Table Of Contents
keepalive (isakmp profile)
kerberos clients mandatory
kerberos credentials forward
kerberos instance map
kerberos local-realm
kerberos preauth
kerberos realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote
key (isakmp-group)
key config-key
key config-key password-encryption
keyring
key-string (IKE)
lifetime (certificate server)
lifetime (IKE policy)
lifetime crl
lifetime enrollment-request
li-view
local-address
login authentication
login block-for
login delay
login on-failure
login on-success
login quiet-mode access-class
login-message
logo
mac-address (RITE)
match address (IPSec)
match certificate (ca-trustpoint)
match certificate (ISAKMP)
match certificate override cdp
match identity
max-header-length
max-logins
max-uri-length
max-users
mode (IPSec)
mode ra
mode sub-cs
name (view)
named-key
nas
no crypto engine software ipsec
no crypto xauth
no ip inspect
no ip ips sdf builtin
ocsp url
outgoing
keepalive (isakmp profile)
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in Internet Security Association Key Management Protocol (ISAKMP) profile configuration mode. To return to the default, use the no form of this command.
keepalive seconds retry retry-seconds
no keepalive seconds retry retry-seconds
Syntax Description
seconds
|
Number of seconds between DPD messages. The range is from 10 to 3600 seconds.
|
retry retry-seconds
|
Number of seconds between retries if DPD message fails. The range is from 2 to 60 seconds.
|
Defaults
If this command is not configured, a DPD message is not sent to the client.
Command Modes
ISAKMP profile configuration
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
Usage Guidelines
Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.
Examples
The following example shows that DPD messages have been configured to be sent every 60 seconds and every 5 seconds between retries if the peer does not respond:
crypto isakmp profile vpnprofile
kerberos clients mandatory
To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command.
kerberos clients mandatory
no kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the non-Kerberized protocols if unsuccessful.
If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate.
Examples
The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server:
kerberos clients mandatory
Related Commands
Command
|
Description
|
connect
|
Logs in to a host that supports Telnet, rlogin, or LAT.
|
kerberos credentials forward
|
Forces all network application clients on the router to forward the Kerberos credentials of users upon successful Kerberos authentication.
|
rlogin
|
Logs in to a UNIX host using rlogin.
|
rsh
|
Executes a command remotely on a remote rsh host.
|
telnet
|
Logs in to a host that supports Telnet.
|
kerberos credentials forward
To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command.
kerberos credentials forward
no kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
Enable credentials forwarding to have users' ticket granting tickets (TGTs) forwarded to the host on which they authenticate. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.
Examples
The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication:
kerberos credentials forward
Related Commands
Command
|
Description
|
connect
|
Logs in to a host that supports Telnet, rlogin, or LAT.
|
rlogin
|
Logs in to a UNIX host using rlogin.
|
rsh
|
Executes a command remotely on a remote rsh host.
|
telnet
|
Logs in to a host that supports Telnet.
|
kerberos instance map
To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command.
kerberos instance map instance privilege-level
no kerberos instance map instance
Syntax Description
instance
|
Name of a Kerberos instance.
|
privilege-level
|
The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.
|
Defaults
Privilege level 1
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
Use this command to create user instances with access to administrative commands.
Examples
The following example sets the privilege level to 15 for authenticated Kerberos users with the admin instance in Kerberos realm:
kerberos instance map admin 15
Related Commands
Command
|
Description
|
aaa authorization
|
Sets parameters that restrict user access to a network.
|
kerberos local-realm
To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command.
kerberos local-realm kerberos-realm
no kerberos local-realm
Syntax Description
kerberos-realm
|
The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters.
|
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.1
|
This command was introduced.
|
Usage Guidelines
The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.
Examples
The following example specify the Kerberos realm in which the router is located as EXAMPLE.COM:
kerberos local-realm EXAMPLE.COM
Related Commands
Command
|
Description
|
kerberos preauth
|
Specifies a preauthentication method to use to communicate with the KDC.
|
kerberos realm
|
Maps a host name or DNS domain to a Kerberos realm.
|
kerberos server
|
Specifies the location of the Kerberos server for a given Kerberos realm.
|
kerberos srvtab entry
|
Specifies a krb5 SRVTAB entry.
|
kerberos srvtab remote
|
Retrieves a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration.
|
kerberos preauth
To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command.
kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]
no kerberos preauth
Syntax Description
encrypted-unix-timestamp
|
(Optional) Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
|
encrypted-kerberos-timestamp
|
(Optional) Use the RFC1510 kerberos timestamp as a quick authentication method when communicating with the KDC.
|
none
|
(Optional) Do not use Kerberos preauthentication.
|
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.
The no form of this command is equivalent to using the none keyword.
