Table Of Contents
fingerprint
firewall are-u-there
fqdn (ca-trustpoint)
fqdn (crypto identity)
grant auto
grant auto trustpoint
grant none
grant ra-auto
group (authentication)
group (IKE policy)
group (local RADIUS server)
group (RADIUS)
group-lock
hash (IKE policy)
heading
identity
identity policy
identity profile
identity profile eapoudp
idle-timeout
include-local-lan
incoming
initiate-mode
interface (RITE)
ip-address (ca-trustpoint)
ip admission
ip admission name
ip auth-proxy (global configuration)
ip auth-proxy (interface configuration)
ip auth-proxy auth-proxy-banner
ip auth-proxy name
ip http ezvpn
ip inspect
ip inspect alert-off
ip inspect audit-trail
ip inspect dns-timeout
ip inspect hashtable
ip inspect L2-transparent dhcp-passthrough
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect name
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp finwait-time
ip inspect tcp idle-time
ip inspect tcp max-incomplete host
ip inspect tcp synwait-time
ip inspect udp idle-time
ip ips
ip ips deny-action ips-interface
ip ips fail closed
ip ips name
ip ips notify
ip ips po local
ip ips po max-events
ip ips po protected
ip ips po remote
ip ips sdf location
ip ips signature
ip ips signature disable
fingerprint
To preenter a fingerprint that can be matched against the fingerprint of a certification authority (CA) certificate during authentication, use the fingerprint command in ca-trustpoint configuration mode. To remove the preentered fingerprint, use the no form of this command.
fingerprint ca-fingerprint
no fingerprint ca-fingerprint
Syntax Description
ca-fingerprint | Certificate fingerprint.
Defaults
A fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.3(12) | This command was introduced. This release supports only Message Digest 5 (MD5) fingerprints.
12.3(13)T | Support was added for Secure Hash Algorithm 1 (SHA1), but only for Cisco IOS T releases.
Usage Guidelines
Note
If the authentication request is made using the CLI, it is considered an interactive request. If the authentication request is made using HTTP or another management tool, it is considered a noninteractive request.
Preenter the fingerprint if you want to avoid responding to the verify question during CA certificate authentication or if you will be requesting authentication noninteractively. The preentered fingerprint may be either the MD5 fingerprint or the SHA1 fingerprint of the CA certificate.
If you are authenticating a CA certificate and the fingerprint was preentered, if the fingerprint matches that of the certificate, the certificate is accepted. If the preentered fingerprint does not match, the certificate is rejected.
If requesting authentication noninteractively, the fingerprint must be preentered or the certificate will be rejected. The verify question will not be asked when requesting authentication noninteractively.
If you are requesting authentication interactively without preentering the fingerprint, the fingerprint of the certificate will be displayed, and you will be asked to verify it.
Examples
The following example shows how to preenter an MD5 fingerprint before authenticating a CA certificate:
Router (config)# crypto pki trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto pki authenticate myTrustpoint
Certificate has the following attributes:
Fingerprint MD5: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Fingerprint SHA1: 998CCFAA 5816ECDE 38FC217F 04C11F1D DA06667E
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
The following is an example for Cisco Release 12.3(12). Note that the SHA1 fingerprint is not displayed because it is not supported by this release.
Router (config)# crypto ca trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto ca authenticate myTrustpoint
Certificate has the following attributes:
Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
Related Commands
Command | Description
crypto ca authenticate | Authenticates the CA (by getting the certificate of the CA).
crypto ca trustpoint | Declares the CA that your router should use.
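The acceptance rule in the usage guidelines above (preentered fingerprint matches: accept; mismatches: reject; nothing preentered: prompt the operator when interactive, reject when noninteractive) as an added Python example. This is not Cisco code or text from the command reference. The certificate bytes are a constructed stand-in for the DER-encoded CA certificate, and the grouped-hex layout follows the `Fingerprint MD5:` / `Fingerprint SHA1:` lines of the session output above.

```python
import hashlib
import hmac
import string

# Constructed stand-in for the DER-encoded CA certificate. A real check hashes
# the exact DER bytes of the CA certificate the router downloaded.
CA_CERT_DER = b"abc"


def cisco_format(hex_digest):
    """Render a hex digest as groups of 8 upper-case hex digits (4 for MD5, 5 for SHA1)."""
    hex_digest = hex_digest.upper()
    return " ".join(hex_digest[i:i + 8] for i in range(0, len(hex_digest), 8))


def normalize(fingerprint):
    """Strip the separators an operator might type; None if the result is not hex."""
    compact = fingerprint.replace(" ", "").replace(":", "").upper()
    if not compact or any(ch not in string.hexdigits for ch in compact):
        return None
    return compact


def compute_fingerprints(der):
    """Both fingerprints the reference supports for a trustpoint."""
    return {
        "MD5": hashlib.md5(der).hexdigest().upper(),
        "SHA1": hashlib.sha1(der).hexdigest().upper(),
    }


def authenticate_ca(der, preentered=None, interactive=False):
    """Return (decision, fingerprints) for one crypto pki authenticate.

    decision is 'accepted', 'rejected' or 'verify'. 'verify' models the
    interactive prompt: nothing was preentered, so the displayed fingerprints
    must be compared out of band before the operator answers yes.
    """
    fps = compute_fingerprints(der)
    if preentered is None:
        return ("verify" if interactive else "rejected"), fps
    wanted = normalize(preentered)
    if wanted is None:
        return "rejected", fps
    # The preentered value may be either fingerprint; its length says which one.
    algorithm = {32: "MD5", 40: "SHA1"}.get(len(wanted))
    if algorithm is None:
        return "rejected", fps
    if hmac.compare_digest(wanted, fps[algorithm]):
        return "accepted", fps
    return "rejected", fps


if __name__ == "__main__":
    fps = compute_fingerprints(CA_CERT_DER)
    for alg, digest in fps.items():
        print(f"Fingerprint {alg}: {cisco_format(digest)}")
    # Noninteractive request with the SHA1 fingerprint preentered.
    print(authenticate_ca(CA_CERT_DER, cisco_format(fps["SHA1"]))[0])
```

The comparison uses a constant-time check; the length of the normalized value selects MD5 or SHA1 exactly as the guidelines allow either fingerprint to be preentered.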
firewall are-u-there
To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.
firewall are-u-there
no firewall are-u-there
Syntax Description
This command has no arguments or keywords.
Defaults
The server will not send the Firewall-Are-U-There attribute to the client.
Command Modes
ISAKMP group configuration
Command History
Release | Modification
12.3(2)T | This command was introduced.
Usage Guidelines
The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only, that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall will not respond with their capabilities, and their connections will be dropped.
The Firewall-Are-U-There attribute is configured on a Cisco IOS router or in the RADIUS profile.
To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.
An example of an attribute-value (AV) pair for the Firewall-Are-U-There attribute is as follows:
ipsec:firewall=1
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.
Note
• The Firewall-Are-U-There attribute can be applied only by a RADIUS user.
• The attribute can be applied on a per-user basis after the user has been authenticated.
• The attribute can override any similar group attributes.
• User-based attributes are available only if RADIUS is used as the database.
Examples
The following example shows that the Firewall-Are-U-There attribute has been configured:
crypto isakmp client configuration group group1
 firewall are-u-there
Related Commands
Command | Description
acl | Configures split tunneling.
crypto isakmp client configuration group | Specifies group policy information that has to be defined or changed.
fqdn (ca-trustpoint)
To specify a fully qualified domain name (FQDN) that will be included as "unstructuredName" in the certificate request, use the fqdn command in ca-trustpoint configuration mode. To remove the FQDN, use the no form of this command.
fqdn {name | none}
no fqdn {name | none}
Syntax Description
name | FQDN that will be included as "unstructuredName" in the certificate request.
none | Router FQDN will not be included in the certificate request.
Defaults
The FQDN is not configured. The router FQDN will be included as "unstructuredName" in the certificate request.
Command Modes
Ca-trustpoint configuration
Command History
Release | Modification
12.2(13)T | This command was introduced.
Usage Guidelines
Before you can issue this command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The fqdn command is a subcommand that allows you to specify a certificate enrollment parameter. Use the fqdn command to include a different FQDN from that of the router in the certificate request or to specify that a FQDN should not be included in the certificate request.
Examples
The following example shows that the FQDN "jack.cisco.com" will be included in the certificate request instead of the router FQDN:
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US
 fqdn jack.cisco.com
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
fqdn (crypto identity)
To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
fqdn name
no fqdn name
Syntax Description
name | Identity used to restrict access to peers with specific certificates.
Defaults
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Release | Modification
12.2(4)T | This command was introduced.
Usage Guidelines
Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you to set restrictions in the router configuration that prevent peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
The name argument defined in the crypto identity command must match the name argument defined in the fqdn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.
Examples
The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and whose certificate belongs to "little.com":
crypto map map-to-little-com 10 ipsec-isakmp
 set transform-set my-transformset
 identity to-little-com
crypto identity to-little-com
 fqdn little.com
Related Commands
Command | Description
crypto identity | Configures the identity of the router with a given list of DNs in the certificate of the router.
dn | Associates the identity of the router with the DN in the certificate of the router.
grant auto
To specify automatic certificate enrollment, use the grant auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.
grant auto
no grant auto
Syntax Description
This command has no arguments or keywords.
Defaults
Certificate enrollment is manual; that is, authorization is required.
Command Modes
Certificate server configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Usage Guidelines
The grant auto command should be used only when testing and building simple networks. This command must be disabled before the network is accessible by the Internet.
Note
This command can be used for testing and building simple networks; however, it is recommended that you do not issue this command if your network is generally accessible.
Examples
The following example shows how to enable automatic certificate enrollment for the certificate server "myserver":
Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimum
Router(cs-server)# grant auto
% This will cause all certificate requests to be automatically granted.
Are you sure you want to do this? [yes/no]: yes
Related Commands
Command | Description
crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant auto trustpoint
To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.
grant auto trustpoint label
Syntax Description
label | Name of the non-Cisco IOS CA trustpoint.
Defaults
No default behavior or values.
Command Modes
Certificate server configuration
Command History
Release | Modification
12.3(11)T | This command was introduced.
Usage Guidelines
After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.
Note
The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.
The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).
Caution
The grant automatic command can be used for testing and building simple networks and should be disabled before the network is accessible by the Internet.
However, it is recommended that you do not issue this command if your network is generally accessible.
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
!
! Configure trustpoint "cs" for Cisco IOS CA.
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the
! enrollment credential command) that "msca-root" is being initially enrolled with the
! Cisco IOS CA.
crypto pki trustpoint cs
 enrollment profile cs1
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to
! instruct the certificate server to accept enrollment requests only from clients who are
! already enrolled with trustpoint "msca-root."
crypto pki server cs
 grant auto trustpoint msca-root
crypto pki trustpoint msca-root
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
Related Commands
Command | Description
crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant none
To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.
grant none
no grant none
Syntax Description
This command has no arguments or keywords.
Defaults
Certificate enrollment is manual; that is, authorization is required.
Command Modes
Certificate server configuration
Command History
Release | Modification
12.3(4)T | This command was introduced.
Examples
The following example shows how to automatically reject all certificate enrollment requests for the certificate server "myserver":
Router(config)# ip http server
Router(config)# crypto pki server myserver
Router(cs-server)# database level minimum
Router(cs-server)# grant none
Related Commands
Command | Description
crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant automatic | Specifies automatic certificate enrollment.
grant ra-auto
To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.
grant ra-auto
no grant ra-auto
Syntax Description
This command has no arguments or keywords.
Defaults
Certificate enrollment is manual; that is, authorization is required.
Command Modes
Certificate server configuration
Command History
Release | Modification
12.3(7)T | This command was introduced.
Usage Guidelines
When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.
Note
For the grant ra-auto command to work, you have to include "cn=ioscs RA" or "ou=ioscs RA" in the subject name of the RA certificate.
Examples
The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:
Router (config)# crypto pki server myserver
Router-ca (cs-server)# grant ra-auto
% This will cause all certificate requests that are already authorized by known RAs to be
automatically granted.
Are you sure you want to do this? [yes/no]:yes
Related Commands
Command | Description
crypto pki server | Enables a Cisco IOS certificate server and enters certificate server configuration mode.
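The four grant modes documented above (grant auto, grant auto trustpoint, grant none, grant ra-auto) decide what happens to an enrollment request before an administrator sees it. The following added Python example models that decision for review purposes; it is not Cisco code and the requests are constructed. Assumptions of the example: grant none takes precedence over any other grant setting, and the "cn=ioscs RA" / "ou=ioscs RA" test on the RA subject is case-insensitive; the reference does not state either.

```python
from dataclasses import dataclass, field


@dataclass
class GrantPolicy:
    """Grant settings of one Cisco IOS certificate server (cs-server mode)."""
    auto: bool = False                 # grant auto
    none: bool = False                 # grant none
    ra_auto: bool = False              # grant ra-auto
    auto_trustpoints: set = field(default_factory=set)  # grant auto trustpoint <label>


@dataclass
class EnrollmentRequest:
    client: str
    ra_subject: str = ""      # subject of the RA certificate that authorized it; "" if none
    enrolled_with: str = ""   # trustpoint the client already holds a certificate from; "" if none


def is_ioscs_ra(subject):
    """grant ra-auto only honours an RA whose certificate subject carries
    "cn=ioscs RA" or "ou=ioscs RA" (see the note above). Case-insensitive here."""
    parts = {p.strip().lower() for p in subject.split(",")}
    return "cn=ioscs ra" in parts or "ou=ioscs ra" in parts


def decide(policy, request):
    """Return 'granted', 'rejected' or 'pending-manual' for one request."""
    if policy.none:
        return "rejected"          # grant none: every request is rejected
    if policy.auto:
        return "granted"           # grant auto: every request is granted (test networks only)
    if policy.ra_auto and request.ra_subject and is_ioscs_ra(request.ra_subject):
        return "granted"           # grant ra-auto: already authorized by a known RA
    if request.enrolled_with and request.enrolled_with in policy.auto_trustpoints:
        return "granted"           # grant auto trustpoint: client enrolled with that CA
    return "pending-manual"        # default: an administrator must grant it


def demo():
    """Constructed requests against a server with grant ra-auto and
    grant auto trustpoint msca-root (the label used in the example above)."""
    policy = GrantPolicy(ra_auto=True, auto_trustpoints={"msca-root"})
    requests = [
        EnrollmentRequest("branch-1", enrolled_with="msca-root"),
        EnrollmentRequest("branch-2", ra_subject="cn=ioscs RA,o=Example"),
        EnrollmentRequest("branch-3", ra_subject="cn=other RA,o=Example"),
        EnrollmentRequest("branch-4"),
    ]
    return [(r.client, decide(policy, r)) for r in requests]


if __name__ == "__main__":
    for client, outcome in demo():
        print(f"{client}: {outcome}")
```

Reading a server's configuration through this lens makes the risk of grant auto concrete: every branch of the function that returns "granted" without either an RA signature or a prior enrollment is one the Caution above tells you to remove before the network is reachable from the Internet.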
group (authentication)
To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group {tacacs+ server-group}
no group {tacacs+ server-group}
Syntax Description
tacacs+ | Uses a TACACS+ server for authentication.
server-group | Name of the server group to use for authentication.
Defaults
No method list is configured.
Command Modes
AAA preauthentication configuration
Command History
Release | Modification
12.1(2)T | This command was introduced.
Usage Guidelines
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:
Related Commands
Command | Description
aaa preauth | Enters AAA preauthentication mode.
dnis (authentication) | Enables AAA preauthentication using DNIS.
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2}
no group
Syntax Description
1 | Specifies the 768-bit Diffie-Hellman group.
2 | Specifies the 1024-bit Diffie-Hellman group.
Defaults
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
Related Commands
Command | Description
authentication (IKE policy) | Specifies the authentication method within an IKE policy.
crypto isakmp policy | Defines an IKE policy.
encryption (IKE policy) | Specifies the encryption algorithm within an IKE policy.
hash (IKE policy) | Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy) | Specifies the lifetime of an IKE SA.
show crypto isakmp policy | Displays the parameters for each IKE policy.
group (local RADIUS server)
To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.
group group-name
no group group-name
Syntax Description
group-name | Name of user group.
Defaults
No default behavior or values
Command Modes
Local RADIUS server configuration
Command History
Release | Modification
12.2(11)JA | This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T | This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.
Examples
The following example shows that shared settings are being configured for group "team1":
Related Commands
Command | Description
block count | Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server | Clears the statistics display or unblocks a user.
debug radius local-server | Displays the debug information for the local server.
nas | Adds an access point or router to the list of devices that use the local authentication server.
radius-server host | Specifies the remote RADIUS server host.
radius-server local | Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time | Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics | Displays statistics for a local network access server.
ssid | Specifies up to 20 SSIDs to be used by a user group.
user | Authorizes a user to authenticate using the local authentication server.
vlan | Specifies a VLAN to be used by members of a user group.
group (RADIUS)
To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group server-group
no group server-group
Syntax Description
server-group | Specifies a AAA RADIUS server group.
Defaults
No default behavior or values.
Command Modes
AAA preauthentication configuration
Command History
Release | Modification
12.1(2)T | This command was introduced.
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:
aaa group server radius maestro
 ! server entries for the group go here
aaa preauth
 group maestro
 dnis required
Related Commands
Command | Description
aaa group server radius | Groups different RADIUS server hosts into distinct lists and distinct methods.
clid | Preauthenticates calls on the basis of the CLID number.
ctype | Preauthenticates calls on the basis of the call type.
dnis (RADIUS) | Preauthenticates calls on the basis of the DNIS number.
dnis bypass (AAA preauthentication configuration) | Specifies a group of DNIS numbers that will be bypassed for preauthentication.
group-lock
The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.
To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.
Note
Preshared keys are supported only. Certificates are not supported.
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Release | Modification
12.2(13)T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:
name/group
name\group
name@group
name%group
where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
Caution 
Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.
The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
Note
If local authentication is used, then the Group-Lock attribute is the only option.
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.
Examples
The following example shows how the Group-Lock attribute is configured in the CLI using the group-lock command:
Note
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.
crypto isakmp client configuration group cisco
 group-lock
The following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:
Note
If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.
Related Commands
Command | Description
acl | Configures split tunneling.
crypto isakmp client configuration group | Specifies group policy information that has to be defined or changed.
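The comparison the usage guidelines describe (split the Xauth username at one of the delimiters / \ @ %, compare the part after it with the group identifier sent during IKE aggressive mode, terminate on mismatch) as an added Python example. It is not Cisco code; the login attempts are constructed, and the ISAKMP group name "cisco" is the one from the CLI example above. One assumption is made explicit in the code: when a username contains more than one delimiter, the left-most one ends the name, which the reference does not specify.

```python
import hmac

# Delimiters the Group-Lock attribute accepts between name and group:
# name/group, name\group, name@group, name%group.
DELIMITERS = "/\\@%"


def split_xauth_username(username):
    """Split an extended Xauth username into (name, group).

    Assumption of this example: the left-most delimiter ends the name.
    Returns group=None when the username carries no delimiter at all.
    """
    positions = [username.index(d) for d in DELIMITERS if d in username]
    if not positions:
        return username, None
    cut = min(positions)
    return username[:cut], username[cut + 1:]


def group_lock_check(xauth_username, ike_group_id, group_lock=True):
    """Return True if the client connection may proceed.

    ike_group_id is the VPN group name (ID_KEY_ID) the client presented during
    IKE. With group-lock configured, the group embedded in the Xauth username
    must equal it; a username without a group is rejected because the
    attribute requires the user name to include the group.
    """
    if not group_lock:
        return True  # attribute not configured: no username/group comparison
    _name, group = split_xauth_username(xauth_username)
    if not group:
        return False
    return hmac.compare_digest(group.encode(), ike_group_id.encode())


# Constructed login attempts: (Xauth username, ID_KEY_ID group sent during IKE).
ATTEMPTS = [
    ("user1@cisco", "cisco"),   # delimiter @, groups match
    ("user1/cisco", "cisco"),   # delimiter /, groups match
    ("user1\\eng", "cisco"),    # delimiter \, user belongs to another group
    ("user1", "cisco"),         # no group in the username
    ("user1%cisco", "sales"),   # client negotiated a different group than the one locked
]


def run_attempts(attempts=ATTEMPTS):
    """Evaluate every attempt; returns (username, ike_group, accepted) triples."""
    return [(user, group, group_lock_check(user, group)) for user, group in attempts]


if __name__ == "__main__":
    for user, group, ok in run_attempts():
        print(f"{user:12} IKE group={group:6} -> {'accepted' if ok else 'terminated'}")
```

On a gateway that authenticates locally, this check is the only control preventing a user credential valid for one ISAKMP group from being used to join another, which is why the reference makes Group-Lock the only option for local authentication.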
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha | Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5 | Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Release | Modification
11.3 T | This command was introduced.
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
Related Commands
Command | Description
authentication (IKE policy) | Specifies the authentication method within an IKE policy.
crypto isakmp policy | Defines an IKE policy.
encryption (IKE policy) | Specifies the encryption algorithm within an IKE policy.
group (IKE policy) | Specifies the Diffie-Hellman group identifier within an IKE policy.
lifetime (IKE policy) | Specifies the lifetime of an IKE SA.
show crypto isakmp policy | Displays the parameters for each IKE policy.
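The group (IKE policy) and hash (IKE policy) entries above both say that an omitted command silently takes a default (group 1, that is 768-bit Diffie-Hellman, and SHA-1). A configuration review therefore has to fill in those defaults before judging a policy. The following added Python example does that over a constructed running-config excerpt; it is not Cisco code or page text. The modulus sizes for groups 1 and 2 are the ones this reference lists, and the 2048-bit threshold used to flag a group is this example's choice, not something the reference states.

```python
import re

# Defaults stated in this reference when the command is absent from a policy.
DEFAULT_GROUP = "1"
DEFAULT_HASH = "sha"
# Modulus sizes of the two groups this reference documents.
DH_MODULUS_BITS = {"1": 768, "2": 1024}
WEAK_BELOW_BITS = 2048  # review threshold chosen for this example

# Constructed running-config excerpt (not from the page) with three policies.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp policy 20
 encr aes 256
crypto isakmp policy 30
 hash sha
 group 1
"""


def parse_isakmp_policies(config_text):
    """Return {priority: {'hash', 'group', 'explicit'}} with defaults filled in.

    'explicit' records which of the two parameters the policy actually set,
    so a finding can say whether a weak value was chosen or inherited.
    """
    policies = {}
    current = None
    for line in config_text.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = {"hash": DEFAULT_HASH, "group": DEFAULT_GROUP, "explicit": set()}
            policies[int(header.group(1))] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the policy block
            continue
        words = line.split()
        if len(words) == 2 and words[0] in ("hash", "group"):
            current[words[0]] = words[1]
            current["explicit"].add(words[0])
    return policies


def audit(config_text):
    """List (priority, finding) pairs for small DH groups and MD5 hashing."""
    findings = []
    for prio, policy in sorted(parse_isakmp_policies(config_text).items()):
        bits = DH_MODULUS_BITS.get(policy["group"])
        if bits is not None and bits < WEAK_BELOW_BITS:
            source = "explicit" if "group" in policy["explicit"] else "default"
            findings.append((prio, f"group {policy['group']} ({bits}-bit, {source})"))
        if policy["hash"] == "md5":
            findings.append((prio, "hash md5"))
    return findings


if __name__ == "__main__":
    for prio, finding in audit(SAMPLE_CONFIG):
        print(f"crypto isakmp policy {prio}: {finding}")
```

Policy 20 in the sample carries neither command and is the case that a reviewer reading only the visible lines would miss: its effective group is 1 because the reference makes that the default.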
heading
To set the heading that is displayed above all URLs on the portal page of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the heading command in Web VPN URL configuration mode. To remove the heading, use the no form of this command.
heading heading-name
no heading heading-name
Syntax Description
heading-name | Name of the heading.
Defaults
A URL list is not configured.
Command Modes
Web VPN URL configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command sets the headings that are displayed above all URLs on the portal page.
Examples
The following example shows that the heading has been set to "Engineering":
Router (config-webvpn)# url-list englist
Router (config-webvpn-url)# heading Engineering
Related Commands
Command | Description
url-list | Configures the list of URLs to which a user has access on the portal page of a SSLVPN and enters URL configuration mode.
webvpn | Enters Web VPN configuration mode.
identity
To set the identity to the crypto map, use the identity command in crypto map configuration mode.
identity name
Syntax Description
name | Identity used to permit or restrict access for a host to a crypto map.
Defaults
If this command is not enabled, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.
Command Modes
Crypto map configuration
Command History
Release | Modification
12.2(4)T | This command was introduced.
Usage Guidelines
Use the identity command to set the identity to the configured crypto maps. When this command is applied, only the hosts that match a configuration listed within the name argument can use that crypto map.
Examples
The following example shows how to configure two IP Security (IPSec) crypto maps and apply an identity to each crypto map: the identity is set to "to-bigbiz" for the first crypto map and "to-little-com" for the second crypto map.
! The following is an IPSec crypto map (part of IPSec configuration). It can be used only
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set transform-set my-transformset
 identity to-bigbiz
crypto identity to-bigbiz
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set transform-set my-transformset
 identity to-little-com
crypto identity to-little-com
Related Commands
Command | Description
crypto identity | Configures the identity of the router with a given list of DNs in the certificate of the router.
crypto map (global IPSec) | Creates or modifies a crypto map entry and enters the crypto map configuration mode.
dn | Associates the identity of the router with the DN in the certificate of the router.
fqdn | Associates the identity of the router with the hostname that the peer used to authenticate itself.
identity policy
To create an identity policy and to enter identity policy configuration mode, use the identity policy command in global configuration mode. To remove the policy, use the no form of this command.
identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]
no identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]
Syntax Description
policy-name | Name of the policy.
access-group group-name | (Optional) Access list to be applied.
description line-of-description | (Optional) Description of the policy.
redirect url | (Optional) Redirects clients to a particular URL.
template | (Optional) Virtual template interface from which commands may be cloned.
virtual-template interface-number | (Optional) Virtual template number. The values range from 1 through 200.
Defaults
An identity policy is not created.
Command Modes
Global configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
An identity policy has to be associated with an identity profile.
Examples
The following example shows that an access policy named "greentree" is being created. The access-group attribute is set to "allow-access." The redirect URL is set to "http://remediate-url.com." This access policy will be associated with a statically authorized device in the identity profile.
Router (config)# identity policy greentree
Router (config-identity-policy)# access-group allow-access
Router (config-identity-policy)# redirect url http://remediate-url.com
Related Commands
Command | Description
identity profile | Creates an identity profile.
identity profile
To create an identity profile and to enter identity profile configuration mode, use the identity profile command in global configuration mode. To disable an identity profile, use the no form of this command.
identity profile {default | dot1x | eapoudp}
no identity profile {default | dot1x | eapoudp}
Syntax Description
default | Service type is default.
dot1x | Service type for 802.1X.
eapoudp | Service type for Extensible Authentication Protocol over UDP (EAPoUDP).
Defaults
An identity profile is not created.
Command Modes
Global configuration
Command History
Release | Modification
12.3(2)XA | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
12.3(8)T | The eapoudp keyword was added.
Usage Guidelines
The identity profile command and default keyword allow you to configure static MAC addresses of a client computer that does not support 802.1X and to authorize or unauthorize them statically. After you have issued the identity profile command and default keyword and are in identity profile configuration mode, you can specify the configuration of a template that can be used to create the virtual access interface to which unauthenticated supplicants (client computers) will be mapped.
The identity profile command and the dot1x keyword are used by the supplicant and authenticator. Using the dot1x keyword, you can set the username, password, or other identity-related information for an 802.1X authentication.
Using the identity profile command and the eapoudp keyword, you can statically authenticate or unauthenticate a device either on the basis of the device IP address or MAC address or on the type, and the corresponding network access policy can be specified using the identity policy command.
Examples
The following example shows that an identity profile and its description have been specified:
Router (config)# identity profile default
Router (config-identity-prof)# description description_entered_here
The following example shows that an EAP username has been entered:
Router (config)# identity profile dot1x
Router (config-identity-prof)# eap username user1
The following example shows that an EAPoUDP identity profile has been created:
Router (config)# identity profile eapoudp
Related Commands
Command | Description
debug dot1x | Displays 802.1X debugging information.
description | Enters an 802.1X description.
device | Statically authorizes or rejects individual devices.
dot1x initialize | Initializes an interface.
dot1x max-req | Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC.