-
Cisco IOS Security Command Reference, Release 12.3 T
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through clear ip ips statistics
-
Security Commands: clear ip sdee through crypto isakmp nat keepalive
-
Security Commands: crypto key decrypt rsa through ctype
-
Security Commands: D through evaluate
-
Security Commands: fingerprint through ip ips signature disable
-
Security Commands: ip port-map through issuer name
-
Security Commands: keepalive (isakmp profile) through outgoing
-
Security Commands: parameter through quit
-
Security Commands: radius-server attribute 11 direction default through rsa-pubkey
-
Security Commands: save-password through show crypto ipsec transform-set
-
Security Commands: show crypto isakmp key through subject-name
-
Security Commands: tacacs-server administration through xauth userid mode
-
Table Of Contents
parameter
To specify parameters for an enrollment profile, use the parameter command in ca-profile-enroll configuration mode. To disable specified parameters, use the no form of this command.
parameter number {value value | prompt string}
no parameter number {value value | prompt string}
Syntax Description
Defaults
No enrollment profile paramters are specified.
Command Modes
Ca-profile-enroll configuration
Command History
12.2(13)ZH
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The parameter command can be used within an enrollment profile after the authentication command command or the enrollment command has been enabled.
Examples
The following example shows how to specify parameters for the enrollment profile named "E":
crypto ca trustpoint Entrustenrollment profile Eserialcrypto ca profile enrollment Eauthentication url http://entrust:81authentication command GET /certs/cacert.derenrollment url http://entrust:81/cda-cgi/clientcgi.exeenrollment command POST reference_number=$P2&authcode=$P1&retrievedAs=rawDER&action=getServerCert&pkcs10Request=$REQparameter 1 value aaaa-bbbb-ccccparameter 2 value 5001Related Commands
parser view
To create or change a command-line interface (CLI) view and enter view configuration mode, use the parser view command in global configuration mode. To delete a view, use the no form of this command.
parser view view-name
no parser view view-name
Syntax Description
Defaults
A CLI view does not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
A CLI view is a set of operational commands and configuration capabilities that restrict user access to the CLI and configuration information; that is, a view allows users to define what commands are accepted and what configuration information is visible.
After you have issued the parser view command, you can configure the view via the password 5 command and the commands command.
To use the parser view command, the system of the user must be set to root view. The root view can be enabled via the enable view command.
Examples
The following example show how to configure two CLI views, "first" and "second."
Router(config)# parser view first00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created.Router(config-view)# password 5 firstpassRouter(config-view)# command exec include show versionRouter(config-view)# command exec include configure terminalRouter(config-view)# command exec include all show ipRouter(config-view)# exitRouter(config)# parser view second00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.Router(config-view)# password 5 secondpassRouter(config-view)# command exec include-exclusive show ip interfaceRouter(config-view)# command exec include logoutRouter(config-view)# exitAfter you have successfully created a view, a system message such as the following will be displayed:
%PARSER-6-VIEW_CREATED: view `first' successfully created.After you have successfully deleted a view, a system message such as the following will be displayed:
%PARSER-6-VIEW_DELETED: view `first' successfully deleted.Related Commands
commands (view)
Adds commands to a CLI view.
password 5
Associates a CLI view or a superview with a password.
parser view superview
To create a superview and enter view configuration mode, use the parser view superview command in global configuration mode. To delete a superview, use the no form of this command.
parser view superview-name superview
no parser view superview-name superview
Syntax Description
superview-name
Superview name, which can include 1 to 30 alphanumeric characters.
The superview-name argument must not have a number as the first character.
Defaults
A superview does not exist.
Command Modes
Global configuration
Command History
Usage Guidelines
A superview consists of one or more command-line interface (CLI) views, which allow users to define what commands are accepted and what configuration information is visible. Superviews allow a network administrator to easily assign all users within configured CLI views to a superview instead of having to assign multiple CLI views to a group of users.
Superviews contain the following characteristics:
•
A CLI view can be shared among multiple superviews.
