Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: D through evaluate

Table Of Contents

database (certificate server)

database archive

database level

database url

deadtime (server-group configuration)

default (ca-trustpoint)

description (identity policy)

description (identity profile)

description (isakmp peer)

device (identity profile)

dialer aaa

disconnect ssh

dn

dnis (authentication)

dnis (RADIUS)

dnis bypass (AAA preauthentication configuration)

dns

dnsix-dmdp retries

dnsix-nat authorized-redirection

dnsix-nat primary

dnsix-nat secondary

dnsix-nat source

dnsix-nat transmit-count

domain (isakmp-group)

dot1x default

dot1x initialize

dot1x max-req

dot1x max-start

dot1x multiple-hosts

dot1x pae

dot1x port-control

dot1x re-authenticate (EtherSwitch)

dot1x re-authenticate (privileged EXEC)

dot1x reauthentication

dot1x re-authentication (EtherSwitch)

dot1x system-auth-control

dot1x timeout

dot1x timeout (EtherSwitch)

eap

enable password

enable secret

encryption (IKE policy)

enrollment command

enrollment credential

enrollment http-proxy

enrollment mode ra

enrollment profile

enrollment retry count

enrollment retry period

enrollment selfsigned

enrollment terminal (ca-profile-enroll)

enrollment terminal (ca-trustpoint)

enrollment url (ca-identity)

enrollment url (ca-trustpoint)

eou allow

eou clientless

eou default

eou initialize

eou logging

eou max-retry

eou port

eou rate-limit

eou revalidate

eou timeout

evaluate


database (certificate server)

To require a username or password to be issued when accessing a database storage location, use the database command in certificate server configuration mode. To return to the default value, use the no form of this command.

database username username [password password]

no database username username [password password]

Syntax Description

username username

When prompted, a username will be used to access a storage location.

password password

(Optional) When prompted, a password will be used to access a storage location.


Defaults

This command is not enabled.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

All information stored in the remote database is public: there are no private keys stored in the database location. Using a password helps to protect against a potential attacker who can change the contents of the .ser or .crl file. If the contents of the files are changed, the certificate server may shut down, refusing to either issue new certificates or respond to simple certificate enrollment protocol (SCEP) requests until the files are restored.

It is good security practice to protect all information exchanges with the database server using IP Security (IPSec). To protect your information, use a remote database to obtain the appropriate certificates and set up the necessary IPSec connections to protect all future access to the database server.

Examples

The following example shows how to specify the username "mystorage" when accessing the complete database that is stored on an external TFTP server:

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level complete
Router(cs-server)# database url tftp://mytftp
Router(cs-server)# database username mystorage

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database level

Controls what type of data is stored in the database.

database url

Specifies the location where all database entries for the certificate server will be written out.


database archive

To set the certification authority (CA) certificate and CA key archive format—and the password—to encrypt this CA certificate and CA key archive file, use the database archive command in certificate server configuration mode. To disable the autoarchive feature, use the no form of this command.

database archive {pkcs12 | pem} [password password]

no database archive {pkcs12 | pem} [password password]

Syntax Description

pkcs12

Export as a PKCS12 file. The default is PKCS12.

pem

Export as a privacy-enhanced mail (PEM) file.

password password

(Optional) Password to encrypt the CA certificate and CA key. The password must be at least eight characters. If a password is not specified, you will be prompted for the password after the no shutdown command has been issued for the first time. When the password is entered, it will be encrypted.


Defaults

The archive format is PKCS (that is, the CA certificate and CA key are exported into a PKCS12 file, and you will be prompted for the password when the certificate server is turned on the first time).

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

Use this command to configure the autoarchive format for the CA certificate and CA key. The archive can later be used to restore your certificate server.

If autoarchiving is not explicitly turned off when the certificate server is first enabled (using the no shutdown command), the CA certificate and CA key will be archived automatically, applying the following rule:

The CA key must be (1) manually generated and marked "exportable" or (2) automatically generated by the certificate server (it will be marked nonexportable).


Note It is strongly recommended that if the password is included in the configuration to suppress the prompt after the no shutdown command, the password should be removed from the configuration after the archiving is finished.


Examples

The following example shows that certificate server autoarchiving has been enabled. The CA certificate and CA key format has been set to PEM, and the password has been set as cisco123.

Router(config)# crypto pki server myserver
Router(cs-server)# database archive pem password cisco123

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server.


database level

To control what type of data is stored in the certificate enrollment database, use the database level command in certificate server configuration mode. To return to the default functionality, use the no form of this command.

database level {minimal | names | complete}

no database level {minimal | names | complete}

Syntax Description

minimal

Enough information is stored only to continue issuing new certificates without conflict. This is the default functionality.

names

The serial number and subject name of each certificate are stored in the database, providing enough information for the administrator to find and revoke any particular certificate, if necessary.

complete

Each issued certificate is written to the database. If this keyword is used, you should enable the database url command; see "Usage Guidelines" for more information.


Defaults

minimal

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

The database level command is used to describe the database of certificates and certification authority (CA) states. After the user downgrades the database level, the old data stays the same and the new data is logged at the new level.

minimal Level

The ca-label.ser file is always available. It contains the previously issued certificate's serial number, which is always 1. If the .ser file is unavailable and the CA server has a self-signed certificate in the local configuration, the CA server will refuse to issue new certificates.

The file format is as follows:

last_serial = serial-number 

names Level

The serial-number.cnm file, which is written for each issued certificate, contains the "human readable decoded subject name" of the issued certificate and the "der encoded" values. This file can also include a certificate expiration date and the current status. (The minimal level files are also written out.)

The file format is as follows:

subjectname_der = <base64 encoded der value>
subjectname_str = <human readable decode subjectname>
expiration = <expiration date>
status = valid | revoked

complete Level

The serial-number.cer file, which is written for each issued certificate, is the binary certificate without additional encoding. (The minimal and names level files are also written out.)

The complete level produces a large amount of information, so you may want to store all database entries on an external TFTP server via the database url command unless your router does one of the following:

Issues only a small number of certificates

Has a local file system that is designed to support a large number of write operations and has sufficient storage for the certificates that are being issued
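The .ser and .cnm formats described above are simple enough to check offline, which matters because the database username usage guidelines note that a tampered .ser or .crl file can stop the certificate server from issuing certificates. The following added example (not from the Cisco documentation) parses constructed sample files in those formats and cross-checks them: it verifies the key/value layout, that status is valid or revoked, that subjectname_der is base64 wrapping a DER SEQUENCE, and that no .cnm serial exceeds last_serial from the .ser file. The expiration date format is an assumption, since the page only shows it as a placeholder.

```python
import base64
from typing import Dict, List

# Constructed sample database files in the formats described for the database
# level command; not taken from a real certificate server. The DER subject name
# is built by hand so that subjectname_der is genuinely decodable:
# SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), PrintableString "cs" } } }
SAMPLE_DER = bytes.fromhex("300d310b3009060355040313026373")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")

SAMPLE_SER = "last_serial = 3\n"      # ca-label.ser (minimal level)

SAMPLE_CNM: Dict[int, str] = {        # serial-number.cnm (names level)
    1: f"subjectname_der = {SAMPLE_B64}\nsubjectname_str = cn=cs\n"
       "expiration = 12:00:00 UTC Jan 1 2006\nstatus = valid\n",
    2: f"subjectname_der = {SAMPLE_B64}\nsubjectname_str = cn=cs\n"
       "expiration = 12:00:00 UTC Jan 1 2006\nstatus = revoked\n",
    # record 3 has a status the format does not allow and a corrupt DER value
    3: "subjectname_der = !!not-base64!!\nsubjectname_str = cn=cs\n"
       "expiration = 12:00:00 UTC Jan 1 2006\nstatus = expired\n",
    # record 5 is above last_serial, so the .ser file and the .cnm files disagree
    5: f"subjectname_der = {SAMPLE_B64}\nsubjectname_str = cn=cs\n"
       "expiration = 12:00:00 UTC Jan 1 2006\nstatus = valid\n",
}


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines are ignored."""
    fields: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_ser(text: str) -> int:
    """Return last_serial from a ca-label.ser file."""
    fields = parse_kv(text)
    if "last_serial" not in fields:
        raise ValueError("ser file has no last_serial entry")
    return int(fields["last_serial"])


def check_cnm(serial: int, text: str, last_serial: int) -> List[str]:
    """Return the problems found in one serial-number.cnm record (empty = clean)."""
    problems: List[str] = []
    try:
        fields = parse_kv(text)
    except ValueError as exc:
        return [f"{serial}.cnm: {exc}"]
    for key in ("subjectname_der", "subjectname_str", "expiration", "status"):
        if key not in fields:
            problems.append(f"{serial}.cnm: missing {key}")
    if fields.get("status") not in ("valid", "revoked"):
        problems.append(f"{serial}.cnm: status must be valid or revoked, "
                        f"got {fields.get('status')!r}")
    try:
        der = base64.b64decode(fields.get("subjectname_der", ""), validate=True)
        # A subject name is a DER SEQUENCE (tag 0x30) whose length must cover the
        # whole buffer; short-form lengths (< 128 bytes) suffice for this check.
        if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80 or len(der) != 2 + der[1]:
            problems.append(f"{serial}.cnm: subjectname_der is not a well-formed DER SEQUENCE")
    except ValueError:   # binascii.Error is a ValueError subclass
        problems.append(f"{serial}.cnm: subjectname_der is not valid base64")
    if serial > last_serial:
        problems.append(f"{serial}.cnm: serial exceeds last_serial {last_serial} in .ser file")
    return problems


def check_database(ser_text: str, cnm_files: Dict[int, str]) -> List[str]:
    """Cross-check the .ser file against every .cnm record; empty list means consistent."""
    last_serial = parse_ser(ser_text)
    problems: List[str] = []
    for serial in sorted(cnm_files):
        problems.extend(check_cnm(serial, cnm_files[serial], last_serial))
    return problems


if __name__ == "__main__":
    for problem in check_database(SAMPLE_SER, SAMPLE_CNM):
        print(problem)
```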

Examples

The following example shows how to configure a minimal-level database to be stored on the local system:

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimal
Router(cs-server)# database url nvram:
Router(cs-server)# issuer-name CN=ipsec_cs,L=Santa Cruz,C=US

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database url

Specifies the location where all database entries for the certificate server will be written out.


database url

To specify the location where all database entries for the certificate server will be written out, use the database url command in certificate server configuration mode. To return to the default location, use the no form of this command.

database url root-url

no database url root-url

Syntax Description

root-url

Location where database entries will be written out. The URL can be any URL that is supported by the Cisco IOS file system (IFS).


Defaults

The default location is flash.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

After you create a certificate server via the crypto pki server command, use the database url command if you want to specify a combined list of all the certificates that have been issued and the current certificate revocation list (CRL). The CRL is written to the certificate enrollment database as ca-label.crl (where ca-label is the name of the certificate server).


Note Although issuing the database url command is not required, it is recommended. Unless your router has a local file system that is designed for a large number of write operations and has sufficient storage for the certificates that are issued, you should issue this command.


Cisco IOS File System

The router uses any file system that is supported by your version of Cisco IOS software (such as TFTP, FTP, flash, and NVRAM) to send a certificate request and to receive the issued certificate. A user may wish to enable IFS certificate enrollment when his or her certification authority (CA) does not support Simple Certificate Enrollment Protocol (SCEP).

Examples

The following example shows how to configure all database entries to be written out to a TFTP server:

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level complete
Router(cs-server)# database url tftp://mytftp

Verifying the Database URL

To ensure that the specified URL is working correctly, configure the database url command before you issue the no shutdown command on the certificate server for the first time. If the URL is broken, you will see output as follows:

Router(config)# crypto pki server mycs
Router(cs-server)# database url ftp://myftpserver
Router(cs-server)# no shutdown
% Once you start the server, you can no longer change some of 
% the configuration.
Are you sure you want to do this? [yes/no]: yes 
Translating "myftpserver"

% Failed to generate CA certificate - 0xFFFFFFFF
% The Certificate Server has been disabled.

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database level

Controls what type of data is stored in the database.


deadtime (server-group configuration)

To configure deadtime within the context of RADIUS server groups, use the deadtime command in server group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes

no deadtime

Syntax Description

minutes

Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).


Defaults

Deadtime is set to 0.

Command Modes

Server-group configuration

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

Use this command to configure the deadtime value of any RADIUS server group. The deadtime value set in a server group overrides the value configured globally for the server. If deadtime is omitted from the server group configuration, the value will be inherited from the master list. If the server group is not configured, the default value (0) will apply to all servers in the group.

When the RADIUS Server Is Marked As Dead

For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.

For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead if both of the following conditions are met:

1. A valid response has not been received from the RADIUS server for any outstanding transaction for at least the timeout period that is used to determine whether to retransmit to that server, and

2. Across all transactions being sent to the RADIUS server, at least the requisite number of retransmits +1 (for the initial transmission) have been sent consecutively without receiving a valid response from the server with the requisite timeout.
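The two conditions for 12.2(13.7)T and later are easy to misread as a per-transaction rule, so the following added example (not Cisco code) models them as a small state machine and walks through three constructed scenarios. It assumes a radius-server timeout of 5 seconds, retransmit count 3 and a group deadtime of 1 minute, treats deadtime 0 as "marked dead but never skipped", and counts consecutive unanswered sends across all transactions, as condition 2 states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class RadiusServerModel:
    """State for one RADIUS server in a server group (times in seconds)."""
    timeout: float            # radius-server timeout: seconds to wait per transmission
    retransmit: int           # radius-server retransmit count
    deadtime_minutes: int     # deadtime from the server group; 0 = dead servers not skipped
    outstanding: Dict[int, float] = field(default_factory=dict)  # txn id -> first send time
    consecutive_unanswered: int = 0                              # sends since last valid response
    dead_until: Optional[float] = None

    def is_skipped(self, now: float) -> bool:
        """True while the server is marked dead and its deadtime has not expired."""
        if self.dead_until is not None and now < self.dead_until:
            return True
        self.dead_until = None    # deadtime elapsed: the server is tried again
        return False

    def send(self, txn: int, now: float) -> bool:
        """Record an initial transmission or a retransmit of transaction txn.
        Returns True if this send caused the server to be marked dead."""
        if self.is_skipped(now):
            raise RuntimeError("server is dead; the request belongs to the next server")
        self.outstanding.setdefault(txn, now)
        self.consecutive_unanswered += 1
        # Condition 1: some outstanding transaction has waited at least one
        # timeout period without a valid response.
        cond1 = any(now - t0 >= self.timeout for t0 in self.outstanding.values())
        # Condition 2: retransmit + 1 consecutive sends (initial transmission
        # included), counted across all transactions, with no valid response.
        cond2 = self.consecutive_unanswered >= self.retransmit + 1
        if cond1 and cond2:
            if self.deadtime_minutes > 0:
                self.dead_until = now + self.deadtime_minutes * 60
            return True
        return False

    def valid_response(self, txn: int) -> None:
        """A valid response clears the transaction and resets the consecutive count."""
        self.outstanding.pop(txn, None)
        self.consecutive_unanswered = 0


def scenario_single_transaction() -> dict:
    """One request retried until the server is dead: initial send plus three
    retransmits, one per timeout period, then skipped for one minute."""
    s = RadiusServerModel(timeout=5, retransmit=3, deadtime_minutes=1)
    marked_at = None
    for t in (0, 5, 10, 15):
        if s.send(1, t):
            marked_at = t
    return {"marked_dead_at": marked_at,
            "skipped_at_20": s.is_skipped(20),
            "skipped_at_75": s.is_skipped(75)}


def scenario_interleaved() -> dict:
    """Two overlapping requests reach the threshold sooner, because the
    retransmit count is accumulated across transactions rather than per transaction."""
    s = RadiusServerModel(timeout=5, retransmit=3, deadtime_minutes=1)
    marked_at = None
    for txn, t in ((1, 0), (2, 1), (1, 5), (2, 6)):
        if s.send(txn, t):
            marked_at = t
    return {"marked_dead_at": marked_at}


def scenario_response_resets() -> dict:
    """A valid response in between resets the consecutive count, so the same
    number of sends does not mark the server dead."""
    s = RadiusServerModel(timeout=5, retransmit=3, deadtime_minutes=1)
    s.send(1, 0)
    s.send(1, 5)
    s.send(1, 10)
    s.valid_response(1)                  # late but valid answer to transaction 1
    marked = s.send(2, 11) or s.send(2, 16)
    return {"marked_dead": marked, "unanswered": s.consecutive_unanswered}


if __name__ == "__main__":
    print(scenario_single_transaction())
    print(scenario_interleaved())
    print(scenario_response_resets())
```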

Examples

The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:

aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1

Related Commands

Command
Description

radius-server deadtime

Sets the deadtime value globally.


default (ca-trustpoint)

To reset the value of a ca-trustpoint configuration subcommand to its default, use the default command in ca-trustpoint configuration mode.

default command-name

Syntax Description

command-name

Ca-trustpoint configuration subcommand.


Defaults

No default behavior or values.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can configure this command, you must enable the crypto ca trustpoint command, which enters ca-trustpoint configuration mode.

Use this command to reset the value of a ca-trustpoint configuration mode subcommand to its default.

Examples

The following example shows how to remove the crl optional command from your configuration; the default of crl optional is off.

default crl optional

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


description (identity policy)

To enter a description for an identity policy, use the description command in identity policy configuration mode. To remove the description, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description of the identity policy.


Defaults

A description is not entered for the identity policy.

Command Modes

Identity policy configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example shows that an identity policy named "bluemoon" and its description ("policyABC") have been specified:

Router(config)# identity policy bluemoon
Router(config-identity-policy)# description policyABC

Related Commands

Command
Description

description (identity profile)

Enters a description for an identity profile.


description (identity profile)

To enter a description for an identity profile, use the description command in identity profile configuration mode. To remove the description of the identity profile, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description of the identity profile.


Defaults

A description is not entered for the identity profile.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was previously configured in dot1x configuration mode.


Usage Guidelines

The identity profile command and one of its keywords (default, dot1x, or eapoudp) must be entered in global configuration mode before the description command can be used.

Examples

The following example shows that a default identity profile and its description ("ourdefaultpolicy") have been specified:

Router(config)# identity profile default
Router(config-identity-prof)# description ourdefaultpolicy

Related Commands

Command
Description

description (identity policy)

Enters a description for an identity policy.

identity profile

Creates an identity profile and enters identity profile configuration mode.


description (isakmp peer)

To add the description of an Internet Key Exchange (IKE) peer, use the description command in ISAKMP peer configuration mode. To delete the description, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description given to an IKE peer.


Defaults

No default behavior or values

Command Modes

ISAKMP peer configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.

Examples

The following example shows that the description "connection from site A" has been added for an IKE peer:

Router(config)# crypto isakmp peer address 10.2.2.9
Router(config-isakmp-peer)# description connection from site A

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPSec and IKE SAs).

show crypto isakmp peer

Displays peer descriptions.

show crypto session

Displays status information for active crypto sessions in a router.


device (identity profile)

To statically authorize or reject individual devices, use the device command in identity profile configuration mode. To disable the authorization or rejection, use the no form of this command.

device {authorize {ip address ip-address {policy policy-name} | mac-address mac-address | type {cisco | ip | phone}} | not-authorize}

no device {authorize {ip address ip-address {policy policy-name} | mac-address mac-address | type {cisco | ip | phone}} | not-authorize}

Syntax Description

authorize

Configures an authorized device.

ip address

Specifies a device by its IP address.

ip-address

The IP address.

policy

Applies an associated policy with the device.

policy-name

Name of the policy.

mac-address

Specifies a device by its MAC address.

mac-address

The MAC address.

type

Specifies a device by its type.

cisco

Specifies a Cisco device.

ip

Specifies an IP device.

phone

Specifies a Cisco IP phone.

not-authorize

Configures an unauthorized device.


Defaults

A device is not statically authorized or rejected.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

The unauthorize keyword was changed to not-authorize. The cisco-device argument was deleted. The ip address keyword and ip-address argument were added. The ip and phone keywords were added.


Usage Guidelines

The identity profile command and default, dot1x, or eapoudp keywords must be entered in global configuration mode before the device command can be used.

Examples

The following configuration example defines an identity profile for Extensible Authentication Protocol over UDP (EAPoUDP) to statically authorize host 192.168.1.3 with "greentree" as the associated identity policy:

Router(config)# identity profile eapoudp
Router(config-identity-prof)# device authorize ip address 192.168.1.3 policy greentree

Related Commands

Command
Description

identity profile eapoudp

Creates an identity profile.


dialer aaa

To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command.

dialer aaa [password string | suffix string]

no dialer aaa [password string | suffix string]

Syntax Description

password string

(Optional) Defines a nondefault password for authentication. The password string can be a maximum of 128 characters.

suffix string

(Optional) Defines a suffix for authentication. The suffix string can be a maximum of 64 characters.


Defaults

This feature is not enabled by default.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(3)T

This command was introduced.

12.1(5)T

The password and suffix keywords were added.


Usage Guidelines

This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password will be "cisco."


Note Only IP addresses can be specified as usernames for the dialer aaa suffix command.


Examples

This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco."

interface dialer1
 dialer aaa
 dialer aaa suffix @ciscoDoD password cisco

Related Commands

Command
Description

accept dialout

Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.

dialer congestion-threshold

Specifies congestion threshold in connected links.

dialer vpdn

Enables a Dialer Profile or DDR dialer to use L2TP dial-out.


disconnect ssh

To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh command in privileged EXEC mode.

disconnect ssh [vty] session-id

Syntax Description

vty

(Optional) Virtual terminal for remote console access.

session-id

The connection number as displayed in the show ip ssh command output.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.


Usage Guidelines

The clear line vty n command, where n is the connection number displayed in the show ip ssh command output, may be used instead of the disconnect ssh command.

When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.

Examples

The following example terminates SSH connection number 1:

disconnect ssh 1

Related Commands

Command
Description

clear line vty

Returns a terminal line to idle state using the privileged EXEC command.


dn

To associate the identity of a router with the distinguished name (DN) in the certificate of the router, use the dn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

dn name=string [, name=string]

no dn name=string [, name=string]

Syntax Description

name=string

Identity used to restrict access to peers with specific certificates. Optionally, you can associate more than one identity.


Command Default

If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the dn command to associate the identity of the router, which is defined in the crypto identity command, with the DN that the peer used to authenticate itself.


Note The name defined in the crypto identity command must match the string defined in the dn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.


This command allows you to set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.

An encrypting peer matches this list if it contains the attributes listed in any one line defined within the name=string.

Examples

The following example shows how to configure an IPsec crypto map that can be used only by peers that have been authenticated by the DN and if the certificate belongs to "green":

crypto map map-to-green 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-green
!
crypto identity to-green
 dn ou=green

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

fqdn

Associates the identity of the router with the hostname that the peer used to authenticate itself.


dnis (authentication)

To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password string]

no dnis [if-avail | required] [accept-stop] [password string]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:

aaa preauth
 group radius
 dnis password Ascend-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

group (authentication)

Selects the security server to use for AAA preauthentication.

isdn guard-timer

Sets a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.


dnis (RADIUS)

To preauthenticate calls on the basis of the DNIS (Dialed Number Identification Service) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password password]

no dnis [if-avail | required] [accept-stop] [password password]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as clid or ctype from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the authentication, authorization, and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.
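The ordering rule in the usage guidelines of both dnis entries, together with the if-avail, required and accept-stop semantics from the syntax descriptions, determines whether a call is preauthenticated. The following added example (not Cisco code) evaluates a list of preauthentication elements in configured order against a constructed call and a stand-in for the RADIUS preauthentication profiles. It assumes that an unreachable RADIUS server fails the element (the isdn guard-timer behaviour is not modelled) and that a value absent from the profiles is rejected.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class PreauthElement:
    """One configured element, e.g. 'dnis required accept-stop' or 'clid if-avail'."""
    name: str                 # "dnis", "clid" or "ctype"
    required: bool = True     # False models the if-avail keyword
    accept_stop: bool = False


# Hypothetical stand-in for the RADIUS server's preauthentication profiles:
# maps (element, value) to "accept" or "reject". Passing None as the lookup
# models an unreachable server.
RadiusLookup = Callable[[str, str], str]


def evaluate_preauth(elements: List[PreauthElement], call: Dict[str, str],
                     radius: Optional[RadiusLookup]) -> Tuple[bool, List[str]]:
    """Walk the elements in the order they were configured under aaa preauth.
    Returns (passed, trace) where trace records each decision."""
    trace: List[str] = []
    for el in elements:
        value = call.get(el.name)          # data the switch supplied for this call
        if value is None:
            if el.required:
                trace.append(f"{el.name}: not provided by switch, required -> fail")
                return False, trace
            trace.append(f"{el.name}: not provided by switch, if-avail -> pass")
            continue
        if radius is None:
            trace.append(f"{el.name}: RADIUS unreachable -> fail")
            return False, trace
        if radius(el.name, value) != "accept":
            trace.append(f"{el.name}={value}: RADIUS rejected -> fail")
            return False, trace
        trace.append(f"{el.name}={value}: RADIUS accepted -> pass")
        if el.accept_stop:
            trace.append("accept-stop: remaining elements skipped")
            break
    return True, trace


# Constructed preauthentication profiles standing in for a RADIUS server.
SAMPLE_PROFILES = {
    ("dnis", "5551212"): "accept",
    ("clid", "4085550100"): "accept",
    ("ctype", "speech"): "reject",
}


def sample_radius(element: str, value: str) -> str:
    return SAMPLE_PROFILES.get((element, value), "reject")


# Elements in the order 'dnis', then 'clid', then 'ctype', as the guidelines describe.
CONFIG_WITH_STOP = [
    PreauthElement("dnis", required=True, accept_stop=True),
    PreauthElement("clid", required=False),
    PreauthElement("ctype", required=True),
]
CONFIG_NO_STOP = [
    PreauthElement("dnis"),
    PreauthElement("clid", required=False),
    PreauthElement("ctype"),
]


if __name__ == "__main__":
    call = {"dnis": "5551212", "ctype": "speech"}
    for cfg in (CONFIG_WITH_STOP, CONFIG_NO_STOP):
        passed, trace = evaluate_preauth(cfg, call, sample_radius)
        print(passed, trace)
```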

Examples

The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:

aaa preauth
 group radius
 dnis required

Related Commands

Command
Description

clid

Preauthenticates calls on the basis of the CLID number.

ctype

Preauthenticates calls on the basis of the call type.

dnis bypass (AAA preauthentication configuration)

Specifies a group of DNIS numbers that will be bypassed for preauthentication.

group (RADIUS)

Specifies the AAA RADIUS server group to use for preauthentication.


dnis bypass (AAA preauthentication configuration)

To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass command in AAA preauthentication configuration mode. To remove the dnis bypass command from your configuration, use the no form of this command.

dnis bypass {dnis-group-name}

no dnis bypass {dnis-group-name}

Syntax Description

dnis-group-name

Name of the defined DNIS group.


Defaults

No DNIS numbers are bypassed for preauthentication.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

Before using this command, you must first create a DNIS group with the dialer dnis group command.

Examples

The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:

aaa preauth
 group radius
 dnis required
 dnis bypass hawaii

dialer dnis group hawaii
 number 12345
 number 12346

Related Commands

Command
Description

dialer dnis group

Creates a DNIS group.

dnis (RADIUS)

Preauthenticates calls on the basis of the DNIS number.


dns

To specify the primary and secondary Domain Name Service (DNS) servers, use the dns command in Internet Security Association and Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

dns primary-server secondary-server

no dns primary-server secondary-server

Syntax Description

primary-server

Name of the primary DNS server.

secondary-server

Name of the secondary DNS server.


Defaults

A DNS server is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the dns command to specify the primary and secondary DNS servers for the group.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.

Examples

The following example shows how to define a primary and secondary DNS server for the default group name:

crypto isakmp client configuration group default
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool dog
 acl 199

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the policy profile of the group that will be defined.

domain (isakmp-group)

Specifies the DNS domain to which a group belongs.


dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count

no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.


Defaults

Retransmits messages up to 4 times, or until acknowledged.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example sets the number of times DMDP will attempt to retransmit a message to 150:

dnsix-dmdp retries 150

Related Commands

Command
Description

dnsix-nat authorized-redirection

Specifies the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages.

dnsix-nat primary

Specifies the IP address of the host to which DNSIX audit messages are sent.

dnsix-nat secondary

Specifies an alternate IP address for the host to which DNSIX audit messages are sent.

dnsix-nat source

Starts the audit-writing module and defines audit trail source address.

dnsix-nat transmit-count

Causes the audit-writing module to collect multiple audit messages in the buffer before sending the messages to a collection center.


dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection command in global configuration mode. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address

no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.


Defaults

An empty list of addresses.

Command Modes

Global configuration

Command H