-
Cisco IOS Security Command Reference, Release 12.3 T
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through clear ip ips statistics
-
Security Commands: clear ip sdee through crypto isakmp nat keepalive
-
Security Commands: crypto key decrypt rsa through ctype
-
Security Commands: D through evaluate
-
Security Commands: fingerprint through ip ips signature disable
-
Security Commands: ip port-map through issuer name
-
Security Commands: keepalive (isakmp profile) through outgoing
-
Security Commands: parameter through quit
-
Security Commands: radius-server attribute 11 direction default through rsa-pubkey
-
Security Commands: save-password through show crypto ipsec transform-set
-
Security Commands: show crypto isakmp key through subject-name
-
Security Commands: tacacs-server administration through xauth userid mode
-
Table Of Contents
crypto map client authentication list
crypto map client configuration address
crypto map isakmp authorization list
crypto map redundancy replay-interval
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto pki certificate query (ca-trustpoint)
crypto pki server info requests
crypto pki server password generate
crypto pki server request pkcs10
crypto provisioning petitioner
crypto key decrypt rsa
To delete the encrypted RSA key and leave only the unencrypted key on the running router, use the crypto key decrypt rsa command in global configuration mode.
crypto key decrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
The private key running on the router is encrypted.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto key decrypt rsa command to store the decrypted private key in NvRAM the next time NvRAM is written (which is immediately if the write keyword is issed).
Examples
The following example shows how to decrypt the RSA key "pki1-72a.cisco.com":
Router(config)# crypto key decrypt write rsa name pki1-72a.cisco.com passphrase cisco1234Related Commands
crypto key encrypt rsa
Encrypts the RSA private key.
show crypto key mypubkey rsa
Displays the RSA public keys of your router.
crypto key encrypt rsa
To encrypt the RSA private key, use the crypto key encrypt rsa command in global configuration mode.
crypto key encrypt [write] rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
RSA keys are not encrypted.
Command Modes
Global configuration
Command History
Usage Guidelines
The private key is encrypted (protected) via the specified passphrase. After the key is protected, it may continue to be used by the router; that is Internet Key Exchange (IKE) tunnels and encrypted key export attempts should continue to work because the key remains "unlocked."
To lock the key, which can be used to disable the router, issue the crypto key lock rsa privileged EXEC command. (When you lock the encrypted key, all functions which use the locked key are disabled.)
Examples
The following example shows how to encrypt the RSA key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the RSA key is encrypted and unlocked.
Router(config)# crypto key encrypt rsa name pki1-72a.cisco.com passphrase cisco1234Router(config)# exitRouter# show crypto key mypubkey rsa% Key pair was generated at:00:15:32 GMT Jun 25 2003
Key name:pki1-72a.cisco.com
Usage:General Purpose Key
*** The key is protected and UNLOCKED. ***
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00E0CC9A 1D23B52C
CD00910C ABD392AE BA6D0E3F FC47A0EF 8AFEE340 0EC1E62B D40E7DCC
23C4D09E
03018B98 E0C07B42 3CFD1A32 2A3A13C0 1FF919C5 8DE9565F 1F020301 0001
% Key pair was generated at:00:15:33 GMT Jun 25 2003
Key name:pki1-72a.cisco.com.server
Usage:Encryption Key
Key is exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D3491E 2A21D383
854D7DA8 58AFBDAC 4E11A7DD E6C40AC6 66473A9F 0C845120 7C0C6EC8 1FFF5757
3A41CE04 FDCB40A4 B9C68B4F BC7D624B 470339A3 DE739D3E F7DDB549 91CD4DA4
DF190D26 7033958C 8A61787B D40D28B8 29BCD0ED 4E6275C0 6D020301 0001
Router#Related Commands
crypto key export pem
To export Rivest, Shamir, and Adelman (RSA) keys in privacy-enhanced mail (PEM)-formatted files, use the crypto key export pem command in global configuration mode.
crypto key export rsa key-label pem {terminal | url url} {3des | des} passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto key export pem command allows you to export RSA key pairs in PEM-formatted files. The PEM files can then be imported back into a Cisco IOS router or other public key infrastructure (PKI) applications.
Note
Before you can export a RSA key pair in a PEM file, ensure that the RSA key pair is exportable. To generate an exportable RSA key pair, issue the crypto key generate rsa command and specify the exportable keyword.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
! Generate the key pair!Router(config)# crypto key generate rsa general-purpose label mycs exportableThe name for the keys will be: mycsChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus [512]: 1024% Generating 1024 bit RSA keys ...[OK]!! Archive the key pair to a remote location, and use a good password.!Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD% Key name: mycsUsage: General Purpose KeyExporting public key...Destination filename [mycs.pub]?Writing file to nvram:mycs.pubExporting private key...Destination filename [mycs.prv]?Writing file to nvram:mycs.prv!! Import the key as a different name.!Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD% Importing public key or certificate PEM file...Source filename [mycs.pub]?Reading file from nvram:mycs.pub% Importing private key PEM file...Source filename [mycs.prv]?Reading file from nvram:mycs.prv% Key pair import succeeded.!! After the key has been imported, it is no longer exportable.!! Verify the status of the key.!Router# show crypto key mypubkey rsa% Key pair was generated at: 18:04:56 GMT Jun 6 2003Key name: mycsUsage: General Purpose KeyKey is exportable.Key Data:30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E652539C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CBA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001% Key pair was generated at: 18:17:25 GMT Jun 6 2003Key name: mycs2Usage: General Purpose KeyKey is not exportable.Key Data:30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E652539C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CBA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001Related Commands
crypto key generate rsa
Generates RSA key pairs.
crypto key import pem
Imports RSA keys in PEM-formatted files.
crypto key generate rsa
To generate Rivest, Shamir, and Adelman (RSA) key pairs, use the crypto key generate rsa command in global configuration mode.
crypto key generate rsa [general-keys | usage-keys | signature | encryption] [label key-label] [exportable] [modulus modulus-size] [storage devicename:] [on devicename:]
Syntax Description
Command Default
RSA key pairs do not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to generate RSA key pairs for your Cisco device (such as a router).
RSA keys are generated in pairs—one public RSA key and one private RSA key.
If your router already has RSA keys when you issue this command, you will be warned and prompted to replace the existing keys with new keys.
Note
Note
This command is not saved in the router configuration; however, the RSA keys generated by this command are saved in the private configuration in NVRAM (which is never displayed to the user or backed up to another device) the next time the configuration is written to NVRAM.
Note
There are two mutually exclusive types of RSA key pairs: special-usage keys and general-purpose keys. When you generate RSA key pairs, you will be prompted to select either special-usage keys or general-purpose keys.
Special-Usage Keys
If you generate special-usage keys, two pairs of RSA keys will be generated. One pair will be used with any Internet Key Exchange (IKE) policy that specifies RSA signatures as the authentication method, and the other pair will be used with any IKE policy that specifies RSA encrypted keys as the authentication method.
A certification authority (CA) is used only with IKE policies specifying RSA signatures, not with IKE policies specifying RSA-encrypted nonces. (However, you could specify more than one IKE policy and have RSA signatures specified in one policy and RSA-encrypted nonces in another policy.)
If you plan to have both types of RSA authentication methods in your IKE policies, you may prefer to generate special-usage keys. With special-usage keys, each key is not unnecessarily exposed. (Without special-usage keys, one key is used for both authentication methods, increasing the exposure of that key.)
General-Purpose Keys
If you generate general-purpose keys, only one pair of RSA keys will be generated. This pair will be used with IKE policies specifying either RSA signatures or RSA encrypted keys. Therefore, a general-purpose key pair might get used more frequently than a special-usage key pair.
Named Key Pairs
If you generate a named key pair using the key-pair-label argument, you must also specify the usage-keys keyword or the general-keys keyword. Named key pairs allow you to have multiple RSA key pairs, enabling the Cisco IOS software to maintain a different key pair for each identity certificate.
Modulus Length
When you generate RSA keys, you will be prompted to enter a modulus length. The longer the modulus, the stronger the security. However a longer modules takes longer to generate (see Table 18 for sample times) and takes longer to use.
Cisco IOS software does not support a modulus greater than 4096 bits. A length of less than 512 bits is normally not recommended. In certain situations, the shorter modulus may not function properly with IKE, so we recommend using a minimum modulus of 1024 bits.
Note
The largest private RSA key modulus is 2048 bits. Therefore, the largest RSA private key a router may generate or import is 2048 bits.
The recommended modulus for a CA is 2048 bits; the recommended modulus for a client is 1024 bits.
Specifying a Storage Location for RSA Keys
When you issue the crypto key generate rsa command with the storage devicename: keyword and argument, the RSA keys will be stored on the specified device. This location will supersede any crypto key storage command settings.
Specifying a Device for RSA Key Generation
As of Cisco IOS Release 12.4(11)T and later releases, you may specify the device where RSA keys are generated. Devices supported include NVRAM, local disks, and USB tokens. If your router has a USB token configured and available, the USB token can be used as cryptographic device in addition to a storage device. Using a USB token as a cryptographic device allows RSA operations such as key generation, signing, and authentication of credentials to be performed on the token. The private key never leaves the USB token and is not exportable. The public key is exportable.
RSA keys may be generated on a configured and available USB token, by the use of the on devicename: keyword and argument. Keys that reside on a USB token are saved to persistent token storage when they are generated. The number of keys that can be generated on a USB token is limited by the space available. If you attempt to generate keys on a USB token and it is full you will receive the following message:
% Error in generating keys:no available resourcesKey deletion will remove the keys stored on the token from persistent storage immediately. (Keys that do not reside on a token are saved to or deleted from non-token storage locations when the write memory or similar command is issued.)
For information on configuring a USB token, see "Storing PKI Credentials" chapter in the Cisco IOS Security Configuration Guide, Release 12.4T. For information on using on-token RSA credentials, see "Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment chapter in the Cisco IOS Security Configuration Guide, Release 12.4T.
Examples
The following example generates a general usage 1024-bit RSA key pair on a USB token with the label "ms2" with crypto engine debugging messages shown:
Router(config)# crypto key generate rsa on usbtoken0 label ms2 modulus 1024The name for the keys will be: ms2% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be on-token, non-exportable...Jan 7 02:41:40.895: crypto_engine: Generate public/private keypair [OK]Jan 7 02:44:09.623: crypto_engine: Create signatureJan 7 02:44:10.467: crypto_engine: Verify signatureJan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_CREATE_PUBKEY(hw)(ipsec)Jan 7 02:44:10.467: CryptoEngine0: CRYPTO_ISA_RSA_PUB_DECRYPT(hw)(ipsec)Now, the on-token keys labeled "ms2" may be used for enrollment.