•
•
•
Adding CLI Views to a Superview
You can add a view to a superview only after a password has been configured for the superview (via the password 5 command). Thereafter, issue the view command in view configuration mode to add at least one CLI view to the superview.
Note
Examples
The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":
!parser view su_view1 superviewpassword5 <encoded password>view view_oneview view_two!parser view su_view2 superviewpassword5 <encoded password>view view_threeview view_four!Related Commands
password (ca-trustpoint)
To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.
password string
no password
Syntax Description
Defaults
You are prompted for the password during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Before you can issue the password command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example shows how to specify the password "revokme" for the certificate request:
crypto ca trustpoint frogenrollment url http://frog.phoobin.com/subject-name OU=Spiral Dept., O=tiedye.comip-address ethernet-0auto-enroll regeneratepassword revokmeRelated Commands
password (line configuration)
To specify a password on a line, use the password command in line configuration mode. To remove the password, use the no form of this command.
password password
no password
Syntax Description
Defaults
No password is specified.
Command Modes
Line configuration
Command History
Usage Guidelines
When an EXEC process is started on a line with password protection, the EXEC prompts for the password. If the user enters the correct password, the EXEC prints its normal privileged prompt. The user can try three times to enter a password before the EXEC exits and returns the terminal to the idle state.
Examples
The following example removes the password from virtual terminal lines 1 to 4:
line vty 1 4 no passwordRelated Commands
enable password
Sets a local password to control access to various privilege levels.
password 5
Note
To associate a command-line interface (CLI) view or a superview with a password, use the password 5 command in view configuration mode.
password 5 password
Syntax Description
password
Password for users to enter the CLI view or superview. A password can contain any combination of alphanumeric characters.
Note
Defaults
A user cannot access a CLI view or superview.
Command Modes
View configuration
Command History
12.3(7)T
This command was introduced.
12.3(11)T
This command was enhanced to support superviews.
12.3(14)T
This command was replaced by the secret command.
Usage Guidelines
A user cannot access any commands within the CLI view or superview until the password 5 command has been issued.
Examples
The following example show how to configure two CLI views, "first" and "second" and associate each view with a password:
Router(config)# parser view first00:11:40:%PARSER-6-VIEW_CREATED:view 'first' successfully created.Router(config-view)# password 5 firstpassRouter(config-view)# command exec include show versionRouter(config-view)# command exec include configure terminalRouter(config-view)# command exec include all show ipRouter(config-view)# exitRouter(config)# parser view second00:13:42:%PARSER-6-VIEW_CREATED:view 'second' successfully created.Router(config-view)# password 5 secondpassRouter(config-view)# command exec include-exclusive show ip interfaceRouter(config-view)# command exec include logoutRouter(config-view)# exitRelated Commands
password encryption aes
To enable a type 6 encrypted preshared key, use the password encryption aes command in global configuration mode. To disable password encryption, use the no form of this command.
password encryption aes
no password encryption aes
Syntax Description
This command has no arguments or keywords.
Defaults
Preshared keys are not encrypted.
Command Modes
Global configuration
Command History
Usage Guidelines
You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"
Note
Changing a Password
If the password (master key) is changed, or reencrypted, using the key config-key password-encryption command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Examples
The following example shows that a type 6 encrypted preshared key has been enabled:
Router (config)# password encryption aesRelated Commands
key config-key password-encryption
Stores a type 6 encryption key in private NVRAM.
password logging
Provides a log of debugging output for a type 6 password operation.
password logging
To get a log of debugging output for a type 6 password operation, use the password logging command in privileged EXEC mode. To disable the debugging, use the no form of this command.
password logging
no password logging
Syntax Description
This command has no arguments or keywords.