Examples
The following example enables Kerberos preauthentication:
kerberos preauth encrypted-unix-timestamp
The following example disables Kerberos preauthentication:
Related Commands
Command
|
Description
|
kerberos local-realm
|
Specifies the Kerberos realm in which the router is located.
|
kerberos server
|
Specifies the location of the Kerberos server for a given Kerberos realm.
|
kerberos srvtab entry
|
Specifies a krb5 SRVTAB entry.
|
kerberos srvtab remote
|
Retrieves a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration.
|
kerberos realm
To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command.
kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm
Syntax Description
dns-domain
|
Name of a DNS domain or host.
|
host
|
Name of a DNS host.
|
kerberos-realm
|
Name of the Kerberos realm to which the specified domain or host belongs.
|
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.1
|
This command was introduced.
|
Usage Guidelines
DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this line.
A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters. The router can be located in more than one realm at a time. Kerberos realm names must be in all uppercase characters.
Examples
The following example maps the domain name "example.com" to the Kerberos realm, EXAMPLE.COM:
kerberos realm .example.com EXAMPLE.COM
Related Commands
Command
|
Description
|
kerberos local-realm
|
Specifies the Kerberos realm in which the router is located.
|
kerberos server
|
Specifies the location of the Kerberos server for a given Kerberos realm.
|
kerberos srvtab entry
|
Specifies a krb5 SRVTAB entry.
|
kerberos srvtab remote
|
Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
|
kerberos server
To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command.
kerberos server kerberos-realm {host-name | ip-address} [port-number]
no kerberos server kerberos-realm {host-name | ip-address}
Syntax Description
kerberos-realm
|
Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
|
host-name
|
Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
|
ip-address
|
IP address of the host functioning as the Kerberos server for the specified Kerberos realm.
|
port-number
|
(Optional) Port that the key distribution center (KDC) monitors (defaults to 88).
|
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.1
|
This command was introduced.
|
Usage Guidelines
Use the kerberos server command to specify the location of the Kerberos server for a given realm.
Examples
The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM:
kerberos server EXAMPLE.COM 192.168.47.66
Related Commands
Command
|
Description
|
kerberos local-realm
|
Specifies the Kerberos realm in which the router is located.
|
kerberos realm
|
Maps a host name or DNS domain to a Kerberos realm.
|
kerberos srvtab entry
|
Specifies a krb5 SRVTAB entry.
|
kerberos srvtab remote
|
Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
|
kerberos srvtab entry
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. To remove a SRVTAB entry from the router's configuration, use the no form of this command.
kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type
key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description
kerberos-principal
|
A service on the router.
|
principal-type
|
Version of the Kerberos SRVTAB.
|
timestamp
|
Number representing the date and time the SRVTAB entry was created.
|
key-version number
|
Version of the encryption key format.
|
key-type
|
Type of encryption used.
|
key-length
|
Length, in bytes, of the encryption key.
|
encrypted-keytab
|
Secret key the router shares with the key distribution center (KDC). It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.
|
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.
If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.
If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.
Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
Examples
In the following example, host/new-router.example.com@EXAMPLE.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates the DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:
kerberos srvtab entry host/new-router.example.com@EXAMPLE.COM 0 817680774 1 1 8
.cCN.YoU.okK
Related Commands
Command
|
Description
|
kerberos srvtab remote
|
Retrieves a krb5 SRVTAB file from the specified host.
|
key config-key
|
Defines a private DES key for the router.
|
kerberos srvtab remote
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote command in global configuration mode.
kerberos srvtab remote {boot_device:URL}
Syntax Description
URL
|
Machine that has the Kerberos SRVTAB file.
|
ip-address
|
IP address of the machine that has the Kerberos SRVTAB file.
|
filename
|
Name of the SRVTAB file.
|
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the key distribution center [KDC]), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.
Examples
The following example copies the SRVTAB file residing on b1.example.com to a router named s1.example.com:
kerberos srvtab remote tftp://b1.example.com/s1.example.com-new-srvtab
Related Commands
Command
|
Description
|
kerberos srvtab entry
|
Retrieves a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration.
|
key config-key
|
Defines a private DES key for the router.
|
key (isakmp-group)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a preshared key, use the no form of this command.
key name
no key name
Syntax Description
name
|
IKE preshared key that matches the password entered on the client.
Note This value must match the "password" field that is defined in the Cisco VPN Client 3.x configuration GUI.
|
Defaults
No default behavior or values.
Command Modes
ISAKMP group configuration
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
Usage Guidelines
Use the key command to specify the IKE preshared key when defining group policy information for Mode Configuration push. (It follows the crypto isakmp client configuration group command.) You must configure this command if the client identifies itself to the router with a preshared key. (You do not have to enable this command if the client uses a certificate for identification.)
