6666.6666.3333 

Related Commands

Command	Description
interface (RITE)	Specifies the outgoing interface for exporting traffic.
ip traffic-export profile	Creates or edits an IP traffic export profile and enables the profile on an ingress interface.
outgoing	Configures filtering for outgoing export traffic.

block count

To lock out group members for a length of time after a set number of incorrect passwords, use the block count command in local RADIUS server group configuration mode. To remove the user block after invalid login attempts, use the no form of this command.

block count count time {seconds | infinite}

no block count count time {seconds | infinite}

Syntax Description

count	Number of failed passwords that triggers a lockout.
time	Time that the lockout should last.
seconds	Number of seconds that the lockout should last.
infinite	Length of time for the lockout is indefinite until an administrator manually unblocks the locked username.

Defaults

No default behavior or values

Command Modes

Local RADIUS server group configuration

Command History

Release	Modification
12.2(11)JA	This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T	This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Usage Guidelines

If the infinite keyword is entered, an administrator must manually unblock the locked username.

Examples

The following command locks out group members for 120 seconds after three incorrect passwords are entered:

block count 3 time 120

Related Commands

Command	Description
clear radius local-server	Clears the statistics display or unblocks a user.
debug radius local-server	Displays the debug information for the local server.
group	Enters user group configuration mode and configures shared setting for a user group.
nas	Adds an access point or router to the list of devices that use the local authentication server.
radius-server host	Specifies the remote RADIUS server host.
radius-server local	Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time	Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics	Displays statistics for a local network access server.
ssid	Specifies up to 20 SSIDs to be used by a user group.
user	Authorizes a user to authenticate using the local authentication server.
vlan	Specifies a VLAN to be used by members of a user group.

ca trust-point

To identify the trustpoints that will be used to validate a certificate during Internet Key Exchange (IKE) authentication, use the ca trust-point command in ISAKMP profile configuration mode. To remove the trustpoint, use the no form of this command.

ca trust-point trustpoint-name

no ca trust-point trustpoint-name

Syntax Description

trustpoint-name

The trustpoint name as defined in the global configuration.

Defaults

If there is no trustpoint defined in the Internet Security Association and Key Management Protocol (ISAKMP) profile configuration, the default is to validate the certificate using all the trustpoints that are defined in the global configuration.

Command Modes

ISAKMP profile configuration

Command History

Release	Modification
12.2(15)T	This command was introduced.

Usage Guidelines

The ca trust-point command can be used multiple times to define more than one trustpoint.

This command is useful when you want to restrict validation of certificates to a list of trustpoints. For example, the router global configuration has two trustpoints, A and B, which are trusted by VPN1 and VPN2, respectively. Each Virtual Private Network (VPN) wants to restrict validation only to its trustpoint.

Before you can use this command, you must enter the crypto isakmp profile command.

---

Note A router initiating IKE and a router responding to the IKE request should have symmetrical trustpoint configurations. For example, a responding router (in IKE Main Mode) performing RSA signature encryption and authentication might use trustpoints that were defined in the global configuration when sending the CERT-REQ payloads. However, the router might use a restricted list of trustpoints that were defined in the ISAKMP profile for the certificate verification. If the peer (the IKE initiator) is configured to use a certificate whose trustpoint is in the global list of the responding router but not in ISAKMP profile of the responding router, the certificate will be rejected. (However, if the initiating router does not know about the trustpoints in the global configuration of the responding router, the certificate can still be authenticated.)

---

Examples

The following example specifies two trustpoints, A and B. The ISAKMP profile configuration restricts each VPN to one trustpoint.

crypto ca trustpoint A

enrollment url http://kahului:80

crypto ca trustpoint B

enrollment url http://arjun:80

!

crypto isakmp profile vpn1

 trustpoint A

!

crypto isakmp profile vpn2

 ca trust-point B

Related Commands

Command	Description
crypto isakmp profile	Defines an ISAKMP profile.

cache clear age

To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.

cache clear age minutes

no cache clear age

Syntax Description

minutes

Any value from 0 to 4294967295; the default value is 1440 minutes.

Defaults

1440 minutes (1 day)

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.

Examples

The following example shows how to configure the cache entries to expire every 60 minutes:

aaa cache filter

 cache clear age 60

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

cache disable

To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.

cache disable

no cache disable

Syntax Description

This command has no arguments or keywords.

Defaults

Caching is enabled.