The following example generates special-usage RSA keys:
Router(config)# crypto key generate rsa usage-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates general-purpose RSA keys:
Note
Router(config)# crypto key generate rsa general-keysThe name for the keys will be: myrouter.example.comChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus[512]? <return>Generating RSA keys.... [OK].The following example generates the general purpose RSA key pair "exampleCAkeys":
crypto key generate rsa general-keys exampleCAkeyscrypto ca trustpoint exampleCAkeysenroll url http://exampleCAkeys/certsrv/mscep/mscep.dllrsakeypair exampleCAkeys 1024 1024The following example specifies the RSA key storage location of "usbtoken0:" for "tokenkey1":
crypto key generate rsa general-keys label tokenkey1 storage usbtoken0:
Related Commands
crypto key import pem
To import Rivest, Shamir, and Adelman (RSA) keys in privacy-enhanced mail (PEM)-formatted files, use the crypto key import pem command in global configuration mode.
crypto key import rsa key-label pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto key import pem command allows you to import RSA key pairs in PEM-formatted files. The files can be previously exported from another Cisco IOS router or generated by other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate, export, bring the key back (import), and verify the status of the RSA key pair "mycs":
! Generate the key pair!Router(config)# crypto key generate rsa general-purpose label mycs exportableThe name for the keys will be: mycsChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.How many bits in the modulus [512]: 1024% Generating 1024 bit RSA keys ...[OK]!! Archive the key pair to a remote location, and use a good password.!Router(config)# crypto key export rsa mycs pem url nvram: 3des PASSWORD% Key name: mycsUsage: General Purpose KeyExporting public key...Destination filename [mycs.pub]?Writing file to nvram:mycs.pubExporting private key...Destination filename [mycs.prv]?Writing file to nvram:mycs.prv!! Import the key as a different name.!Router(config)# crypto key import rsa mycs2 pem url nvram:mycs PASSWORD% Importing public key or certificate PEM file...Source filename [mycs.pub]?Reading file from nvram:mycs.pub% Importing private key PEM file...Source filename [mycs.prv]?Reading file from nvram:mycs.prv% Key pair import succeeded.!! After the key has been imported, it is no longer exportable.!! Verify the status of the key.!Router# show crypto key mypubkey rsa% Key pair was generated at: 18:04:56 GMT Jun 6 2003Key name: mycsUsage: General Purpose KeyKey is exportable.Key Data:30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E652539C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CBA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001% Key pair was generated at: 18:17:25 GMT Jun 6 2003Key name: mycs2Usage: General Purpose KeyKey is not exportable.Key Data:30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E652539C30C12E 295AB73F B1DF9FAD 86F88192 7D4FA4D2 8BA7FB49 9045BAB9 373A31CBA6B1B8F4 329F2E7E 8A50997E AADBCFAA 23C29E19 C45F4F05 DBB2FA51 4B7E9F79A1095115 759D6BC3 5DFB5D7F BCF655BF 6317DB12 A8287795 7D8DC6A3 D31B2486C9C96D2C 2F70B50D 3B4CDDAE F661041A 445AE11D 002EEF08 F2A627A0 5B020301 0001Related Commands
crypto key export pem
Exports RSA keys in PEM-formatted files.
crypto key generate rsa
Generates RSA key pairs.
crypto key lock rsa
To lock the RSA private key in a router, use the crypto key lock rsa command in privileged EXEC mode.
crypto key lock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
RSA keys are encrypted, but not locked.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When the crypto key lock rsa command is issued, the unencrypted copy of the key is deleted. Because the private key is not available, all RSA operations will fail.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to lock the key "pki1-72a.cisco.com." Thereafter, the show crypto key mypubkey rsa command is issued to verify that the key is protected (encrypted) and locked.
Router# crypto key lock rsa name pki1-72a.cisco.com passphrase cisco1234!Router# show crypto key mypubkey rsa% Key pair was generated at:20:29:41 GMT Jun 20 2003Key name:pki1-72a.cisco.comUsage:General Purpose Key*** The key is protected and LOCKED. ***Key is exportable.Key Data:305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D7808D C5FF14AC0D2B55AC 5D199F2F 7CB4B355 C555E07B 6D0DECBE 4519B1F0 75B12D6F 902D6E9FB6FDAD8D 654EF851 5701D5D7 EDA047ED 9A2A619D 5639DF18 EB020301 0001Related Commands
crypto key pubkey-chain rsa
To enter public key configuration mode (so you can manually specify other devices' RSA public keys), use the crypto key pubkey-chain rsa command in global configuration mode.
crypto key pubkey-chain rsa
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enter public key chain configuration mode. Use this command when you need to manually specify other IPSec peers' RSA public keys. You need to specify other peers' keys when you configure RSA encrypted nonces as the authentication method in an Internet Key Exchange policy at your peer router.
Examples
The following example specifies the RSA public keys of two other IPSec peers. The remote peers use their IP address as their identity.
Router(config)# crypto key pubkey-chain rsaRouter(config-pubkey-chain)# addressed-key 10.5.5.1Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DBRouter(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045BRouter(config-pubkey)# 90288A26 DBC64468 7789F76E EE21Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# addressed-key 10.1.1.2Router(config-pubkey-key)# key-stringRouter(config-pubkey)# 0738BC7A 2BC3E9F0 679B00FE 53987BCCRouter(config-pubkey)# 01030201 42DD06AF E228D24C 458AD228Router(config-pubkey)# 58BB5DDD F4836401 2A2D7163 219F882ERouter(config-pubkey)# 64CE69D4 B583748A 241BED0F 6E7F2F16Router(config-pubkey)# 0DE0986E DF02031F 4B0B0912 F68200C4Router(config-pubkey)# C625C389 0BFF3321 A2598935 C1B1Router(config-pubkey)# quitRouter(config-pubkey-key)# exitRouter(config-pubkey-chain)# exitRouter(config)#Related Commands
crypto key unlock rsa
To unlock the RSA private key in a router, use the crypto key unlock rsa command in privileged EXEC mode.
crypto key unlock rsa [name key-name] passphrase passphrase
Syntax Description
Defaults
The encrypted private key is locked.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When a router with an encrypted RSA key (via the crypto key encrypt rsa command) initially boots up, the key does not exist in plain text and is therefore considered to be locked. Because the private key is not available, all RSA operations will fail. After you unlock the private key, RSA operations will function again.
This command affects only the "run-time" access to the key; that is, it does not affect the key that is stored in NVRAM.
Examples
The following example shows how to unlock the key "pki1-72a.cisco.com":
Router# crypto key unlock rsa name pki1-72a.cisco.com passphrase cisco1234Related Commands
crypto key zeroize rsa
To delete all RSA keys from your router, use the crypto key zeroize rsa command in global configuration mode.
crypto key zeroize rsa [key-pair-label]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
This command was introduced.
12.2(8)T
The key-pair-label argument was added.
Usage Guidelines
This command deletes all Rivest, Shamir, and Adelman (RSA) keys that were previously generated by your router unless you include the key-pair-label argument, which will delete only the specified RSA key pair. If you issue this command, you must also perform two additional tasks for each trustpoint that is associated with the key pair that was deleted:
•
•
Note
This command is not saved to the configuration.
Examples
The following example deletes the general-purpose RSA key pair that was previously generated for the router. After deleting the RSA key pair, the administrator contacts the CA administrator and requests that the certificate of the router be revoked. The administrator then deletes the certificate of the router from the configuration.
crypto key zeroize rsacrypto ca certificate chainno certificateRelated Commands
crypto keyring
To define a crypto keyring to be used during Internet Key Exchange (IKE) authentication, use the crypto keyring command in global configuration mode. To remove the keyring, use the no form of this command.
crypto keyring keyring-name [vrf fvrf-name]
no crypto keyring keyring-name [vrf fvrf-name]
Syntax Description
Defaults
All the Internet Security Association and Key Management Protocol (ISAKMP) keys that were defined in the global configuration are part of the default global keyring.
Command Modes
Global configuration
Command History
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the isakmp profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeyspre-shared-key address 10.72.23.11 key vpnsecretcrypto isakmp profile vpnprofilekeyring vpnkeyscrypto map (global IPSec)
To enter crypto map configuration mode and create or modify a crypto map entry, to create a crypto profile that provides a template for configuration of dynamically created crypto maps, or to configure a client accounting list, use the crypto map command in global configuration mode. To delete a crypto map entry, profile, or set, use the no form of this command.
crypto map map-name seq-num [ipsec-manual]
crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
crypto map map-name [client-accounting-list aaalist]
no crypto map map-name seq-num
Note
Syntax Description
Defaults
No crypto maps exist.
Peer discovery is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create a new crypto map entry, to create a crypto map profile, or to modify an existing crypto map entry or profile.
After a crypto map entry has been created, you cannot change the parameters specified at the global configuration level because these parameters determine which of the configuration commands are valid at the crypto map level. For example, after a map entry has been created using the ipsec-isakmp keyword, you cannot change it to the option specified by the ipsec-manual keyword; you must delete and reenter the map entry.
After you define crypto map entries, you can assign the crypto map set to interfaces using the crypto map (interface IPSec) command.
Crypto Map Functions
Crypto maps provide two functions: filtering and classifying traffic to be protected and defining the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic.
IPSec crypto maps define the following:
•
•
•
•
Multiple Crypto Map Entries with the Same Map Name Form a Crypto Map Set
A crypto map set is a collection of crypto map entries, each with a different seq-num argument but the same map-name argument. Therefore, for a given interface, you could have certain traffic forwarded to one IPSec peer with specified security applied to that traffic and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish differential forwarding you would create two crypto maps, each with the same map-name argument, but each with a different seq-num argument. Crypto profiles must have unique names within a crypto map set.
Sequence Numbers
The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.
For example, consider a crypto map set that contains three crypto map entries: mymap 10, mymap 20, and mymap 30. The crypto map set named "mymap" is applied to serial interface 0. When traffic passes through serial interface 0, the traffic is evaluated first for mymap 10. If the traffic matches any access list permit statement entry in the extended access list in mymap 10, the traffic will be processed according to the information defined in mymap 10 (including establishing IPSec SAs when necessary). If the traffic does not match the mymap 10 access list, the traffic will be evaluated for mymap 20, and then mymap 30, until the traffic matches a permit entry in a map entry. (If the traffic does not match a permit entry in any crypto map entry, it will be forwarded without any IPSec security.)
Dynamic Crypto Maps
Refer to the "Usage Guidelines" section of the crypto dynamic-map command for a discussion on dynamic crypto maps.
Crypto map entries that reference dynamic map sets should be the lowest priority map entries, allowing inbound SA negotiation requests to try to match the static maps first. Only after the request does not match any of the static maps, do you want it to be evaluated against the dynamic map set.
To make a crypto map entry referencing a dynamic crypto map set the lowest priority map entry, give the map entry the highest seq-num of all the map entries in a crypto map set.
Create dynamic crypto map entries using the crypto dynamic-map command. After you create a dynamic crypto map set, add the dynamic crypto map set to a static crypto map set with the crypto map (global IPSec) command using the dynamic keyword.
TED
TED is an enhancement to the IPSec feature. Defining a dynamic crypto map allows you to dynamically determine an IPSec peer; however, only the receiving router has this ability. With TED, the initiating router can dynamically determine an IPSec peer for secure IPSec communications.
Dynamic TED helps to simplify IPSec configuration on the individual routers within a large network. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms that are required.
Note
Crypto Map Profiles
Crypto map profiles are created using the profile profile-name keyword and argument combination. Crypto map profiles are used as configuration templates for dynamically creating crypto maps on demand for use with the Layer 2 Transport Protocol (L2TP) Security feature. The relevant SAs the crypto map profile will be cloned and used to protect IP traffic on the L2TP tunnel.
Note
Examples
The following example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1The following example shows the minimum required crypto map configuration when the SAs are manually established:
crypto transform-set someset ah-md5-hmac esp-descrypto map mymap 10 ipsec-manualmatch address 102set transform-set somesetset peer 10.0.0.5set session-key inbound ah 256 98765432109876549876543210987654set session-key outbound ah 256 fedcbafedcbafedcfedcbafedcbafedcset session-key inbound esp 256 cipher 0123456789012345set session-key outbound esp 256 cipher abcdefabcdefabcdThe following example configures an IPSec crypto map set that includes a reference to a dynamic crypto map set.
Crypto map "mymap 10" allows SAs to be established between the router and either (or both) of two remote IPSec peers for traffic matching access list 101. Crypto map "mymap 20" allows either of two transform sets to be negotiated with the remote peer for traffic matching access list 102.
Crypto map entry "mymap 30" references the dynamic crypto map set "mydynamicmap," which can be used to process inbound SA negotiation requests that do not match "mymap" entries 10 or 20. In this case, if the peer specifies a transform set that matches one of the transform sets specified in "mydynamicmap," for a flow permitted by the access list 103, IPSec will accept the request and set up SAs with the remote peer without previously knowing about the remote peer. If the request is accepted, the resulting SAs (and temporary crypto map entry) are established according to the settings specified by the remote peer.
The access list associated with "mydynamicmap 10" is also used as a filter. Inbound packets that match any access list permit statement in this list are dropped for not being IPSec protected. (The same is true for access lists associated with static crypto maps entries.) Outbound packets that match a permit statement without an existing corresponding IPSec SA are also dropped.
crypto map mymap 10 ipsec-isakmpmatch address 101set transform-set my_t_set1set peer 10.0.0.1set peer 10.0.0.2crypto map mymap 20 ipsec-isakmpmatch address 102set transform-set my_t_set1 my_t_set2set peer 10.0.0.3crypto map mymap 30 ipsec-isakmp dynamic mydynamicmap!crypto dynamic-map mydynamicmap 10match address 103set transform-set my_t_set1 my_t_set2 my_t_set3The following example configures TED on a Cisco router:
crypto map testtag 10 ipsec-isakmp dynamic dmap discoverThe following example configures a crypto profile to be used as a template for dynamically created crypto maps when IPSec is used to protect an L2TP tunnel:
crypto map l2tpsec 10 ipsec-isakmp profile l2tpRelated Commands
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-group-name[stateful]]
no crypto map [map-name] [redundancy standby-group-name [stateful]]
Syntax Description
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
Note
The standby name must be configured on all devices in the standby group, and the standby address must be configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Note
The stateful keyword enables stateful failover of IKE and IPSec sessions. Stateful Switchover (SSO) must also be configured for IPSec stateful failover to operate correctly.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that stateless HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideinterface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out statefulRelated Commands
crypto map client authentication list
To configure Internet Key Exchange extended authentication (Xauth) on your router, use the crypto map client authentication list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name client authentication list list-name
no crypto map map-name client authentication list list-name
Syntax Description
Defaults
Xauth is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Before configuring Xauth, you should complete the following tasks:
•
•
•
•
After enabling Xauth, you should apply the crypto map on which Xauth is configured to the router interface.
Examples
The following example configures user authentication (a list of authentication methods called xauthlist) on an existing static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistThe following example configures user authentication (a list of authentication methods called xauthlist) on a dynamic crypto map called xauthdynamic that has been applied to a static crypto map called xauthmap:
crypto map xauthmap client authentication list xauthlistcrypto map xauthmap 10 ipsec-isakmp dynamic xauthdynamicRelated Commands
crypto map client configuration address
To configure IKE Mode Configuration on your router, use the crypto map client configuration address command in global configuration mode. To disable IKE Mode Configuration, use the no form of this command.
crypto map tag client configuration address [initiate | respond]
no crypto map tag client configuration address
Syntax Description
Defaults
IKE Mode Configuration is not enabled.
Command Modes
Global configuration
Command History
12.0(4)XE
This command was introduced.
12.0(7)T
This command was implemented in Cisco IOS release 12.0(7)T.
Usage Guidelines
At the time of this publication, this feature is an IETF draft with limited support. Therefore this feature was not designed to enable the configuration mode for every IKE connection by default.
Examples
The following examples configure IKE Mode Configuration on your router:
crypto map dyn client configuration address initiatecrypto map dyn client configuration address respondRelated Commands
crypto map (global)
Creates or modifies a crypto map entry and enters the crypto map configuration mode
crypto map isakmp authorization list
To enable Internet Key Exchange (IKE) querying of authentication, authorization, and accounting (AAA) for tunnel attributes in aggressive mode, use the crypto map isakmp authorization list command in global configuration mode. To restore the default value, use the no form of this command.
crypto map map-name isakmp authorization list list-name
no crypto map map-name isakmp authorization list list-name
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto map client authorization list command to enable key lookup from a AAA server.
Preshared keys deployed in a large-scale Virtual Private Network (VPN) without a certification authority, with dynamic IP addresses, are accessed during aggression mode of IKE negotiation through a AAA server. Thus, users have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing database, in addition to allowing every user to have their own unique, more secure pre-shared key.
Before configuring the crypto map client authorization list command, you should perform the following tasks:
•
•
•
•
After enabling the crypto map client authorization list command, you should apply the previously defined crypto map to the interface.
Examples
The following example shows how to configure the crypto map client authorization list command:
crypto map ikessaaamap isakmp authorization list ikessaaalistcrypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadynRelated Commands
crypto map isakmp-profile
To configure an Internet Security Association and Key Management Protocol (ISAKMP) profile on a crypto map, use the crypto map isakmp-profile command in global configuration mode. To restore the default values on the crypto map, use the no form of this command.
crypto map map-name isakmp-profile isakmp-profile-name
no crypto map map-name isakmp-profile isakmp-profile-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command describes the ISAKMP profile to use to start the IKE exchange. Before configuring this command, you must set up the ISAKMP profile.
Examples
The following example shows that an ISAKMP profile is configured on a crypto map:
crypto map vpnmap isakmp-profile vpnprofileRelated Commands
crypto ipsec transform-set
Defines a transform set—an acceptable combination of security protocols and algorithms.
crypto map (global)
Creates or modifies a crypto map entry.
crypto map local-address
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
If you apply the same crypto map to two interfaces and do not use this command, two separate security associations (with different local IP addresses) could be established to the same peer for similar traffic. If you are using the second interface as redundant to the first interface, it could be preferable to have a single security association (with a single local IP address) created for traffic sharing the two interfaces. Having a single security association decreases overhead and makes administration simpler.
This command allows a peer to establish a single security association (and use a single local IP address) that is shared by the two redundant interfaces.
If applying the same crypto map set to more than one interface, the default behavior is as follows:
•
•
However, if you use a local-address for that crypto map set, it has multiple effects:
•
•
One suggestion is to use a loopback interface as the referenced local address interface, because the loopback interface never goes down.
Examples
The following example assigns crypto map set "mymap" to the S0 interface and to the S1 interface. When traffic passes through either S0 or S1, the traffic will be evaluated against the all the crypto maps in the "mymap" set. When traffic through either interface matches an access list in one of the "mymap" crypto maps, a security association will be established. This same security association will then apply to both S0 and S1 traffic that matches the originally matched IPSec access list. The local address that IPSec will use on both interfaces will be the IP address of interface loopback0.
interface S0crypto map mymapinterface S1crypto map mymapcrypto map mymap local-address loopback0Related Commands
crypto map (interface IPSec)
Applies a previously defined crypto map set to an interface.
crypto map redundancy replay-interval
To modify the interval at which inbound and outbound replay updates are passed from an active device to a standby device, use the crypto map redundancy replay-interval command in global configuration mode. To return to the default functionality, use the no form of this command.
crypto map map-name redundancy replay-interval inbound in-value outbound out-value
no crypto map map-name redundancy replay-interval inbound in-value outbound out-value
Syntax Description
Defaults
inbound in-value: one update every 1,000 packets
outbound out-value: one update every 100,000 packets
Command Modes
Global configuration
Command History
Usage Guidelines
Note
Stateful failover enables a router to continue processing and forwarding packets after a planned or unplanned outage occurs; that is, a backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason.
The crypto map redundancy replay-interval command allows you to modify the interval in which an IP redundancy-enabled crypto map sends anti-replay updates from the active router to the standby router.
Examples
The following example shows how to enable replay checking for the crypto map "to-peer-outside" and enable IPSec stateful failover:
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out stateful
crypto mib ipsec flowmib history failure size
To change the size of the IP Security (IPSec) MIB failure history table, use the crypto mib ipsec flowmib history failure size command in global configuration mode.
crypto mib ipsec flowmib history failure size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history failure size command to change the size of a failure history table. If you do not configure the size of a failure history table, the default of 200 will be implemented.
