Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: save-password through show crypto ipsec transform-set

Table Of Contents

save-password

secondary-color

secondary-text-color

secret

secure boot-config

secure boot-image

security authentication failure rate

security ipsec

security passwords min-length

self-identity

serial-number (ca-trustpoint)

serial-number (pubkey)

server (RADIUS)

server (TACACS+)

server-private (RADIUS)

server-private (TACACS+)

service password-encryption

set aggressive-mode client-endpoint

set aggressive-mode password

set ip access-group

set isakmp-profile

set peer (IPSec)

set pfs

set security-association idle-time

set security-association level per-host

set security-association lifetime

set security-association replay disable

set security-association replay window-size

set session-key

set transform-set

sgbp aaa authentication

show aaa attributes

show aaa cache filterserver

show aaa dead-criteria

show aaa local user locked

show aaa server-private

show aaa servers

show aaa user

show accounting

show appfw

show auto secure config

show call admission statistics

show crypto ca certificates

show crypto ca crls

show crypto ca roots

show crypto ca timers

show crypto ca trustpoints

show crypto call admission statistics

show crypto debug-condition

show crypto dynamic-map

show crypto eng qos

show crypto engine

show crypto engine accelerator logs

show crypto engine accelerator ring

show crypto engine accelerator sa-database

show crypto engine accelerator statistic

show crypto ha

show crypto ipsec client ezvpn

show crypto ipsec sa

show crypto ipsec security-association lifetime

show crypto ipsec transform-set


save-password

To save your extended authentication (Xauth) password locally on your PC, use the save-password command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Save-Password attribute, use the no form of this command.

save-password

no save-password

Syntax Description

This command has no arguments or keywords.

Defaults

Your Xauth password is not saved locally on your PC, and the Save-Password attribute is not added to the server group profile.

Command Modes

ISAKMP group configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

Save password control allows you to save your Xauth password locally on your PC so that after you have initially entered the password, the Save-Password attribute is pushed from the server to the client. On subsequent authentications, you can activate the password by using the tick box on the software client or by adding the username and password to the Cisco IOS hardware client profile. The password setting remains until the Save-Password attribute is removed from the server group profile. After the password has been activated, the username and password are sent automatically to the server during Xauth without your intervention.

The save-password option is useful only if your password is static, that is, if it is not a one-time password such as one that is generated by a token.

The Save-Password attribute is configured on a Cisco IOS router or in the RADIUS profile.

To configure save password control, use the save-password command.

An example of an attribute-value (AV) pair for the Save-Password attribute is as follows:

ipsec:save-password=1

You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the save-password command.


Note The Save-Password attribute can be applied only by a RADIUS user.

The attribute can be applied on a per-user basis after the user has been authenticated.

The attribute can override any similar group attributes.

User-based attributes are available only if RADIUS is used as the database.


Examples

The following example shows that the Save-Password attribute has been configured:

crypto isakmp client configuration group cisco
 save-password

Related Commands

Command
Description

acl

Configures split tunneling.

crypto isakmp client configuration group

Specifies the DNS domain to which a group belongs.


secondary-color

To specify the color of the secondary title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the secondary-color command in Web VPN configuration mode. To remove the color, use the no form of this command.

secondary-color color

no secondary-color color

Syntax Description

color

The value can be a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a "#"), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):

\#/x{6}

\d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)

\w+

The default is purple.


Defaults

Purple

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

If a new color is configured, it will override the color that was already configured.

Examples

The following examples show three ways that a secondary color may be configured:

secondary-color darkseagreen

secondary-color #8FBC8F

secondary-color 143,188,143
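The three value formats listed in the syntax description, implemented as an added validator that is not Cisco code; it assumes the garbled first pattern means "#" followed by six hexadecimal digits and applies the 32-character limit and the 1-to-255 component range exactly as documented.

```python
import re

# Added example, not from the Cisco reference. Reproduces the documented parse
# of a secondary-color value: length limit first, then the three formats.
# Assumption: the page's first pattern is "#" plus six hex digits.

MAX_LEN = 32

_HTML_HEX = re.compile(r"^#[0-9A-Fa-f]{6}$")          # HTML color value
_RGB_TRIPLE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3})$")  # comma-separated RGB
_COLOR_NAME = re.compile(r"^\w+$")                    # HTML color name, no spaces


def classify_color(value: str):
    """Return 'html', 'rgb' or 'name' for a valid value, None if it is rejected."""
    if not value or len(value) > MAX_LEN:
        return None
    if _HTML_HEX.match(value):
        return "html"
    m = _RGB_TRIPLE.match(value)
    if m:
        # The page's rule: each component is from 1 to 255 (0 is not accepted).
        if all(1 <= int(component) <= 255 for component in m.groups()):
            return "rgb"
        return None
    if _COLOR_NAME.match(value):
        return "name"
    return None


if __name__ == "__main__":
    # The page's three example values plus a few rejected ones.
    for candidate in ("darkseagreen", "#8FBC8F", "143,188,143",
                      "0,188,143", "#8FBC8", "dark sea green"):
        print(f"{candidate!r}: {classify_color(candidate)}")
```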

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


secondary-text-color

To specify the color of the text on the secondary bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the secondary-text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.

secondary-text-color [black | white]

no secondary-text-color [black | white]

Syntax Description

black

(Optional) Color of the text is black. This is the default value.

white

(Optional) Color of the text is white.


Defaults

Color of the text is black.

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

The color of the text on the secondary bars must be aligned with the color of the text on the title bar.

Examples

The following example shows that the secondary text color has been set to white:

secondary-text-color white

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


secret

To associate a command-line interface (CLI) view or a superview with a password, use the secret command in view configuration mode.

secret {unencrypted-password | 0 unencrypted-password | 5 encrypted-password}

Syntax Description

unencrypted-password

Nonencrypted password. A password can contain any combination of alphanumeric characters. The password is case sensitive. This clear-text password will be encrypted using the Message Digest 5 (MD5) method.

0

Specifies that an unencrypted password will follow.

5

Specifies that an encrypted password will follow.

encrypted-password

Encrypted password that you enter and that is copied from another router configuration.


Defaults

User cannot access a CLI view or superview.

Command Modes

View configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

A user cannot access any commands within the CLI view or superview until the secret command has been issued.


Note The password cannot be removed, but you can overwrite it.


Examples

The following examples show how to configure two CLI views, "first" and "second," and associate each view with a password:

CLI View "first"

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# parser view first
Router(config-view)# 
*Dec  9 05:20:03.039: %PARSER-6-VIEW_CREATED: view 'first' successfully created.
Router(config-view)# secret firstpassword
Router(config-view)# secret secondpassword
% Overwriting existing secret for the current view
Router(config-view)# secret 0 thirdpassword
% Overwriting existing secret for the current view
Router(config-view)# secret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1
% Overwriting existing secret for the current view
Router(config-view)# secret 5 invalidpassword
ERROR: The secret you entered is not a valid encrypted secret.
To enter an UNENCRYPTED secret, do not specify type 5 encryption.
When you properly enter an UNENCRYPTED secret, it will be encrypted.

Router(config-view)# commands exec include show version
Router(config-view)# commands exec include configure terminal
Router(config-view)# commands configure include all ip
Router(config-view)# exit

CLI View "second"

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# parser view second
Router(config-view)#
*Dec 30 06:11:52.915: %PARSER-6-VIEW_CREATED: view 'second' successfully created.
Router(config-view)# secret mypasswd 
Router(config-view)# commands exec include ping
Router(config-view)# end

Router# show running-config

parser view second
 secret 5 $1$PWs8$lz3lSx6OqAnFrUx2hkI0w0
 commands exec include ping
!

The following is an example of show running-config output for a situation in which the secret command has been configured using a level 5 encrypted password:

Router# show running-config

parser view first
 secret 5 $1$jj1e$vmYyRbmj5UoU96tT1x7eP1
 commands configure include all ip
 commands exec include configure terminal
 commands exec include configure
 commands exec include show version
 commands exec include show
!
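The type 5 value in the running-config output above is the md5-crypt format ($1$salt$hash). The following is an added example, not Cisco code: it reproduces the shape check behind the "not a valid encrypted secret" error and verifies a configured secret offline against a candidate password, for instance to confirm that a secret copied from another router is the one intended; the function names are assumptions, not IOS identifiers.

```python
import hashlib
import hmac
import re

# Added example, not from the Cisco reference. IOS "type 5" secrets are
# md5-crypt strings: "$1$" + salt (up to 8 chars) + "$" + 22 encoded chars.
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TYPE5_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def validate_type5(secret: str) -> bool:
    """True if `secret` has the $1$<salt>$<22-char hash> shape IOS accepts."""
    return _TYPE5_RE.match(secret) is not None


def _to64(value: int, count: int) -> bytes:
    """md5-crypt's little-endian base-64 style encoding of `count` chars."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: str, salt: str) -> str:
    """Compute the md5-crypt ($1$) hash of `password` with `salt`."""
    pw = password.encode()
    sl = salt.encode()[:8]                      # at most 8 salt bytes are used
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                        # mix in alt, 16 bytes at a time
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                    # per-bit quirk of the original
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                       # 1000 rounds of stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    # Output bytes are regrouped in this fixed order before encoding.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    ) + _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + out.decode()


def verify_type5(password: str, secret: str) -> bool:
    """True if `password` reproduces the configured type 5 `secret`."""
    m = _TYPE5_RE.match(secret)
    if not m:
        return False
    return hmac.compare_digest(md5_crypt(password, m.group(1)), secret)


if __name__ == "__main__":
    for value in ("$1$jj1e$vmYyRbmj5UoU96tT1x7eP1", "invalidpassword"):
        print(f"{value}: valid type 5 = {validate_type5(value)}")
    h = md5_crypt("thirdpassword", "jj1e")     # constructed salt reuse
    print(h, verify_type5("thirdpassword", h), verify_type5("secondpassword", h))
```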

Related Commands

Command
Description

parser view

Creates or changes a CLI view and enters view configuration mode.


secure boot-config

To take a snapshot of the router running configuration and securely archive it in persistent storage, use the secure boot-config command in global configuration mode. To remove the secure configuration archive and disable configuration resilience, use the no form of this command.

secure boot-config [restore filename]

no secure boot-config

Syntax Description

restore filename

(Optional) Reproduces a copy of the secure configuration archive as the supplied filename.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Without any parameters, this command takes a snapshot of the router running configuration and securely archives it in persistent storage. Like the image, the configuration archive is hidden and cannot be viewed or removed directly from the command-line interface (CLI) prompt. It is recommended that you run this command after the router has been fully configured to reach a steady state of operation and the running configuration is considered complete for a restoration, if required. A syslog message is printed on the console notifying the user of configuration resilience activation. The secure archive uses the time of creation as its filename. For example, .runcfg-20020616-081702.ar was created July 16 2002 at 8:17:02.

The restore option reproduces a copy of the secure configuration archive as the supplied filename (disk0:running-config, slot1:runcfg, and so on). The restore operation will work only if configuration resilience is enabled. The number of restored copies that can be created is unlimited.

The no form of this command removes the secure configuration archive and disables configuration resilience. An enable, disable, enable sequence has the effect of upgrading the configuration archive if any changes were made to the running configuration since the last time the feature was disabled.

The configuration upgrade scenario is similar to an image upgrade. The feature detects a different version of Cisco IOS and notifies the user of a version mismatch. The same command can be run to upgrade the configuration archive to a newer version after new configuration commands corresponding to features in the new image have been issued.

The correct sequence of steps to upgrade the configuration archive after an image upgrade is as follows:

Configure new commands

Issue the secure boot-config command

Examples

The following example shows the command used to securely archive a snapshot of the router running configuration:

secure boot-config

The following example shows the command used to restore an archived image to the file slot0:rescue-cfg:

Router(config)# secure boot-config restore slot0:rescue-cfg
ios resilience:configuration successfully restored as slot0:rescue-cfg

Related Commands

Command
Description

secure boot-image

Enables Cisco IOS image resilience.

show secure bootset

Displays the status of image and configuration resilience.


secure boot-image

To enable Cisco IOS image resilience, use the secure boot-image command in global configuration mode. To disable Cisco IOS image resilience and release the secured image so that it can be safely removed, use the no form of this command.

secure boot-image

no secure boot-image

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

This command enables or disables the securing of the running Cisco IOS image. The following two possible scenarios exist with this command.

When turned on for the first time, the running image (as displayed in the show version command output) is secured, and a syslog entry is generated. This command will function properly only when the system is configured to run an image from a disk with an Advanced Technology Attachment (ATA) interface. Images booted from a TFTP server cannot be secured. Because this command has the effect of "hiding" the running image, the image file will not be included in any directory listing of the disk. The no form of this command releases the image so that it can be safely removed.

If the router is configured to boot up with Cisco IOS resilience and an image with a different version of Cisco IOS is detected, a message similar to the following is displayed at bootup:

ios resilience :Archived image and configuration version 12.2 differs from running version 12.3.
Run secure boot-config and image commands to upgrade archives to running version.

To upgrade the image archive to the new running image, reenter this command from the console. A message will be displayed about the upgraded image. The old image is released and will be visible in the dir command output.


Caution Be careful when copying new images to persistent storage because the existing secure image name might conflict with the new image. To verify the name of the secured archive, run the show secure bootset command and resolve any name conflicts with the currently secured hidden image.


Note After the Cisco IOS image is secured, the resilient configuration feature will deny any requests to copy, modify, or delete the secure archive and will even survive a disk format operation.


Examples

The following example shows the activation of image resilience.

Router(config)# secure boot-image

Related Commands

Command
Description

dir

Displays a list of files on a file system.

secure boot-config

Saves a secure copy of the router running configuration in persistent storage.

show secure bootset

Displays the status of image and configuration resilience.

show version

Displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.


security authentication failure rate

To configure the number of allowable unsuccessful login attempts, use the security authentication failure rate command in global configuration mode. To disable this functionality, use the no form of this command.

security authentication failure rate threshold-rate log

no security authentication failure rate threshold-rate log

Syntax Description

threshold-rate

Number of allowable unsuccessful login attempts. The valid value range for the threshold-rate argument is 2 to 1024. The default is 10.

log

Syslog authentication failures if the rate exceeds the threshold.


Defaults

The default number of failed login attempts before a 15-second delay is 10.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.3(7)T

The range of the threshold-rate value was changed from 1 through 1024 to 2 through 1024.


Usage Guidelines

The security authentication failure rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command guards against sustained, uninterrupted failed attempts to access the router.


Note Prior to Cisco IOS Release 12.3(7)T, the threshold-rate value range was 1 through 1024. Unsuccessful login attempts will not be logged if a value of 1 is configured. As of Cisco IOS Release 12.3(7)T, use a value between 2 and 1024.


Examples

The following example shows how to configure your router to generate a syslog message after eight failed login attempts:

security authentication failure rate 8 log

Related Commands

Command
Description

security passwords min-length

Ensures that all configured passwords are at least a specified length.


security ipsec

To apply a previously configured IP Security (IPSec) profile to the redundancy group communications, use the security ipsec command in inter-device configuration mode. To remove the IPSec profile from the configuration, use the no form of this command.

security ipsec profile-name

no security [ipsec [profile-name]]

Syntax Description

profile-name

Profile name, which was specified via the crypto ipsec profile command.


Defaults

The redundancy group is not secured.

Command Modes

Inter-device configuration

Command History

Release
Modification

12.3(11)T

This command was introduced.


Usage Guidelines

The security ipsec command allows you to secure a redundancy group via a previously configured IPSec profile. If you are certain that the Stateful Switchover (SSO) traffic between the redundancy group runs on a physically secure interface, you do not have to configure this command.


Note If you configure SSO traffic protection via the security ipsec command, the active and standby devices must be directly connected to each other via Ethernet networks.


Examples

The following example shows how to configure SSO traffic protection:

crypto ipsec transform-set trans2 ah-md5-hmac esp-aes 
!         
crypto ipsec profile sso-secure
 set transform-set trans2 
!
redundancy inter-device
 scheme standby HA-in
 security ipsec sso-secure

Related Commands

Command
Description

crypto ipsec profile

Defines the IPSec parameters that are to be used for IPSec encryption between two IPSec routers.

redundancy inter-device

Enters inter-device configuration mode.


security passwords min-length

To ensure that all configured passwords are at least a specified length, use the security passwords min-length command in global configuration mode. To disable this functionality, use the no form of this command.

security passwords min-length length

no security passwords min-length length

Syntax Description

length

Minimum length of a configured password. The default is six characters.


Defaults

Six characters

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

The security passwords min-length command provides enhanced security access to the router by allowing you to specify a minimum password length, eliminating common passwords that are prevalent on most networks, such as "lab" and "cisco." This command affects user passwords, enable passwords and secrets, and line passwords. After this command is enabled, any password that is less than the specified length will fail.

Examples

The following example shows both how to specify a minimum password length of six characters and what happens when the password does not adhere to the minimum length:

security passwords min-length 6
enable password lab
% Password too short - must be at least 6 characters. Password not configured.
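To apply the same min-length rule offline to an exported configuration, the following added example (not Cisco code) checks the password classes the command covers, user passwords, enable passwords and secrets, and line passwords, against a constructed running-config; hashed or obfuscated values (type 5, type 7) are reported as unmeasurable rather than decoded, and the regexes only cover the line shapes used in the sample.

```python
import re

# Added example, not from the Cisco reference: an offline audit of the
# min-length policy over a running-config. Only cleartext values (no type
# prefix, or type 0) can be measured.

DEFAULT_MIN_LENGTH = 6          # the command's documented default

_MIN_LEN_RE = re.compile(r"^security passwords min-length (\d+)$")
_USERNAME_RE = re.compile(
    r"^username (\S+) (?:privilege \d+ )?(password|secret) (?:(\d) )?(\S+)$")
_ENABLE_RE = re.compile(r"^enable (password|secret) (?:(\d) )?(\S+)$")
_LINE_RE = re.compile(r"^line (\S+(?: \d+(?: \d+)?)?)$")
_LINE_PW_RE = re.compile(r"^ password (?:(\d) )?(\S+)$")

# Constructed sample config; the type 7 value is a placeholder, not a real one.
SAMPLE_CONFIG = """\
security passwords min-length 6
enable secret 5 $1$PWs8$lz3lSx6OqAnFrUx2hkI0w0
enable password lab
username admin privilege 15 password 0 cisco
username ops secret 0 longenough
line con 0
 password 7 DEADBEEF00
line vty 0 4
 password cisco123
"""


def _judge(type_code, value, min_len):
    """Classify one configured value against the minimum length."""
    if type_code not in (None, "0"):
        return "unmeasurable"        # type 5 hash or type 7 obfuscation
    return "too-short" if len(value) < min_len else "ok"


def audit_password_lengths(config: str):
    """Return (min_length, findings); each finding is (where, status)."""
    lines = config.splitlines()
    min_len = DEFAULT_MIN_LENGTH
    for raw in lines:                # first pass: pick up the configured policy
        m = _MIN_LEN_RE.match(raw)
        if m:
            min_len = int(m.group(1))
    findings = []
    current_line = None              # tracks the active "line ..." sub-mode
    for raw in lines:
        m = _USERNAME_RE.match(raw)
        if m:
            findings.append((f"username {m.group(1)} {m.group(2)}",
                             _judge(m.group(3), m.group(4), min_len)))
            continue
        m = _ENABLE_RE.match(raw)
        if m:
            findings.append((f"enable {m.group(1)}",
                             _judge(m.group(2), m.group(3), min_len)))
            continue
        m = _LINE_RE.match(raw)
        if m:
            current_line = m.group(1)
            continue
        m = _LINE_PW_RE.match(raw)
        if m and current_line is not None:
            findings.append((f"line {current_line} password",
                             _judge(m.group(1), m.group(2), min_len)))
            continue
        if raw and not raw.startswith(" "):
            current_line = None      # any other top-level command leaves line mode
    return min_len, findings


if __name__ == "__main__":
    length, results = audit_password_lengths(SAMPLE_CONFIG)
    print(f"minimum length: {length}")
    for where, status in results:
        print(f"{status:12} {where}")
```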

Related Commands

Command
Description

enable password

Sets a local password to control access to various privilege levels.

security authentication failure rate

Configures the number of allowable unsuccessful login attempts.


self-identity

To define the identity that the local Internet Key Exchange (IKE) uses to identify itself to the remote peer, use the self-identity command in ISAKMP profile configuration mode. To remove the Internet Security Association and Key Management Protocol (ISAKMP) identity that was defined for the IKE, use the no form of this command.

self-identity {address | fqdn | user-fqdn user-fqdn}

no self-identity {address | fqdn | user-fqdn user-fqdn}

Syntax Description

address

The IP address of the local endpoint.

fqdn

The fully qualified domain name (FQDN) of the host.

user-fqdn user-fqdn

The user FQDN that is sent to the remote endpoint.


Defaults

If no ISAKMP identity is defined in the ISAKMP profile configuration, global configuration is the default.

Command Modes

ISAKMP profile configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the IKE identity is the user FQDN "user@vpn.com":

crypto isakmp profile vpnprofile
 self-identity user-fqdn user@vpn.com

serial-number (ca-trustpoint)

To specify whether the router serial number should be included in the certificate request, use the serial-number command in ca-trustpoint configuration mode. To restore the default behavior, use the no form of this command.

serial-number [none]

no serial-number

Syntax Description

none

(Optional) Specifies that a serial number will not be included in the certificate request.


Defaults

Not configured. You will be prompted for the serial number during certificate enrollment.

Command Modes

Ca-trustpoint configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

Before you can issue the serial-number command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.

Use this command to specify the router serial number in the certificate request, or use the none keyword to specify that a serial number should not be included in the certificate request.

Examples

The following example shows how to omit a serial number from the "root" certificate request:

crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 ip-address none
 fqdn none
 serial-number none
 subject-name CN=jack, OU=PKI, O=Cisco Systems, C=US
 
crypto ca trustpoint root
 enrollment url http://10.3.0.7:80
 serial-number

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.


serial-number (pubkey)

To define the serial number for the Rivest, Shamir, and Adelman (RSA) manual key to be used for encryption or signatures during Internet Key Exchange (IKE) authentication, use the serial-number command in pubkey configuration mode. To remove the manual key that was defined, use the no form of this command.

serial-number serial-number

no serial-number serial-number

Syntax Description

serial-number

Device serial number. The value is from 0 through infinity.


Defaults

No default behavior or values

Command Modes

Pubkey configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example shows that the public key of an IP Security (IPSec) peer has been specified:

Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey-key)# serial-number 1000000
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit

Related Commands

Command
Description

address

Specifies the IP address of the remote RSA public key of the remote peer that you will manually configure.

key-string (IKE)

Specifies the RSA public key of a remote peer.


server (RADIUS)

To configure the IP address of the RADIUS server for the group server, use the server command in server-group configuration mode. To remove the associated server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server ip-address [auth-port port-number] [acct-port port-number]

no server ip-address [auth-port port-number] [acct-port port-number]

Syntax Description

ip-address

IP address of the RADIUS server host.

auth-port port-number

(Optional) Specifies the User Datagram Protocol (UDP) destination port for authentication requests. The port-number argument specifies the port number for authentication requests. The host is not used for authentication if this value is set to 0.

acct-port port-number

(Optional) Specifies the UDP destination port for accounting requests. The port number argument specifies the port number for accounting requests. The host is not used for accounting services if this value is set to 0.


Defaults

If no port attributes are defined, the defaults are as follows:

Authentication port: 1645

Accounting port: 1646

Command Modes

Server-group configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.

12.0(7)T

The following new keywords/arguments were added:

auth-port port-number

acct-port port-number


Usage Guidelines

Use the server command to associate a particular server with a defined group server. There are two different ways in which you can identify a server, depending on the way you want to offer AAA services. You can identify the server simply by using its IP address, or you can identify multiple host instances or entries using the optional auth-port and acct-port keywords.

When you use the optional keywords, the network access server identifies RADIUS security servers and host instances associated with a group server on the basis of their IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as failover backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry configured on the same device for accounting services. (The RADIUS host entries will be tried in the order they are configured.)

Examples

Configuring Multiple Entries for the Same Server IP Address

The following example shows the network access server configured to recognize several RADIUS host entries with the same IP address. Two different host entries on the same RADIUS server are configured for the same services—authentication and accounting. The second host entry configured acts as fail-over backup to the first one. (The RADIUS host entries are tried in the order in which they are configured.)

! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default radius
! The next set of commands configures multiple host entries for the same IP address.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2000

Configuring Multiple Entries Using AAA Group Servers

In this example, the network access server is configured to recognize two different RADIUS group servers. One of these groups, group1, has two different host entries on the same RADIUS server configured for the same services. The second host entry configured acts as failover backup to the first one.

! This command enables AAA.
aaa new-model
! The next command configures default RADIUS parameters.
aaa authentication ppp default group group1
! The following commands define the group1 RADIUS group server and associate servers 
! with it. 
aaa group server radius group1
   server 172.20.0.1 auth-port 1000 acct-port 1001
! The following commands define the group2 RADIUS group server and associate servers 
! with it. 
aaa group server radius group2
   server 172.20.0.1 auth-port 2000 acct-port 2001
! The following set of commands configures the RADIUS attributes for each host entry 
! associated with one of the defined group servers.
radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
radius-server host 172.20.0.1 auth-port 2000 acct-port 2001
radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
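The host-entry selection described in the usage guidelines, as an added example that is not Cisco code: server lines are parsed in configured order, each entry is identified by IP address plus UDP port, an entry is skipped for a service whose port is 0, and entries are tried in order so that a later entry on the same IP acts as failover for an earlier one. The `responds` callback is an assumption standing in for the real UDP exchange.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Added example, not from the Cisco reference: a model of RADIUS host-entry
# selection within an AAA server group, following the documented rules.

# Two entries from the page's group1/group2 plus a constructed auth-only entry.
EXAMPLE_SERVER_LINES = [
    "server 172.20.0.1 auth-port 1000 acct-port 1001",
    "server 172.20.0.1 auth-port 2000 acct-port 2001",
    "server 172.10.0.1 auth-port 1645 acct-port 0",
]


@dataclass(frozen=True)
class HostEntry:
    ip: str
    auth_port: int = 1645      # documented defaults when no port is given
    acct_port: int = 1646

    def port_for(self, service: str) -> int:
        if service == "auth":
            return self.auth_port
        if service == "acct":
            return self.acct_port
        raise ValueError(f"unknown service {service!r}")


def parse_server_lines(lines: List[str]) -> List[HostEntry]:
    """Parse 'server <ip> [auth-port N] [acct-port N]' lines, keeping order."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "server":
            continue
        kwargs = {}
        i = 2
        while i + 1 < len(tokens):
            if tokens[i] == "auth-port":
                kwargs["auth_port"] = int(tokens[i + 1])
            elif tokens[i] == "acct-port":
                kwargs["acct_port"] = int(tokens[i + 1])
            i += 2
        entries.append(HostEntry(tokens[1], **kwargs))
    return entries


def select_host(entries: List[HostEntry], service: str,
                responds: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """First (ip, port) that offers `service` and answers, or None.

    Port 0 means the entry is not used for that service; the remaining entries
    are tried in configured order, which is the documented failover behaviour.
    """
    for entry in entries:
        port = entry.port_for(service)
        if port == 0:
            continue
        if responds(entry.ip, port):
            return entry.ip, port
    return None


if __name__ == "__main__":
    entries = parse_server_lines(EXAMPLE_SERVER_LINES)
    down = {("172.20.0.1", 1001)}          # constructed: first accounting port is down
    print(select_host(entries, "acct", lambda ip, p: (ip, p) not in down))
```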

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


server (TACACS+)

To configure the IP address of the TACACS+ server for the group server, use the server command in TACACS+ group server configuration mode. To remove the IP address of the TACACS+ server, use the no form of this command.

server ip-address

no server ip-address

Syntax Description

ip-address

IP address of the selected server.


Defaults

No default behavior or values.

Command Modes

TACACS+ group server configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Usage Guidelines

You must configure the aaa group server tacacs command before configuring this command.

Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.

Examples

The following example shows server host entries configured for the TACACS+ server:

aaa new-model
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1 
tacacs-server host 2.0.0.1 

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

aaa group server

Groups different server hosts into distinct lists and distinct methods.

tacacs-server host

Specifies a TACACS+ server host.


server-private (RADIUS)

To configure the IP address of the private RADIUS server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

no server-private ip-address [auth-port port-number | acct-port port-number] [non-standard] [timeout seconds] [retransmit retries] [key string]

Syntax Description

ip-address

IP address of the private RADIUS server host.

auth-port port-number

(Optional) User Datagram Protocol (UDP) destination port for authentication requests. The default value is 1645.

acct-port port-number

(Optional) UDP destination port for accounting requests. The default value is 1646.

non-standard

(Optional) RADIUS server is using vendor-proprietary RADIUS attributes.

timeout seconds

(Optional) Time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting. This setting overrides the global value of the radius-server timeout command. If no timeout value is specified, the global value is used.

retransmit retries

(Optional) Number of times a RADIUS request is resent to a server, if that server is not responding or responding slowly. This setting overrides the global setting of the radius-server retransmit command.

key string

(Optional) Authentication and encryption key used between the router and the RADIUS daemon running on the RADIUS server. This key overrides the global setting of the radius-server key command. If no key string is specified, the global value is used.
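
The key string is what makes a server's reply trustworthy and what hides the user password on the wire, so a mismatch between the router's server-private key and the server's key matters. The following Python is an added example, not part of the Cisco reference and not router code: it implements the two RFC 2865 computations that depend on the shared key (User-Password hiding and the Response Authenticator) and shows both failure modes of a wrong key. The server decodes garbage instead of the password, and the router rejects the reply, which is indistinguishable from an unresponsive server and therefore drives the timeout and retransmit path described above. The user name, password, secret values and the fixed Request Authenticator are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type, Length (header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(blob):
        attr_type, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[attr_type] = blob[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """b1 = MD5(S + RA), c1 = p1 ^ b1, b2 = MD5(S + c1), ... (RFC 2865 5.2)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(password), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(password[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         req_auth: bytes = None) -> bytes:
    """What the router sends to the server-private host; the key hides User-Password."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_reveal_password(request: bytes, secret: bytes) -> bytes:
    """Server side: recover User-Password with the server's key. A mismatched
    key does not fail loudly; it simply yields a wrong password."""
    return reveal_password(_parse_attrs(request[20:])[ATTR_USER_PASSWORD], secret, request[4:20])


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Router side: a reply that fails this check is discarded, so a wrong key on
    either end looks exactly like a dead server (timeout, retransmit, next server)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    ra = bytes(range(16))  # fixed for reproducibility; a real NAS uses random bytes
    req = build_access_request(7, "alice", "Tr0ub4dor&3", b"coke", ra)
    print("server with right key sees:", server_reveal_password(req, b"coke"))
    print("server with wrong key sees:", server_reveal_password(req, b"pepsi"))
    resp = build_response(ACCESS_ACCEPT, req, b"coke")
    print("router accepts reply (right key):", verify_response(resp, req, b"coke"))
    print("router accepts reply (wrong key):", verify_response(resp, req, b"pepsi"))
```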


Defaults

If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.

Command Modes

Server-group configuration

Command History

Release
Modification

12.2(1)DX

This command was introduced on the Cisco 7200 series and Cisco 7401ASR.

12.2(2)DD

This command was integrated into Cisco IOS Release 12.2(2)DD.

12.2(4)B

This command was integrated into Cisco IOS Release 12.2(4)B.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.


Usage Guidelines

Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between VPN routing and forwarding (VRF) instances, private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (the default "radius" server group) can still be referred to by IP address and port number. Thus, the list of servers in a server group can include both references to hosts in the global configuration and definitions of private servers.

Examples

The following example shows how to define the sg_water RADIUS group server and associate private servers with it:

aaa group server radius sg_water
 server-private 10.1.1.1 timeout 5 retransmit 3 key coke
 server-private 10.2.2.2 timeout 5 retransmit 3 key coke

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

radius-server host

Specifies a RADIUS server host.


server-private (TACACS+)

To configure the IP address of the private TACACS+ server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

no server-private

Syntax Description

ip-address

IP address of the private TACACS+ server host.

name

Name of the private TACACS+ server host.

nat

(Optional) Port Network Address Translation (NAT) address of the remote device. This address is sent to the TACACS+ server.

single-connection

(Optional) Maintains a single open connection between the router and the TACACS+ server.

port port-number

(Optional) Specifies a server port number. This option overrides the default, which is port 49.

timeout seconds

(Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

key [0 | 7]

(Optional) Specifies an authentication and encryption key. It must match the key used by the TACACS+ daemon. Specifying this key overrides, for this server only, the key set by the global tacacs-server key command.

If no number or 0 is entered, the string that follows is taken as plain text. If 7 is entered, the string that follows is taken as type 7 encoded text, the form written into the configuration by service password-encryption. Type 7 is a reversible encoding, not encryption: it hides the key from a casual glance at the display but not from anyone who can read the configuration.

string

(Optional) Character string specifying the authentication and encryption key.


Defaults

If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.

Command Modes

Server-group configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between VPN routing and forwarding (VRF) instances, private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (the default "tacacs+" server group) can still be referred to by IP address and port number. Thus, the list of servers in a server group can include both references to hosts in the global configuration and definitions of private servers.

Examples

The following example shows how to define the tacacs1 TACACS+ group server, associate a private server with it, bind the group to VRF cisco, and source its packets from Loopback0. On the interface, ip vrf forwarding must come before ip address, because placing an interface into a VRF removes any IP address already configured on it:

aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0

ip vrf cisco
 rd 100:1

interface Loopback0
 ip vrf forwarding cisco
 ip address 10.0.0.2 255.0.0.0

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

ip tacacs source-interface

Uses the IP address of a specified interface for all outgoing TACACS+ packets.

ip vrf forwarding (server-group)

Configures the VRF reference of an AAA RADIUS or TACACS+ server group.

tacacs-server host

Specifies a TACACS+ server host.


service password-encryption

To encrypt passwords, use the service password-encryption command in global configuration mode. To restore the default, use the no form of this command.

service password-encryption

no service password-encryption

Syntax Description

This command has no arguments or keywords.
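
The strings this command writes into the configuration, and the strings accepted by the key 7 form of server-private (TACACS+) above, use the same type 7 encoding. The following Python is an added example, not part of the Cisco reference and not IOS code: it reverses and re-creates type 7 strings and scans a configuration dump for them, which makes concrete why the encoding hides a key from a shoulder-surfer but not from anyone with read access to the configuration. The translation table is the widely published constant; the two "cisco" vectors are the well-known ones and the sample configuration lines are constructed for the example.

```python
import re

# Fixed translation key used by IOS type 7 (widely published constant).
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Two decimal seed digits followed by an even number of hex digits.
_TYPE7_RE = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a 'key 7' / 'password 7' string."""
    m = _TYPE7_RE.match(encoded)
    if not m:
        raise ValueError("not a type 7 string: %r" % encoded)
    seed = int(m.group(1))
    if seed >= len(_XLAT):
        raise ValueError("seed %d out of range" % seed)
    data = bytes.fromhex(m.group(2))
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Produce the string IOS would store for the given seed (0-15 in practice)."""
    if not 0 <= seed < len(_XLAT):
        raise ValueError("seed %d out of range" % seed)
    body = "".join("%02X" % (b ^ _XLAT[(seed + i) % len(_XLAT)])
                   for i, b in enumerate(plaintext.encode("ascii")))
    return "%02d" % seed + body


_TYPE7_TOKEN = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]+)\b")


def find_type7_secrets(config: str) -> list:
    """Return (line number, plaintext) for every type 7 string in a config dump."""
    found = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = _TYPE7_TOKEN.search(line)
        if m:
            try:
                found.append((lineno, type7_decode(m.group(1))))
            except ValueError:
                pass  # malformed token: report nothing rather than guess
    return found


# Constructed sample: the two 'cisco' vectors are the well-known ones; the
# enable password line is generated here so the example is self-contained.
SAMPLE_CONFIG = "\n".join([
    "aaa group server tacacs+ tacacs1",
    " server-private 10.1.1.1 port 49 key 7 094F471A1A0A",
    "tacacs-server key 7 02050D480809",
    "enable password 7 " + type7_encode("Adm1n!", 12),
])

if __name__ == "__main__":
    for lineno, secret in find_type7_secrets(SAMPLE_CONFIG):
        print("line %d: %s" % (lineno, secret))
```

Because the transform is a fixed XOR stream, the seed digits and the configuration text are all an attacker needs; protect the configuration itself (and TACACS+ or RADIUS keys in it) rather than relying on this encoding.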

Defaults

No encryption

Command Modes

Global configuration

Command History

Release
Modification

10.