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache disable command to disable filter caching. This command can be used to verify that the access control lists (ACLs) are being downloaded.

Examples

The following example shows how to disable filter caching:

aaa cache filter 

 cache disable

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

cache max

To limit the absolute number of entries that a cache can maintain for a particular server, use the cache max command in AAA filter configuration mode. To return to the default value, use the no form of this command.

cache max number

no cache max

Syntax Description

number

Maximum number of entries the cache can maintain. Any value from 0 to 4294967295; the default value is 100 entries.

Defaults

100 entries

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache max command to specify the maximum number of entries the cache can have at any given time. If this command is not specified, the default value (100 entries) will be enabled.

Examples

The following example shows how to configure the cache to maintain a maximum of 150 entries:

aaa cache filter

 password mycisco

 cache max 150

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

cache refresh

To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.

cache refresh

no cache refresh

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

The cache refresh command is used in an attempt to keep cache entries from the filter server, that are being referred to by new sessions, within the cache. This command resets the idle timer for these entries when they are referenced by new calls.

Examples

The following example shows how to disable the cache refresh command:

aaa cache filter

 password mycisco

 no cache refresh

 cache max 100

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

call admission limit

To instruct Internet Key Exchange (IKE) to drop security association (SA) requests (that is, calls for Call Admission Control [CAC]) when a specified percentage of system resources is being consumed, use the call admission limit command in global configuration mode. To disable this feature, use the no form of this command.

call admission limit percent

no call admission limit percent

Syntax Description

percent

Percentage of the system resources that, when used, causes IKE to stop accepting new SA requests. Valid values are 1 to 100.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

It is recommended that initially you specify a value of 90. You will have to alter the value depending on the network topology, the capabilities of the router, and the traffic patterns.

Examples

The following example causes IKE to drop calls when 90 percent of system resources are being used:

Router(config)# call admission limit 90 

Related Commands

Command	Description
show call admission statistics	Monitors the global CAC configuration parameters and the behavior of CAC.

call guard-timer

To set a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request, use the call guard-timer command in controller configuration mode. To remove the call guard-timer command from your configuration file, use the no form of this command.

call guard-timer milliseconds [on-expiry {accept | reject}]

no call guard-timer milliseconds [on-expiry {accept | reject}]

Syntax Description

milliseconds	Specifies the number of milliseconds to wait for a response from the RADIUS server.
on-expiry accept	(Optional) Accepts the call if a response is not received from the RADIUS server within the specified time.
on-expiry reject	(Optional) Rejects the call if a response is not received from the RADIUS server within the specified time.

Defaults

No default behavior or values.

Command Modes

Controller configuration

Command History

Release	Modification
12.1(3)T	This command was introduced.

Examples

The following example shows a guard timer that is set at 20000 milliseconds. A call will be accepted if the RADIUS server has not responded to a preauthentication request when the timer expires.

controller T1 0

 framing esf

 clock source line primary

 linecode b8zs

 ds0-group 0 timeslots 1-24 type e&m-fgb dtmf dnis

 cas-custom 0

  call guard-timer 20000 on-expiry accept

aaa preauth

group radius

  dnis required

Related Commands

Command	Description
aaa preauth	Enters AAA preauthentication configuration mode.

cdp-url

To specify a certificate revocation list (CRL) distribution point (CDP) to be used in certificates that are issued by the certificate server, use the cdp-url command in certificate server configuration mode. To remove a CDP from your configuration, use the no form of this command.

cdp-url url

no cdp-url url

Syntax Description

url	HTTP URL where CRLs are published.

Defaults

When verifying a certificate that does not have a specified CDP, Cisco IOS public key infrastructure (PKI) clients will use Simple Certificate Enrollment Protocol (SCEP) to retrieve the CRL directly from their configured certificate server.

Command Modes

Certificate server configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Usage Guidelines

CRLs are issued once every specified time period via the lifetime crl command. Thereafter, the CRL is written to the specified database location as ca-label.crl (where ca-label is the name of the certificate server). It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified via the cdp-url command. If the cdp-url command is not specified, the CDP certificate extension will not be included in the certificates that are issued by the certificate server. Thus, Cisco IOS public key infrastructure (PKI)l clients will automatically use SCEP to retrieve a CRL from the certificate server, which puts an additional load on the certificate server because it must provide SCEP server support to for each CRL request.

---

Note The CRL will always be available via SCEP, which is enabled by default, if the HTTP server is enabled.

---

---

Note For large PKI deployments, it is recommended that you configure an HTTP-based CDP; for example, cdp-url http://myhttpserver.company.com/mycs.crl.

---

The CDP URL may be changed after the certificate server is running, but existing certificates will not be reissued with the new CDP that is specified via the cdp-url command.

The certificate server supports only one CDP; thus, all certificates that are issued include the same CDP.

Examples

The following example shows how to configure a CDP:

Router(config)# crypto pki server aaa

Router(cs-server)# database level minimum

Router(cs-server)# database url tftp://10.1.1.1/johndoe/

Router(cs-server)# issuer-name CN=aaa

Router(cs-server)# cdp-url http://msca-root.cisco.com/certEnroll/aaa.crl

Verifying a CDP Configuration

The following example is sample output from the show crypto ca certificates command, which allows you to verify the specified CDP. In this example, the CDP is "http://msca-root.cisco.com/certEnroll/aaa.crl."

Router# show crypto ca certificates 

Certificate

  Status: Available

  Certificate Serial Number: 03

  Certificate Usage: General Purpose

  Issuer: 

    CN = aaa

  Subject:

    Name: Router.cisco.com

    OID.1.2.840.113549.1.9.2 = Router.cisco.com

  CRL Distribution Point: 

    http://msca-root.cisco.com/certEnroll/aaa.crl

  Validity Date: 

    start date: 18:44:49 GMT Jun 6 2003

    end   date: 18:44:49 GMT Jun 5 2004

    renew date: 00:00:00 GMT Jan 1 1970

  Associated Trustpoints: bbb 

Related Commands

Command	Description
crypto pki server	Enables a Cisco IOS certificate server and enters certificate server configuration mode.
crypto pki server revoke	Revokes a certificate based on its serial number.
lifetime crl	Defines the lifetime of the CRL that is used by the certificate server.
show crypto ca certificates	Displays information about your certificate, the certification authority certificate, and any registration authority certificates.

certificate

To manually add certificates, use the certificate command in certificate chain configuration mode. To delete your router's certificate or any registration authority certificates stored on your router, use the no form of this command.

certificate certificate-serial-number

no certificate certificate-serial-number

Syntax Description

certificate-serial-number

Serial number of the certificate to add or delete.

Defaults

No default behavior or values.

Command Modes

Certificate chain configuration

Command History

Release	Modification
11.3 T	This command was introduced.

Usage Guidelines

You could use this command to manually specify a certificate. However, this command is rarely used in this manner. Instead, this command is usually used only to add or delete certificates.

Examples

The following example deletes the router's certificate. In this example, the router had a general purpose RSA key pair with one corresponding certificate. The show command is used in this example to determine the serial number of the certificate to be deleted.

myrouter# show crypto ca certificates

Certificate

  Subject Name

    Name: myrouter.example.com

    IP Address: 10.0.0.1

  Status: Available

  Certificate Serial Number: 0123456789ABCDEF0123456789ABCDEF

  Key Usage: General Purpose

CA Certificate

  Status: Available

  Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F

  Key Usage: Not Set

myrouter# configure terminal

myrouter(config)# crypto ca certificate chain myca

myrouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF

% Are you sure you want to remove the certificate [yes/no]? yes

% Be sure to ask the CA administrator to revoke this certificate.

myrouter(config-cert-chain)# exit

Related Commands

Command	Description
crypto ca certificate chain	Enters the certificate chain configuration mode.

clear aaa cache filterserver acl

To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver acl command in EXEC mode.

clear aaa cache filterserver acl [filter-name]

Syntax Description

filter-name

(Optional) Cache status of a specified filter is cleared.

Command Modes

EXEC

Command History

Release	Modification
12.2(13)T	This command was introduced.

Usage Guidelines

After you clear the cache status for a particular filter or all filters, it is recommended that you enable the show aaa cache filterserver command to verify that the cache status.

Examples

The following example shows how to clear the cache for all filters:

clear aaa cache filterserver acl

Related Commands

Command	Description
show aaa cache filterserver	Displays the cache status.

clear aaa local user fail-attempts

To clear the unsuccessful login attempts of a user, use the clear aaa local user fail-attempts command in privileged EXEC mode.

clear aaa local user fail-attempts {username username | all}

Syntax Description

username username	Name of the user.
all	Unsuccessful login attempts are cleared for all users.

Defaults

Unsuccessful login attempts are not cleared.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

This command is available only to users having root privilege.

Examples

The following example shows that the unsuccessful login attempts for all users will be cleared:

Router# clear aaa local user fail-attempts all

Related Commands

Command	Description
aaa local authentication attempts max-fail	Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.
clear aaa local user lockout	Unlocks the locked-out users.
show aaa local user locked	Displays a list of all locked-out users.

clear aaa local user lockout

To unlock the locked-out users, use the clear aaa local user lockout command in privileged EXEC mode.

clear aaa local user lockout {username username | all}

Syntax Description

username username	Name of the user to be unlocked.
all	All users are to be unlocked.

Defaults

Locked-out users remain locked out.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(14)T	This command was introduced.

Usage Guidelines

Only a user having root privilege can use this command.

Examples

The following example shows that all locked-out users will be unlocked:

Router# clear aaa local user lockout all

Related Commands

Command	Description
aaa local authentication attempts max-fail	Specifies the maximum number of unsuccessful authentication attempts before a user is locked out.
clear aaa local user fail-attempts	Clears the unsuccessful login attempts of a user.
show aaa local user loced	Displays a list of all locked-out users.

clear access-template

To manually clear a temporary access list entry from a dynamic access list, use the clear access-template command in EXEC mode.

clear access-template [access-list-number | name] [dynamic-name] [source] [destination]

Syntax Description

access-list-number	(Optional) Number of the dynamic access list from which the entry is to be deleted.
name	(Optional) Name of an IP access list from which the entry is to be deleted. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
dynamic-name	(Optional) Name of the dynamic access list from which the entry is to be deleted.
source	(Optional) Source address in a temporary access list entry to be deleted.
destination	(Optional) Destination address in a temporary access list entry to be deleted.

Command Modes

EXEC

Command History

Release	Modification
11.1	This command was introduced.

Usage Guidelines

This command is related to the lock-and-key access feature. It clears any temporary access list entries that match the parameters you define.

Examples

The following example clears any temporary access list entries with a source of 172.20.1.12 from the dynamic access list named vendor:

clear access-template vendor 172.20.1.12

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
access-template	Places a temporary access list entry on a router to which you are connected manually.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

clear crypto call admission statistics

To clear the counters that track the number of accepted and rejected Internet Key Exchange (IKE) requests, use the call admission limit command in global configuration mode.

clear crypto call admission statistics

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.3(8)T	This command was introduced.

Examples

The following example sets to zero the number of accepted and rejected IKE requests:

Router(config)# clear crypto call admission statistics 

Related Commands

Command	Description
show crypto call admission statistics	Monitors Crypto CAC statistics.

clear crypto engine accelerator counter

To reset the statistical and error counters of the hardware accelerator of the router to zero, use the clear crypto engine accelerator counter command in privileged EXEC mode.

clear crypto engine accelerator counter

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release	Modification
12.1(3)XL	This command was introduced for the Cisco uBR905 cable access router.
12.2(2)XA	Support was added for the Cisco uBR925 cable access router.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T and implemented for the AIM-VPN/EPII and AIM-VPN/HPII on the following platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.
12.2(15)ZJ	This command was implemented for the AIM-VPN/BPII on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.
12.3(4)T	The AIM-VPN/BPII was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM, Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

Examples

The following example shows the statistical and error counters of the router being cleared to zero:

clear crypto engine accelerator counter

Related Commands

Command	Description
crypto ca	Defines the parameters for the certification authority used for a session.
crypto cisco	Defines the encryption algorithms and other parameters for a session.
crypto dynamic-map	Creates a dynamic map crypto configuration for a session.
crypto engine accelerator	Enables the use of the onboard hardware accelerator for IPSec encryption.
crypto ipsec	Defines the IPSec security associations and transformation sets.
crypto isakmp	Enables and defines the IKE protocol and its parameters.
crypto key	Generates and exchanges keys for a cryptographic session.
crypto map	Creates and modifies a crypto map for a session.
debug crypto engine accelerator control	Displays each control command as it is given to the crypto engine.
debug crypto engine accelerator packet	Displays information about each packet sent for encryption and decryption.
show crypto engine accelerator ring	Displays the contents of command and transmits rings for the crypto engine.
show crypto engine accelerator sa-database	Displays the active (in-use) entries in the crypto engine SA database.
show crypto engine accelerator statistic	Displays the current run-time statistics and error counters for the crypto engine.
show crypto engine brief	Displays a summary of the configuration information for the crypto engine.
show crypto engine configuration	Displays the version and configuration information for the crypto engine.
show crypto engine connections	Displays a list of the current connections maintained by the crypto engine.

clear crypto ipsec client ezvpn

To reset the Cisco Easy VPN remote state machine and bring down the Cisco Easy VPN remote connection on all interfaces or on a given interface (tunnel), use the clear crypto ipsec client ezvpn command in privileged EXEC mode. If a tunnel name is specified, only the specified tunnel is cleared.

clear crypto ipsec client ezvpn [name]

Syntax Description

name	(Optional) Identifies the IPSec virtual private network (VPN) tunnel to be disconnected or cleared with a unique, arbitrary name. If no name is specified, all existing tunnels are disconnected or cleared.

Defaults

If no tunnel name is specified, all active tunnels on the machine are cleared.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(4)YA	This command was introduced for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(13)T	This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(8)YJ	This command was enhanced to specify an IPSec VPN tunnel to be cleared or disconnected for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers.
12.2(15)T	This command was integrated into Cisco IOS Release 12.2(15)T.

Usage Guidelines

The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN remote state machine, bringing down the current Cisco Easy VPN remote connection and bringing it back up on the interface. If you specify a tunnel name, only that tunnel is cleared. If no tunnel name is specified, all active tunnels on the machine are cleared.

If the Cisco Easy VPN remote connection for a particular interface is configured for autoconnect, this command also initiates a new Cisco Easy VPN remote connection.

Examples

The following example shows the Cisco Easy VPN remote state machine being reset:

Router# clear crypto ipsec client ezvpn

Related Commands

Command	Description
crypto ipsec client ezvpn (global)	Creates a Cisco Easy VPN remote configuration.
crypto ipsec client ezvpn (interface)	Assigns a Cisco Easy VPN remote configuration to an interface.

clear crypto isakmp

To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in privileged EXEC mode.

clear crypto isakmp [connection-id] [active | standby]

Syntax Description

connection-id	(Optional) ID of the connection that is to be cleared. If this argument is not used, all existing connections will be cleared.
active	(Optional) Clears only IKE security associations (SAs) in the active state. For each active SA that is cleared, the standby router will be notified to clear the corresponding standby SA.
standby	(Optional) Clears only IKE SAs in the standby (secondary) state. Note If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.3 T	This command was introduced.
12.3(11)T	The active and standby keywords were added.

Usage Guidelines

---

Caution If the connection-id argument is not used, all existing IKE connections will be cleared when this command is issued.

---

Examples

The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:

Router# show crypto isakmp sa

    dst           src          state        conn-id   slot

172.21.114.123 172.21.114.67  QM_IDLE           1       0

209.165.201.1  209.165.201.2  QM_IDLE           8       0

Router# clear crypto isakmp 1

Router# show crypto isakmp sa

    dst           src          state        conn-id   slot

209.165.201.1  209.165.201.2  QM_IDLE           8       0

Router#

Related Commands

Command	Description
show crypto isakmp sa	Displays current IKE SAs.

clear crypto sa

To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in privileged EXEC mode.

clear crypto sa [active | standby]

Virtual Routing and Forwarding (VRF) Syntax

clear crypto sa peer [vrf fvrf-name] address

clear crypto sa [vrf ivrf-name]

Crypto Map Syntax

clear crypto sa map map-name

IP Address, Security Protocol Standard, and SPI Syntax

clear crypto sa entry destination-address protocol spi

Traffic Counters Syntax

clear crypto sa counters

Syntax Description

active	(Optional) Clears only IPSec SAs that are in the active state.
standby	(Optional) Clears only IPSec SAs that are in the standby state. Note If the router is in standby mode, the router will immediately resynchronize the standby SAs; thus, it may appear as though the standby SAs were not cleared.
peer [vrf fvrf-name] address	Deletes any IPSec SAs for the specified peer. The fvrf-name argument specifies the front door VRF (FVRF) of the peer address.
vrf ivrf-name	(Optional) Clears all IPSec SAs whose inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.
map	Deletes any IPSec SAs for the named crypto map set.
map-name	Specifies the name of a crypto map set.
entry	Deletes the IPSec SA with the specified address, protocol, and security parameter index (SPI).
destination-address	Specifies the IP address of the remote peer.
protocol	Specifies either the Encapsulation Security Protocol (ESP) or Authentication Header (AH).
spi	Specifies an SPI (found by displaying the SA database).
counters	Clears the traffic counters maintained for each SA; the counters keyword does not clear the SAs themselves.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.3 T	This command was introduced.
12.2(15)T	The vrf keyword and fvrf-name argument for clear crypto sa peer were added. The vrf keyword and ivrf-name argument for clear crypto sa were added.
12.3(11)T	The active and standby keywords were added.