A failure history table stores the reason for tunnel failure and the time failure occurred. A failure history table can be used as a simple method to distinguish between a normal and an abnormal tunnel termination. That is, if a tunnel entry in the tunnel history table has no associated failure record, the tunnel must have terminated normally. However, every failure does not correspond to a tunnel. Supported setup failures are recorded in the failure table, but a history table is not associated because a tunnel was never set up.
Examples
In the following example, the size of a failure history table is configured to be 140:
Router(config)# crypto mib ipsec flowmib history failure size 140Related Commands
crypto mib ipsec flowmib history tunnel size
To change the size of the IP Security (IPSec) tunnel history table, use the crypto mib ipsec flowmib history tunnel size command in global configuration mode.
crypto mib ipsec flowmib history tunnel size number
Syntax Description
Defaults
The default table size is 200.
Command Modes
Global configuration
Command History
12.1(4)E
This command was introduced.
12.2(4)T
This command was integrated into Cisco IOS Release 12.2 T.
Usage Guidelines
Use the crypto mib ipsec flowmib history tunnel size command to change the size of a tunnel history table. If you do not configure the size of a tunnel history table, the default of 200 will be implemented.
A tunnel history table stores the attribute and statistics records, which contain the attributes and the last snapshot of the traffic statistics of a given tunnel. A tunnel history table accompanies a failure table, so you can display the complete history of a given tunnel. However, a tunnel history table does not accompany every failure table because every failure does not correspond to a tunnel. Thus, supported setup failures are recorded in the failure table, but an associated history table is not recorded because a tunnel was never set up.
As an optimization, a tunnel endpoint table can be combined with a tunnel history table. However, if a tunnel endpoint table is combined, all three tables (the failure history table, tunnel history table, and the endpoint table) must remain the same size even though the MIB allows each table to be distinct.
Examples
In the following example, the size of the tunnel history table changed to 130:
Router(config)# crypto mib ipsec flowmib history tunnel size 130crypto pki authenticate
To authenticate the certification authority (by getting the certificate of the CA), use the crypto pki authenticate command in global configuration mode.
crypto pki authenticate name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
The crypto ca authenticate command was introduced.
12.3(7)T
This command replaced the crypto ca authenticate command.
Usage Guidelines
This command is required when you initially configure CA support at your router.
This command authenticates the CA to your router by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you perform this command.
If you are using RA mode (using the enrollment mode ra command) when you issue the crypto pki authenticate command, then registration authority signing and encryption certificates will be returned from the CA as well as the CA certificate.
This command is not saved to the router configuration. However. the public keys embedded in the received CA (and RA) certificates are saved to the configuration as part of the RSA public key record (called the "RSA public key chain").
Note
error retrieving certificate :incomplete chain
If you receive an error message similar to this one, check the expiration date of your CA certificate. If the expiration date of your CA certificate is set after the year 2049, you must reduce the expiration date by a year or more.Examples
In the following example, the router requests the certificate of the CA. The CA sends its certificate and the router prompts the administrator to verify the certificate of the CA by checking the CA certificate's fingerprint. The CA administrator can also view the CA certificate's fingerprint, so you should compare what the CA administrator sees to what the router displays on the screen. If the fingerprint on the router's screen matches the fingerprint viewed by the CA administrator, you should accept the certificate as valid.
Router(config)# crypto pki authenticate mycaCertificate has the following attributes:Fingerprint: 0123 4567 89AB CDEF 0123Do you accept this certificate? [yes/no] y#Related Commands
crypto pki cert validate
To determine if a trustpoint has been successfully authenticated, a certificate has been requested and granted, and if the certificate is currently valid, use the crypto pki cert validate command in global configuration mode.
crypto pki cert validate trustpoint
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
12.3(8)T
This command was introduced. Also, effective with Cisco IOS Release 12.3(8)T, this command replaced the crypto ca cert validate command.
Usage Guidelines
The crypto pki cert validate command validates the router's own certificate for a given trustpoint. Use this command as a sanity check after enrollment to verify that the trustpoint is properly authenticated, a certificate has been requested and granted for the trustpoint, and that the certificate is currently valid. A certificate is valid if it is signed by the trustpoint certification authority (CA), not expired, and so on.
Examples
The following examples show the possible output from the crypto pki cert validate command:
Router(config)# crypto pki cert validate kaValidation Failed: trustpoint not found for kaRouter(config)# crypto pki cert validate kaValidation Failed: can't get local certificate chainRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Certificate chain for ka is validRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Validation Error: no certs on chainRouter(config)# crypto pki cert validate kaCertificate chain has 2 certificates.Validation Error: unspecified errorRelated Commands
crypto pki trustpoint
Declares the certification authority that the router should use.
show crypto pki trustpoints
Displays the trustpoints that are configured in the router.
crypto pki certificate chain
To enter the certificate chain configuration mode, use the crypto pki certificate chain command in global configuration mode. (You need to be in certificate chain configuration mode to delete certificates.)
crypto pki certificate chain name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
The crypto ca certificate chain command was introduced.
12.3(7)T
This command replaced the crypto ca certificate chain command.
Usage Guidelines
This command puts you into certificate chain configuration mode. When you are in certificate chain configuration mode, you can delete certificates using the certificate command.
Examples
The following example deletes the router's certificate. In this example, the router had a general-purpose RSA key pair with one corresponding certificate. The show command is used to determine the serial number of the certificate to be deleted.
Router# show crypto pki certificatesCertificateSubject NameName: myrouter.example.comIP Address: 10.0.0.1Status: AvailableCertificate Serial Number: 0123456789ABCDEF0123456789ABCDEFKey Usage: General PurposeCA CertificateStatus: AvailableCertificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5FKey Usage: Not SetRouter# configure terminalRrouter(config)# crypto pki certificate chain mycaRouter(config-cert-chain)# no certificate 0123456789ABCDEF0123456789ABCDEF% Are you sure you want to remove the certificate [yes/no]? yes% Be sure to ask the CA administrator to revoke this certificate.Router(config-cert-chain)# exitRelated Commands
crypto pki certificate map
To define certificate-based access control lists (ACLs), use the crypto pki certificate map command in ca-certificate-map configuration mode. To remove the certificate-based ACLs, use the no form of this command.
crypto pki certificate map label sequence-number
no crypto pki certificate map label sequence-number
Syntax Description
Defaults
No default behavior or value.
Command Modes
Ca-certificate-map configuration
Command History
12.2(15)T
The crypto ca certificate map command was introduced.
12.3(7)T
This command replaced the crypto ca certificate map command.
Usage Guidelines
Issuing this command places the router in CA certificate map configuration mode where you can specify several certificate fields together with their matching criteria. The general form of these fields is as follows:
field-name match-criteria match-value
The field-name in the above example is one of the certificate fields. Field names are similar to the names used in the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) X.509 standard. The name field is a special field that matches any subject name or related name field in the certificate, such as the alt-subject-name, subject-name, and unstructured-subject-name fields.
•
•
•
•
•
•
•
Note
The match-criteria in the example is one of the following logical operators:
•
•
•
•
•
•
The match-value is a case-insensitive string or a date.
Examples
The following example shows how to configure a certificate-based ACL that will allow any certificate issued by Cisco Systems to an entity within the cisco.com domain. The label is Cisco, and the sequence is 10.
crypto pki certificate map Cisco 10issuer-name co Cisco Systemsunstructured-subject-name co cisco.comThe following example accepts any certificate issued by Cisco Systems for an entity with DIAL or organizationUnit component ou=WAN. This certificate-based ACL consists of two separate ACLs tied together with the common label Group. Because the check for DIAL has a lower sequence number, it is performed first. Note that the string "DIAL" can occur anywhere in the subjectName field of the certificate, but the string WAN must be in the organizationUnit component.
crypto pki certificate map Group 10issuer-name co Cisco Systemssubject-name co DIALcrypto pki certificate map Group 20issuer-name co Cisco Systemssubject-name co ou=WANCase is ignored in string comparisons; therefore, DIAL in the previous example will match dial, DIAL, Dial, and so on. Also note that the component identifiers (o=, ou=, cn=, and so on) are not required unless it is desirable that the string to be matched occurs in a specific component of the name. (Refer to the ITU-T security standards for more information about certificate fields and components such as ou=.)
If a component identifier is specified in the match string, the exact string, including the component identifier, must appear in the certificate. This requirement can present a problem if more than one component identifier is included in the match string. For example, "ou=WAN,o=Cisco Systems" will not match a certificate with the string "ou=WAN,ou=Engineering,o=Cisco Systems" because the "ou=Engineering" string separates the two desired component identifiers.
To match both "ou=WAN" and "o=Cisco Systems" in a certificate while ignoring other component identifiers, you could use this certificate map:
crypto pki certificate map Group 10subject-name co ou=WANsubject-name co o=CiscoAny space character proceeding or following the equal sign (=) character in component identifiers is ignored. Therefore "o=Cisco" in the proceeding example will match "o = Cisco," "o= Cisco," "o =Cisco," and so on.
Related Commands
crypto pki certificate query (ca-trustpoint)
To specify that certificates should not be stored locally but retrieved from a certification authority (CA) trustpoint, use the crypto pki certificate query command in ca-trustpoint configuration mode. To cause certificates to be stored locally per trustpoint, use the no form of this command.
crypto pki certificate query
no crypto pki certificate query
Syntax Description
This command has no arguments or keywords.
Defaults
CA trustpoints are stored locally in the router's NVRAM.
Command Modes
Ca-trustpoint configuration
Command History
12.2(8)T
The crypto ca certificate query (ca-trustpoint) command was introduced.
12.3(7)T
This command replaced the crypto ca certificate query (ca-trustpoint) command.
Usage Guidelines
Normally, certain certificates are stored locally in the router's NVRAM, and each certificate uses a moderate amount of memory. To save NVRAM space, you can use this command to put the router into query mode, preventing certificates from being stored locally; instead, they are retrieved from a specified CA trustpoint when needed. This will save NVRAM space but could result in a slight performance impact.
The crypto pki certificate query command is a subcommand for each trustpoint; thus, this command can be disabled on a per-trustpoint basis.
Before you can configure this command, you must enable the crypto pki trustpoint command, which puts you in ca-trustpoint configuration mode.
Note
Examples
The following example shows how to prevent certificates and certificate revocation lists (CRLs) from being stored locally on the router; instead, they are retrieved from the "ka" trustpoint when needed.
crypto pki trustpoint ka...crypto pki certificate queryRelated Commands
crypto pki crl request
To request that a new certificate revocation list (CRL) be obtained immediately from the certification authority, use the crypto pki crl request command in global configuration mode.
crypto pki crl request name
Syntax Description
name
Specifies the name of the CA. This is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
Normally, the router requests a new CRL when it is verifying a certificate and there is no CRL cached.