Examples
The following example shows how to specify the preshared key "cisco":
crypto isakmp client configuration group default
Related Commands
Command
|
Description
|
acl
|
Configures split tunneling.
|
crypto isakmp client configuration group
|
Specifies the DNS domain to which a group belongs.
|
key config-key
To define a private DES key for the router, use the key config-key command in global configuration mode. To delete a private Data Encryption Standard (DES) key from the router, use the no form of this command.
key config-key 1 string
no key config-key 1 string
Syntax Description
1
|
Key number. This number is always 1.
|
string
|
Private DES key (can be up to eight alphanumeric characters).
|
Defaults
No DES-key defined.
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.2
|
This command was released.
|
Usage Guidelines
This command defines a private DES key for the router that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.
Caution 
The private DES key is unrecoverable. If you encrypt part of your configuration with the private DES key and lose or forget the key, you will not be able to recover the encrypted data.
Examples
The following example sets keyxx as the private DES key on the router:
Related Commands
Command
|
Description
|
kerberos srvtab entry
|
Specifies a krb5 SRVTAB entry.
|
kerberos srvtab remote
|
Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
|
key config-key password-encryption
To store a type 6 encryption key in private NVRAM, use the key config-key password-encryption command in global configuration mode. To disable the encryption, use the no form of this command.
key config-key password-encryption [text]
no key config-key password-encryption [text]
Syntax Description
text
|
(Optional) Password or master key.
Note It is recommended that you do not use the text argument but instead use interactive mode (using the enter key after you enter the key config-key password-encryption command) so that the preshared key will not be printed anywhere and, therefore, cannot be seen.
|
Defaults
No type 6 password encryption
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(2)T
|
This command was introduced.
|
Usage Guidelines
You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"
Changing a Password
If the password (master key) is changed, or reencrypted, using the key config-key password-encryption command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution 
If the password configured using the
key config-key password-encryption command is lost, it cannot be recovered. The password should be stored in a safe location.
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."
If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Examples
The following example shows that a type 6 encryption key is to be stored in NVRAM:
Router (config)# key config-key password-encryption
Related Commands
Command
|
Description
|
password encryption aes
|
Enables a type 6 encrypted preshared key.
|
password logging
|
Provides a log of debugging output for a type 6 password operation.
|
keyring
To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring keyring-name
no keyring keyring-name
Syntax Description
keyring-name
|
The keyring name, which must match the keyring name that was defined in the global configuration.
|
Defaults
If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.
Command Modes
ISAKMP profile configuration
Command History
Release
|
Modification
|
12.2(15)T
|
This command was introduced.
|
Usage Guidelines
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.
Examples
The following example shows that "vpnkeyring" is configured as the keyring name:
crypto isakmp profile vpnprofile
key-string (IKE)
To specify the Rivest, Shamir, and Adelman (RSA) public key of the remote peer, use the key-string command in public key configuration mode. To remove the RSA public key, use the no form of this command.
key-string key-string
no key-string key-string
Syntax Description
key-string
|
Enter the key in hexadecimal format. While entering the key data, you can press Return to continue entering data.
|
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
Usage Guidelines
Before using this command, you must enter the rsa-pubkey command in the crypto keyring mode.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Examples
The following example manually specifies the RSA public keys of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command
|
Description
|
crypto keyring
|
Defines a crypto keyring.
|
rsa-pubkey
|
Defines the RSA public key to be used for encryption or signatures during IKE authentication.
|
show crypto keyring
|
Displays keyrings on your router.
|
lifetime (certificate server)
To specify the lifetime of the certification authority (CA) or a certificate, use the lifetime command in certificate server configuration mode. To return to the default lifetime values, use the no form of this command.
lifetime {ca-certificate | certificate} time
no lifetime {ca-certificate | certificate} time
Syntax Description
ca-certificate
|
Lifetime is for the CA certificate of the certificate server.
|
certificate
|
Lifetime is for the certificate of the certificate server.
The maximum certificate lifetime is one month less than the expiration date of the CA certificate's lifetime.
|
time
|
Lifetime value in days. Valid values range from 1 day to 1825 days.
All certificates are valid on the date that they are issued.
|
Defaults
The default CA certificate lifetime is 3 years.
The default certificate lifetime is 1 year.
Command Modes
Certificate server configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
After you enable a certificate server via the crypto pki server command, use the lifetime command if you wish to specify lifetime values other than the default values for the CA certificate and the certificate of the certificate server.
After the certificate generates its signed certificate, the lifetime cannot be changed.