Usage Guidelines

This command clears (deletes) IPSec SAs.

If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)

If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)

---

Note If the peer, map, entry, counters, active, or standby keywords are not used, all IPSec SAs will be deleted.

---

•The peer keyword deletes any IPSec SAs for the specified peer.

•The map keyword deletes any IPSec SAs for the named crypto map set.

•The entry keyword deletes the IPSec SA with the specified address, protocol, and SPI.

•The active and standby keywords delete the IPSec SAs in the active or standby state, respectively.

If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.

The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.

If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.

If the router is processing active IPSec traffic, it is suggested that you clear only the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.

Note that this command clears only IPSec SAs; to clear IKE state, use the clear crypto isakmp command.

Examples

The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:

clear crypto sa

The following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:

clear crypto sa entry 10.0.0.1 AH 256

The following example clears all the SAs for VRF VPN1:

clear crypto sa vrf vpn1

Related Commands

Command	Description
clear crypto isakmp	Clears active IKE connections.

clear crypto session

To delete crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in privileged EXEC mode.

clear crypto session [local ip-address [port local-port]] [remote ip-address [port remote-port]] | [fvrf vrf-name] [ivrf vrf-name]

IPSec and IKE Stateful Failover Syntax

clear crypto session [active | standby]

Syntax Description

local ip-address	(Optional) Clears crypto sessions for a local crypto endpoint. •The ip-address is the IP address of the local crypto endpoint.
port local-port	(Optional) IKE port of the local endpoint. The local-port value can be 1 through 65535. The default value is 500.
remote ip-address	(Optional) Clears crypto sessions for a remote IKE peer. •The ip-address is the IP address of the remote IKE peer.
port remote-port	(Optional) IKE port of the remote endpoint to be deleted. The remote-port value can be from 1 through 65535. The default value is 500.
fvrf vrf-name	(Optional) Specifies the front door virtual routing and forwarding (FVRF) session that is to be cleared.
ivrf vrf-name	(Optional) Specifies the inside VRF (IVRF) session that is to be cleared.
active	(Optional) Clears only IPSec and IKE SAs in the active state.
standby	(Optional) Clears only IPSec and IKE SAs in the standby state. Note If the router is in standby mode, the router will immediately resynchronize the standby SAs with the active router.

Defaults

If the clear crypto session command is entered without any keywords, all existing sessions will be deleted. The IPSec SAs will be deleted first. Then the IKE SAs are deleted. Port default values are 500.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(4)T	This command was introduced.
12.3(11)T	The active and standby keywords were added.

Usage Guidelines

To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, an FVRF name, or an IVRF name.

If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be deleted.

Examples

The following example shows that all crypto sessions will be deleted:

Router# clear crypto session

The following example shows that the crypto session of the FVRF named "blue" will be deleted:

Router# clear crypto session fvrf blue

The following example shows that the crypto sessions of the FVRF "blue" and the IVRF session "green" will be deleted:

Router# clear crypto session fvrf blue ivrf green

The following example shows that the crypto sessions of the local endpoint 10.1.1.1 and remote endpoint 10.2.2.2 will be deleted. The local endpoint port is 5, and the remote endpoint port is 10.

Router# clear crypto session local 10.1.1.1 port 5 remote 10.2.2.2 port 10

Related Commands

Command	Description
description	Adds a description for an IKE peer.
show crypto isakmp peer	Displays peer descriptions.
show crypto session	Displays status information for active crypto sessions in a router.

clear dot1x

To clear 802.1X interface information, use the clear dot1x command in privileged EXEC mode.

clear dot1x {all | interface interface-name}

Syntax Description

all	Clears 802.1X information for all interfaces.
interface interface-name	Clears 802.1X information for the specified interface.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(2)XA	This command was introduced.
12.3(4)T	This command was integrated into Cisco IOS Release 12.3(4)T.