Command Modes
Global configuration
Command History
11.3 T
The crypto ca crl request command was introduced.
12.3(7)T
This command replaced the crypto ca crl request command.
Usage Guidelines
A CRL lists all the certificates of the network device that have been revoked. Revoked certificates will not be honored by your router; therefore, any IPSec device with a revoked certificate cannot exchange IP Security traffic with your router.
The first time your router receives a certificate from a peer, it will download a CRL from the CA. Your router then checks the CRL to make sure the certificate of the peer has not been revoked. (If the certificate appears on the CRL, it will not accept the certificate and will not authenticate the peer.)
A CRL can be reused with subsequent certificates until the CRL expires. If your router receives the certificate of a peer after the applicable CRL has expired, it will download the new CRL.
If your router has a CRL which has not yet expired, but you suspect that the contents of the CRL are out of date, use the crypto pki crl request command to request that the latest CRL be immediately downloaded to replace the old CRL.
This command is not saved to the configuration.
Note
Examples
The following example immediately downloads the latest CRL to your router:
crypto pki crl requestcrypto pki enroll
To obtain the certificate(s) of your router from the certification authority, use the crypto pki enroll command in global configuration mode. To delete a current enrollment request, use the no form of this command.
crypto pki enroll name
no crypto pki enroll name
Syntax Description
name
Specifies the name of the CA. Use the same name as when you declared the CA using the crypto pki trustpoint command.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.3 T
The crypto ca enroll command was introduced.
12.3(7)T
This command replaced the crypto ca enroll command.
Usage Guidelines
This command requests certificates from the CA for all of your router's RSA key pairs. This task is also known as enrolling with the CA. (Technically, enrolling and obtaining certificates are two separate events, but they both occur when this command is issued.)
Your router needs a signed certificate from the CA for each RSA key pairs of your router; if you previously generated general purpose keys, this command will obtain the one certificate corresponding to the one general purpose RSA key pair. If you previously generated special usage keys, this command will obtain two certificates corresponding to each of the special usage RSA key pairs.
If you already have a certificate for your keys you will be unable to complete this command; instead, you will be prompted to remove the existing certificate first. (You can remove existing certificates with the no certificate command.)
The crypto pki enroll command is not saved in the router configuration.
Note
Responding to Prompts
When you issue the crypto pki enroll command, you are prompted a number of times.
First, you are prompted to create a challenge password. This password can be up to 80 characters in length. This password is necessary in the event that you ever need to revoke your router's certificate(s). When you ask the CA administrator to revoke your certificate, you must supply this challenge password as a protection against fraudulent or mistaken revocation requests.
Note
If you lose the password, the CA administrator may still be able to revoke the router's certificate but will require further manual authentication of the router administrator identity.
You are also prompted to indicate whether or not your router's serial number should be included in the obtained certificate. The serial number is not used by IP Security or Internet Key Exchange but may be used by the CA to either authenticate certificates or to later associate a certificate with a particular router. (Note that the serial number stored is the serial number of the internal board, not the one on the enclosure.) Ask your CA administrator if serial numbers should be included. If you are in doubt, include the serial number.
Normally, you would not include the IP address because the IP address binds the certificate more tightly to a specific entity. Also, if the router is moved, you would need to issue a new certificate. Finally, a router has multiple IP addresses, any of which might be used with IPSec.
If you indicate that the IP address should be included, you will then be prompted to specify the interface of the IP address. This interface should correspond to the interface that you apply your crypto map set to. If you apply crypto map sets to more than one interface, specify the interface that you name in the crypto map local-address command.
Examples
In the following example, a router with a general-purpose RSA key pair requests a certificate from the CA. When the router displays the certificate fingerprint, the administrator verifies this number by calling the CA administrator, who checks the number. The fingerprint is correct, so the router administrator accepts the certificate.
There can be a delay between when the router administrator sends the request and when the certificate is actually received by the router. The amount of delay depends on the CA method of operation.
Router(config)# crypto pki enroll myca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password: <mypassword>Re-enter password: <mypassword>% The subject name in the certificate will be: myrouter.example.com% Include the router serial number in the subject name? [yes/no]: yes% The serial number in the certificate will be: 03433678% Include an IP address in the subject name [yes/no]? yesInterface: ethernet0/0Request certificate from CA [yes/no]? yes% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto pki certificates' command will also show the fingerprint.Some time later, the router receives the certificate from the CA and displays the following confirmation message:
Router(config)# Fingerprint: 01234567 89ABCDEF FEDCBA98 75543210%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRouter(config)#If necessary, the router administrator can verify the displayed Fingerprint with the CA administrator.
If there is a problem with the certificate request and the certificate is not granted, the following message is displayed on the console instead:
%CRYPTO-6-CERTREJ: Certificate enrollment request was rejected by Certificate AuthorityThe subject name in the certificate is automatically assigned to be the same as the RSA key pair's name. In the above example, the RSA key pair was named "myrouter.example.com." (The router assigned this name.)
Requesting certificates for a router with special usage keys would be the same as the previous example, except that two certificates would have been returned by the CA. When the router received the two certificates, the router would have displayed the same confirmation message:
%CRYPTO-6-CERTRET: Certificate received from Certificate AuthorityRelated Commands
crypto pki export pem
To export certificates and Rivest, Shamir, and Adelman (RSA) keys that are associated with a trustpoint in a privacy-enhanced mail (PEM)-formatted file, use the crypto pki export pem command in global configuration mode.
crypto pki export trustpoint pem {terminal | url url} {3des | des} passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.3(4)T
The crypto ca export pem command was introduced.
12.3(7)T
This command replaced the crypto ca export pem command.
Usage Guidelines
The crypto pki export pem command allows you to export certificate and RSA key pairs in PEM-formatted files. The PEM files can then be imported back into the Cisco IOS router (via the crypto pki import pem command) or other public key infrastructure (PKI) applications.
Examples
The following example shows how to generate and export the RSA key pair "aaa" and certificates of the router in PEM files that are associated with the trustpoint "mycs":
Router(config)# crypto key generate rsa general-keys label aaa exportableThe name for the keys will be:aaaChoose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.!How many bits in the modulus [512]:% Generating 512 bit RSA keys ...[OK]!Router(config)# crypto pki trustpoint mycsRouter(ca-trustpoint)# enrollment url http://mycsRouter(ca-trustpoint)# rsakeypair aaaRouter(ca-trustpoint)# exitRouter(config)# crypto pki authenticate mycsCertificate has the following attributes:Fingerprint:C21514AC 12815946 09F635ED FBB6CF31% Do you accept this certificate? [yes/no]:yTrustpoint CA certificate accepted.!Router(config)# crypto pki enroll mycs%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The fully-qualified domain name in the certificate will be:Router% The subject name in the certificate will be:bizarro.cisco.com% Include the router serial number in the subject name? [yes/no]:n% Include an IP address in the subject name? [no]:nRequest certificate from CA? [yes/no]:y% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Router(config)# Fingerprint: 8DA777BC 08477073 A5BE2403 812DD15700:29:11:%CRYPTO-6-CERTRET:Certificate received from Certificate AuthorityRouter(config)# crypto pki export aaa pem terminal 3des cisco123% CA certificate:-----BEGIN CERTIFICATE-----MIICAzCCAa2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJVUzES<snip>waDeNOSI3WlDa0AWq5DkVBkxwgn0TqIJXJOCttjHnWHK1LMcMVGn-----END CERTIFICATE-----% Key name:aaaUsage:General Purpose Key-----BEGIN RSA PRIVATE KEY-----Proc-Type:4,ENCRYPTEDDEK-Info:DES-EDE3-CBC,ED6B210B626BC81AUrguv0jnjwOgowWVUQ2XR5nbzzYHI2vGLunpH/IxIsJuNjRVjbAAUpGk7VnPCT87<snip>kLCOtxzEv7JHc72gMku9uUlrLSnFH5slzAtoC0czfU4=-----END RSA PRIVATE KEY-----% Certificate:-----BEGIN CERTIFICATE-----MIICTjCCAfigAwIBAgICIQUwDQYJKoZIhvcNAQEFBQAwTjELMAkGA1UEBhMCVVMx<snip>6xlBaIsuMxnHmr89KkKkYlU6-----END CERTIFICATE-----Related Commands
crypto pki export pkcs12
To export Rivest, Shamir, and Adelman (RSA) keys within a PKCS12 file at a specified location, use the crypto pki export pkcs12 command in global configuration mode.
crypto pki export trustpointname pkcs12 destination url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.2(15)T
The crypto ca export pkcs12 command was introduced.
12.3(7)T
This command replaced the crypto ca export pkcs12 command.
Usage Guidelines
The crypto pki export pkcs12 command creates a PKCS 12 file that contains an RSA key pair. The PKCS12 file, along with a certificate authority (CA), is exported to the location that you specify with the destination URL. If you decide not to import the file to another router, you must delete the file.
Security Measures
Keep the PKCS12 file stored in a secure place with restricted access.
An RSA keypair is more secure than a passphrase because the private key in the key pair is not known by multiple parties. When you export an RSA key pair to a PKCS#12 file, the RSA key pair now is only as secure as the passphrase.
To create a good passphrase, be sure to include numbers, as well as both lowercase and uppercase letters. Avoid publicizing the passphrase by mentioning it in e-mail or cell phone communications because the information could be accessed by an unauthorized user.
Examples
The following example exports an RSA key pair with a trustpoint name "mytp" to a Flash file:
Router(config)# crypto pki export mytp pkcs12 flash:myexport mycompanyRelated Commands
crypto pki import
To import a certificate manually via TFTP or as a cut-and-paste at the terminal, use the crypto pki import command in global configuration mode.
crypto pki import name certificate
Syntax Description
name certificate
Name of the certification authority (CA). This name is the same name used when the CA was declared with the crypto pki trustpoint command.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.2(13)T
The crypto ca import command was introduced.
12.3(7)T
This command replaced the crypto ca import command.
Usage Guidelines
You must enter the crypto pki import command twice if usage keys (signature and encryption keys) are used. The first time the command is entered, one of the certificates is pasted into the router; the second time the command is entered, the other certificate is pasted into the router. (It does not matter which certificate is pasted first.)
