Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: fingerprint through ip ips signature disable

Table Of Contents

fingerprint

firewall are-u-there

fqdn (ca-trustpoint)

fqdn (crypto identity)

grant auto

grant auto trustpoint

grant none

grant ra-auto

group (authentication)

group (IKE policy)

group (local RADIUS server)

group (RADIUS)

group-lock

hash (IKE policy)

heading

identity

identity policy

identity profile

identity profile eapoudp

idle-timeout

include-local-lan

incoming

initiate-mode

interface (RITE)

ip-address (ca-trustpoint)

ip admission

ip admission name

ip auth-proxy (global configuration)

ip auth-proxy (interface configuration)

ip auth-proxy auth-proxy-banner

ip auth-proxy name

ip http ezvpn

ip inspect

ip inspect alert-off

ip inspect audit-trail

ip inspect dns-timeout

ip inspect hashtable

ip inspect L2-transparent dhcp-passthrough

ip inspect max-incomplete high

ip inspect max-incomplete low

ip inspect name

ip inspect one-minute high

ip inspect one-minute low

ip inspect tcp finwait-time

ip inspect tcp idle-time

ip inspect tcp max-incomplete host

ip inspect tcp synwait-time

ip inspect udp idle-time

ip ips

ip ips deny-action ips-interface

ip ips fail closed

ip ips name

ip ips notify

ip ips po local

ip ips po max-events

ip ips po protected

ip ips po remote

ip ips sdf location

ip ips signature

ip ips signature disable


fingerprint

To preenter a fingerprint that can be matched against the fingerprint of a certification authority (CA) certificate during authentication, use the fingerprint command in ca-trustpoint configuration mode. To remove the preentered fingerprint, use the no form of this command.

fingerprint ca-fingerprint

no fingerprint ca-fingerprint

Syntax Description

ca-fingerprint

Certificate fingerprint.


Defaults

A fingerprint is not preentered for a trustpoint, and if the authentication request is interactive, you must verify the fingerprint that is displayed during authentication of the CA certificate. If the authentication request is noninteractive, the certificate will be rejected without a preentered fingerprint.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.3(12)

This command was introduced. This release supports only Message Digest 5 (MD5) fingerprints.

12.3(13)T

Support was added for Secure Hash Algorithm 1 (SHA1), but only for Cisco IOS T releases.


Usage Guidelines


Note If the authentication request is made using the CLI, it is considered an interactive request. If the authentication request is made using HTTP or another management tool, it is considered a noninteractive request.


Preenter the fingerprint if you want to avoid responding to the verify question during CA certificate authentication or if you will be requesting authentication noninteractively. The preentered fingerprint may be either the MD5 fingerprint or the SHA1 fingerprint of the CA certificate.

If you are authenticating a CA certificate and a fingerprint was preentered, the certificate is accepted when the preentered fingerprint matches that of the certificate and rejected when it does not.

If requesting authentication noninteractively, the fingerprint must be preentered or the certificate will be rejected. The verify question will not be asked when requesting authentication noninteractively.

If you are requesting authentication interactively without preentering the fingerprint, the fingerprint of the certificate will be displayed, and you will be asked to verify it.

Examples

The following example shows how to preenter an MD5 fingerprint before authenticating a CA certificate:

Router (config)# crypto pki trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto pki authenticate myTrustpoint
Certificate has the following attributes:
       Fingerprint MD5: 6513D537 7AEA61B7 29B7E8CD BBAA510B
      Fingerprint SHA1: 998CCFAA 5816ECDE 38FC217F 04C11F1D DA06667E
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
Router (config)#

The following is an example for Cisco Release 12.3(12). Note that the SHA1 fingerprint is not displayed because it is not supported by this release.

Router (config)# crypto ca trustpoint myTrustpoint
Router (ca-trustpoint)# fingerprint 6513D537 7AEA61B7 29B7E8CD BBAA510B
Router (ca-trustpoint)# exit
Router (config)# crypto ca authenticate myTrustpoint
Certificate has the following attributes:
           Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Trustpoint Fingerprint: 6513D537 7AEA61B7 29B7E8CD BBAA510B
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.
Router (config)#
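As an added illustration that is not part of the Cisco reference, the following Python code reproduces the fingerprint rules described in the usage guidelines: it computes the MD5 and SHA-1 fingerprint of a certificate's DER bytes in the spaced, uppercase hex layout the router prints, compares a preentered value against them regardless of case and spacing, and applies the interactive/noninteractive decision. The certificate bytes are a constructed placeholder rather than a real certificate, and the function names are this example's own.

```python
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for the DER bytes of a CA certificate (not a real certificate).
# In practice this is the DER-encoded certificate the trustpoint retrieves from the CA.
CA_CERT_DER = b"CONSTRUCTED-CA-CERTIFICATE-DER-BYTES-FOR-DEMO"

# Cisco IOS prints fingerprints as uppercase hex in 8-character groups.
GROUP = 8


def fingerprint(der: bytes, algorithm: str) -> str:
    """Return the fingerprint of DER bytes in the router's spaced, uppercase hex format."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return " ".join(digest[i:i + GROUP] for i in range(0, len(digest), GROUP))


def normalize(fp: str) -> str:
    """Strip spaces and case so that an operator's pasted value compares reliably."""
    return "".join(fp.split()).upper()


def fingerprint_matches(preentered: str, der: bytes) -> bool:
    """Compare a preentered fingerprint against the certificate.

    The digest length selects the algorithm (32 hex chars -> MD5, 40 -> SHA-1),
    since either form may be preentered. A constant-time compare avoids leaking
    how many leading characters matched; any other length is treated as no match.
    """
    wanted = normalize(preentered)
    algorithm = {32: "md5", 40: "sha1"}.get(len(wanted))
    if algorithm is None:
        return False
    actual = normalize(fingerprint(der, algorithm))
    return hmac.compare_digest(wanted, actual)


def authenticate(der: bytes, preentered: Optional[str], interactive: bool) -> str:
    """Decide the outcome of CA certificate authentication.

    Mirrors the rules in the usage guidelines:
      * fingerprint preentered: accept only if it matches, otherwise reject
      * not preentered, noninteractive request: reject
      * not preentered, interactive request: the operator must verify the
        displayed fingerprint (returned here as a 'verify' prompt string)
    """
    if preentered is not None:
        return "accepted" if fingerprint_matches(preentered, der) else "rejected"
    if not interactive:
        return "rejected"
    return "verify: MD5 %s / SHA1 %s" % (fingerprint(der, "md5"), fingerprint(der, "sha1"))


if __name__ == "__main__":
    known = fingerprint(CA_CERT_DER, "sha1")          # value obtained out of band from the CA
    print(authenticate(CA_CERT_DER, known, interactive=False))
    print(authenticate(CA_CERT_DER, None, interactive=True))
```

The decisive point for a noninteractive deployment is that the preentered value must come from an out-of-band source (the CA operator, a printed fingerprint), never from the same download as the certificate, otherwise the comparison proves nothing.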

Related Commands

Command
Description

crypto ca authenticate

Authenticates the CA (by getting the certificate of the CA).

crypto ca trustpoint

Declares the CA that your router should use.


firewall are-u-there

To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.

firewall are-u-there

no firewall are-u-there

Syntax Description

This command has no arguments or keywords.

Defaults

The server will not send the Firewall-Are-U-There attribute to the client.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only, that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall will not respond with their capabilities, and their connections will be dropped.

The Firewall-Are-U-There attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.

An example of an attribute-value (AV) pair for the Firewall-Are-U-There attribute is as follows:

ipsec:firewall=1

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.


Note The Firewall-Are-U-There attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Firewall-Are-U-There attribute has been configured:

crypto isakmp client configuration group group1
 firewall are-u-there

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the group policy information that has to be defined or changed.


fqdn (ca-trustpoint)

To specify a fully qualified domain name (FQDN) that will be included as "unstructuredName" in the certificate request, use the fqdn command in ca-trustpoint configuration mode. To remove the FQDN, use the no form of this command.

fqdn {name | none}

no fqdn {name | none}

Syntax Description

name

FQDN that will be included as "unstructuredName" in the certificate request.

none

Router FQDN will not be included in the certificate request.


Defaults

The FQDN is not configured. The router FQDN will be included as "unstructuredName" in the certificate request.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(13)T

This command was introduced.


Usage Guidelines

Before you can issue this command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode. The fqdn command is a subcommand that allows you to specify a certificate enrollment parameter. Use the fqdn command to include a different FQDN from that of the router in the certificate request or to specify that an FQDN should not be included in the certificate request.

Examples

The following example shows two trustpoint configurations: in the first, no FQDN is included in the certificate request; in the second, the FQDN "jack.cisco.com" is included in the certificate request instead of the router FQDN:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn none
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 fqdn jack.cisco.com

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


fqdn (crypto identity)

To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.

fqdn name

no fqdn name

Syntax Description

name

Identity used to restrict access to peers with specific certificates.


Defaults

If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.

Command Modes

Crypto identity configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you to set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.


Note The name argument defined in the crypto identity command must match the name argument defined in the fqdn command. That is, the identity of the peer must be the same as the identity in the exchanged certificate.


Examples

The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "little.com":

crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

dn

Associates the identity of the router with the DN in the certificate of the router.


grant auto

To specify automatic certificate enrollment, use the grant auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.

grant auto

no grant auto

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Usage Guidelines

The grant auto command should be used only when testing and building simple networks. This command must be disabled before the network is accessible by the Internet.


Note This command can be used for testing and building simple networks; however, it is recommended that you do not issue this command if your network is generally accessible.


Examples

The following example shows how to enable automatic certificate enrollment for the certificate server "myserver":

Router (config)# ip http server
Router (config)# crypto pki server myserver
Router (cs-server)# database level minimum
Router (cs-server)# grant auto
% This will cause all certificate requests to be automatically granted. 

Are you sure you want to do this? [yes/no]: yes

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


grant auto trustpoint

To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.

grant auto trustpoint label

Syntax Description

label

Name of the non-Cisco IOS CA trustpoint.


Defaults

No default behavior or values.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.


Note The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.


The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).


Caution The grant automatic command can be used for testing and building simple networks and should be disabled before the network is accessible by the Internet. However, it is recommended that you do not issue this command if your network is generally accessible.

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and 
! authenticate the client with the non-Cisco IOS CA.
crypto pki trustpoint msca-root 
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 ip-address FastEthernet2/0
 revocation-check crl
!
! Configure trustpoint "cs" for Cisco IOS CA.
crypto pki trustpoint cs 
 enrollment profile cs1
 revocation-check crl
!
! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the 
! enrollment credential command) that "msca-root" is being initially enrolled with the 
! Cisco IOS CA.
crypto pki profile enrollment cs1
 enrollment url http://cs:80
 enrollment credential msca-root
!
! Configure the certificate server, and issue the grant auto trustpoint command to 
! instruct the certificate server to accept enrollment request only from clients who are 
! already enrolled with trustpoint "msca-root." 
crypto pki server cs
 database level minimum
 database url nvram:
 issuer-name CN=cs
 grant auto trustpoint msca-root
!
crypto pki trustpoint cs
 revocation-check crl
 rsakeypair cs
!
crypto pki trustpoint msca-root
 enrollment mode ra
 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll
 revocation-check crl

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


grant none

To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.

grant none

no grant none

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.


Examples

The following example shows how to automatically reject all certificate enrollment requests for the certificate server "myserver":

Router (config)# ip http server
Router (config)# crypto pki server myserver
Router (cs-server)# database level minimum
Router (cs-server)# grant none

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.

grant automatic

Specifies automatic certificate enrollment.


grant ra-auto

To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.

grant ra-auto

no grant ra-auto

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.


Note For the grant ra-auto command to work, you have to include "cn=ioscs RA" or "ou=ioscs RA" in the subject name of the RA certificate.


Examples

The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:

Router (config)# crypto pki server myserver
Router (cs-server)# grant ra-auto
% This will cause all certificate requests that are already authorized by known RAs to be 
automatically granted.

Are you sure you want to do this? [yes/no]:yes

Related Commands

Command
Description

crypto pki server

Enables a Cisco IOS certificate server and enters certificate server configuration mode.


group (authentication)

To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group {tacacs+ server-group}

no group {tacacs+ server-group}

Syntax Description

tacacs+

Uses a TACACS+ server for authentication.

server-group

Name of the server group to use for authentication.


Defaults

No method list is configured.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:

aaa preauth
 group abc123
 dnis password aaa-DNIS

Related Commands

Command
Description

aaa preauth

Enters AAA preauthentication mode.

dnis (authentication)

Enables AAA preauthentication using DNIS.


group (IKE policy)

To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.

group {1 | 2}

no group

Syntax Description

1

Specifies the 768-bit Diffie-Hellman group.

2

Specifies the 1024-bit Diffie-Hellman group.


Defaults

768-bit Diffie-Hellman (group 1)

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the Diffie-Hellman group to be used in an IKE policy.

Examples

The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):

crypto isakmp policy 15
 group 2
 exit

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

hash (IKE policy)

Specifies the hash algorithm within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


group (local RADIUS server)

To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.

group group-name

no group group-name

Syntax Description

group-name

Name of user group.


Defaults

No default behavior or values

Command Modes

Local RADIUS server configuration

Command History

Release
Modification

12.2(11)JA

This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.

12.3(11)T

This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.


Examples

The following example shows that shared settings are being configured for group "team1":

group team1

Related Commands

Command
Description

block count

Configures the parameters for locking out members of a group to help protect against unauthorized attacks.

clear radius local-server

Clears the statistics display or unblocks a user.

debug radius local-server

Displays the debug information for the local server.

nas

Adds an access point or router to the list of devices that use the local authentication server.

radius-server host

Specifies the remote RADIUS server host.

radius-server local

Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.

reauthentication time

Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.

show radius local-server statistics

Displays statistics for a local network access server.

ssid

Specifies up to 20 SSIDs to be used by a user group.

user

Authorizes a user to authenticate using the local authentication server.

vlan

Specifies a VLAN to be used by members of a user group.


group (RADIUS)

To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group server-group

no group server-group

Syntax Description

server-group

Specifies a AAA RADIUS server group.


Defaults

No default behavior or values.

Command Modes

AAA preauthentication configuration

Command History

Release
Modification

12.1(2)T

This command was introduced.


Usage Guidelines

You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:

aaa group server radius maestro
 server 1.1.1.1 
 server 2.2.2.2 
 server 3.3.3.3 

aaa preauth
 group maestro
 dnis required

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

clid

Preauthenticates calls on the basis of the CLID number.

ctype

Preauthenticates calls on the basis of the call type.

dnis (RADIUS)

Preauthenticates calls on the basis of the DNIS number.

dnis bypass (AAA preauthentication configuration)

Specifies a group of DNIS numbers that will be bypassed for preauthentication.


group-lock

The group-lock command attribute is used to check whether a user attempting to connect to a group actually belongs to that group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, the client connection is terminated.

To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.


Note Preshared keys are supported only. Certificates are not supported.


group-lock

no group-lock

Syntax Description

This command has no arguments or keywords.

Defaults

Group lock is not configured.

Command Modes

ISAKMP group configuration (config-isakmp-group)

Command History

Release
Modification

12.2(13)T

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.


Usage Guidelines

The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:

name/group

name\group

name@group

name%group

where \, /, @, and % are the delimiters. The group specified after the delimiter is compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.


Caution Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.

The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.


Note If local authentication is used, then the Group-Lock attribute is the only option.


The username in the local or RADIUS database must be of the following format:

username[/,\,%,@]group.

Examples

The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:


Note You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.


crypto isakmp client configuration group cisco
  group-lock

The following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:


Note If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.


ipsec:group-lock=1
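As an added example that is not part of the Cisco reference, the following Python code shows the Group-Lock check described in the usage guidelines: the extended Xauth username is split at one of the four delimiters (/, \, @, %), and the group after the delimiter must equal the VPN group name (ID_KEY_ID) sent during IKE aggressive mode or the connection is rejected. The split-at-last-delimiter rule and the function names are assumptions made for this example, not documented router behaviour.

```python
from typing import Optional, Tuple

# Delimiters the reference lists for the extended Xauth username:
# name/group, name\group, name@group, name%group.
DELIMITERS = "/\\@%"


def parse_xauth_username(username: str) -> Optional[Tuple[str, str]]:
    """Split an Xauth username into (name, group).

    Returns None when the username carries no group (no delimiter present) or
    when either side of the delimiter is empty.
    Assumption for this example: the split happens at the LAST delimiter, so a
    name that itself contains one of the characters (for instance an e-mail
    style name) still yields the trailing group.
    """
    idx = max(username.rfind(d) for d in DELIMITERS)
    if idx < 0:
        return None
    name, group = username[:idx], username[idx + 1:]
    if not name or not group:
        return None
    return name, group


def group_lock_check(xauth_username: str, ike_group_id: str) -> bool:
    """Emulate the Group-Lock decision.

    The group after the delimiter must equal the VPN group name (ID_KEY_ID)
    received during IKE aggressive mode; otherwise the connection is rejected.
    A username without a group cannot satisfy the lock, so it is rejected too.
    The comparison is exact (case-sensitive), matching a literal ID compare.
    """
    parsed = parse_xauth_username(xauth_username)
    if parsed is None:
        return False
    _, group = parsed
    return group == ike_group_id


if __name__ == "__main__":
    # Constructed values: the IKE group ID comes from the crypto isakmp client
    # configuration group name, the username from the Xauth exchange.
    for user in ("alice/cisco", "alice@cisco", "bob/sales", "carol"):
        print(user, "->", "accepted" if group_lock_check(user, "cisco") else "rejected")
```

The useful operational consequence is that a user who belongs to "sales" cannot reuse the "cisco" group's preshared key simply by knowing it: the local or RADIUS username entry pins the user to a group, and the IKE group ID must agree.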

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the group policy information that has to be defined or changed.


hash (IKE policy)

To specify the hash algorithm within an Internet Key Exchange (IKE) policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.

hash {sha | md5}

no hash

Syntax Description

sha

Specifies SHA-1 (HMAC variant) as the hash algorithm.

md5

Specifies MD5 (HMAC variant) as the hash algorithm.


Defaults

The SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Command History

Release
Modification

11.3 T

This command was introduced.


Usage Guidelines

Use this command to specify the hash algorithm to be used in an IKE policy.

Examples

The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

crypto isakmp policy 15
 hash md5
 exit
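The group (IKE policy) and hash (IKE policy) sections both note that a policy falls back to a default (group 1, the 768-bit Diffie-Hellman group, and SHA-1) when the value is not set, and a default is not shown in the running configuration. The following Python code, an added example that is not part of the Cisco reference, parses the crypto isakmp policy blocks of a configuration text, fills in those defaults, and reports which policies end up on the smaller DH group or on MD5, the weaker of the two choices each command offers. The configuration excerpt is constructed for the example and the function names are its own.

```python
import re
from typing import Dict, List

# Defaults documented for the IKE policy commands: group 1 (768-bit DH) and
# hash sha (SHA-1) apply whenever the policy does not set them explicitly.
DEFAULTS = {"group": "1", "hash": "sha"}
DH_BITS = {"1": 768, "2": 1024}

# Constructed running-config excerpt (not taken from the page).
SAMPLE_CONFIG = """\
hostname vpn-gw
!
crypto isakmp policy 15
 encr 3des
 hash md5
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Collect each 'crypto isakmp policy N' block with its group and hash,
    starting from the documented defaults so that unset values are visible."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None          # a non-indented line ends the policy block
            continue
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("group", "hash"):
            policies[current][parts[0]] = parts[1]
    return policies


def weak_settings(policy: Dict[str, str]) -> List[str]:
    """Flag the smaller DH group and MD5, the weaker option of each command."""
    findings = []
    if policy["group"] == "1":
        findings.append("group 1 (768-bit Diffie-Hellman)")
    if policy["hash"] == "md5":
        findings.append("hash md5")
    return findings


def audit(config: str) -> Dict[int, List[str]]:
    """Map each policy number to the list of weaker settings it uses."""
    return {n: weak_settings(p) for n, p in parse_isakmp_policies(config).items()}


if __name__ == "__main__":
    for number, findings in audit(SAMPLE_CONFIG).items():
        print("policy %d: %s" % (number, ", ".join(findings) or "no findings"))
```

Policy 20 in the sample never mentions group or hash, so a review that only greps for "group 1" would miss it; filling in the defaults before auditing is what makes the silent 768-bit choice visible.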

Related Commands

Command
Description

authentication (IKE policy)

Specifies the authentication method within an IKE policy.

crypto isakmp policy

Defines an IKE policy.

encryption (IKE policy)

Specifies the encryption algorithm within an IKE policy.

group (IKE policy)

Specifies the Diffie-Hellman group identifier within an IKE policy.

lifetime (IKE policy)

Specifies the lifetime of an IKE SA.

show crypto isakmp policy

Displays the parameters for each IKE policy.


heading

To set the heading that is displayed above all URLs on the portal page of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the heading command in Web VPN URL configuration mode. To remove the heading, use the no form of this command.

heading heading-name

no heading heading-name

Syntax Description

heading-name

Name of the heading.


Defaults

A URL list is not configured.

Command Modes

Web VPN URL configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

This command sets the headings that are displayed above all URLs on the portal page.

Examples

The following example shows that the heading has been set to "Engineering":

Router (config)# webvpn
Router (config-webvpn)# url-list englist
Router (config-webvpn-url)# heading Engineering

Related Commands

Command
Description

url-list

Configures the list of URLs to which a user has access on the portal page of an SSLVPN and enters URL configuration mode.

webvpn

Enters Web VPN configuration mode.


identity

To set the identity to the crypto map, use the identity command in crypto map configuration mode.

identity name

Syntax Description

name

Identity used to permit or restrict access for a host to a crypto map.


Defaults

If this command is not enabled, the encrypted connection does not have any restrictions other than the IP address of the encrypting peer.

Command Modes

Crypto map configuration

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the identity command to set the identity to the configured crypto maps. When this command is applied, only the hosts that match a configuration listed within the name argument can use that crypto map.

Examples

The following example shows how to configure two IP Security (IPSec) crypto maps and apply the identity to each crypto map. That is, the identity is set to "to-bigbiz" for the first crypto map and "to-little-com" for the second crypto map.

! The following is an IPSec crypto map (part of IPSec configuration). It can be used only 
! by peers that have been authenticated by DN and if the certificate belongs to BigBiz.
crypto map map-to-bigbiz 10 ipsec-isakmp
 set peer 172.21.114.196
 set transform-set my-transformset 
 match address 124
 identity to-bigbiz
!
crypto identity to-bigbiz
 dn ou=BigBiz
!
!
! This crypto map can be used only by peers that have been authenticated by hostname
! and if the certificate belongs to little.com.
crypto map map-to-little-com 10 ipsec-isakmp
 set peer 172.21.115.119
 set transform-set my-transformset 
 match address 125
 identity to-little-com
!
crypto identity to-little-com
 fqdn little.com
!

Related Commands

Command
Description

crypto identity

Configures the identity of the router with a given list of DNs in the certificate of the router.

crypto map (global IPSec)

Creates or modifies a crypto map entry and enters the crypto map configuration mode.

crypto mib ipsec flowmib history failure size

Associates the identity of the router with the DN in the certificate of the router.

fqdn

Associates the identity of the router with the hostname that the peer used to authenticate itself.


identity policy

To create an identity policy and to enter identity policy configuration mode, use the identity policy command in global configuration mode. To remove the policy, use the no form of this command.

identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]

no identity policy policy-name [access-group group-name | description line-of-description | redirect url | template [virtual-template interface-number]]

Syntax Description

policy-name

Name of the policy.

access-group group-name

(Optional) Access list to be applied.

description line-of-description

(Optional) Description of the policy.

redirect url

(Optional) Redirects clients to a particular URL.

template

(Optional) Virtual template interface from which commands may be cloned.

virtual-template interface-number

(Optional) Virtual template number. The values range from 1 through 200.


Defaults

An identity policy is not created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

An identity policy has to be associated with an identity profile.

Examples

The following example shows that an access policy named "greentree" is being created. The access-group attribute is set to "allow-access." The redirect URL is set to "http://remediate-url.com." This access policy will be associated with a statically authorized device in the identity profile.

Router (config)# identity policy greentree
Router (config-identity-policy)# access-group allow-access
Router (config-identity-policy)# redirect url http://remediate-url.com

Related Commands

Command
Description

identity profile

Creates an identity profile.


identity profile

To create an identity profile and to enter identity profile configuration mode, use the identity profile command in global configuration mode. To disable an identity profile, use the no form of this command.

identity profile {default | dot1x | eapoudp}

no identity profile {default | dot1x | eapoudp}

Syntax Description

default

Service type is default.

dot1x

Service type for 802.1X.

eapoudp

Service type for Extensible Authentication Protocol over UDP (EAPoUDP).


Defaults

An identity profile is not created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.

12.3(8)T

The eapoudp keyword was added.


Usage Guidelines

The identity profile command and default keyword allow you to configure static MAC addresses of a client computer that does not support 802.1X and to authorize or unauthorize them statically. After you have issued the identity profile command and default keyword and are in identity profile configuration mode, you can specify the configuration of a template that can be used to create the virtual access interface to which unauthenticated supplicants (client computers) will be mapped.

The identity profile command and the dot1x keyword are used by the supplicant and authenticator. Using the dot1x keyword, you can set the username, password, or other identity-related information for an 802.1X authentication.

Using the identity profile command and the eapoudp keyword, you can statically authenticate or unauthenticate a device on the basis of its IP address, its MAC address, or its device type, and the corresponding network access policy can be specified using the identity policy command.

Examples

The following example shows that an identity profile and its description have been specified:

Router (config)# identity profile default
Router (config-identity-prof)# description description_entered_here

The following example shows that an EAP username has been entered:

Router (config)# identity profile dot1x
Router (config-identity-prof)# eap username user1

The following example shows that an EAPoUDP identity profile has been created:

Router (config)# identity profile eapoudp

Related Commands

Command
Description

debug dot1x

Displays 802.1X debugging information.

description

Enters an 802.1X description.

device

Statically authorizes or rejects individual devices.

dot1x initialize

Initializes an interface.

dot1x max-req

Sets the maximum number of times that a router can send an EAP request/identity frame to a client PC.