Examples

The following configuration shows that 802.1X information will be cleared for all interfaces:

Router# clear dot1x all

The following configuration shows that 802.1X information will be cleared for the Ethernet 0 interface:

Router# clear dot1x interface ethernet 0

Related Commands

Command	Description
debug dot1x	Displays 802.1X debugging information.
identity profile default	Creates an identity profile and enters dot1x profile configuration mode.
show dot1x	Shows details for an identity profile.

clear eou

To clear all client device entries that are associated with a particular interface or that are on the network access device (NAD), use the clear eou command in privileged EXEC mode.

clear eou {all | authentication {clientless | eap | static} | interface {interface-type} | ip {ip-address} | mac {mac-address} | posturetoken {name}}

Syntax Description

all	Clears all client device entries.
authentication	Authentication type.
clientless	Authentication type is clientless.
eap	Authentication type is Extensible Authentication Procotol (EAP).
static	Authentication type is static.
interface	Provides information about the interface.
interface-type	Type of interface (see Table 14 for a list of interface types).
ip	Specifies an IP address.
ip-address	IP address of the client device.
mac	Specifies a MAC address.
mac-address	The 48-bit address of the client device.
posturetoken	Posture token name.
name	Name of the posture token.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Table 14 lists the interface types that may be used for the interface-type argument.

Table 14 Description of Interface Types 

Interface Type	Description
Async	Asynchronous interface
BVI	Bridge-Group Virtual Interface
CDMA-Ix	Code division multiple access Internet exchange (CDMA Ix) interface
CTunnel	Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface
Dialer	Dialer interface
Ethernet	IEEE 802.3 standard interface
Lex	Lex interface
Loopback	Loopback interface
MFR	Multilink Frame Relay bundle interface
Multilink	Multilink-group interface
Null	Null interface
Serial	Serial interface
Tunnel	Tunnel interface
Vif	Pragmatic General Multicast (PGM) Multicase Host interface
Virtual-PPP	Virtual PPP interface
Virtual-Template	Virtual template interface
Virtual-TokenRing	Virtual TokenRing interface

Examples

The following example shows that all client device entries are to be cleared:

Router# clear eou all

Related Commands

Command	Description
eou	Displays information about EAPoUDP.

clear ip admission cache

To clear IP admission cache entries from the router, use the clear ip admission cache command in privileged EXEC mode.

clear ip admission cache {* | host ip address}

Syntax Description

*	Clears all IP admission cache entries and associated dynamic access lists.
host ip address	Clears all IP admission cache entries and associated dynamic access lists for the specified host.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.3(8)T	This command was introduced.

Usage Guidelines

Use this command to clear entries from the admission control cache before they time out.

Examples

The following example shows that all admission entries are to be deleted:

Router# clear ip admission cache *

The following example shows that the authentication proxy entry for the host with the IP address 192.168.4.5 is to be deleted:

Router# clear ip admission cache 192.168.4.5

Related Commands

Command	Description
show ip admission cache	Displays the admission control entries or the running admission control configuration.

clear ip auth-proxy cache

To clear authentication proxy entries from the router, use the clear ip auth-proxy cache command in EXEC mode.

clear ip auth-proxy cache {* | host-ip-address}

Syntax Description

*	Clears all authentication proxy entries, including user profiles and dynamic access lists.
host-ip-address	Clears the authentication proxy entry, including user profiles and dynamic access lists, for the specified host.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.

Usage Guidelines

Use this command to clear entries from the translation table before they time out.

Examples

The following example deletes all authentication proxy entries:

clear ip auth-proxy cache *

The following example deletes the authentication proxy entry for the host with IP address 192.168.4.5:

clear ip auth-proxy cache 192.168.4.5

Related Commands

Command	Description
show ip auth-proxy	Displays the authentication proxy entries or the running authentication proxy configuration.

clear ip ips configuration

To disable Cisco IOS Firewall Intrusion Prevention System (IPS), remove all intrusion detection configuration entries, and release dynamic resources, use the clear ip ips configuration command in EXEC mode.

clear ip ips configuration

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.
12.3(8)T	The command name was changed from the clear ip audit configuration command to the clear ip ips configuration command.

Examples

The following example clears the existing IPS configuration:

clear ip ips configuration

clear ip ips statistics

To reset statistics on packets analyzed and alarms sent, use the clear ip ips statistics command in EXEC mode.

clear ip ips statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.
12.3(8)T	The command name was changed from the clear ip audit statistics command to the clear ip ips statistics command.

Examples

The following example clears all IPS statistics:

clear ip ips statistics