Examples
The following example shows how to import a certificate via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto pki trustpoint MSenroll terminalcrypto pki authenticate MS!crypto pki enroll MScrypto pki import MS certificateRelated Commands
crypto pki import pem
To import certificates and Rivest, Shamir, and Adelman (RSA) keys to a trustpoint from privacy-enhanced mail (PEM)-formatted files, use the crypto pki import pem command in global configuration mode.
crypto pki import trustpoint pem [usage-keys] {terminal | url url} [exportable] passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.3(4)T
The crypto ca import pem command was introduced.
12.3(7)T
This command replaced the crypto ca import pem command.
Usage Guidelines
The crypto pki import pem command allows you import certificates and RSA key pairs in PEM-formatted files. The files can be previously exported from another router or generated from other public key infrastructure (PKI) applications.
Examples
The following example shows how to import PEM files to trustpoint "ggg" via TFTP:
Router(config)# crypto pki import ggg pem url tftp://10.1.1.2/johndoe/msca cisco1234% Importing CA certificate...Address or name of remote host [10.1.1.2]?Destination filename [johndoe/msca.ca]?Reading file from tftp://10.1.1.2/johndoe/msca.caLoading johndoe/msca.ca from 10.1.1.2 (via Ethernet0):![OK - 1082 bytes]% Importing private key PEM file...Address or name of remote host [10.1.1.2]?Destination filename [johndoe/msca.prv]?Reading file from tftp://10.1.1.2/johndoe/msca.prvLoading johndoe/msca.prv from 10.1.1.2 (via Ethernet0):![OK - 573 bytes]% Importing certificate PEM file...Address or name of remote host [10.1.1.2]?Destination filename [johndoe/msca.crt]?Reading file from tftp://10.1.1.2/johndoe/msca.crtLoading johndoe/msca.crt from 10.1.1.2 (via Ethernet0):![OK - 1289 bytes]% PEM files import succeeded.Router(config)#Related Commands
crypto pki import pkcs12
To import Rivest, Shamir, and Adelman (RSA) keys, use the crypto pki import pkcs12 command in global configuration mode.
crypto pki import trustpointname pkcs12 source url passphrase
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.2(15)T
The crypto ca import pkcs12 command was introduced.
12.3(7)T
This command replaced the crypto ca import pkcs12 command.
Usage Guidelines
When you enter the crypto pki import pkcs12 command, a ke pair and a trustpoint are generated. If you then decide you want to remove the key pair and trustpoint that were generated, enter the crypto key zeroize rsa command to zeroize the key pair and enter the no crypto pki trustpoint command to remove the trustpoint.
Note
Examples
In the following example, an RSA key pair that has been associated with the trustpoint "forward" is to be imported:
Router(config)# crypto pki import forward pkcs12 flash:myexport mycompanyRelated Commands
crypto pki export pkcs12
Exports RSA keys.
crypto pki trustpoint
Declares the CA that your router should use.
crypto key zeroize rsa
Deletes all RSA keys from your router.
crypto pki profile enrollment
To define an enrollment profile, use the crypto pki profile enrollment command in global configuration mode. To delete all information associated with this enrollment profile, use the no form of this command.
crypto pki profile enrollment label
no crypto pki profile enrollment label
Syntax Description
label
Name for the enrollment profile; the enrollment profile name must match the name specified in the enrollment profile command.
Defaults
An enrollment profile does not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
Before entering this command, you must specify a named enrollment profile using the enrollment profile in ca-trustpoint configuration mode.
After entering the crypto pki profile enrollment command, you can use any of the following commands to define the profile parameters:
•
•
•
•
•
•
•
Note
Examples
The following example shows how to define the enrollment profile named "E" and associated profile parameters:
crypto pki trustpoint Entrustenrollment profile Eserialcrypto pki profile enrollment Eauthentication url http://entrust:81authentication command GET /certs/cacert.derenrollment url http://entrust:81/cda-cgi/clientcgi.exeenrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQparameter 1 value aaaa-bbbb-ccccparameter 2 value 5001Related Commands
crypto pki server
To enable a Cisco IOS certificate server and enter certificate server configuration mode, use the crypto pki server command in global configuration mode. To disable a certificate server (which is the default functionality), use the no form of this command.
crypto pki server cs-label
no crypto pki server cs-label
Syntax Description
cs-label
Name of the certificate server.
Note
Defaults
A certificate server is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
A certificate server allows you to more easily deploy public key infrastructure (PKI) by defining default behavior, which limits user interface complexity. To define the functionality of the certificate server, you can use any of the following certificate server configuration mode commands:
•
•
•
•
Note
•
•
•
•
Note
Examples
The following example shows how to enable the certificate server "mycertserver":
Router(config)# ip http serverRouter(config)# crypto pki server mycertserverRouter(cs-server)# database url tftp://mytftp/johndoe/mycertserverThe following example shows how to disable the certificate server "mycertserver":
Router(config)# no crypto pki server mycertserver% This will stop the Certificate Server process and delete the serverconfigurationAre you sure you want to do this? [yes/no]: yes% Do you also want to remove the associated trustpoint andsigning certificate and key? [yes/no]: no% Certificate Server Process stoppedRelated Commands
crypto pki server info requests
Displays all outstanding certificate enrollment requests.
ip http server
Enables an HTTP server on your network.
crypto pki server grant
To grant all or certain simple certificate enrollment protocol (SCEP) requests, use the crypto pki server grant command in privileged EXEC mode.
crypto pki server cs-label grant {all | req-id}
Syntax Description
Defaults
If this command is not issued, the certificate server keeps the requests in a pending state.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
After you enable the crypto pki server grant command, your certificate server will immediately grant all specified certificate requests. Certificate requests that are not granted will expire after the time that was specified using the lifetime enrollment-request command.
Examples
The following example shows to grant all manual enrollment requests for the certificate server "mycs":
Router# crypto pki server mycs grant allRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
crypto pki server reject
Rejects all or certain SCEP requests.
crypto pki server info crl
To display information regarding the status of the current certificate revocation list (CRL), use the crypto pki server info crl command in privileged EXEC mode.
crypto pki server cs-label info crl
Syntax Description
cs-label
Name of the certificate server. The name must match the name specified via the crypto pki server command.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
CRLs are issued once every specified time period via the lifetime crl command. It is the responsibility of the network administrator to ensure that the CRL is available from the location that is specified via the cdp-url command. To access information, such as the lifetime and location of the CRL, use the crypto pki server info crl command.
Examples
The following example shows how to access CRL information for the certificate server "mycs":
Router# crypto pki server mycs info crlRelated Commands
crypto pki server info requests
To display all outstanding certificate enrollment requests, use the crypto pki server info requests command in privileged EXEC mode.
crypto pki server cs-label info requests
Syntax Description
cs-label
Name of the certificate server. The name must match the name specified via the crypto pki server command.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
A certificate enrollment request functions as follows:
•
–
–
•
–
–
If the connection of the client has closed, the certificate server will wait for client user to request another certificate.
All enrollment requests transitions through the certificate enrollment states that are defined in Table 19.
Examples
The following example shows output for the certificate server "certsrv1," which has a pending certificate enrollment request:
Router# crypto pki server certsrv1 info requestsEnrollment Request Database:ReqID State Fingerprint SubjectName--------------------------------------------------------------1 pending 0A71820219260E526D250ECC59857C2D serialNumber=2326115A+hostname=831.Related Commands
crypto pki server
Enables a Cisco IOS certificate server and enters PKI configuration mode.
crypto pki server password generate
To generate a password for simple certificate enrollment protocol (SCEP) requests that can be used only one time, use the crypto pki server password generate command in privileged EXEC mode.
crypto pki server cs-label password generate [minutes]
Syntax Description
Defaults
If this command is not enabled, no password is created.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms—manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests; enrollment using preshared keys allows the administrator to preauthorize enrollment requests by generating a one-time password.
Note
Examples
The following example shows how to generate a one-time password that is valid for 75 minutes for the certificate server "mycs":
Router# crypto pki server mycs password generate 75Related Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
crypto pki server reject
To reject all or certain Simple Certificate Enrollment Protocol (SCEP) requests, use the crypto pki server reject command in privileged EXEC mode.
crypto pki server cs-label reject {all | req-id}
Syntax Description
Defaults
If this command is not issued, the certificate server keeps the requests in a pending state.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
After you enable the crypto pki server reject command, your certificate server will immediately reject all certificate requests.
SCEP, which is the only supported enrollment protocol, supports two client authentication mechanisms—manual and preshared key. Manual enrollment requires the administrator at the certification authority (CA) server to specifically authorize the enrollment requests. The administrator can become overloaded if there are numerous enrollment requests. Thus, the crypto pki server reject command can be reduce user interaction by automatically rejecting all or specific enrollment requests.
Examples
The following example shows how reject all manual enrollment requests for the certificate server "mycs":
Router# crypto pki server mycs reject allRelated Commands
crypto pki server remove
To remove enrollment requests that are in the certificate server Enrollment Request Database, use the crypto pki server remove command in privileged EXEC mode . This command does not have a no form.
crypto pki server cs-label remove {all | req-id}
Syntax Description
cs-label
Name of the certificate server.
all
Removes all enrollment requests.
req-id
Removes the specified enrollment request.
Defaults
Enrollment requests will remain in the certificate server database.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
After the certificate server receives an enrollment request, it can leave the request in pending, reject it, or grant it. Before this command was added, the request would be left in the Enrollment Request Database for 1 hour until the client polled the certficiate server for the result of the request. This command allows you to remove individual or all requests from the database, especially useful if the client leaves and never polls the certificate server.
In addition, the use of this command also allows the server to be returned to a clean slate with respect to the keys and transaction IDs. Thus, it is a useful command to use during troubleshooting with a Simple Certificate Enrollment Protocol (SCEP) client that may be behaving badly.
Examples
The following example shows that all enrollment requests are to be removed from the certificate server:
Router# enableRouter# crypto pki server server1 remove allRelated Commands
crypto pki server request pkcs10
To manually add a certificate request to the request database, use the crypto pki server request pkcs10 command in privileged EXEC mode.
crypto pki server cs-label request pkcs10 {url | terminal} [pem]
Syntax Description
cs-label
Name of the certificate server. The name must match the name specified via the crypto pki server command.
url
URL of the file systems from which the certificate server should retrieve the PKCS10 enrollment request and to which it should post the granted certificate. For a list of available options, see Table 20.