Examples
The following example shows how to set the lifetime value for the CA to 30 days:
Router(config)# ip http server
Router(config)# crypto pki server mycertserver
Router(cs-server)# lifetime ca certificate 30
Related Commands
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
|
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
|
Number of many seconds for each each SA should exist before expiring. Use an integer from 60 to 86,400 seconds, which is the default value.
|
Defaults
86,400 seconds (one day)
Command Modes
ISAKMP policy configuration
Command History
Release
|
Modification
|
11.3 T
|
This command was introduced.
|
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
Related Commands
Command
|
Description
|
authentication (IKE policy)
|
Specifies the authentication method within an IKE policy.
|
crypto isakmp policy
|
Defines an IKE policy.
|
encryption (IKE policy)
|
Specifies the encryption algorithm within an IKE policy.
|
group (IKE policy)
|
Specifies the Diffie-Hellman group identifier within an IKE policy.
|
hash (IKE policy)
|
Specifies the hash algorithm within an IKE policy.
|
show crypto isakmp policy
|
Displays the parameters for each IKE policy.
|
lifetime crl
To define the lifetime of the certificate revocation list (CRL) that is used by the certificate server, use the lifetime crl command in certificate server configuration mode. To return to the default value of 1 week, use the no form of this command.
lifetime crl time
no lifetime crl time
Syntax Description
time
|
Lifetime value, in hours, of the CRL. Maximum lifetime value is 336 hours (2 weeks). The default value is 168 hours (1 week).
|
Defaults
168 hours (1 week)
Command Modes
Certificate server configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
After you create a certificate server via the crypto pki server command, use the lifetime crl command if you want to specify a value other than the default value for the CRL. The lifetime value is added to the CRL when the CRL is created.
The CRL is written to the specified database location as ca-label.crl.
Examples
The following example shows how to set the lifetime value for the CRL to 24 hours:
Router(config)# ip http server
Router(config)# crypto pki server mycertserver
Router(cs-server)# lifetime crl 24
Related Commands
Command
|
Description
|
cdp-url
|
Specifies that CDP should be used in the certificates that are issued by the certificate server.
|
crypto pki server
|
Enables a Cisco IOS certificate server and enters PKI configuration mode.
|
lifetime enrollment-request
To specify how long an enrollment request should stay in the enrollment database, use the lifetime enrollment-request command in certificate server configuration mode. To return to the default value of 1 week, use the no form of this command.
lifetime enrollment-request time
no lifetime enrollment-request
Syntax Description
time
|
Lifetime value, in hours, of an enrollment request. The maximum lifetime value is 1000 hours. The default value is 168 hours (1 week).
|
Defaults
Lifetime value default is 168 hours.
Command Modes
Certificate server configuration
Command History
Release
|
Modification
|
12.3(7)T
|
This command was introduced.
|
Usage Guidelines
After the certificate server receives an enrollment request, it can leave the request in pending, reject it, or grant it. The request is left in the Enrollment Request Database for the lifetime of the enrollment request until the client polls the certificate server for the result of the request.
Examples
The following example shows how to set the lifetime value for the enrollment request to 24 hours:
Router (config)# crypto pki server mycs
Router (cs-server)# lifetime enrollment-request 24
Related Commands
Related Commands*0
Command
|
Description
|
crypto pki server
|
Enables a Cisco IOS certificate server.
|
crypto pki server grant
|
Grants all or certain SCEP requests.
|
crypto pki server remove
|
Removes enrollment requests that are in the certificate server Enrollment Request Database.
|
li-view
To initialize a lawful intercept view, use the li-view command in global configuration mode.
li-view li-password user username password password
Syntax Description
li-password
|
Associates the lawful interface view with a password. The password can contain any number of alphanumeric characters.
Note The password is case sensitive.
|
user username
|
User who can access the lawful intercept view.
|
password password
|
Associates a password with the specified user username option; that is, the user must provide the specified password to access the view.
|
Defaults
A lawful intercept view cannot be accessed.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.3(7)T
|
This command was introduced.
|
Usage Guidelines
Like a command-line interface (CLI) view, a lawful intercept view restricts access to specified commands and configuration information. Specifically, a lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that stores information about calls and users.
Commands available in lawful intercept view belong to one of the following categories:
•
Lawful intercept commands that should not be made available to any other view or privilege level.
•
CLI that are useful for lawful intercept users but do not need to be excluded from other views or privilege levels.
Note
Only a system administrator or a level 15 privilege user can initialize a lawful intercept view.
Examples
The following example shows how to configure a lawful intercept view, add users to the view, and verify the users that were added to the view:
Router(config-view)# li-view lipass user li_admin password li_adminpass
00:19:25:%PARSER-6-LI_VIEW_INIT:LI-View initialized.
! Enter the LI-View; that is, check to see what commands are available within the view.
Router# enable view li-view
00:22:57:%PARSER-6-VIEW_SWITCH:successfully set to view 'li-view'.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# parser view li-view