Defaults
Debug logging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows that debug logging is configured:
Router# password loggingRelated Commands
key config-key password-encryption
Stores an encryption key in private NVRAM.
password encryption aes
Enables a type 6 encrypted preshared key.
permit (reflexive)
To create a reflexive access list and to enable its temporary entries to be automatically generated, use the permit command in access-list configuration mode. To delete the reflexive access list (if only one protocol was defined) or to delete protocol entries from the reflexive access list (if multiple protocols are defined), use the no form of this command.
permit protocol source source-wildcard destination destination-wildcard reflect name [timeout seconds]
no permit protocol source-wildcard destination destination-wildcard reflect name
Syntax Description
Defaults
If this command is not configured, no reflexive access lists will exist, and no session filtering will occur.
If this command is configured without specifying a timeout value, entries in this reflexive access list will expire after the global timeout period.
Command Modes
Access-list configuration
Command History
Usage Guidelines
This command is used to achieve reflexive filtering, a form of session filtering.
For this command to work, you must also nest the reflexive access list using the evaluate command.
This command creates a reflexive access list and triggers the creation of entries in the same reflexive access list. This command must be an entry (condition statement) in an extended named IP access list.
If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to outbound traffic.
If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to inbound traffic.
IP sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the extended named IP access list, the packet is also evaluated against this reflexive permit entry.
As with all access list entries, the order of entries is important, because they are evaluated in sequential order. When an IP packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).
The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating the packet belongs to a session in progress). The temporary entry specifies criteria that permits traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
This command enables the creation of temporary entries in the same reflexive access list that was defined by this command. The temporary entries are created when a packet exiting your network matches the protocol specified in this command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:
•
•
•
•
If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: the temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
•
•
•
•
Examples
The following example defines a reflexive access list tcptraffic, in an outbound access list that permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic and denies all ICMP traffic. This example is for an external interface (an interface connecting to an external network).
First, the interface is defined and the access list is applied to the interface for outbound traffic.
interface Serial 1description Access to the Internet via this interfaceip access-group outboundfilters outNext, the outbound access list is defined and the reflexive access list tcptraffic is created with a reflexive permit entry.
ip access-list extended outboundfilterspermit tcp any any reflect tcptrafficRelated Commands
pfs
To configure a server to notify the client of the central-site policy regarding whether PFS is required for any IP Security (IPSec) Security Association (SA), use the pfs command in global configuration mode. To restore the default behavior, use the no form of this command.
pfs
no pfs
Syntax Description
This command has no arguments or keywords.
Defaults
The server will not notify the client of the central-site policy regarding whether PFS is required for any IPSec SA.
Command Modes
Global configuration
Command History
Usage Guidelines
Before you use the pfs command, you must first configure the crypto isakmp client configuration group command.
An example of an attribute-value (AV) pair for the PFS attribute is as follows:
ipsec:pfs=1Examples
The following example shows that the server has been configured to notify the client of the central-site policy regarding whether PFS is required for any IPSec SA:
crypto isakmp client configuration grouppfsRelated Commands
crypto isakmp client configuration group
Specifies to which group a policy profile will be defined.
pki-server
To specify the certificate server that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the easy secure device deployment (EzSDD) petitioner and the EzSDD registrar, use the pki-server command in tti-registrar configuration mode. To change the specified certificate server, use the no form of this command.
pki-server label
no pki-server label
Syntax Description
Defaults
A certificate server is not associated with the TTI exchange; thus, the petitioner and registrar will not be able to communicate.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
Although any device that contains a crypto image can be the registrar, it is recommended that the registrar be either a Cisco IOS certificate server registration authority (RA) or a Cisco IOS certificate server root.
Examples
The following example shows how to associate the certificate server "cs1" with the TTI exchange:
crypto wui tti registrarpki-server cs1Related Commands
pool (isakmp-group)
To define a local pool address, use the pool command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a local pool from your configuration, use the no form of this command.
pool name
no pool name
Syntax Description
Defaults
No default behavior or values.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
Use the pool command to refer to an IP local pool address, which defines a range of addresses that will be used to allocate an internal IP address to a client. Although a user must define at least one pool name, a separate pool may be defined for each group policy.