Note
terminal
Certificate requests will be manually pasted from the console terminal, and the granted certificate will be displayed on the console.
pem
(Optional) Privacy-enhanced mail (PEM) headers are automatically added to the certificate after the certificate is granted.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the crypto pki server request pkcs10 command to manually add either a base64-encoded or PEM-formatted PKCS10 certificate enrollment request. This command is especially useful when the client does not have a network connection with the certificate server so that it can do Simple Certificate Enrollment Protocol (SCEP) enrollment. After the certificate is granted, the certificate will be displayed on the console terminal using base64 encoding if the terminal keyword is specified, or it will be sent to the file system that is specified using the url argument. If the pem keyword is specified, PEM headers are also added to the certificate.
The url argument allows you to specify or change the location in which the certificate server retrieves the new certificate request and posts the granted certificate. Table 20 lists available file system options.
Examples
The following example shows how to manually add a base64-encoded certificate request with PEM boundaries to the request database:
Router# crypto pki server mycs request pkcs10 terminal pem% Enter Base64 encoded or PEM formatted PKCS10 enrollment request.% End with a blank line or "quit" on a line by itself.-----BEGIN CERTIFICATE REQUEST-----MIIBdTCB3wIBADA2MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNQ2lzY28gU3lzdGVtczEPMA0GA1UEAxMGdGVzdCAxMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFEFukc2lCFSHtDJn6HFR2n8rpdhlAYwcs0m68N3iRYHonv847h0/H6utTHVd2qEEorNw97jMRZk6BLhVDc05TKGHvUlBlHQWwc/BqpVI8WiHzZdskUH/DUM8kd67Vkjlbe+FF7WrWT4FIO4vR4rF1V2p3FZ+A29UNc9Pi1s98nQIDAQABoAAwDQYJKoZIhvcNAQEEBQADgYEAUQCGNzzNJwBOCwmEmG8XEGFSZWDmFlctm8VWvaZYMPOt+vl6iwFkRmtD1Kg91Vw/qT5FJN8LmGUopOWIrwH4rUWON+TqtRmv2dgsdL5T4dx0sgG5E0s4T302paxEHiHVRJpe8OD7FJgOvdsKRziCpyD4/Jfb1WnSVQZmvIYAxVQ=-----END CERTIFICATE REQUEST-----% Enrollment request pending, reqId=2Router# crypto pki server mycs grant 2% Granted certificate:-----BEGIN CERTIFICATE-----MIIB/TCCAWagAwIBAgIBAzANBgkqhkiG9w0BAQQFADAPMQ0wCwYDVQQDEwRteWNzMB4XDTA0MDgyODAxMTcyOVoXDTA1MDgyODAxMTcyOVowNjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUNpc2NvIFN5c3RlbXMxDzANBgNVBAMTBnRlc3QgMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxRBbpHNpQhUh7QyZ+hxUdp/K6XYZQGMHLNJuvDd4kWB6J7/OO4dPx+rrUx1XdqhBKKzcPe4zEWZOgS4VQ3NOUyhh71JQZR0FsHPwaqVSPFoh82XbJFB/w1DPJHeu1ZI5W3vhRe1q1k+BSDuL0eKxdVdqdxWfgNvVDXPT4tbPfJ0CAwEAAaNCMEAwHwYDVR0jBBgwFoAUggWpVwokbUtGIwGZGavh6C8Bq6UwHQYDVR0OBBYEFFD3jZ/d960qzCGKwKNtFvq85Xt6MA0GCSqGSIb3DQEBBAUAA4GBAAE4MqerwbM/nO8BCyZAiDzTqwLGnNvzS4H+u3JCsm0LaxY+E3d8NbSY+HruXWaR7QyjprDGFd9bftRoqGYuiQkupU13sIHEyf3C2KnXJB6imySvAiuaQrGdSuUSIhBOXfh/xdWo3XL1e3vtWiYUa4X6jPUMpn74HoNfB4/gHO7g-----END CERTIFICATE-----The following example shows how to retrieve a certificate request and add it to the request database (using the url argument).
Note
Router# crypto pki server mycs request pkcs10 tftp://172.69.1.129/router5% Retrieving Base64 encoded or PEM formatted PKCS10 enrollment request...Reading file from tftp://172.69.1.129/router5.reqLoading router5.req from 172.69.1.129 (via Ethernet0): ![OK - 582 bytes]% Enrollment request pending, reqId=1Router# crypto pki server mycs grant 1% Writing out the granted certificate...!Writing file to tftp://172.69.1.129/router5.crt!Related Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
crypto pki server grant
Grants all or certain SCEP requests.
crypto pki server revoke
To revoke a certificate on the basis of its serial number, use the crypto pki server revoke command in privileged EXEC mode.
crypto pki server cs-label revoke certificate-serial-number
Syntax Description
Defaults
Certificates are revoked on the basis of their name.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When a new certificate revocation list (CRL) is issued, the certificate server obtains the previous CRL, makes the appropriate changes, and resigns the new CRL. A new CRL is issued after a certificate is revoked from the CLI. If this process negatively affects router performance, the crypto pki server revoke command can be used to revoke a list or range of certificates.
Note
Examples
The following examples show how to revoke a certificate with the serial number 76 (for example, 0x4c in hexidecimal) from the certificate server "mycs":
Router# crypto pki server mycs revoke 76Router# crypto pki server mycs revoke 0x4cRelated Commands
crypto pki trustpoint
To declare the trustpoint that your router should use, use the crypto pki trustpoint command in global configuration mode. To delete all identity information and certificates associated with the trustpoint, use the no form of this command.
crypto pki trustpoint name
no crypto pki trustpoint name
Syntax Description
name
Creates a name for the trustpoint. (If you previously declared the trustpoint and just want to update its characteristics, specify the name you previously created.)
Defaults
Your router does not recognize any trustpoints until you declare a trustpoint using this command.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the crypto pki trustpoint command to declare a trustpoint, which can be a self-signed root CA or a subordinate CA. Issuing the crypto pki trustpoint command puts you in ca-trustpoint configuration mode.
You can specify characteristics for the trustpoint using the following subcommands:
•
•
•
•
•
•
•
The following example shows how to declare the CA named "ka" and specify enrollment and CRL parameters:
crypto pki trustpoint kaenrollment url http://kahului:80The following example shows a certificate-based access control list (ACL) with the label "Group" defined in a crypto pki certificate map command and included in the match certificate subcommand of the crypto pki trustpoint command:
crypto pki certificate map Group 10subject-name co ou=WANsubject-name co o=Cisco!crypto pki trustpoint pki1match certificate GroupRelated Commands
crypto provisioning petitioner
To configure a device to become an easy secure device provisioning (SDP) petitioner and enter tti-petitioner configuration mode, use the crypto provisioning petitioner command in global configuration mode. To disable petitioner support, use the no form of this command.
crypto provisioning petitioner
no crypto provisioning petitioner
Syntax Description
This command has no arguments or keywords.
Defaults
A device (with a crypto image) is configured to be an SDP petitioner.
Command Modes
Global configuration
Command History
12.3(8)T
The crypto wui tti petitioner command was introduced.
12.3(14)T
This command replaced the crypto wui tti petitioner command.
Usage Guidelines
SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
•
•
•
Note
Examples
After the SDP exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration at the petitioner.
Note
crypto pki trustpoint tti! Enrollment url contains the registrar CS detailsenrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
crypto provisioning registrar
To configure a device to become an easy secure device provisioning (SDP) registrar and enter tti-registrar configuration mode, use the crypto provisioning registrar command in global configuration mode. To disable registrar support, use the no form of this command.
crypto provisioning registrar
no crypto provisioning registrar
Syntax Description
This command has no arguments or keywords.
Defaults
The registrar is not enabled.
Command Modes
Global configuration
Command History
12.3(8)T
The crypto wui tti registrar command was introduced.
12.3(14)T
This command replaced the crypto wui tti registrar command.
Usage Guidelines
SDP uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
•
•
•
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following sample output from the show running-config command verifies that the certificate server "cs1" was configured and associated with the TTI exchange between the registrar and petitioner:
crypto pki server cs1issuer-name CN = ioscs,L = Santa Cruz,C =USlifetime crl 336lifetime certificate 730!crypto pki trustpoint pki-36aenrollment url http://pki-36a:80ip-address FastEthernet0/0revocation-check none!crypto pki trustpoint cs1revocation-check crlrsakeypair cs1!!crypto pki certificate chain pki-36acertificate 03308201D0 30820139 A0030201 02020103 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333334 345A170D 30363031 33303039 33333434 5A303A31 38301606 092A864886F70D01 09081309 31302E32 332E322E 32301E06 092A8648 86F70D01 09021611706B692D 3336612E 63697363 6F2E636F 6D305C30 0D06092A 864886F7 0D0101010500034B 00304802 4100AFFA 8F429618 112FAB9D 01F3352E 59DD3D2D AE67E31D370AC4DA 619735DF 9CF4EA13 64E4B563 C239C5F0 1578B773 07BED641 A18CA629191884B5 61B66ECF 4D110203 010001A3 30302E30 0B060355 1D0F0404 030205A0301F0603 551D2304 18301680 141DA8B1 71652961 3F7D69F0 02903AC3 2BADB137C6300D06 092A8648 86F70D01 01040500 03818100 67BAE186 327CED31 D642CB39AD585731 95868683 B950DF14 3BCB155A 2B63CFAD B34B579C 79128AD9 296922E94DEDFCAF A7B5A412 AB1FC081 09951CE3 08BFFDD9 9FB1B9DA E9AA42C8 D1049268C524E58F 11C6BA7F C750320C 03DFB6D4 CBB3E739 C8C76359 CE939A97 B51B3F7F3FF;A9D82 9CFDB6CF E2503A14 36D0A236 A1CCFEAEquitcertificate ca 0130820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333132 315A170D 30373031 33303039 33313231 5A303431 0B300906 0355040613025553 31143012 06035504 07130B20 53616E74 61204372 757A310F 300D060355040313 0620696F 73637330 819F300D 06092A86 4886F70D 01010105 0003818D00308189 02818100 FC0695AF 181CE90A 1B34B348 BA957178 680C8B51 07802AC3BF77B9C6 CB45092E 3C22292D C7D5FFC1 899185A1 FD8F37D5 C44FC206 6D1FA581E2264C83 1CC7453E 548C89C6 F3CD25BC 9BFFE7C5 E6653A06 62133950 78BED51B49128428 AB237F80 83A530EA 6F896193 F2134B54 D181F059 348AA84B 21EE6D80727BF668 EB004341 02030100 01A36330 61300F06 03551D13 0101FF04 0530030101FF300E 0603551D 0F0101FF 04040302 0186301D 0603551D 0E041604 141DA8B171652961 3F7D69F0 02903AC3 2BADB137 C6301F06 03551D23 04183016 80141DA8B1716529 613F7D69 F002903A C32BADB1 37C6300D 06092A86 4886F70D 0101040500038181 00885895 A0141169 3D754EB2 E6FEC293 5BF0A80B E424AA2F A3F597653463AAD1 55E71F0F B5D1A35B 9EA79DAC DDB40721 1344C01E 015BAB73 1E148E039DD01431 A5E2887B 4AEC8EF4 48ACDB66 A6F9401E 8F7CA588 8A4199BB F8A437A0F25064E7 112805D3 074A154F 650D09B9 8FA19347 ED359EAD 4181D9ED 0C667C108A7BCFB0 FBquitcrypto pki certificate chain cs1certificate ca 0130820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333132 315A170D 30373031 33303039 33313231 5A303431 0B300906 0355040613025553 31143012 06035504 07130B20 53616E74 61204372 757A310F 300D060355040313 0620696F 73637330 819F300D 06092A86 4886F70D 01010105 0003818D00308189 02818100 FC0695AF 181CE90A 1B34B348 BA957178 680C8B51 07802AC3BF77B9C6 CB45092E 3C22292D C7D5FFC1 899185A1 FD8F37D5 C44FC206 6D1FA581E2264C83 1CC7453E 548C89C6 F3CD25BC 9BFFE7C5 E6653A06 62133950 78BED51B49128428 AB237F80 83A530EA 6F896193 F2134B54 D181F059 348AA84B 21EE6D80727BF668 EB004341 02030100 01A36330 61300F06 03551D13 0101FF04 0530030101FF300E 0603551D 0F0101FF 04040302 0186301D 0603551D 0E041604 141DA8B171652961 3F7D69F0 02903AC3 2BADB137 C6301F06 03551D23 04183016 80141DA8B1716529 613F7D69 F002903A C32BADB1 37C6300D 06092A86 4886F70D 0101040500038181 00885895 A0141169 3D754EB2 E6FEC293 5BF0A80B E424AA2F A3F597653463AAD1 55E71F0F B5D1A35B 9EA79DAC DDB40721 1344C01E 015BAB73 1E148E039DD01431 A5E2887B 4AEC8EF4 48ACDB66 A6F9401E 8F7CA588 8A4199BB F8A437A02;F25064E7 112805D3 074A154F 650D09B9 8FA19347 ED359EAD 4181D9ED 0C667C108A7BCFB0 FBquit!crypto provisioning registrarpki-server cs1!!!crypto isakmp policy 1hash md5!!crypto ipsec transform-set test_transformset esp-3des!crypto map test_cryptomap 10 ipsec-isakmpset peer 10.23.1.10set security-association lifetime seconds 1800set transform-set test_transformsetmatch address 170Related Commands
crypto wui tti petitioner
Note
To configure a device to become an easy secure device deployment (EzSDD) petitioner and enter tti-petitioner configuration mode, use the crypto wui tti petitioner command in global configuration mode. To disable petitioner support, use the no form of this command.
