Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: D through evaluate

Table Of Contents

database (certificate server)

database archive

database level

database url

deadtime (server-group configuration)

default (ca-trustpoint)

description (identity policy)

description (identity profile)

description (isakmp peer)

device (identity profile)

dialer aaa

disconnect ssh

dn

dnis (authentication)

dnis (RADIUS)

dnis bypass (AAA preauthentication configuration)

dns

dnsix-dmdp retries

dnsix-nat authorized-redirection

dnsix-nat primary

dnsix-nat secondary

dnsix-nat source

dnsix-nat transmit-count

domain (isakmp-group)

dot1x default

dot1x initialize

dot1x max-req

dot1x max-start

dot1x multiple-hosts

dot1x pae

dot1x port-control

dot1x re-authenticate (EtherSwitch)

dot1x re-authenticate (privileged EXEC)

dot1x reauthentication

dot1x re-authentication (EtherSwitch)

dot1x system-auth-control

dot1x timeout

dot1x timeout (EtherSwitch)

eap

enable password

enable secret

encryption (IKE policy)

enrollment command

enrollment credential

enrollment http-proxy

enrollment mode ra

enrollment profile

enrollment retry count

enrollment retry period

enrollment selfsigned

enrollment terminal (ca-profile-enroll)

enrollment terminal (ca-trustpoint)

enrollment url (ca-identity)

enrollment url (ca-trustpoint)

eou allow

eou clientless

eou default

eou initialize

eou logging

eou max-retry

eou port

eou rate-limit

eou revalidate

eou timeout

evaluate


database (certificate server)

To require a username, and optionally a password, when the certificate server accesses its database storage location, use the database command in certificate server configuration mode. To return to the default value, use the no form of this command.

database username username [password password]

no database username username [password password]

Syntax Description

username username

Username presented when the storage location prompts for credentials.

password password

(Optional) Password presented when the storage location prompts for credentials.


Defaults

This command is not enabled.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

All information stored in the remote database is public; no private keys are stored in the database location. The credentials therefore protect integrity rather than confidentiality: a password helps to keep a potential attacker who can reach the storage location from changing the contents of the .ser or .crl file. If the contents of those files are changed, the certificate server may shut down and refuse to issue new certificates or to respond to Simple Certificate Enrollment Protocol (SCEP) requests until the files are restored. The credentials take effect only when the storage location actually prompts for them; TFTP performs no authentication, so a TFTP-backed database relies entirely on the transport protection described next.

It is good security practice to protect all information exchanges with the database server using IP Security (IPsec). To protect your information, use a remote database to obtain the appropriate certificates and then set up the IPsec connections that protect all future access to the database server.

Examples

The following example shows how to specify the username "mystorage" when accessing the complete database that is stored on an external TFTP server:

Router (config)# ip http server
Router (config)# crypto pki server myserver
Router (cs-server)# database level complete
Router (cs-server)# database url tftp://mytftp
Router (cs-server)# database username mystorage

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database level

Controls what type of data is stored in the database.

database url

Specifies the location where all database entries for the certificate server will be written out.


database archive

To set the certification authority (CA) certificate and CA key archive format—and the password—to encrypt this CA certificate and CA key archive file, use the database archive command in certificate server configuration mode. To disable the autoarchive feature, use the no form of this command.

database archive {pkcs12 | pem} [password password]

no database archive {pkcs12 | pem} [password password]

Syntax Description

pkcs12

Export as a PKCS12 file. The default is PKCS12.

pem

Export as a privacy-enhanced mail (PEM) file.

password password

(Optional) Password to encrypt the CA certificate and CA key. The password must be at least eight characters. If a password is not specified, you will be prompted for the password after the no shutdown command has been issued for the first time. When the password is entered, it will be encrypted.


Defaults

The archive format is PKCS12 (that is, the CA certificate and CA key are exported into a PKCS12 file), and you will be prompted for the password when the certificate server is turned on for the first time.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

Use this command to configure the autoarchive format for the CA certificate and CA key. The archive can later be used to restore your certificate server.

If autoarchiving is not explicitly turned off when the certificate server is first enabled (using the no shutdown command), the CA certificate and CA key will be archived automatically, applying the following rule:

The CA key must be (1) manually generated and marked "exportable" or (2) automatically generated by the certificate server (it will be marked nonexportable).


Note It is strongly recommended that if the password is included in the configuration to suppress the prompt after the no shutdown command, the password should be removed from the configuration after the archiving is finished.


Examples

The following example shows that certificate server autoarchiving has been enabled. The CA certificate and CA key format has been set to PEM, and the password has been set as cisco123.

Router (config)# crypto pki server myserver
Router (cs-server)# database archive pem password cisco123

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server.


database level

To control what type of data is stored in the certificate enrollment database, use the database level command in certificate server configuration mode. To return to the default functionality, use the no form of this command.

database level {minimal | names | complete}

no database level {minimal | names | complete}

Syntax Description

minimal

Enough information is stored only to continue issuing new certificates without conflict. This is the default functionality.

names

The serial number and subject name of each certificate are stored in the database, providing enough information for the administrator to find and revoke a particular certificate, if necessary.

complete

Each issued certificate is written to the database. If this keyword is used, you should enable the database url command; see "Usage Guidelines" for more information.


Defaults

minimal

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

The database level command controls how much of the certificate and certification authority (CA) state is recorded in the database. After the user downgrades the database level, the old data stays the same and the new data is logged at the new level.

minimal Level

The ca-label.ser file is always available. It records the serial number of the most recently issued certificate; on a new server this starts at 1. If the .ser file is unavailable and the CA server has a self-signed certificate in the local configuration, the CA server will refuse to issue new certificates.

The file format is as follows:

last_serial = serial-number 

names Level

The serial-number.cnm file, which is written for each issued certificate, contains the human-readable decoded subject name of the issued certificate and the DER-encoded value. This file can also include a certificate expiration date and the current status. (The minimal level files are also written out.)

The file format is as follows:

subjectname_der = <base64 encoded der value>
subjectname_str = <human readable decode subjectname>
expiration = <expiration date>
status = valid | revoked

complete Level

The serial-number.cer file, which is written for each issued certificate, is the binary certificate without additional encoding. (The minimal and names level files are also written out.)

The complete level produces a large amount of information, so you may want to store all database entries on an external TFTP server via the database url command unless your router does one of the following:

Issues only a small number of certificates

Has a local file system that is designed to support a large number of write operations and has sufficient storage for the certificates that are being issued
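The following is an added example (not Cisco code) that reads a database written at the names level and checks it for the tampering the database command's guidelines warn about. It parses the ca-label.ser and serial-number.cnm files using the key names above, decodes the base64 DER subject name to confirm the human-readable copy, and flags a .ser file whose last_serial has fallen behind the certificates already on record. Decimal serial numbers, the attribute types decoded (CN, C, L, O, OU), and the sample database built at the bottom are assumptions of this example.

```python
"""Consistency check for a Cisco IOS certificate-server database: the
ca-label.ser file and the serial-number.cnm files described above.
Added example, not Cisco code. Key names and status values follow the
page; decimal serials, the RDN types decoded and the sample database
are assumptions constructed here."""
import base64
import re

_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
         "2.5.4.10": "O", "2.5.4.11": "OU"}

def _tlv(buf, i):
    """Decode one DER tag/length/value at offset i; return (tag, value, next)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:                          # long-form length
        n, length = length & 0x7F, 0
        for b in buf[i:i + n]:
            length = (length << 8) | b
        i += n
    return tag, buf[i:i + length], i + length

def decode_name(der):
    """Render an X.501 Name (SEQUENCE OF SET OF type=value) as 'CN=a,OU=b'."""
    parts, seq, i = [], _tlv(der, 0)[1], 0
    while i < len(seq):
        _, rdn, i = _tlv(seq, i)
        j = 0
        while j < len(rdn):
            _, ava, j = _tlv(rdn, j)
            _, oid, k = _tlv(ava, 0)
            _, val, _ = _tlv(ava, k)
            # OID arcs below 128 only (true for every type in _OIDS).
            dotted = ".".join([str(oid[0] // 40), str(oid[0] % 40)] + [str(b) for b in oid[1:]])
            parts.append(f"{_OIDS.get(dotted, dotted)}={val.decode()}")
    return ",".join(parts)

def parse_kv(text):
    """Parse the 'key = value' lines used by the .ser and .cnm files."""
    return {m.group(1): m.group(2) for m in
            (re.match(r"\s*(\w+)\s*=\s*(.*?)\s*$", ln) for ln in text.splitlines()) if m}

def subject_of(cnm_text):
    """Subject decoded from the DER copy, which is the authoritative one."""
    return decode_name(base64.b64decode(parse_kv(cnm_text)["subjectname_der"]))

def check_database(files):
    """files: {filename: contents}. Returns a list of findings (empty = clean)."""
    findings, issued = [], []
    ser = [n for n in files if n.endswith(".ser")]
    if len(ser) != 1:
        return [f"expected exactly one .ser file, found {len(ser)}"]
    last_serial = int(parse_kv(files[ser[0]]).get("last_serial", -1))
    for name, text in files.items():
        if not name.endswith(".cnm"):
            continue
        issued.append(int(name[:-4]))
        rec = parse_kv(text)
        if rec.get("status") not in ("valid", "revoked"):
            findings.append(f"{name}: bad status {rec.get('status')!r}")
        try:
            decoded = subject_of(text)
        except (KeyError, ValueError, IndexError):
            findings.append(f"{name}: subjectname_der missing or not a DER Name")
            continue
        if decoded.lower() != rec.get("subjectname_str", "").lower():
            findings.append(f"{name}: subjectname_str {rec.get('subjectname_str')!r} "
                            f"does not match DER subject {decoded!r}")
    if issued and max(issued) > last_serial:   # rolled-back .ser => serial reuse
        findings.append(f"last_serial={last_serial} is below issued serial {max(issued)}")
    return findings

# --- constructed sample database, not taken from a real server ---
def _tl(tag, body):                            # short-form DER lengths suffice here
    return bytes([tag, len(body)]) + body

def make_cnm(status, **attrs):
    """One .cnm record from short attribute names (values under 128 bytes)."""
    rev, rdns = {v: k for k, v in _OIDS.items()}, b""
    for k, v in attrs.items():
        arcs = [int(a) for a in rev[k].split(".")]
        oid = bytes([arcs[0] * 40 + arcs[1]] + arcs[2:])
        rdns += _tl(0x31, _tl(0x30, _tl(0x06, oid) + _tl(0x13, v.encode())))
    der = base64.b64encode(_tl(0x30, rdns)).decode()
    human = ",".join(f"{k}={v}" for k, v in attrs.items())
    return (f"subjectname_der = {der}\nsubjectname_str = {human}\n"
            f"expiration = 2005-01-01 00:00:00\nstatus = {status}\n")

SAMPLE_DB = {
    "mycs.ser": "last_serial = 3\n",
    "1.cnm": make_cnm("valid", CN="alice", OU="green"),
    "2.cnm": make_cnm("revoked", CN="bob", OU="green"),
    "3.cnm": make_cnm("valid", CN="carol", OU="blue"),
}
# Same database after an attacker rolls back the .ser file and edits
# the human-readable subject of certificate 3.
TAMPERED_DB = dict(SAMPLE_DB, **{
    "mycs.ser": "last_serial = 1\n",
    "3.cnm": SAMPLE_DB["3.cnm"].replace("CN=carol", "CN=mallory"),
})
```

Run check_database over a copy of the files fetched from the storage server. A last_serial lower than the highest .cnm serial means the server would reuse serial numbers if it kept issuing, and a subject mismatch shows that the human-readable line was edited independently of the DER value; either finding warrants restoring the files from a trusted copy before the server issues anything else.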

Examples

The following example shows how to configure a minimal database that is stored on the local system:

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimal
Router(cs-server)# database url nvram:
Router(cs-server)# issuer-name CN=ipsec_cs,L=Santa Cruz,C=US

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database url

Specifies the location where all database entries for the certificate server will be written out.


database url

To specify the location where all database entries for the certificate server will be written out, use the database url command in certificate server configuration mode. To return to the default location, use the no form of this command.

database url root-url

no database url root-url

Syntax Description

root-url

Location where database entries will be written out. The URL can be any URL that is supported by the Cisco IOS file system (IFS).


Defaults

The default location is flash.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

After you create a certificate server via the crypto pki server command, use the database url command to specify where the certificate enrollment database, which holds the record of all issued certificates together with the current certificate revocation list (CRL), is written. The CRL is written to the certificate enrollment database as ca-label.crl (where ca-label is the name of the certificate server).


Note Although issuing the database url command is not required, it is recommended. Unless your router has a local file system that is designed for a large number of write operations and has sufficient storage for the certificates that are issued, you should issue this command.


Cisco IOS File System

The router uses any file system that is supported by your version of Cisco IOS software (such as TFTP, FTP, flash, and NVRAM) to send a certificate request and to receive the issued certificate. A user may wish to enable IFS certificate enrollment when his or her certification authority (CA) does not support Simple Certificate Enrollment Protocol (SCEP).

Examples

The following example shows how to configure all database entries to be written out to a TFTP server:

Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level complete
Router(cs-server)# database url tftp://mytftp

Verifying the Database URL

To ensure that the specified URL is working correctly, configure the database url command before you issue the no shutdown command on the certificate server for the first time. If the URL is broken, you will see output as follows:

Router(config)# crypto pki server mycs
Router(cs-server)# database url ftp://myftpserver
Router(cs-server)# no shutdown
% Once you start the server, you can no longer change some of 
% the configuration.
Are you sure you want to do this? [yes/no]: yes 
Translating "myftpserver"

% Failed to generate CA certificate - 0xFFFFFFFF
% The Certificate Server has been disabled.

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters PKI configuration mode.

database level

Controls what type of data is stored in the database.


deadtime (server-group configuration)

To configure deadtime within the context of RADIUS server groups, use the deadtime command in server group configuration mode. To set deadtime to 0, use the no form of this command.

deadtime minutes

no deadtime

Syntax Description

minutes

Length of time, in minutes, for which a RADIUS server is skipped over by transaction requests, up to a maximum of 1440 minutes (24 hours).


Defaults

Deadtime is set to 0.

Command Modes

Server-group configuration

Command History

Release
Modification

12.1(1)T

This command was introduced.


Usage Guidelines

Use this command to configure the deadtime value of any RADIUS server group. A deadtime set in a server group overrides the value configured globally with the radius-server deadtime command. If deadtime is omitted from the server group configuration, the value is inherited from the global (master) list; if no global value is configured either, the default (0) applies to all servers in the group.

When the RADIUS Server Is Marked As Dead

For Cisco IOS versions prior to 12.2(13.7)T, the RADIUS server will be marked as dead if a transaction is transmitted for the configured number of retransmits and a valid response is not received from the server within the configured timeout for any of the RADIUS packet transmissions.

For Cisco IOS versions 12.2(13.7)T and later, the RADIUS server will be marked as dead only if both of the following conditions are met:

1. No valid response has been received from the RADIUS server for any outstanding transaction for at least the timeout period that is used to decide whether to retransmit to that server, and

2. Across all transactions being sent to the RADIUS server, at least the configured number of retransmits plus 1 (for the initial transmission) have been sent consecutively, each waiting the full timeout, without a valid response from the server.
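To see how the two conditions above combine with deadtime, here is an added model of the rule (example code, not Cisco's implementation). The class and function names, the 5-second timeout, the 3 retransmits and the silent-server scenario are assumptions; falling back to the first member when every server in the group is dead is also an assumption of the model.

```python
"""Model of how a RADIUS server in a server group is marked dead under
the rule that applies from Cisco IOS 12.2(13.7)T on, and how deadtime
then skips it. Added example, not Cisco code; timer values and the
silent-server scenario are constructed."""


class RadiusServer:
    def __init__(self, name, timeout=5, retransmit=3):
        self.name, self.timeout, self.retransmit = name, timeout, retransmit
        self.unanswered = 0          # consecutive transmissions without a valid response
        self.silent_since = None     # when the unanswered run started
        self.dead_until = None

    def send(self, now):
        if self.unanswered == 0:
            self.silent_since = now
        self.unanswered += 1

    def valid_response(self):
        self.unanswered, self.silent_since = 0, None

    def meets_dead_rule(self, now):
        # Condition 1: no valid response for at least one timeout period.
        # Condition 2: retransmit + 1 consecutive transmissions unanswered
        #              (the initial send plus every retransmit).
        return (self.silent_since is not None
                and now - self.silent_since >= self.timeout
                and self.unanswered >= self.retransmit + 1)

    def is_dead(self, now):
        return self.dead_until is not None and now < self.dead_until


class ServerGroup:
    """aaa group server radius ... with an optional deadtime (minutes)."""
    def __init__(self, servers, deadtime=0):
        self.servers, self.deadtime = servers, deadtime * 60

    def pick(self, now):
        """First member not currently skipped (falls back to the first member
        when all are dead; an assumption of this model)."""
        return next((s for s in self.servers if not s.is_dead(now)), self.servers[0])

    def timeout_expired(self, server, now):
        """A transmission to server drew no valid response within the timeout."""
        if self.deadtime and server.meets_dead_rule(now):
            server.dead_until = now + self.deadtime
            server.unanswered, server.silent_since = 0, None


def run_scenario(deadtime=1):
    """Server A never answers; B is healthy. Returns the key instants."""
    a, b = RadiusServer("1.1.1.1"), RadiusServer("2.2.2.2")
    group, t, dead_at = ServerGroup([a, b], deadtime), 0, None
    for _ in range(a.retransmit + 1):        # initial send + retransmits
        a.send(t)
        t += a.timeout                       # wait one timeout period
        group.timeout_expired(a, t)
        if dead_at is None and a.is_dead(t):
            dead_at = t
    return {
        "dead_at": dead_at,                                  # 20 s
        "dead_until": a.dead_until,                          # 80 s
        "during_deadtime": group.pick(t + 1).name,           # 2.2.2.2
        "after_deadtime": group.pick(a.dead_until).name,     # 1.1.1.1
    }
```

With timeout 5 and retransmit 3 the silent server is declared dead 20 seconds after its first unanswered transmission and is skipped for the configured deadtime; with deadtime 0 (the default) it is never skipped, so every authentication keeps paying that full 20-second wait before falling through to the next server.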

Examples

The following example specifies a one-minute deadtime for RADIUS server group group1 once it has failed to respond to authentication requests:

aaa group server radius group1
 server 1.1.1.1 auth-port 1645 acct-port 1646
 server 2.2.2.2 auth-port 2000 acct-port 2001
 deadtime 1

Related Commands

Command
Description

radius-server deadtime

Sets the deadtime value globally.


default (ca-trustpoint)

To reset the value of a ca-trustpoint configuration subcommand to its default, use the default command in ca-trustpoint configuration mode.

default command-name

Syntax Description

command-name

Ca-trustpoint configuration subcommand.


Defaults

No default behavior or values.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can configure this command, you must enable the crypto ca trustpoint command, which enters ca-trustpoint configuration mode.

Use this command to reset the value of a ca-trustpoint configuration mode subcommand to its default.

Examples

The following example shows how to remove the crl optional command from your configuration; the default of crl optional is off.

default crl optional

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


description (identity policy)

To enter a description for an identity policy, use the description command in identity policy configuration mode. To remove the description, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description of the identity policy.


Defaults

A description is not entered for the identity policy.

Command Modes

Identity policy configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example shows that an identity policy named "bluemoon" and its description ("policyABC") have been specified:

Router (config)# identity policy bluemoon
Router (config-identity-policy)# description policyABC

Related Commands

Command
Description

description (identity profile)

Enters a description for an identity profile.


description (identity profile)

To enter a description for an identity profile, use the description command in identity profile configuration mode. To remove the description of the identity profile, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description of the identity profile.


Defaults

A description is not entered for the identity profile.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

This command was previously configured in dot1x configuration mode.


Usage Guidelines

The identity profile command and one of its keywords (default, dot1x, or eapoudp) must be entered in global configuration mode before the description command can be used.

Examples

The following example shows that a default identity profile and its description ("ourdefaultpolicy") have been specified:

Router (config)# identity profile default
Router (config-identity-prof)# description ourdefaultpolicy

Related Commands

Command
Description

description (identity policy)

Enters a description for an identity policy.

identity profile

Creates an identity profile and enters identity profile configuration mode.


description (isakmp peer)

To add the description of an Internet Key Exchange (IKE) peer, use the description command in ISAKMP peer configuration mode. To delete the description, use the no form of this command.

description line-of-description

no description line-of-description

Syntax Description

line-of-description

Description given to an IKE peer.


Defaults

No default behavior or values

Command Modes

ISAKMP peer configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

IKE peers that "sit" behind a Network Address Translation (NAT) device cannot be uniquely identified; therefore, they have to share the same peer description.

Examples

The following example shows that the description "connection from site A" has been added for an IKE peer:

Router(config)# crypto isakmp peer address 10.2.2.9
Router (config-isakmp-peer)# description connection from site A

Related Commands

Command
Description

clear crypto session

Deletes crypto sessions (IPSec and IKE SAs).

show crypto isakmp peer

Displays peer descriptions.

show crypto session

Displays status information for active crypto sessions in a router.


device (identity profile)

To statically authorize or reject individual devices, use the device command in identity profile configuration mode. To disable the authorization or rejection, use the no form of this command.

device {authorize {ip address ip-address {policy policy-name} | mac-address mac-address | type {cisco | ip | phone}} | not-authorize}

no device {authorize {ip address ip-address {policy policy-name} | mac-address mac-address | type {cisco | ip | phone}} | not-authorize}

Syntax Description

authorize

Configures an authorized device.

ip address

Specifies a device by its IP address.

ip-address

The IP address.

policy

Applies an associated policy with the device.

policy-name

Name of the policy.

mac-address

Specifies a device by its MAC address.

mac-address

The MAC address.

type

Specifies a device by its type.

cisco

Specifies a Cisco device.

ip

Specifies an IP device.

phone

Specifies a Cisco IP phone.

not-authorize

Configures an unauthorized device.


Defaults

A device is not statically authorized or rejected.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

The unauthorize keyword was changed to not-authorize. The cisco-device argument was deleted. The ip address keyword and ip-address argument were added. The ip and phone keywords were added.


Usage Guidelines

The identity profile command and default, dot1x, or eapoudp keywords must be entered in global configuration mode before the device command can be used.

Examples

The following configuration example defines an identity profile for Extensible Authentication Protocol over UDP (EAPoUDP) to statically authorize host 192.168.1.3 with "greentree" as the associated identity policy:

Router(config)# identity profile eapoudp
Router(config-identity-prof)# device authorize ip address 192.168.1.3 policy greentree

Related Commands

Command
Description

identity profile eapoudp

Creates an identity profile.


dialer aaa

To allow a dialer to access the authentication, authorization, and accounting (AAA) server for dialing information, use the dialer aaa command in interface configuration mode. To disable this function, use the no form of this command.

dialer aaa [password string | suffix string]

no dialer aaa [password string | suffix string]

Syntax Description

password string

(Optional) Defines a nondefault password for authentication. The password string can be a maximum of 128 characters.

suffix string

(Optional) Defines a suffix for authentication. The suffix string can be a maximum of 64 characters.


Defaults

This feature is not enabled by default.

Command Modes

Interface configuration

Command History

Release
Modification

12.0(3)T

This command was introduced.

12.1(5)T

The password and suffix keywords were added.


Usage Guidelines

This command is required for large scale dial-out and Layer 2 Tunneling Protocol (L2TP) dial-out functionality. With this command, you can specify a suffix, a password, or both. If you do not specify a password, the default password will be "cisco." Because this default is publicly documented, configure an explicit password rather than relying on it.


Note Only IP addresses can be specified as usernames for the dialer aaa suffix command.


Examples

This example shows a user sending out packets from interface Dialer1 with a destination IP address of 1.1.1.1. The username in the access-request message is "1.1.1.1@ciscoDoD" and the password is "cisco."

interface dialer1
 dialer aaa
 dialer aaa suffix @ciscoDoD password cisco

Related Commands

Command
Description

accept dialout

Accepts requests to tunnel L2TP dial-out calls and creates an accept-dialout VPDN subgroup.

dialer congestion-threshold

Specifies congestion threshold in connected links.

dialer vpdn

Enables a Dialer Profile or DDR dialer to use L2TP dial-out.


disconnect ssh

To terminate a Secure Shell (SSH) connection on your router, use the disconnect ssh command in privileged EXEC mode.

disconnect ssh [vty] session-id

Syntax Description

vty

(Optional) Virtual terminal for remote console access.

session-id

Connection number of the SSH session, as displayed in the show ip ssh command output.


Defaults

No default behavior or values.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.0(5)S

This command was introduced.

12.1(1)T

This command was integrated into Cisco IOS Release 12.1 T.


Usage Guidelines

The clear line vty n command, where n is the connection number displayed in the show ip ssh command output, may be used instead of the disconnect ssh command.

When the EXEC connection ends, whether normally or abnormally, the SSH connection also ends.

Examples

The following example terminates SSH connection number 1:

disconnect ssh 1

Related Commands

Command
Description

clear line vty

Returns a terminal line to idle state using the privileged EXEC command.


dn

To associate the identity of a router with the distinguished name (DN) in the certificate of the router, use the dn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

dn name=string [, name=string]

no dn name=string [, name=string]

Syntax Description

name=string

Identity used to restrict access to peers with specific certificates. Optionally, you can associate more than one identity.


Defaults

If this command is not configured, no DN restriction applies: the router can communicate over any encrypted interface with any peer that is not restricted by IP address, whatever DN its certificate carries.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the dn command to associate the identity of the router, which is defined in the crypto identity command, with the DN that the peer used to authenticate itself.


Note The DN attributes listed in the dn command must match the DN in the certificate that the peer presents; that is, the identity of the peer must be the same as the identity in the exchanged certificate.


This command allows you to set restrictions in the router configuration so that only peers with specific certificates, in particular certificates carrying the listed DN attributes, have access to selected encrypted interfaces; peers whose certificates do not carry those attributes are refused on those interfaces even though they authenticated successfully.

An encrypting peer matches this list if its certificate contains all of the attributes listed in any one dn line; multiple dn lines are alternatives.
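The matching rule above, as an added example (not Cisco code): lines are alternatives, the attributes within a line must all be present, and a value such as ou=greenhouse does not satisfy ou=green. Treating DNs as comma-separated attr=value lists and comparing them case-insensitively is an assumption of this example; the 'to-green' identity from the page is extended with a second, constructed line, and the peer subjects are constructed too.

```python
"""Allow-list check with the dn matching rule stated above: a peer's
certificate DN matches the crypto identity if it carries every
attribute of at least one dn line. Added example, not Cisco code.
Comma-separated attr=value DNs compared case-insensitively are an
assumption of this example."""


def parse_dn(dn):
    """'OU=green, CN=alice' -> {('ou', 'green'), ('cn', 'alice')}"""
    pairs = set()
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        pairs.add((attr.strip().lower(), value.strip().lower()))
    return pairs


def matching_line(dn_lines, peer_dn):
    """Return the first dn line the peer satisfies, or None (peer rejected).
    Lines are ORed; the attributes within one line are ANDed."""
    peer = parse_dn(peer_dn)
    return next((line for line in dn_lines if parse_dn(line) <= peer), None)


# The page's 'to-green' identity plus a stricter second line (constructed).
TO_GREEN = ["ou=green", "ou=blue, o=Example Corp"]

# Constructed peer certificate subjects.
PEERS = [
    "CN=spoke1, OU=green, O=Example Corp",   # satisfies line 1
    "CN=spoke2, OU=blue, O=Example Corp",    # satisfies line 2
    "CN=spoke3, OU=blue, O=Other Corp",      # ou=blue alone is not enough
    "CN=spoke4, OU=greenhouse",              # values must match exactly
]


def decisions(dn_lines=TO_GREEN, peers=PEERS):
    """Map each peer DN to the dn line that admits it, or None."""
    return {dn: matching_line(dn_lines, dn) for dn in peers}
```

Because every attribute in a line is required, a line such as ou=blue, o=Example Corp is stricter than ou=green; add lines to widen the allow-list and add attributes to a line to narrow it.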

Examples

The following example shows how to configure an IPsec crypto map that can be used only by peers that have authenticated with a certificate whose DN contains ou=green:

crypto map map-to-green 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-green
!
crypto identity to-green
 dn ou=green

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

fqdn

Associates the identity of the router with the hostname that the peer used to authenticate itself.


dnis (authentication)

To preauthenticate calls on the basis of the Dialed Number Identification Service (DNIS) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password string]

no dnis [if-avail | required] [accept-stop] [password string]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements from being tried once preauthentication has succeeded for a call element.

password string

(Optional) Password to use in the Access-Request packet. The default is cisco; set an explicit value rather than relying on this documented default.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the AAA preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example enables DNIS preauthentication using a RADIUS server and the password Ascend-DNIS:

aaa preauth
 group radius
 dnis password Ascend-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

group (authentication)

Selects the security server to use for AAA preauthentication.

isdn guard-timer

Sets a guard timer to accept or reject a call in the event that the RADIUS server fails to respond to a preauthentication request.


dnis (RADIUS)

To preauthenticate calls on the basis of the DNIS (Dialed Number Identification Service) number, use the dnis command in AAA preauthentication configuration mode. To remove the dnis command from your configuration, use the no form of this command.

dnis [if-avail | required] [accept-stop] [password password]

no dnis [if-avail | required] [accept-stop] [password password]

Syntax Description

if-avail

(Optional) Implies that if the switch provides the data, RADIUS must be reachable and must accept the string in order for preauthentication to pass. If the switch does not provide the data, preauthentication passes.

required

(Optional) Implies that the switch must provide the associated data, that RADIUS must be reachable, and that RADIUS must accept the string in order for preauthentication to pass. If these three conditions are not met, preauthentication fails.

accept-stop

(Optional) Prevents subsequent preauthentication elements such as clid or ctype from being tried once preauthentication has succeeded for a call element.

password password

(Optional) Defines the password for the preauthentication element.


Defaults

The if-avail and required keywords are mutually exclusive. If the if-avail keyword is not configured, the preauthentication setting defaults to required.

The default password string is cisco.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You may configure more than one of the authentication, authorization, and accounting (AAA) preauthentication commands (clid, ctype, dnis) to set conditions for preauthentication. The sequence of the command configuration decides the sequence of the preauthentication conditions. For example, if you configure dnis, then clid, then ctype, in this order, then this is the order of the conditions considered in the preauthentication process.

In addition to using the preauthentication commands to configure preauthentication on the Cisco router, you must set up the preauthentication profiles on the RADIUS server.

Examples

The following example specifies that incoming calls be preauthenticated on the basis of the DNIS number:

aaa preauth
 group radius
 dnis required

Related Commands

Command
Description

clid

Preauthenticates calls on the basis of the CLID number.

ctype

Preauthenticates calls on the basis of the call type.

dnis bypass (AAA preauthentication configuration)

Specifies a group of DNIS numbers that will be bypassed for preauthentication.

group (RADIUS)

Specifies the AAA RADIUS server group to use for preauthentication.


dnis bypass (AAA preauthentication configuration)

To specify a group of DNIS (Dialed Number Identification Service) numbers that will be bypassed for preauthentication, use the dnis bypass command in AAA preauthentication configuration mode. To remove the dnis bypass command from your configuration, use the no form of this command.

dnis bypass {dnis-group-name}

no dnis bypass {dnis-group-name}

Syntax Description

dnis-group-name

Name of the defined DNIS group.


Defaults

No DNIS numbers are bypassed for preauthentication.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

Before using this command, you must first create a DNIS group with the dialer dnis group command.

Examples

The following example specifies that preauthentication be performed on all DNIS numbers except for two DNIS numbers (12345 and 12346), which have been defined in the DNIS group called hawaii:

aaa preauth
 group radius
 dnis required
 dnis bypass hawaii

dialer dnis group hawaii
 number 12345
 number 12346
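
The following is an added configuration example, not one from the Cisco reference, that combines the preauthentication commands described above. It shows the ordering rule (conditions are checked in the order the commands are entered: dnis, then clid, then ctype) together with a bypass group, and it creates the DNIS group before dnis bypass refers to it, as the usage guidelines require. The group name branch-pbx, the telephone numbers and the use of the required keyword on clid and ctype are assumptions made for the example.

```cisco
! Added example: ordered AAA preauthentication conditions with a DNIS bypass group.
! Group name and numbers are constructed for illustration.
aaa new-model
!
! The DNIS group must exist before "dnis bypass" references it.
dialer dnis group branch-pbx
 number 5551000
 number 5551001
!
aaa preauth
 group radius
 ! Conditions are evaluated in this order: DNIS first, then CLID, then call type.
 ! "required" means a missing or rejected attribute fails preauthentication.
 dnis required
 clid required
 ctype required
 ! Calls to 5551000 and 5551001 skip preauthentication entirely.
 dnis bypass branch-pbx
```

Calls to numbers in the bypass group are never checked against the RADIUS preauthentication profiles, so the group should contain only numbers for which that is intended.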

Related Commands

Command
Description

dialer dnis group

Creates a DNIS group.

dnis (RADIUS)

Preauthenticates calls on the basis of the DNIS number.


dns

To specify the primary and secondary Domain Name Service (DNS) servers, use the dns command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

dns primary-server secondary-server

no dns primary-server secondary-server

Syntax Description

primary-server

Name of the primary DNS server.

secondary-server

Name of the secondary DNS server.


Defaults

A DNS server is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the dns command to specify the primary and secondary DNS servers for the group.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that needs to be defined or changed, before enabling the dns command.

Examples

The following example shows how to define a primary and secondary DNS server for the default group name:

crypto isakmp client configuration group default
 key cisco
 dns 2.2.2.2 2.3.2.3
 pool dog
 acl 199

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the policy profile of the group that will be defined.

domain (isakmp-group)

Specifies the DNS domain to which a group belongs.


dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries command in global configuration mode. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count

no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be an integer from 0 to 200. The default is 4 retries, or until acknowledged.


Defaults

Retransmits messages up to 4 times, or until acknowledged.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example sets the number of times DMDP will attempt to retransmit a message to 150:

dnsix-dmdp retries 150

Related Commands

Command
Description

dnsix-nat authorized-redirection

Specifies the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages.

dnsix-nat primary

Specifies the IP address of the host to which DNSIX audit messages are sent.

dnsix-nat secondary

Specifies an alternate IP address for the host to which DNSIX audit messages are sent.

dnsix-nat source

Starts the audit-writing module and defines audit trail source address.

dnsix-nat transmit-count

Causes the audit-writing module to collect multiple audit messages in the buffer before sending the messages to a collection center.


dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection command in global configuration mode. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address

no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.


Defaults

An empty list of addresses.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.

Examples

The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:

dnsix-nat authorized-redirection 192.168.1.1

dnsix-nat primary

To specify the IP address of the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat primary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat primary ip-address

no dnsix-nat primary ip-address

Syntax Description

ip-address

IP address for the primary collection center.


Defaults

Messages are not sent.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

An IP address must be configured before audit messages can be sent.

Examples

The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:

dnsix-nat primary 172.1.1.1

dnsix-nat secondary

To specify an alternate IP address for the host to which Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit messages are sent, use the dnsix-nat secondary command in global configuration mode. To delete an entry, use the no form of this command.

dnsix-nat secondary ip-address

no dnsix-nat secondary ip-address

Syntax Description

ip-address

IP address for the secondary collection center.


Defaults

No alternate IP address is known.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.

Examples

The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:

dnsix-nat secondary 192.168.1.1

dnsix-nat source

To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source command in global configuration mode. To disable the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) audit trail writing module, use the no form of this command.

dnsix-nat source ip-address

no dnsix-nat source ip-address

Syntax Description

ip-address

Source IP address for DNSIX audit messages.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.

Examples

The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:

dnsix-nat source 192.168.2.5
interface ethernet 0
 ip address 192.168.2.5 255.255.255.0

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count command in global configuration mode. To revert to the default audit message count, use the no form of this command.

dnsix-nat transmit-count count

no dnsix-nat transmit-count count

Syntax Description

count

Number of audit messages to buffer before transmitting to the server. It can be an integer from 1 to 200.


Defaults

One message is sent at a time.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.

Examples

The following example configures the system to buffer five audit messages before transmitting them to a collection center:

dnsix-nat transmit-count 5
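
The following is an added example, not one from the Cisco reference, that puts the dnsix-dmdp and dnsix-nat commands documented above into a single configuration in the order the usage guidelines require: dnsix-nat source must be entered before any other dnsix-nat command. All addresses are constructed placeholders.

```cisco
! Added example: complete DNSIX audit-trail configuration.
! Addresses are constructed; 10.1.1.0/24 and 192.0.2.0/24 are example ranges.
!
! The source address should match an interface address on the router.
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
! dnsix-nat source starts the audit-writing module and must come first;
! it is also the source address of every DMDP packet sent to a collection center.
dnsix-nat source 10.1.1.1
! Primary collection center; the secondary is used only when the primary is unreachable.
dnsix-nat primary 192.0.2.10
dnsix-nat secondary 192.0.2.11
! Only this host may change the primary/secondary addresses. A redirection
! request from any other address is rejected and itself generates an audit message.
dnsix-nat authorized-redirection 192.0.2.10
! Buffer 10 audit messages before transmitting (default is one message at a time).
dnsix-nat transmit-count 10
! Retransmit an unacknowledged DMDP message up to 8 times (default is 4).
dnsix-dmdp retries 8
```

If no dnsix-nat authorized-redirection address is configured, the router accepts no redirection requests at all, which is the safest setting when no collection center needs to move the audit destination.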

domain (isakmp-group)

To specify the Domain Name Service (DNS) domain to which a group belongs, use the domain command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.

domain name

no domain name

Syntax Description

name

Name of the DNS domain.


Defaults

A DNS domain is not specified.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Use the domain command to specify group domain membership.

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the domain command.

Examples

The following example shows that members of the group "cisco" also belong to the domain "cisco.com":

crypto isakmp client configuration group cisco
  key cisco
  dns 10.2.2.2 10.3.2.3
  pool dog
  acl 199
  domain cisco.com

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the policy profile of the group that will be defined.

dns

Specifies the primary and secondary DNS servers.


dot1x default

To reset the global 802.1X parameters to their default values, use the dot1x default command in global configuration mode.

dot1x default

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

Global configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

Use the show dot1x privileged EXEC command to verify your current 802.1X settings.

Examples

The following example shows how to reset the global 802.1X parameters:

Router(config)# dot1x default

Related Commands

Command
Description

dot1x max-req

Sets the maximum number of times that the device sends an EAP-request/identity frame before restarting the authentication process.

dot1x re-authentication (EtherSwitch)

Enables periodic reauthentication of the client for the Ethernet switch network module.

dot1x timeout (EtherSwitch)

Sets retry timeouts for the Ethernet switch network module.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the device or for the specified interface.


dot1x initialize

To initialize an interface, use the dot1x initialize command in privileged EXEC mode. This command does not have a no form.

dot1x initialize [interface interface-name]

Syntax Description

interface interface-name

(Optional) Specifies an interface to be initialized. If this keyword is not entered, all interfaces are initialized.


Defaults

An interface is not initialized.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Examples

The following example shows that Ethernet 0 is to be initialized:

Router# dot1x initialize interface ethernet 0

dot1x max-req

To set the maximum number of times that a router or Ethernet switch network module can send an Extensible Authentication Protocol (EAP) request/identity frame to a client (assuming that a response is not received) before restarting the authentication process, use the dot1x max-req command in interface configuration or global configuration mode. To disable the number of times that were set, use the no form of this command.

dot1x max-req number-of-retries

no dot1x max-req number-of-retries

Syntax Description

number-of-retries

Maximum number of retries. The value is from 1 through 10. The default value is 2.


Defaults

The default number of retries is 2.

Command Modes

Interface configuration (router)
Global configuration (EtherSwitch)

Command History

Release
Modification

12.1(6)EA2

This command was introduced for the Cisco Ethernet Switch Module.

12.2(15)ZJ

This command was implemented on the following platforms for the Cisco Ethernet switch network module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

12.3(2)XA

This command was introduced on the following Cisco routers: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.


Usage Guidelines

You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Examples

The following example shows that the maximum number of times that the router will send an EAP request/identity message to the client PC is 6:

Router# configure terminal
Router(config)# interface ethernet 0
Router(config-if)# dot1x max-req 6

The following example shows how to set the number of times that the switch sends an EAP-request/identity frame to 5 before restarting the authentication process:

Router (config)# dot1x max-req 5

Related Commands

Command
Description

dot1x port-control

Sets an 802.1X port control value.

dot1x re-authentication

Enables periodic reauthentication of the client on the 802.1X interface.

dot1x reauthentication (EtherSwitch)

Enables periodic reauthentication of the Ethernet switch network module client on the 802.1X interface.

dot1x timeout

Sets retry timeouts.

dot1x timeout (EtherSwitch)

Sets retry timeouts for the Ethernet switch network module.

show dot1x

Displays details for an identity profile.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the device or for the specified interface.


dot1x max-start

To set the maximum number of times that a router sends an Extensible Authentication Protocol (EAP) start frame to the client before concluding that there are no other authenticators present in the network, use the dot1x max-start command in interface configuration mode. To remove the maximum number-of-times setting, use the no form of this command.

dot1x max-start number

no dot1x max-start number

Syntax Description

number

Maximum number of times that the router sends an EAP start frame. The value is from 1 to 65535. The default is 3.


Defaults

The default maximum number setting is 3.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Examples

The following example shows that the maximum number of EAP over LAN- (EAPOL-) Start requests has been set to 5:

Router(config)# interface Ethernet1
Router(config-if)# dot1x pae supplicant
Router(config-if)# dot1x max-start 5

Related Commands

Command
Description

dot1x pae

Sets the PAE type.

interface

Configures an interface type.


dot1x multiple-hosts

To allow multiple hosts (clients) on an 802.1X-authorized port that has the dot1x port-control interface configuration command set to auto, use the dot1x multiple-hosts command in interface configuration mode. To return to the default setting, use the no form of this command.

dot1x multiple-hosts

no dot1x multiple-hosts

Syntax Description

This command has no arguments or keywords.

Defaults

Multiple hosts are disabled.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

This command enables you to attach multiple clients to a single 802.1X-enabled port. In this mode, only one of the attached hosts must be successfully authorized for all hosts to be granted network access. If the port becomes unauthorized (reauthentication fails or an Extensible Authentication Protocol over LAN [EAPOL]-logoff message is received), all attached clients are denied access to the network.

Use the show dot1x (EtherSwitch) privileged EXEC command with the interface keyword to verify your current 802.1X multiple host settings.

Examples

The following example shows how to enable 802.1X on Fast Ethernet interface 0/1 and to allow multiple hosts:

Router(config)# interface fastethernet0/1
Router(config-if)# dot1x port-control auto
Router(config-if)# dot1x multiple-hosts

Related Commands

Command
Description

dot1x port-control

Sets an 802.1X port control value.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the device or for the specified interface.


dot1x pae

To set the Port Access Entity (PAE) type, use the dot1x pae command in interface configuration mode. To disable the PAE type that was set, use the no form of this command.

dot1x pae [supplicant | authenticator | both]

no dot1x pae [supplicant | authenticator | both]

Syntax Description

supplicant

(Optional) The interface acts only as a supplicant and will not respond to messages that are meant for an authenticator.

authenticator

(Optional) The interface acts only as an authenticator and will not respond to any messages meant for a supplicant.

both

(Optional) The interface behaves both as a supplicant and as an authenticator and thus will respond to all dot1x messages.


Defaults

PAE type is not set.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

If the dot1x system-auth-control command has not been configured, the supplicant keyword will be the only keyword available for use with this command. (That is, if the dot1x system-auth-control command has not been configured, you cannot configure the interface as an authenticator.)

Examples

The following example shows that the interface has been set to act as a supplicant:

Router(config)# interface Ethernet1
Router(config-if)# dot1x pae supplicant

Related Commands

Command
Description

dot1x system-auth-control

Enables 802.1X SystemAuthControl (port-based authentication).

interface

Configures an interface type.


dot1x port-control

To set an 802.1X port control value, use the dot1x port-control command in interface configuration mode. To disable the port-control value, use the no form of this command.

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control {auto | force-authorized | force-unauthorized}

Syntax Description

auto

The authentication status of the client PC is determined by the authentication process. The port state will be set to AUTO.

force-authorized

Disables 802.1X on the interface and causes the port to change to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1X-based authentication of the client. The force-authorized keyword is the default.

force-unauthorized

Denies all access through this interface by forcing the port to change to the unauthorized state, ignoring all attempts by the client to authenticate.


Defaults

The default is force-authorized.

Command Modes

Interface configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced for the Cisco Ethernet switch network module.

12.2(15)ZJ

This command was implemented on the following platforms for the Cisco Ethernet switch network module: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series.

12.3(2)XA

This command was introduced on the following Cisco routers: Cisco 806, Cisco 831, Cisco 836, Cisco 837, Cisco 1701, Cisco 1710, Cisco 1721, Cisco 1751-V, and Cisco 1760.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T. Router support was added for the following platforms: Cisco 1751, Cisco 2610XM - Cisco 2611XM, Cisco 2620XM - Cisco 2621XM, Cisco 2650XM - Cisco 2651XM, Cisco 2691, Cisco 3640, Cisco 3640A, and Cisco 3660.


Usage Guidelines

For Ethernet Switch Network Modules

The following guidelines apply to Ethernet switch network modules:

The 802.1X protocol is supported on Layer 2 static-access ports.

You can use the auto keyword only if the port is not configured as one of these types:

Trunk port—If you try to enable 802.1X on a trunk port, an error message appears, and 802.1X is not enabled. If you try to change the mode of an 802.1X-enabled port to trunk, the port mode is not changed.

EtherChannel port—Before enabling 802.1X on the port, you must first remove it from the EtherChannel. If you try to enable 802.1X on an EtherChannel or on an active port in an EtherChannel, an error appears, and 802.1X is not enabled. If you enable 802.1X on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.

Switch Port Analyzer (SPAN) destination port—You can enable 802.1X on a port that is a SPAN destination port; however, 802.1X is disabled until the port is removed as a SPAN destination. You can enable 802.1X on a SPAN source port.

To globally disable 802.1X on the device, you must disable it on each port. There is no global configuration command for this task.

You can verify your settings by entering the show dot1x (EtherSwitch) privileged EXEC command and checking the Status column in the 802.1X Port Summary section of the display. An enabled status means that the port-control value is set to auto or to force-unauthorized.

Examples

The following example shows that the authentication status of the client PC will be determined by the authentication process:

Router# configure terminal
Router(config)# interface ethernet 0
Router(config-if)# dot1x port-control auto

Related Commands

Command
Description

dot1x max-req

Sets the maximum number of times that a router or Ethernet switch network module can send an EAP request/identity frame to a client (assuming that a response is not received) before restarting the authentication process.

dot1x re-authentication

Enables periodic reauthentication of the client on the 802.1X interface.

dot1x reauthentication (EtherSwitch)

Enables periodic reauthentication of the Ethernet switch network module client on the 802.1X interface.

dot1x timeout

Sets retry timeouts.

dot1x timeout (EtherSwitch)

Sets retry timeouts for the Ethernet switch network module.

show dot1x

Displays details for an identity profile.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the switch or for the specified interface.


dot1x re-authenticate (EtherSwitch)

To manually initiate a reauthentication of all 802.1X-enabled ports or the specified 802.1X-enabled port on a router with an Ethernet switch network module installed, use the dot1x re-authenticate command in privileged EXEC mode.

dot1x re-authenticate [interface interface-type interface-number]

Syntax Description

interface interface-type interface-number

(Optional) Specifies the slot and port number of the interface to reauthenticate.


Defaults

There is no default setting.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

You can use this command to reauthenticate a client without waiting for the configured number of seconds between reauthentication attempts (reauthperiod) and automatic reauthentication.

Examples

The following example shows how to manually reauthenticate the device connected to Fast Ethernet interface 0/1:

Router# dot1x re-authenticate interface fastethernet 0/1
Starting reauthentication on FastEthernet0/1.

dot1x re-authenticate (privileged EXEC)

To reauthenticate all the authenticated devices that are attached to the specified interface, use the dot1x re-authenticate command in privileged EXEC mode. This command does not have a no form.

dot1x re-authenticate interface-type interface-number

Syntax Description

interface-type interface-number

Specifies an interface to be reauthenticated.

The number of the interface must be 0 or 1.


Defaults

An interface is not reauthenticated.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Examples

The following example shows that Ethernet 0 is to be reauthenticated:

Router# dot1x re-authenticate ethernet 0

Related Commands

Command
Description

clear dot1x

Clears 802.1X interface information.


dot1x reauthentication

To enable periodic reauthentication of the client PCs on the 802.1X interface, use the dot1x reauthentication command in interface configuration mode. To disable periodic reauthentication, use the no form of this command.

dot1x reauthentication

no dot1x reauthentication

Syntax Description

This command has no arguments or keywords.

Defaults

Periodic reauthentication is not set.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

The reauthentication period can be set using the dot1x timeout command.

Examples

The following example shows that reauthentication has been set for 1800 seconds:

Router# configure terminal
Router(config)# interface ethernet 0
Router(config-if)# dot1x reauthentication
Router(config-if)# dot1x timeout reauth-period 1800

Related Commands

Command
Description

dot1x max-req

Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC (assuming that a response is not received) before concluding that the client PC does not support 802.1X.

dot1x port-control

Sets an 802.1X port control value.

dot1x timeout

Sets retry timeouts.


dot1x re-authentication (EtherSwitch)

To enable periodic reauthentication of the client for an Ethernet switch network module, use the dot1x re-authentication command in global configuration mode. To disable periodic reauthentication, use the no form of this command.

dot1x re-authentication

no dot1x re-authentication

Syntax Description

This command has no arguments or keywords.

Defaults

Periodic reauthentication is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

You configure the amount of time between periodic reauthentication attempts by using the dot1x timeout re-authperiod global configuration command.

Examples

The following example shows how to disable periodic reauthentication of the client:

Router(config)# no dot1x re-authentication

The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds:

Router(config)# dot1x re-authentication
Router(config)# dot1x timeout re-authperiod 4000

Related Commands

Command
Description

dot1x timeout (EtherSwitch)

Sets retry timeouts for the Ethernet switch network module.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the device or for the specified interface.


dot1x system-auth-control

To enable 802.1X SystemAuthControl (port-based authentication), use the dot1x system-auth-control command in global configuration mode. To disable SystemAuthControl, use the no form of this command.

dot1x system-auth-control

no dot1x system-auth-control

Syntax Description

This command has no arguments or keywords.

Defaults

System authentication is set to disabled by default. If this command is disabled, all ports behave as if they are force authorized.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Examples

The following example shows that system authentication has been enabled:

Router (config)# dot1x system-auth-control

Related Commands

Command
Description

debug dot1x

Displays 802.1X debugging information.

description

Enters an 802.1X description.

device

Statically authorizes or rejects individual devices.

dot1x initialize

Initializes an interface.

dot1x max-req

Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC.

dot1x port-control

Sets an 802.1X port control value.

dot1x re-authenticate

Reauthenticates an 802.1X interface.

dot1x reauthentication

Enables periodic reauthentication of the client PCs on the interface.

dot1x timeout

Sets retry timeouts.

identity profile default

Creates an identity profile and enters dot1x profile configuration mode.

show dot1x

Shows details and statistics for an identity profile.

template

Specifies a virtual template from which commands may be cloned.


dot1x timeout

To set retry timeouts, use the dot1x timeout command in interface configuration mode. To remove the retry timeouts, use the no form of this command.

dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period seconds | server-timeout seconds | start-period seconds | tx-period seconds}

no dot1x timeout {auth-period seconds | held-period seconds | quiet-period seconds | ratelimit-period seconds | reauth-period seconds | server-timeout seconds | start-period seconds | tx-period seconds}

Syntax Description

auth-period seconds

Timeout for authenticator reply.

The value is from 1 to 65535 seconds. The default is 30 seconds.

held-period seconds

Timeout for authentication retries.

The value is from 1 to 56535 seconds. The default is 60 seconds.

quiet-period seconds

Quiet period.

The value is from 1 to 65535 seconds. The default is 120 seconds.

ratelimit-period seconds

Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of router processing power).

The value is from 1 to 65535 seconds. By default, rate-limiting is disabled.

reauth-period seconds

Time after which an automatic reauthentication should be initiated.

The value is from 1 to 65535 seconds. The default is 3600 seconds.

server-timeout seconds

Timeout for RADIUS retries.

The value is from 1 to 65535 seconds. The default is 30 seconds.

If an 802.1X packet is sent to the server and the server does not respond within the period specified by the server-timeout value, the packet is sent again.

start-period seconds

Timeout for Extensible Authentication Protocol over LAN- (EAPOL-) Start retries.

The value is from 1 to 65535 seconds. The default is 30 seconds.

tx-period seconds

Sets the timeout for supplicant (client PC) retries.

The value is from 1 to 65535 seconds. The default is 30 seconds.

If an 802.1X packet is sent to the supplicant and the supplicant does not send a response after the retry period, the packet will be sent again.


Defaults

Periodic reauthentication and periodic rate-limiting are not done.

Command Modes

Interface configuration

Command History

Release
Modification

12.3(2)X

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(11)T

The auth-period, held-period, and start-period keywords were added.


Examples

The following example shows that various 802.1X retransmission and timeout periods have been set:

Router# configure terminal
Router (config)# interface ethernet 0
Router (config-if)# dot1x port-control auto
Router (config-if)# dot1x reauthentication
Router (config-if)# dot1x timeout auth-period 2000
Router (config-if)# dot1x timeout held-period 2400
Router (config-if)# dot1x timeout reauth-period 1800
Router (config-if)# dot1x timeout quiet-period 600
Router (config-if)# dot1x timeout start-period 90
Router (config-if)# dot1x timeout tx-period 60
Router (config-if)# dot1x timeout server-timeout 60
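As an added example (not from the Cisco reference), the following Python audit parses the dot1x timeout lines of an interface stanza, fills in the documented default for every timer that is not set, flags values outside the documented ranges, and flags a reauth-period that is configured on an interface where dot1x reauthentication is not enabled, since the Defaults section states that periodic reauthentication is not done unless it is turned on. The ranges and defaults are copied from the Syntax Description above; the two sample stanzas are constructed, the first from the values in the Examples section.

```python
"""Audit the 'dot1x timeout' lines of an IOS interface stanza.

Added example, not Cisco code.  Ranges and defaults are taken from the
Syntax Description of the dot1x timeout command; the sample stanzas
below are constructed.
"""
import re

# keyword -> (minimum, maximum, default).  A default of None means the
# timer is off unless configured (ratelimit-period).
DOT1X_TIMEOUTS = {
    "auth-period":      (1, 65535, 30),
    "held-period":      (1, 56535, 60),   # range as printed in the reference
    "quiet-period":     (1, 65535, 120),
    "ratelimit-period": (1, 65535, None),
    "reauth-period":    (1, 65535, 3600),
    "server-timeout":   (1, 65535, 30),
    "start-period":     (1, 65535, 30),
    "tx-period":        (1, 65535, 30),
}

TIMEOUT_RE = re.compile(r"^\s*dot1x timeout (\S+) (\d+)\s*$")


def audit_dot1x_timeouts(stanza):
    """Return (effective_timers, findings) for one interface stanza.

    effective_timers maps every keyword to the configured value or, when
    the line is absent or rejected, to the documented default.  findings
    lists unknown keywords, range violations, and a reauth-period that is
    set although 'dot1x reauthentication' is not enabled on the interface.
    """
    effective = {k: spec[2] for k, spec in DOT1X_TIMEOUTS.items()}
    configured = set()
    findings = []
    reauth_enabled = False
    for lineno, line in enumerate(stanza.splitlines(), 1):
        if line.strip() == "dot1x reauthentication":
            reauth_enabled = True
            continue
        m = TIMEOUT_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), int(m.group(2))
        spec = DOT1X_TIMEOUTS.get(keyword)
        if spec is None:
            findings.append(f"line {lineno}: unknown timeout keyword {keyword!r}")
            continue
        low, high, _ = spec
        if not low <= value <= high:
            findings.append(f"line {lineno}: {keyword} {value} is outside {low}-{high}")
            continue
        effective[keyword] = value
        configured.add(keyword)
    if "reauth-period" in configured and not reauth_enabled:
        findings.append("reauth-period is set but 'dot1x reauthentication' is not "
                        "enabled, so no periodic reauthentication will occur")
    return effective, findings


# Constructed stanza using the values from the Examples section.
SAMPLE_STANZA = """\
interface Ethernet0
 dot1x port-control auto
 dot1x reauthentication
 dot1x timeout auth-period 2000
 dot1x timeout held-period 2400
 dot1x timeout reauth-period 1800
 dot1x timeout quiet-period 600
 dot1x timeout start-period 90
 dot1x timeout tx-period 60
 dot1x timeout server-timeout 60
"""

# Constructed stanza with two problems: an out-of-range tx-period and a
# reauth-period that never fires because reauthentication is not enabled.
BROKEN_STANZA = """\
interface Ethernet1
 dot1x port-control auto
 dot1x timeout tx-period 0
 dot1x timeout reauth-period 600
"""

if __name__ == "__main__":
    for stanza in (SAMPLE_STANZA, BROKEN_STANZA):
        timers, findings = audit_dot1x_timeouts(stanza)
        print(timers)
        for finding in findings:
            print("  !", finding)
```

The rejected tx-period keeps its default of 30 in the returned map, which is how the router behaves when a value is refused at the CLI; a reviewer therefore sees the timers the port will actually run with, not the ones someone meant to set.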

Related Commands

Command
Description

dot1x max-req

Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC (assuming that a response is not received) before concluding that the client PC does not support 802.1X.

dot1x port-control

Sets an 802.1X port control value.

dot1x reauthentication

Enables periodic reauthentication of the client PCs on the 802.1X interface.


dot1x timeout (EtherSwitch)

To set the number of retry seconds between 802.1X authentication exchanges when an Ethernet switch network module is installed in the router, use the dot1x timeout command in global configuration mode. To return to the default setting, use the no form of this command.

dot1x timeout {quiet-period seconds | re-authperiod seconds | tx-period seconds}

no dot1x timeout {quiet-period seconds | re-authperiod seconds | tx-period seconds}

Syntax Description

quiet-period seconds

Specifies the time in seconds that the Ethernet switch network module remains in the quiet state following a failed authentication exchange with the client. The range is from 0 to 65535 seconds. The default is 60 seconds.

re-authperiod seconds

Specifies the number of seconds between reauthentication attempts. The range is from 1 to 4294967295. The default is 3660 seconds.

tx-period seconds

Time in seconds that the switch should wait for a response to an EAP-request/identity frame from the client before retransmitting the request. The range is from 1 to 65535 seconds. The default is 30 seconds.


Defaults

quiet-period: 60 seconds
re-authperiod: 3660 seconds
tx-period: 30 seconds

Command Modes

Global configuration

Command History

Release
Modification

12.1(6)EA2

This command was introduced.

12.2(15)ZJ

This command was implemented on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T on the following platforms: Cisco 2600 series, Cisco 3600 series, and Cisco 3700 series routers.


Usage Guidelines

You should change the default values of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients or authentication servers.

quiet-period Keyword

During the quiet period, the Ethernet switch network module does not accept or initiate any authentication requests. If you want to provide a faster response time to the user, enter a smaller number than the default.

re-authperiod Keyword

The re-authperiod keyword affects the behavior of the Ethernet switch network module only if you have enabled periodic reauthentication by using the dot1x re-authentication global configuration command.

Examples

The following example shows how to set the quiet time on the switch to 30 seconds:

Router(config)# dot1x timeout quiet-period 30

The following example shows how to enable periodic reauthentication and set the number of seconds between reauthentication attempts to 4000 seconds:

Router(config)# dot1x re-authentication
Router(config)# dot1x timeout re-authperiod 4000

The following example shows how to set 60 seconds as the amount of time that the switch waits for a response to an EAP-request/identity frame from the client before retransmitting the request:

Router(config)# dot1x timeout tx-period 60

Related Commands

Command
Description

dot1x max-req

Sets the maximum number of times that the device sends an EAP-request/identity frame before restarting the authentication process.

dot1x re-authentication (EtherSwitch)

Enables periodic reauthentication of the client for the Ethernet switch network module.

show dot1x (EtherSwitch)

Displays the 802.1X statistics, administrative status, and operational status for the device or for the specified interface.


eap

To specify Extensible Authentication Protocol- (EAP-) specific parameters, use the eap command in identity profile configuration mode. To disable the parameters that were set, use the no form of this command.

eap {username name | password password}

no eap {username name | password password}

Syntax Description

username name

Username that will be sent in reply to Request-Id packets.

password password

Password that should be used when replying to a Message Digest 5 (MD5) challenge.


Defaults

EAP parameters are not set.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

Use this command if your router is configured as a supplicant. This command provides the means for configuring the identity and the EAP MD5 password that will be used by 802.1X to authenticate.

Examples

The following example shows that the EAP username "user1" has been configured:

Router (config)# identity profile dot1x
Router (config-identity-prof)# eap username user1

Related Commands

Command
Description

identity profile

Creates an identity profile.


enable password

To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.

enable password [level level] {password | [encryption-type] encrypted-password}

no enable password [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password users type to enter enable mode.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default is level 15.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters.

Must not have a number as the first character.

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples

The following example enables the password "pswd2" for privilege level 2:

enable password level 2 pswd2

The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable password level 2 5 $1$i5Rkls3LoyxzS8t9

Related Commands

Command
Description

disable

Exits privileged EXEC mode and returns to user EXEC mode.

enable

Enters privileged EXEC mode.

enable secret

Specifies an additional layer of security over the enable password command.

privilege

Configures a new privilege level for users and associates commands with that privilege level.

service password-encryption

Encrypts passwords.

show privilege

Displays your current level of privilege.


enable secret

To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.

enable secret [level level] {password | [encryption-type] encrypted-password}

no enable secret [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified in the command or in the no form of the command, the privilege level defaults to 15 (traditional enable privileges).

password

Password for users to enter enable mode. This password should be different from the password created with the enable password command.

encryption-type

(Optional) Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

Encrypted password you enter, copied from another router configuration.


Defaults

No password is defined. The default level is 15.

Command Modes

Global configuration

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines


Caution If neither the enable password command nor the enable secret command is configured, and if there is a line password configured for the console, the console line password will serve as the enable password for all VTY (Telnet and Secure Shell [SSH]) sessions.

Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security that this provides is useful in environments where the password crosses the network or is stored on a TFTP server.

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.


Caution If you specify an encryption type and then enter a clear text password, you will not be able to reenter enable mode. You cannot recover a lost password that has been encrypted by any method.

If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.


Note After you set a password using the enable secret command, a password set using the enable password command works only if the enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.


If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered.

You can enable or disable password encryption with the service password-encryption command.

An enable password is defined as follows:

Must contain from 1 to 25 uppercase and lowercase alphanumeric characters

Must not have a number as the first character

Can have leading spaces, but they are ignored. However, intermediate and trailing spaces are recognized.

Can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do the following:

Enter abc.

Type Ctrl-v.

Enter ?123.

When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.

Examples

The following example specifies the enable secret password of "greentree":

enable secret greentree

After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.

Password: greentree

The following example enables the encrypted password "$1$FaD0$Xyti5Rkls3LoyxzS8", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:

enable password level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
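The enable password and enable secret entries above make three points a configuration reviewer wants to check mechanically: enable secret is stored with a non-reversible function while enable password is not, each privilege level carries its own password, and with neither command configured a console line password serves as the enable password for VTY sessions. The following Python audit, added here and not Cisco code, reads a running-config excerpt and reports each of those conditions. The config excerpts are constructed; the hash and the type 7 strings in them are placeholders, not real encodings.

```python
"""Audit how privileged EXEC access is protected in an IOS running-config.

Added example, not Cisco code.  It checks the three conditions described
in the enable password / enable secret usage guidelines:
  * a privilege level protected by enable password only,
  * an enable secret not stored as a type 5 hash,
  * no enable password or secret at all while the console line has a
    password (which then doubles as the enable password for VTY sessions).
"""
import re

# enable {password|secret} [level N] [encryption-type] value
ENABLE_RE = re.compile(r"^enable (password|secret)(?: level (\d+))? (.+)$")


def _split_encryption(rest):
    """Split '[encryption-type] value' into (type, value).

    0 = clear text, 5 = the hash written by enable secret,
    7 = the encoding written by service password-encryption.
    A bare value with no type prefix is clear text (type 0).
    """
    parts = rest.split(None, 1)
    if len(parts) == 2 and parts[0] in ("0", "5", "7"):
        return int(parts[0]), parts[1]
    return 0, rest


def audit_enable(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    password_levels = {}   # level -> encryption type of 'enable password'
    secret_levels = {}     # level -> encryption type of 'enable secret'
    in_console = False
    console_has_password = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            in_console = line.startswith("line con")      # start of a top-level stanza
        elif in_console and line.strip().startswith("password "):
            console_has_password = True
        m = ENABLE_RE.match(line)
        if m is None:
            continue
        kind, level, rest = m.groups()
        level = int(level) if level is not None else 15   # documented default level
        enc, _ = _split_encryption(rest)
        (secret_levels if kind == "secret" else password_levels)[level] = enc

    findings = []
    if not password_levels and not secret_levels and console_has_password:
        findings.append("no enable password or enable secret: the console line "
                        "password will serve as the enable password for VTY sessions")
    for level, enc in sorted(password_levels.items()):
        if level not in secret_levels:
            findings.append(f"level {level}: protected by enable password only "
                            f"(type {enc}, not a non-reversible hash); add enable secret")
    for level, enc in sorted(secret_levels.items()):
        if enc != 5:
            findings.append(f"level {level}: enable secret is not stored as a type 5 hash")
    return findings


# Constructed excerpt: level 15 has a secret, level 2 only an enable password.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$abcd$PLACEHOLDERHASHxxxxxxxx
enable password level 2 7 0123456789ABCDEF
line con 0
 password 7 FEDCBA9876543210
 login
line vty 0 4
 login local
"""

# Constructed excerpt with no enable command at all.
CONSOLE_ONLY_CONFIG = """\
line con 0
 password placeholder-console-password
 login
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("console-only", CONSOLE_ONLY_CONFIG)):
        print(name)
        for finding in audit_enable(cfg):
            print("  !", finding)
```

The audit deliberately does not try to compare the password and secret values to detect reuse of the same password (the case the guidelines warn about): the type 5 value is a salted hash, so such a comparison would amount to running a password guess against it, which belongs in a change-control review rather than in a config parser.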

Related Commands

Command
Description

enable

Enters privileged EXEC mode.

enable password

Sets a local password to control access to various privilege levels.


encryption (IKE policy)

To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.

encryption {des | 3des | aes | aes 192 | aes 256}

no encryption

Syntax Description

des

56-bit Data Encryption Standard (DES)-CBC as the encryption algorithm.

3des

168-bit DES (3DES) as the encryption algorithm.

aes

128-bit Advanced Encryption Standard (AES) as the encryption algorithm.

aes 192

192-bit AES as the encryption algorithm.

aes 256

256-bit AES as the encryption algorithm.


Defaults

The 56-bit DES-CBC encryption algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.

12.0(2)T

The 3des option was added.

12.2(13)T

The following keywords were added: aes, aes 192, and aes 256.


Usage Guidelines

Use this command to specify the encryption algorithm to be used in an IKE policy.

If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed immediately after the encryption command is entered.

Examples

The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):

crypto isakmp policy
 encryption 3des
 exit

The following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:

encryption aes 256
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

group (IKE policy)

Specifies the DH group identifier within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


enrollment command

To specify the HTTP command that is sent to the certification authority (CA) for enrollment, use the enrollment command command in ca-profile-enroll configuration mode.

enrollment command

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Ca-profile-enroll configuration

Command History

Release
Modification

12.2(13)ZH

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

After enabling this command, you can use the parameter command to specify enrollment parameters for your enrollment profile.

Examples

The following example shows how to configure the enrollment profile name "E" for certificate enrollment:

crypto ca trustpoint Entrust
  enrollment profile E
  serial

crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command  POST reference_number=$P2&authcode=$P1
&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001

Related Commands

Command
Description

crypto ca profile enrollment

Defines an enrollment profile.

parameter

Specifies parameters for an enrollment profile.


enrollment credential

To specify an existing trustpoint from another vendor that is to be enrolled with the Cisco IOS certificate server, use the enrollment credential command in ca-profile-enroll configuration mode.

enrollment credential label

Syntax Description

label

Name of the certification authority (CA) trustpoint of another vendor.


Defaults

No default behavior or values.

Command Modes

Ca-profile-enroll configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

To configure a router that is already enrolled with a CA of another vendor that is to be enrolled with a Cisco IOS certificate server, you must configure a certificate enrollment profile (via the crypto pki profile enrollment command). Thereafter, you should issue the enrollment credential command, which specifies the trustpoint of another vendor that has to be enrolled with a Cisco IOS certificate server.

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and 
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root 
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs 
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the 
! enrollment credential command) that "msca-root" is being initially enrolled with the 
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url  http://cs:80
 enrollment credential  msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to 
! instruct the certificate server to accept enrollment requests only from clients that are 
! already enrolled with trustpoint "msca-root." 
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl

Related Commands

Command
Description

crypto pki profile enrollment

Defines an enrollment profile.


enrollment http-proxy

To access the certification authority (CA) by HTTP through the proxy server, use the enrollment http-proxy command in ca-trustpoint configuration mode.

enrollment http-proxy host-name port-num

Syntax Description

host-name

Defines the proxy server used to get the CA.

port-num

Specifies the port number used to access the CA.


Defaults

If this command is not enabled, the CA will not be accessed via HTTP.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

The enrollment http-proxy command must be used in conjunction with the enrollment command, which specifies the enrollment parameters for the CA.

Examples

The following example shows how to access the CA named "ka" by HTTP through the bomborra proxy server:

crypto ca trustpoint ka
 enrollment url http://kahului
 enrollment http-proxy bomborra 8080
 crl optional

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.

enrollment

Specifies the enrollment parameters of your CA.


enrollment mode ra

The enrollment mode ra command is replaced by the enrollment command. See the enrollment command for more information.

enrollment profile

To specify that an enrollment profile can be used for certificate authentication and enrollment, use the enrollment profile command in ca-trustpoint configuration mode. To delete an enrollment profile from your configuration, use the no form of this command.

enrollment profile label

no enrollment profile label

Syntax Description

label

Creates a name for the enrollment profile.


Defaults

Your router does not recognize any enrollment profiles until you declare one using this command.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(13)ZH

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

Before you can enable this command, you must enter the crypto ca trustpoint command.

The enrollment profile command enables your router to accept an enrollment profile, which can be configured via the crypto ca profile enrollment command. The enrollment profile, which consists of two templates, can be used to specify different URLs or methods for certificate authentication and enrollment.

Examples

The following example shows how to declare the enrollment profile named "E":

crypto ca trustpoint Entrust
  enrollment profile E
  serial

crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command  POST reference_number=$P2&authcode=$P1
&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
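The enrollment profile shown here (and in the enrollment command entry earlier) is a template: the enrollment command carries $P1, $P2 and $REQ placeholders, and the parameter lines supply the values. As an added example, not Cisco code, the following Python parses that profile text and expands the template into the HTTP method, URL and body the router would send. The $P<n> to "parameter <n> value" mapping is inferred from the example; the encoding of $REQ (base64 of the PKCS#10 DER, then URL-encoded) is an assumption, because the reference does not state how IOS encodes it. The CSR bytes are a constructed stand-in, not a real request.

```python
"""Expand the 'enrollment command' template of a certificate enrollment profile.

Added example, not Cisco code.  Assumptions: $P<n> expands to the value of
'parameter <n> value', and $REQ expands to the base64 of the DER-encoded
PKCS#10 request; both are URL-encoded before being placed in the body.
"""
import base64
import re
from urllib.parse import parse_qs, quote

# The profile from the Examples section, with the enrollment command on one line.
PROFILE_TEXT = """\
crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment url  http://entrust:81/cda-cgi/clientcgi.exe
 enrollment command  POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQ
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001
"""

PROFILE_KEYS = ("authentication url", "authentication command",
                "enrollment url", "enrollment command")
PARAM_RE = re.compile(r"^parameter (\d+) value (.+)$")


def parse_enrollment_profile(text):
    """Return the profile's settings as a dict, with a 'parameters' sub-map."""
    profile = {"parameters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = PARAM_RE.match(line)
        if m:
            profile["parameters"][int(m.group(1))] = m.group(2)
            continue
        for key in PROFILE_KEYS:
            if line.startswith(key + " "):
                profile[key] = line[len(key):].strip()
    return profile


def build_enrollment_request(profile, pkcs10_der):
    """Return (method, url, body) for the enrollment request.

    A placeholder with no matching 'parameter <n> value' raises instead of
    sending the literal '$P<n>' to the CA.
    """
    method, template = profile["enrollment command"].split(None, 1)
    params = profile["parameters"]
    req_encoded = quote(base64.b64encode(pkcs10_der), safe="")   # assumed $REQ encoding

    def substitute(m):
        token = m.group(1)
        if token == "REQ":
            return req_encoded
        number = int(token[1:])
        if number not in params:
            raise ValueError(f"template uses ${token} but no 'parameter {number} value' is configured")
        return quote(params[number], safe="")

    body = re.sub(r"\$(P\d+|REQ)", substitute, template)
    return method, profile["enrollment url"], body


def decode_request_body(body):
    """Parse a built body back into (fields, pkcs10_der) to check it."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    der = base64.b64decode(fields["pkcs10Request"]) if "pkcs10Request" in fields else None
    return fields, der


# Constructed stand-in for a DER-encoded PKCS#10 request (not a real CSR).
FAKE_CSR_DER = b"\x30\x03\x02\x01\x00"

if __name__ == "__main__":
    profile = parse_enrollment_profile(PROFILE_TEXT)
    method, url, body = build_enrollment_request(profile, FAKE_CSR_DER)
    print(method, url)
    print(body)
```

Note what the expansion makes explicit: parameter 1 (the authcode) is an enrollment credential that travels in the body of a plain http:// POST, so the parameter values in an enrollment profile deserve the same handling as any other secret in the configuration.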

Related Commands

Command
Description

crypto ca profile enrollment

Defines an enrollment profile.

crypto ca trustpoint

Declares the CA that your router should use.


enrollment retry count

The enrollment retry count command is replaced by the enrollment command. See the enrollment command for more information.

enrollment retry period

The enrollment retry period command is replaced by the enrollment command. See the enrollment command for more information.

enrollment selfsigned

To specify self-signed enrollment for a trustpoint, use the enrollment selfsigned command in ca-trustpoint configuration mode. To delete self-signed enrollment from a trustpoint, use the no form of this command.

enrollment selfsigned

no enrollment selfsigned

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

ca-trustpoint configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Before you can use the enrollment selfsigned command, you must enable the crypto pki trustpoint command, which defines the trustpoint and enters ca-trustpoint configuration mode.

If you do not use this command, you should specify another enrollment method for the router by using an enrollment command such as enrollment url or enrollment terminal.

Examples

The following example shows a self-signed certificate being designated for a trustpoint named local:

crypto pki trustpoint local
 enrollment selfsigned

Related Commands

Command
Description

crypto pki trustpoint

Declares the CA that your router should use.


enrollment terminal (ca-profile-enroll)

To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-profile-enroll configuration mode. To delete a current enrollment request, use the no form of this command.

enrollment terminal

no enrollment terminal

Syntax Description

This command has no arguments or keywords.

Defaults

A certificate enrollment request is not specified.

Command Modes

Ca-profile-enroll configuration

Command History

Release
Modification

12.2(13)ZH

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

A user may manually cut-and-paste certificate authentication requests and certificates when a network connection between the router and certification authority (CA) is unavailable. After this command is enabled, the certificate request is printed on the console terminal so that it can be manually copied (cut) by the user.


Note Although most routers accept manual enrollment, the process can be tedious if a large number of routers have to be enrolled.


Examples

The following example shows how to configure the enrollment profile named "E" to perform certificate authentication via HTTP and manual certificate enrollment:

crypto ca profile enrollment E
 authentication url  http://entrust:81
 authentication command  GET /certs/cacert.der
 enrollment terminal
 parameter 1 value aaaa-bbbb-cccc
 parameter 2 value 5001

Related Commands

Command
Description

crypto ca profile enrollment

Defines an enrollment profile.


enrollment terminal (ca-trustpoint)

To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-trustpoint configuration mode. To delete a current enrollment request, use the no form of this command.

enrollment terminal [pem]

no enrollment terminal [pem]

Syntax Description

pem

(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.


Defaults

No default behavior or values

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.3(4)T

The pem keyword was added.


Usage Guidelines

A user may want to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and certification authority (CA). When this command is enabled, the router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal.

The pem Keyword

Use the pem keyword to issue certificate requests (via the crypto ca enroll command) or receive issued certificates (via the crypto ca import certificate command) in PEM-formatted files through the console terminal. If the CA server does not support simple certificate enrollment protocol (SCEP), the certificate request can be presented to the CA server manually.


Note When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained via the crypto ca authenticate command.


Examples

The following example shows how to manually specify certificate enrollment via cut-and-paste. In this example, the CA trustpoint is "MS."

crypto ca trustpoint MS
 enrollment terminal
!
crypto ca authenticate MS
crypto ca enroll MS
crypto ca import MS certificate

Related Commands

Command
Description

crypto ca authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto ca enroll

Obtains the certificate(s) of your router from the certification authority.

crypto ca import

Imports a certificate manually via TFTP or cut-and-paste at the terminal.

crypto ca trustpoint

Declares the CA that your router should use.


enrollment url (ca-identity)

The enrollment url (ca-identity) command is replaced by the enrollment url (ca-trustpoint) command. See the enrollment url (ca-trustpoint) command for more information.

enrollment url (ca-trustpoint)

To specify the enrollment parameters of a certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.

enrollment [mode] [retry period minutes] [retry count number] url url [pem]

no enrollment [mode] [retry period minutes] [retry count number] url url [pem]

Syntax Description

mode

(Optional) Registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.

retry period minutes

(Optional) Specifies the period in which the router will wait before sending the CA another certificate request. The default is 1 minute between retries. (Specify from 1 through 60 minutes.)

retry count number

(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 through 100 retries.)

url url

URL of the file system where your router should send certificate requests. For enrollment method options, see Table 22.

pem

(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.


Defaults

Your router does not know the CA URL until you specify it using url url.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

11.3T

This command was introduced as the enrollment url (ca-identity) command.

12.2(8)T

This command replaced the enrollment url (ca-identity) command. The mode, retry period minutes, and retry count number keywords and arguments were added.

12.2(13)T

The url url option was enhanced to support TFTP enrollment.

12.3(4)T

The pem keyword was added, and the url url option was enhanced to support an additional enrollment method—the Cisco IOS File System (IFS).


Usage Guidelines

Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.

Use the retry period minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within the retry period, it sends another certificate request. The router keeps resending until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (specified via the retry count number option; the default is 10) is exhausted.

Use the pem keyword to issue certificate requests (using the crypto pki enroll command) or receive issued certificates (using the crypto pki import certificate command) in PEM-formatted files.


Note When generating certificate requests in PEM format, your router does not have to have the CA certificate, which is obtained using the crypto pki authenticate command.


Use the url url option to specify or change the URL of the CA. Table 22 lists the available enrollment methods.

Table 22 Certificate Enrollment Methods 

Enrollment Method
Description

bootflash

Enroll via bootflash: file system

cns

Enroll via Cisco Networking Services (CNS): file system

flash

Enroll via flash: file system

ftp

Enroll via FTP: file system

SCEP1

Enroll via Simple Certificate Enrollment Protocol (SCEP) (an HTTP URL)

null

Enroll via null: file system

nvram

Enroll via NVRAM: file system

rcp

Enroll via remote copy protocol (rcp): file system

scp

Enroll via secure copy protocol (scp): file system

system

Enroll via system: file system

TFTP2

Enroll via TFTP: file system

1 If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA.

2 If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the section "TFTP Certificate Enrollment" for additional information.)


TFTP Certificate Enrollment

TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto pki authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the FQDN of the router will be used.)


Note The crypto pki trustpoint command replaces the crypto ca identity and crypto ca trusted-root commands and all related subcommands (all ca-identity and trusted-root configuration mode commands). If you enter a ca-identity or trusted-root subcommand, the configuration mode and command will be written back as pki-trustpoint.


Examples

The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://kahului:80":

crypto pki trustpoint ka
 enrollment url http://kahului:80
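The following is an added example, not part of the original reference, that combines the enrollment options described above into complete trustpoint configurations and shows the EXEC steps that use them. The host names (ca.example.net, ra.example.net, certserver), the file name router1, the trustpoint names and the timer values are assumptions chosen for illustration.

```cisco
! Added example (not from the original reference). Host names, file names,
! trustpoint names and timer values are assumptions.
!
! 1. SCEP enrollment over HTTP. Wait 5 minutes between resends and stop after
!    12 unanswered requests (an hour in total) instead of the defaults of
!    1 minute and 10 retries.
crypto pki trustpoint scep-ca
 enrollment url http://ca.example.net:80
 enrollment retry period 5
 enrollment retry count 12
!
! 2. The same kind of CA fronted by a registration authority. RA mode is off
!    by default, so it must be declared explicitly or enrollment fails.
crypto pki trustpoint ra-ca
 enrollment mode ra
 enrollment url http://ra.example.net
!
! 3. TFTP enrollment with a file specification. The router uploads its
!    request to the TFTP server and, on "crypto pki authenticate", fetches the
!    CA certificate as router1.ca (the router appends the .ca extension).
crypto pki trustpoint tftp-ca
 enrollment url tftp://certserver/router1
!
! 4. Cut-and-paste (PEM) handling. Requests are printed and certificates are
!    pasted as PEM text, so the CA certificate need not be fetched first.
crypto pki trustpoint pem-ca
 enrollment url http://ca.example.net pem
!
! EXEC steps that follow the configuration (shown as comments):
!   Router# crypto pki authenticate scep-ca
!       Fetches the CA certificate and prints its fingerprint. Compare that
!       fingerprint with one obtained out of band before answering "yes":
!       SCEP over plain HTTP and TFTP give the download no integrity of its own.
!   Router# crypto pki enroll scep-ca
!       Sends the request, then resends every 5 minutes up to 12 times until a
!       certificate or an enrollment error comes back.
!   Router# crypto pki enroll pem-ca
!       Prints a PEM-formatted request to paste into the CA.
!   Router# crypto pki import pem-ca certificate
!       Paste the PEM-encoded certificate the CA issued.
```

The retry values are worth tuning to the CA: an RA that requires manual approval can take hours to issue, so a short period with the default count of 10 gives up before an operator has acted, whereas an automated SCEP CA answers within the first retry.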

Related Commands

Command
Description

crypto pki authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto pki enroll

Obtains the certificate or certificates of your router from the CA.

crypto pki trustpoint

Declares the CA that your router should use.


eou allow

To allow additional Extensible Authentication Protocol over UDP (EAPoUDP) options, use the eou allow command in global configuration mode. To disable the options that have been set, use the no form of this command.

eou allow {clientless | ip-station-id}

no eou allow {clientless | ip-station-id}

Syntax Description

clientless

Allows authentication of clientless hosts (systems that do not run Cisco Trust Agent).

ip-station-id

Allows an IP address in the station-id field.


Defaults

No additional EAPoUDP options are allowed.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

The eou allow command used with the clientless keyword requires that a user group be configured on the Cisco Access Control Server (ACS) using the same username and password that are specified using the eou clientless command.

Examples

The following example shows that clientless hosts are allowed:

Router (config)# eou allow clientless

Related Commands

Command
Description

eou clientless

Sets user group credentials for clientless hosts.


eou clientless

To set user group credentials for clientless hosts, use the eou clientless command in global configuration mode. To remove the user group credentials, use the no form of this command.

eou clientless {password password | username username}

no eou clientless {password | username}

Syntax Description

password password

Sets a password.

username username

Sets a username.


Defaults

Both the username and the password default to the string "clientless".

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

For this command to be effective, the eou allow command must also be enabled.

Examples

The following example shows that a clientless host with the username "user1" has been configured:

Router (config)# eou clientless username user1

The following example shows that a clientless host with the password "user123" has been configured:

Router (config)# eou clientless password user123

Related Commands

Command
Description

eou allow

Allows additional EAPoUDP options.


eou default

To set global Extensible Authentication Protocol over UDP (EAPoUDP) parameters to the default values, use the eou default command in global or interface configuration mode.

eou default

Syntax Description

This command has no arguments or keywords.

Defaults

The EAPoUDP parameters are set to their default values.

Command Modes

Global configuration
Interface configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

You can configure this command globally by using global configuration mode or for a specific interface by using interface configuration mode.

Using this command, you can reset existing values to their default values.

Examples

The following configuration example shows that EAPoUDP parameters have been set to their default values:

Router (config)# eou default

eou initialize

To manually initialize Extensible Authentication Protocol over UDP (EAPoUDP) state machines, use the eou initialize command in global configuration mode. This command has no no form.

eou initialize {all | authentication {clientless | eap | static} | interface interface-name | ip ip-address | mac mac-address | posturetoken string}

Syntax Description

all

Initiates reauthentication of all EAPoUDP clients. This keyword is the default.

authentication

Specifies the authentication type.

clientless

Clientless authentication type.

eap

EAP authentication type.

static

Static authentication type.

interface interface-name

Specifies a specific interface.

ip ip-address

Specifies a specific IP address.

mac mac-address

Specifies a specific MAC address.

posturetoken string

Specifies a specific posture token.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

If this command is used, existing EAPoUDP state machines will be reset.

Examples

The following example shows how to reinitialize all EAPoUDP state machines, which forces all EAPoUDP clients to reauthenticate:

Router (config)# eou initialize all

Related Commands

Command
Description

eou revalidate

Revalidates an EAPoUDP association.


eou logging

To enable Extensible Authentication Protocol over UDP (EAPoUDP) system logging events, use the eou logging command in global configuration mode. To remove EAPoUDP logging, use the no form of this command.

eou logging

no eou logging

Syntax Description

This command has no arguments or keywords.

Defaults

Logging is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Examples

The following example shows that EAPoUDP logging has been enabled:

Router (config)# eou logging

The following is sample EAPoUDP logging output:

Apr  9 10:04:09.824: %EOU-6-SESSION: IP=10.0.0.1| HOST=DETECTED| Interface=FastEthernet0/0
*Apr  9 10:04:09.900: %EOU-6-CTA: IP=10.0.0.1| CiscoTrustAgent=DETECTED
*Apr  9 10:06:19.576: %EOU-6-POLICY: IP=10.0.0.1| TOKEN=Healthy
*Apr  9 10:06:19.576: %EOU-6-POLICY: IP=10.0.0.1| ACLNAME=#ACSACL#-IP-HealthyACL-40921e54
*Apr  9 10:06:19.576: %EOU-6-POSTURE: IP=10.0.0.1| HOST=AUTHORIZED| Interface=FastEthernet0/0.420
*Apr  9 10:06:19.580: %EOU-6-AUTHTYPE: IP=10.0.0.1| AuthType=EAP
*Apr  9 10:06:04.424: %EOU-6-SESSION: IP=192.43.2.1| HOST=REMOVED| Interface=FastEthernet0/0.420

eou max-retry

To set the number of maximum retry attempts for Extensible Authentication Protocol over UDP (EAPoUDP), use the eou max-retry command in global or interface configuration mode. To remove the number of retries that were entered, use the no form of this command.

eou max-retry number-of-retries

no eou max-retry number-of-retries

Syntax Description

number-of-retries

Number of maximum retries that may be attempted. The value ranges from 1 through 3. The default is 3.


Defaults

The default number of retries is 3.

Command Modes

Global configuration
Interface Configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

You can configure this command globally by using global configuration mode or for a specific interface by using interface configuration mode.

Examples

The following example shows that the maximum number of retries for an EAPoUDP session has been set for 2:

Router (config)# eou max-retry 2

Related Commands

Command
Description

show eou

Displays information about EAPoUDP global values or EAPoUDP session cache entries.


eou port

To set the UDP port for Extensible Authentication Protocol over UDP (EAPoUDP), use the eou port command in global configuration mode. This command has no no form.

eou port port-number

Syntax Description

port-number

Number of the port. The value ranges from 1 through 65535. The default value is 27186.


Defaults

The default port-number value is 27186.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Ensure that the port you set does not conflict with other UDP applications.

Examples

The following example shows that the port for an EAPoUDP session has been set to 200:

Router (config)# eou port 200

Related Commands

Command
Description

show eou

Displays information about EAPoUDP.


eou rate-limit

To set the number of simultaneous posture validations for Extensible Authentication Protocol over UDP (EAPoUDP), use the eou rate-limit command in global configuration mode. This command has no no form.

eou rate-limit number-of-validations

Syntax Description

number-of-validations

Number of clients that can be simultaneously validated. The value ranges from 1 through 200. The default value is 20.


Defaults

The default number of simultaneous validations is 20.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

If you set the rate limit to 0 (zero), rate limiting will be turned off.

If the rate limit is set to 100 and 101 clients need validation, the 101st client is not validated until one of the 100 validations in progress completes.

To return to the default value, use the eou default command.

Examples

The following example shows that the number of posture validations has been set to 100:

Router (config)# eou rate-limit 100

Related Commands

Command
Description

eou default

Sets global EAPoUDP parameters to the default values.

show eou

Displays information about EAPoUDP.


eou revalidate

To revalidate an Extensible Authentication Protocol over UDP (EAPoUDP) association, use the eou revalidate command in privileged EXEC mode. To disable the revalidation, use the no form of this command.

eou revalidate {all | authentication {clientless | eap | static} | interface interface-name | ip ip-address | mac mac-address | posturetoken string}

no eou revalidate {all | authentication {clientless | eap | static} | interface interface-name | ip ip-address | mac mac-address | posturetoken string}

Syntax Description

all

Enables revalidation of all EAPoUDP clients. This keyword option is the default.

authentication

Specifies the authentication type.

clientless

Clientless authentication type.

eap

EAP authentication type.

static

Static authentication type.

interface interface-name

Name of the interface. (See Table 23 for the types of interface that may be shown.)

ip ip-address

IP address of the client.

mac mac-address

The 48-bit hardware address of the client.

posturetoken string

Name of the posture token.


Defaults

No default behavior or values

Command Modes

Privileged EXEC

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

If you use this command, existing EAPoUDP sessions will be revalidated.

Table 23 lists the interface types that may be used with the interface keyword.

Table 23 Description of Interface Types 

Interface Type
Description

Async

Asynchronous interface

BVI

Bridge-Group Virtual Interface

CDMA-Ix

Code division multiple access Internet exchange (CDMA Ix) interface

CTunnel

Connectionless Network Protocol (CLNS) tunnel (Ctunnel) interface

Dialer

Dialer interface

Ethernet

IEEE 802.3 standard interface

Lex

Lex interface

Loopback

Loopback interface

MFR

Multilink Frame Relay bundle interface

Multilink

Multilink-group interface

Null

Null interface

Serial

Serial interface

Tunnel

Tunnel interface

Vif

Pragmatic General Multicast (PGM) Multicast Host interface

Virtual-PPP

Virtual PPP interface

Virtual-Template

Virtual template interface

Virtual-TokenRing

Virtual TokenRing interface


Examples

The following example shows that all EAPoUDP clients are to be revalidated:

Router# eou revalidate all

Related Commands

Command
Description

eou initialize

Manually initializes EAPoUDP state machines.


eou timeout

To set the Extensible Authentication Protocol over UDP (EAPoUDP) timeout values, use the eou timeout command in global or interface configuration mode. To remove the value that was set, use the no form of this command.

eou timeout {aaa seconds | hold-period seconds | retransmit seconds | revalidation seconds | status query seconds}

no eou timeout {aaa seconds | hold-period seconds | retransmit seconds | revalidation seconds | status query seconds}

Syntax Description

aaa seconds

Authentication, authorization, and accounting (AAA) timeout period, in seconds. The value range is from 1 through 60. Default=60.

hold-period seconds

Hold period following failed authentication, in seconds. The value range is from 60 through 86400. Default=180.

retransmit seconds

Retransmit period, in seconds. The value range is from 1 through 60. Default=3.

revalidation seconds

Revalidation period, in seconds. The value range is from 300 through 86400. Default=36000.

status query seconds

Status query period after revalidation, in seconds. The value range is from 30 through 1800. Default=300.


Defaults

aaa: 60 seconds; hold-period: 180 seconds; retransmit: 3 seconds; revalidation: 36000 seconds; status query: 300 seconds.

Command Modes

Global configuration
Interface configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

You can configure this command globally by using global configuration mode or for a specific interface by using interface configuration mode.

Examples

The following example shows that the status query period after revalidation is set to 30 seconds:

Router (config)# eou timeout status query 30
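The following is an added example, not part of the original reference, that ties the eou allow, eou clientless, eou logging, eou rate-limit, eou timeout, eou max-retry and eou default commands described above into one EAPoUDP configuration with global values and per-interface overrides. The user group name nac-clientless, the password, the interface names and the timer values are assumptions.

```cisco
! Added example (not from the original reference). The user group name,
! password, interface names and timer values are assumptions.
!
! Global EAPoUDP settings.
eou logging
!
! Hosts that do not run Cisco Trust Agent are admitted through a clientless
! policy. The same username/password pair must be configured as a user group
! on ACS, so it is a shared secret: change both values from the default
! "clientless" and give the ACS group the most restrictive policy you have,
! because every agentless host on the segment authenticates as that group.
eou allow clientless
eou clientless username nac-clientless
eou clientless password Cl13ntl3ss-Grp-2004
!
! Cap concurrent posture validations so a burst of new hosts cannot saturate
! the path to ACS; hosts beyond the cap wait for a slot.
eou rate-limit 50
!
! Timers: revalidate every 4 hours instead of 10, query status every
! 2 minutes, and keep a host that failed authentication out for 10 minutes
! before it may try again.
eou timeout revalidation 14400
eou timeout status query 120
eou timeout hold-period 600
!
! Per-interface override for a segment behind a lossy link: allow the
! maximum number of retries and a longer retransmit interval than the
! global values.
interface FastEthernet0/0
 eou max-retry 3
 eou timeout retransmit 5
!
! Return a mis-tuned interface to the default values in one step.
interface FastEthernet0/1
 eou default
!
! Operational checks (privileged EXEC, shown as comments):
!   Router# show eou             <- confirm the global values above took effect
!   Router# eou revalidate all   <- force an immediate posture revalidation
```

Interface-mode values win over the global ones for that interface only; eou default entered in interface mode clears the overrides, while eou default in global configuration resets the global values. The hold period is the main brake on a host that repeatedly fails: with a 10-minute hold and 3 retries, a misconfigured or hostile host gets at most a few validation attempts per hour.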

Related Commands

Command
Description

show eou

Displays information about EAPoUDP global values.


evaluate

To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command.

evaluate name

no evaluate name

Syntax Description

name

The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.


Defaults

Reflexive access lists are not evaluated.

Command Modes

Access-list configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

This command is used to achieve reflexive filtering, a form of session filtering.

Before this command will work, you must define the reflexive access list using the permit (reflexive) command.

This command nests a reflexive access list within an extended named IP access list.

If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.)

This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated.

As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.

Examples

The following example shows reflexive filtering at an external interface. This example defines an extended named IP access list inboundfilters, and applies it to inbound traffic at the interface. The access list definition permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic.

If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet will be permitted into the network. tcptraffic only has entries that permit inbound traffic for existing TCP sessions.

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
!
ip access-list extended inboundfilters
 permit tcp any eq bgp any
 permit tcp any any eq bgp
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
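The example above shows only the inbound half. The following added example, not part of the original reference, shows the complete pair: the outbound access list that creates the reflexive entries with permit (reflexive), the timeout that governs them, and the inbound list that nests them with evaluate. The interface name, the timeout values and the second reflexive list udptraffic are assumptions.

```cisco
! Added example (not from the original reference). Interface, timeout
! values and the udptraffic list are assumptions.
!
! Temporary entries are removed 120 s after the last packet of a session
! unless the reflect entry that created them carries its own timeout.
ip reflexive-list timeout 120
!
! Outbound list on the external interface. Each permitted outbound TCP or
! UDP flow adds a mirror-image entry (source and destination swapped) to the
! named reflexive list for as long as the session lives.
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic timeout 30
!
! Inbound list on the same interface. Router-originated sessions (BGP,
! EIGRP) never pass through the outbound list, so they get no reflexive
! entries and must be permitted statically. After that, the evaluate
! entries admit only return traffic for sessions that exist; anything left
! over is unsolicited and is denied by the final entry.
ip access-list extended inboundfilters
 permit tcp any eq bgp any
 permit tcp any any eq bgp
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
 evaluate udptraffic
 deny ip any any log
!
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
```

Two practical caveats follow from the evaluation order described above. First, an evaluate entry must come before the closing deny; an entry placed after deny ip any any is never reached. Second, reflexive entries mirror exactly one address and port pair per session, so protocols that open a second channel on a different port (active-mode FTP, for example) are not admitted by the reflexive list and need either a static permit or a stateful inspection feature instead.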

Related Commands

Command
Description

ip access-list

Defines an IP access list by name.

ip reflexive-list timeout

Specifies the length of time that reflexive access list entries will continue to exist when no packets in the session are detected.

permit (reflexive)

Creates a reflexive access list and enables its temporary entries to be automatically generated.