Note
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the pool command.
Examples
The following example shows how to refer to the local pool address "dog":
crypto isakmp client configuration group ciscokey ciscodns 10.2.2.2 10.3.2.3pool dogacl 199!ip local pool dog 10.1.1.1 10.1.1.254Related Commands
port-forward
To list the set of forwarded ports to which a user has access, use the port-forward command in Web VPN configuration mode. To remove ports, use the no form of this command.
port-forward {list list-name} {local-port port-number} {remote-server server-name-or-IP-address} {remote-port port-number}
no port-forward {list list-name} {local-port port-number} {remote-server server-name-or-IP-address} {remote-port port-number}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Web VPN configuration
Command History
Usage Guidelines
This command is used for TCP port forwarding.
Examples
The following example shows that the list name is POP3, the local port is 60002, the remote server is mail.youremail.com, and the remote port number is 25:
Router (config)# webvpnRouter (config-webvpn)# port-forward list POP3 local-port 60002 remote-server mail.youremail.com remote-port 25Related CommandsRout
port-misuse
To permit or deny HTTP traffic through the firewall on the basis of specified applications in the HTTP message, use the port-misuse command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
no port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
Syntax Description
Defaults
If this command is not enabled, HTTP messages are permitted through the firewall if any of the applications are detected within the message.
Command Modes
appfw-policy-http configuration
Command History
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.appfw policy-name mypolicyapplication httpstrict-http action allow alarmcontent-length maximum 1 action allow alarmcontent-type-verification match-req-rsp action allow alarmmax-header-length request 1 response 1 action allow alarmmax-uri-length 1 action allow alarmport-misuse default action allow alarmrequest-method rfc default action allow alarmrequest-method extension default action allow alarmtransfer-encoding type default action allow alarm!!! Apply the policy to an inspection rule.ip inspect name firewall appfw mypolicyip inspect name firewall http!!! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.interface FastEthernet0/0ip inspect firewall in!!ppp accounting
To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command.
ppp accounting default
no ppp accounting
Syntax Description
Defaults
Accounting is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Examples
The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
interface async 4encapsulation pppppp accounting charlieRelated Commands
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
ppp authentication
To enable at least one PPP authentication protocol and to specify the order in which the protocols are selected on the interface, use the ppp authentication command in interface configuration mode. To disable this authentication, use the no form of this command.
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time] [optional]
no ppp authentication
Syntax Description
protocol1 [protocol2...]
At least one of the keywords described in Table 29.
if-needed
(Optional) Used with TACACS and extended TACACS. Does not perform Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication if authentication has already been provided. This option is available only on asynchronous interfaces.
list-name
(Optional) Used with authentication, authorization, and accounting (AAA). Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command.
default
(Optional) Name of the method list created with the aaa authentication ppp command.
callin
(Optional) Authentication on incoming (received) calls only.
one-time
(Optional) The username and password are accepted in the username field.
optional
(Optional) Accepts the connection even if the peer refuses to accept the authentication methods that the router has requested.
Defaults
PPP authentication is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
When you enable PAP, CHAP, or Extensible Authentication Protocol (EAP) authentication (or all three methods), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the name of the remote device with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match. EAP works much as CHAP does, except that identity request and response packets are exchanged when EAP starts.
You can enable CHAP, Microsoft CHAP (MS-CHAP), PAP, or EAP in any order. If you enable all four methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the ability of the remote device to correctly negotiate the appropriate method and on the level of data-line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.
Caution
Table 29 lists the protocols used to negotiate PPP authentication.
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
If you are using autoselect on a tty line, you can use the ppp authentication command to turn on PPP authentication for the corresponding interface.
MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; authentication occurs between a personal computer using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
To configure Cisco PDSN in compliance with the TIA/EIA/IS-835-B standard, you must configure the PDSN virtual template as follows:
ppp authentication chap pap optionalExamples
The following example configures virtual-template interface 4:
interface