crypto wui tti petitioner
no crypto wui tti petitioner
Syntax Description
This command has no arguments or keywords.
Defaults
A device (with a crypto image) is configured to be an EzSDD petitioner.
Command Modes
Global configuration
Command History
Usage Guidelines
EzSDD uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
•
•
•
Note
Examples
After the EzSDD exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration at the petitioner. (Note that petitioner will not have any TTI-specific configuration in the beginning except that the http server will be turned on and the Domain Name System (DNS) server needs to be properly configured.)
crypto pki trustpoint tti! Enrollment url contains the registrar CS detailsenrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
crypto wui tti registrar
Note
To configure a device to become an easy secure device deployment (EzSDD) registrar and enter tti-registrar configuration mode, use the crypto wui tti registrar command in global configuration mode. To disable registrar support, use the no form of this command.
crypto wui tti registrar
no crypto wui tti registrar
Syntax Description
This command has no arguments or keywords.
Defaults
The registrar is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
EzSDD uses Trusted Transitive Introduction (TTI) to easily deploy public key infrastructure (PKI) between two end devices. TTI, which is a communication protocol that provides a bidirectional introduction between two end entities, involves the following three entities:
•
•
•
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following sample output from the show running-config command verifies that the certificate server "cs1" was configured and associated with the TTI exchange between the registrar and petitioner:
crypto pki server cs1issuer-name CN = ioscs,L = Santa Cruz,C =USlifetime crl 336lifetime certificate 730!crypto pki trustpoint pki-36aenrollment url http://pki-36a:80ip-address FastEthernet0/0revocation-check none!crypto pki trustpoint cs1revocation-check crlrsakeypair cs1!!crypto pki certificate chain pki-36acertificate 03308201D0 30820139 A0030201 02020103 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333334 345A170D 30363031 33303039 33333434 5A303A31 38301606 092A864886F70D01 09081309 31302E32 332E322E 32301E06 092A8648 86F70D01 09021611706B692D 3336612E 63697363 6F2E636F 6D305C30 0D06092A 864886F7 0D0101010500034B 00304802 4100AFFA 8F429618 112FAB9D 01F3352E 59DD3D2D AE67E31D370AC4DA 619735DF 9CF4EA13 64E4B563 C239C5F0 1578B773 07BED641 A18CA629191884B5 61B66ECF 4D110203 010001A3 30302E30 0B060355 1D0F0404 030205A0301F0603 551D2304 18301680 141DA8B1 71652961 3F7D69F0 02903AC3 2BADB137C6300D06 092A8648 86F70D01 01040500 03818100 67BAE186 327CED31 D642CB39AD585731 95868683 B950DF14 3BCB155A 2B63CFAD B34B579C 79128AD9 296922E94DEDFCAF A7B5A412 AB1FC081 09951CE3 08BFFDD9 9FB1B9DA E9AA42C8 D1049268C524E58F 11C6BA7F C750320C 03DFB6D4 CBB3E739 C8C76359 CE939A97 B51B3F7F3FF;A9D82 9CFDB6CF E2503A14 36D0A236 A1CCFEAEquitcertificate ca 0130820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333132 315A170D 30373031 33303039 33313231 5A303431 0B300906 0355040613025553 31143012 06035504 07130B20 53616E74 61204372 757A310F 300D060355040313 0620696F 73637330 819F300D 06092A86 4886F70D 01010105 0003818D00308189 02818100 FC0695AF 181CE90A 1B34B348 BA957178 680C8B51 07802AC3BF77B9C6 CB45092E 3C22292D C7D5FFC1 899185A1 FD8F37D5 C44FC206 6D1FA581E2264C83 1CC7453E 548C89C6 F3CD25BC 9BFFE7C5 E6653A06 62133950 78BED51B49128428 AB237F80 83A530EA 6F896193 F2134B54 D181F059 348AA84B 21EE6D80727BF668 EB004341 02030100 01A36330 61300F06 03551D13 0101FF04 0530030101FF300E 0603551D 0F0101FF 04040302 0186301D 0603551D 0E041604 141DA8B171652961 3F7D69F0 02903AC3 2BADB137 C6301F06 03551D23 04183016 80141DA8B1716529 613F7D69 F002903A C32BADB1 37C6300D 06092A86 4886F70D 0101040500038181 00885895 A0141169 3D754EB2 E6FEC293 5BF0A80B E424AA2F A3F597653463AAD1 55E71F0F B5D1A35B 9EA79DAC DDB40721 1344C01E 015BAB73 1E148E039DD01431 A5E2887B 4AEC8EF4 48ACDB66 A6F9401E 8F7CA588 8A4199BB F8A437A0F25064E7 112805D3 074A154F 650D09B9 8FA19347 ED359EAD 4181D9ED 0C667C108A7BCFB0 FBquitcrypto pki certificate chain cs1certificate ca 0130820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 0405003034310B30 09060355 04061302 55533114 30120603 55040713 0B205361 6E7461204372757A 310F300D 06035504 03130620 696F7363 73301E17 0D303430 3133313039333132 315A170D 30373031 33303039 33313231 5A303431 0B300906 0355040613025553 31143012 06035504 07130B20 53616E74 61204372 757A310F 300D060355040313 0620696F 73637330 819F300D 06092A86 4886F70D 01010105 0003818D00308189 02818100 FC0695AF 181CE90A 1B34B348 BA957178 680C8B51 07802AC3BF77B9C6 CB45092E 3C22292D C7D5FFC1 899185A1 FD8F37D5 C44FC206 6D1FA581E2264C83 1CC7453E 548C89C6 F3CD25BC 9BFFE7C5 E6653A06 62133950 78BED51B49128428 AB237F80 83A530EA 6F896193 F2134B54 D181F059 348AA84B 21EE6D80727BF668 EB004341 02030100 01A36330 61300F06 03551D13 0101FF04 0530030101FF300E 0603551D 0F0101FF 04040302 0186301D 0603551D 0E041604 141DA8B171652961 3F7D69F0 02903AC3 2BADB137 C6301F06 03551D23 04183016 80141DA8B1716529 613F7D69 F002903A C32BADB1 37C6300D 06092A86 4886F70D 0101040500038181 00885895 A0141169 3D754EB2 E6FEC293 5BF0A80B E424AA2F A3F597653463AAD1 55E71F0F B5D1A35B 9EA79DAC DDB40721 1344C01E 015BAB73 1E148E039DD01431 A5E2887B 4AEC8EF4 48ACDB66 A6F9401E 8F7CA588 8A4199BB F8A437A02;F25064E7 112805D3 074A154F 650D09B9 8FA19347 ED359EAD 4181D9ED 0C667C108A7BCFB0 FBquit!crypto wui tti registrarpki-server cs1!!!crypto isakmp policy 1hash md5!!crypto ipsec transform-set test_transformset esp-3des!crypto map test_cryptomap 10 ipsec-isakmpset peer 10.23.1.10set security-association lifetime seconds 1800set transform-set test_transformsetmatch address 170Related Commands
ctype
To preauthenticate calls on the basis of the call type, use the ctype command in AAA preauthentication configuration mode. To remove the ctype command from your configuration, use the no form of this command.
ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
no ctype [if-avail | required] [accept-stop] [password password] [digital | speech | v.110 | v.120]
Syntax Description
Defaults
The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.
The default password string is cisco.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.
In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
Set up the RADIUS preauthentication profile with the call type string as the username and with the password that is defined in the ctype command as the password. Table 21 shows the call types that you may use in the preauthentication profile.
Examples
The following example specifies that incoming calls be preauthenticated on the basis of the call type:
aaa preauthgroup radiusctype requiredRelated Commands
