Cisco IOS Security Command Reference, Release 12.3 T
Security Commands: tacacs-server administration through xauth userid mode

Table Of Contents

tacacs-server administration

tacacs-server directed-request

tacacs-server dns-alias-lookup

tacacs-server host

tacacs-server key

tacacs-server packet

tacacs-server timeout

template (identity policy)

template (identity profile)

template config

template username

test aaa group

text-color

timeout

timeout login response

title

title-color

transfer-encoding type

trustpoint (tti-petitioner)

trustpoint signing

tunnel mode

tunnel protection

url-list

url-text

user

username

username secret

view

vlan (local RADIUS server group)

vpdn aaa attribute

vrf (isakmp profile)

webvpn

webvpn enable

wins

wlccp authentication-server client

wlccp authentication-server infrastructure

wlccp wds priority interface

xauth userid mode


tacacs-server administration

To enable the handling of administrative messages by the TACACS+ daemon, use the tacacs-server administration command in global configuration mode. To disable the handling of administrative messages by the TACACS+ daemon, use the no form of this command.

tacacs-server administration

no tacacs-server administration

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration

Command History

Release
Modification

Prior to 12.0

This command was introduced.


Examples

The following example shows that the TACACS+ daemon is enabled to handle administrative messages:

tacacs-server administration

tacacs-server directed-request

To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command.

tacacs-server directed-request [restricted] [no-truncate]

no tacacs-server directed-request

Syntax Description

restricted

(Optional) Restrict queries to directed request servers only.

no-truncate

(Optional) Do not truncate the @hostname from the username.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.


Usage Guidelines

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.

Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.

With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.

Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.

Examples

The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:

no tacacs-server directed-request
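To make the usage guidelines above concrete, here is an added Python model (not Cisco code) of how a login string is routed under the three configurations the page describes: feature disabled, enabled, and enabled with no-truncate. Splitting on the last "@", exact matching of the host against the configured server list, and the handling of input without "@" are assumptions; the restricted keyword is not modelled.

```python
"""Model of TACACS+ directed-request handling (added example, not Cisco code).

It follows the usage guidelines on this page:
  - feature disabled: the whole string goes to the configured servers, in
    order, and the first response wins;
  - feature enabled: only the part before "@" is sent to the server named
    after "@", and an unknown server name rejects the input;
  - no-truncate: the "@hostname" suffix is kept in the username that is sent.
The `restricted` keyword is not modelled here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DirectedRequestConfig:
    enabled: bool = True        # tacacs-server directed-request
    no_truncate: bool = False   # tacacs-server directed-request no-truncate


@dataclass
class RoutingDecision:
    servers: List[str]          # servers to query, in order (empty if rejected)
    username: Optional[str]     # string sent to the server(s); None if rejected
    rejected: bool = False
    reason: str = ""


def route_login(user_input: str, configured_servers: List[str],
                cfg: DirectedRequestConfig) -> RoutingDecision:
    """Decide which servers receive the request and what username they get.

    configured_servers is the ordered list of names/addresses from the
    `tacacs-server host` lines; a directed request must name one of them
    exactly (assumption: exact, case-sensitive match, no DNS resolution).
    """
    if not configured_servers:
        return RoutingDecision([], None, True, "no TACACS+ server configured")

    # Feature disabled: the entire string, "@" and all, goes down the
    # configured list starting with the first server.
    if not cfg.enabled:
        return RoutingDecision(list(configured_servers), user_input)

    # Enabled but nothing to direct: treat like an ordinary login
    # (assumption; the page only describes the "user@host" case).
    if "@" not in user_input:
        return RoutingDecision(list(configured_servers), user_input)

    # Split on the last "@" so a local part containing "@" still directs
    # to the trailing host (assumption about which "@" counts).
    name, host = user_input.rsplit("@", 1)
    if host not in configured_servers:
        return RoutingDecision([], None, True,
                               f"{host!r} is not a configured TACACS+ server")
    if not name:
        return RoutingDecision([], None, True, "empty username before '@'")

    sent = user_input if cfg.no_truncate else name
    return RoutingDecision([host], sent)
```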

tacacs-server dns-alias-lookup

To enable IP Domain Name System (DNS) alias lookup for TACACS+ servers, use the tacacs-server dns-alias-lookup command in global configuration mode. To disable IP DNS alias lookup, use the no form of this command.

tacacs-server dns-alias-lookup

no tacacs-server dns-alias-lookup

Syntax Description

This command has no arguments or keywords.

Command Default

IP DNS alias lookup is disabled.

Command Modes

Global configuration

Command History

Release
Modification

Prior to 12.0

This command was introduced.


Examples

The following example shows that IP DNS alias lookup has been enabled:

tacacs-server dns-alias-lookup

tacacs-server host

To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.

tacacs-server host {host-name | host-ip-address} [key string] [nat] [port [integer]] [single-connection] [timeout [integer]]

no tacacs-server host {host-name | host-ip-address}

Syntax Description

host-name

Name of the host.

host-ip-address

IP address of the host.

key

(Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.

string

(Optional) Character string specifying authentication and encryption key.

nat

(Optional) Sends the port Network Address Translation (NAT) address of the client to the TACACS+ server.

port

(Optional) Specifies a TACACS+ server port number. This option overrides the default, which is port 49.

integer

(Optional) Port number of the server. Valid port numbers range from 1 through 65535.

single-connection

(Optional) Maintains a single open connection between the router and the TACACS+ server.

timeout

(Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

integer

(Optional) Integer value, in seconds, of the timeout interval. The value is from 1 through 1000.


Defaults

No TACACS+ host is specified.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

12.1(11), 12.2(6)

The nat keyword was added.

12.2(8)T

The nat keyword was integrated into Cisco IOS Release 12.2(8)T.


Usage Guidelines

You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, key, single-connection, and nat keywords only when running an AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.

The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server. The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.

Examples

The following example specifies a TACACS+ host named Sea_Change:

tacacs-server host Sea_Change

The following example specifies that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.

tacacs-server host Sea_Cure port 51 timeout 3 key a_secret

Related Commands

Command
Description

aaa authentication

Specifies or enables AAA authentication.

aaa authorization

Sets parameters that restrict user access to a network.

aaa accounting

Enables AAA accounting of requested services for billing or security.

ppp

Starts an asynchronous connection using PPP.

slip

Starts a serial connection to a remote host using SLIP.

tacacs-server key

Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.


tacacs-server key

To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.

tacacs-server key {0 string | 7 string | string}

no tacacs-server key {0 string | 7 string | string}

Syntax Description

0 string

Specifies that an unencrypted key will follow.

string—The unencrypted (clear text) shared key.

7 string

Specifies that a hidden key will follow.

string—The hidden shared key.

string

The unencrypted (clear text) shared key.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.

12.3(2)T

The 0 string and 7 string keyword and argument pairs were added.


Usage Guidelines

After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.

The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

Examples

The following example sets the authentication and encryption key to "dare to go":

tacacs-server key dare to go

Related Commands

Command
Description

aaa new-model

Enables the AAA access control model.

tacacs-server host

Specifies a TACACS+ host.


tacacs-server packet

To modify TACACS+ packet options, use the tacacs-server packet command in global configuration mode. To disable the modified packet options, use the no form of this command.

tacacs-server packet maxsize

no tacacs-server packet

Syntax Description

maxsize

Maximum TACACS+ packet size that is acceptable. The value is from 10240 through 65536.


Command Default

None

Command Modes

Global configuration

Command History

Release
Modification

Prior to 12.0

This command was introduced.


Examples

The following example shows that the TACACS+ packet size has been set to the minimum value of 10240:

tacacs-server packet 10240

tacacs-server timeout

To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.

tacacs-server timeout seconds

no tacacs-server timeout seconds

Syntax Description

seconds

Timeout interval in seconds. The value is from 1 through 1000. The default is 5.


Command Default

If the command is not configured, the timeout interval is 5.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example changes the interval timeout to 10 seconds:

Router (config)# tacacs-server timeout 10

template (identity policy)

To specify a virtual template from which commands may be cloned, use the template command in identity policy configuration mode. To disable the virtual template, use the no form of this command.

template {virtual-template template-number}

no template {virtual-template template-number}

Syntax Description

virtual-template

Specifies the virtual template interface that will serve as the configuration clone source for the virtual interface that is dynamically created for authenticated users.

template-number

Template interface number. The value ranges from 1 through 200.


Defaults

A virtual template from which commands may be cloned is not specified.

Command Modes

Identity policy configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

The identity policy command must be entered in global configuration mode before the template command can be used.

Examples

The following example shows that an identity policy and a template have been specified:

Router (config)# identity policy mypolicy
Router (config-identity-policy)# template virtual-template 1

Related Commands

Command
Description

identity policy

Creates an identity policy.


template (identity profile)

To specify a virtual template from which commands may be cloned, use the template command in identity profile configuration mode. To disable the virtual template, use the no form of this command.

template virtual-template

no template virtual-template

Syntax Description

virtual-template

Specifies the virtual template interface that will serve as the configuration clone source for the virtual interface that is dynamically created for authenticated users.


Defaults

A virtual template from which commands may be cloned is not specified.

Command Modes

Identity profile configuration

Command History

Release
Modification

12.3(2)XA

This command was introduced.

12.3(4)T

This command was integrated into Cisco IOS Release 12.3(4)T.


Usage Guidelines

The identity profile command and default keyword must be entered in global configuration mode before the template command can be used.

Examples

The following example shows that a default identity profile and a template have been specified:

Router (config)# identity profile default
Router (config-identity-prof)# template virtualtemplate1

Related Commands

Command
Description

description

Enters an identity profile description.

device

Statically authorizes or rejects individual devices.

identity profile

Creates an identity profile.


template config

To specify a remote URL for a Cisco IOS command-line interface (CLI) configuration template, use the template config command in tti-registrar configuration mode. To remove the template from the configuration and use the default template, use the no form of this command.

template config url

no template config url

Syntax Description

url

One of the keywords in Table 76.


Defaults

A default template will be used.

Command Modes

tti-registrar configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use the template config command to specify a URL in which to retrieve the template that will be sent from the Easy Secure Device Deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.

The default template, which is used if a template is not specified, contains the following commands:

!
$t
!
$c
!
end

The variable "$t" will be expanded to include a Cisco IOS public key infrastructure (PKI) trustpoint that is configured for autoenrollment with the certificate server of the registrar. The variable "$c" will be expanded into the correct certificate chain for the certificate server of the registrar.

If an external template is specified, it must include the "$t" and "$c" variables to enable the petitioner device to obtain a certificate. The end command must be specified. If you want to specify details about the trustpoint, you can specify a template as follows:

!
crypto ca trustpoint $l
 enrollment url http://<registrar fqdn>
 rsakeypair $k $s
 auto-enroll 70
!
$c
end

Where $l comes from "trustpoint" configured under the petitioner, $k comes from "rsakeypair" under the trustpoint:

! $l will be replaced by 'mytp.'
crypto wui tti petitioner
  trustpoint mytp
! $k will be replaced by 'mykey.'
crypto ca trustpoint mytp
rsakeypair mykey
!

Note The template configuration location may include a variable "$n," which is expanded to the name of the introducer.
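The expansion rules above, as an added Python model of what the registrar does to a template before it is sent to the petitioner; this is not Cisco's code. The meanings of $t, $c, $l, $k and $n follow the page; $s is assumed to be the RSA modulus size, the shape of the expanded $t block is assumed to match the explicit trustpoint template shown above, and the "<registrar fqdn>" placeholder is filled in as a convenience.

```python
"""Expansion and sanity checks for an EzSDD/TTI configuration template.

Added example modelling the variable expansion described on this page; it
is not Cisco's registrar code. Variable meanings follow the page:
  $t -> an autoenrolling PKI trustpoint block   $c -> registrar CA chain
  $l -> petitioner trustpoint label             $k -> its rsakeypair name
  $n -> introducer name
$s is assumed here to be the RSA modulus size.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class PetitionerInfo:
    trustpoint: str     # `trustpoint` under crypto wui tti petitioner -> $l
    rsakeypair: str     # `rsakeypair` under that trustpoint -> $k
    key_size: int       # assumed source of $s
    introducer: str     # -> $n


# The default template the page lists.
DEFAULT_TEMPLATE = "!\n$t\n!\n$c\n!\nend\n"

_VAR_RE = re.compile(r"\$([tclksn])")
_KNOWN_VARS = set("tclksn")


def check_template(template: str) -> List[str]:
    """Return a list of problems; an empty list means the template is usable.

    Rules taken from the page: $c must be present, the template must finish
    with `end`, and either $t or an explicit `crypto ca trustpoint` block
    must be present so the petitioner can obtain a certificate.
    """
    problems = []
    if "$c" not in template:
        problems.append("missing $c (certificate chain)")
    if "$t" not in template and "crypto ca trustpoint" not in template:
        problems.append("missing $t or explicit trustpoint block")
    lines = [ln.strip() for ln in template.strip().splitlines()]
    if not lines or lines[-1] != "end":
        problems.append("template must finish with 'end'")
    unknown = set(re.findall(r"\$(\w)", template)) - _KNOWN_VARS
    for var in sorted(unknown):
        problems.append(f"unknown variable ${var}")
    return problems


def expand_template(template: str, info: PetitionerInfo,
                    registrar_fqdn: str, cert_chain: str) -> str:
    """Expand the variables into the CLI snippet sent to the petitioner."""
    problems = check_template(template)
    if problems:
        raise ValueError("; ".join(problems))

    # Assumed shape of the $t expansion, modelled on the explicit template
    # shown on the page (enrollment URL, keypair, autoenroll at 70%).
    trustpoint_block = (
        f"crypto ca trustpoint {info.trustpoint}\n"
        f" enrollment url http://{registrar_fqdn}\n"
        f" rsakeypair {info.rsakeypair} {info.key_size}\n"
        f" auto-enroll 70"
    )
    values = {
        "t": trustpoint_block,
        "c": cert_chain,
        "l": info.trustpoint,
        "k": info.rsakeypair,
        "s": str(info.key_size),
        "n": info.introducer,
    }
    # A callable replacement avoids backslash processing of the chain text.
    out = _VAR_RE.sub(lambda m: values[m.group(1)], template)
    return out.replace("<registrar fqdn>", registrar_fqdn)
```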


Table 76 lists the available options for the url argument.

Table 76 Options for the url Argument

Keyword
Description

cns:

Retrieves from the Cisco Networking Services (CNS) configuration engine.

flash:

Retrieves from flash memory.

ftp:

Retrieves from the FTP network server.

http:

Retrieves from an HTTP server (also called a web server).

https:

Retrieves from a Secure HTTP (HTTPS) server.

null:

Retrieves from the file system.

nvram:

Retrieves from the NVRAM of the router.

rcp:

Retrieves from a remote copy (rcp) protocol network server.

scp:

Retrieves from a network server that supports Secure Shell (SSH).

system:

Retrieves from system memory, which includes the running configuration.

tftp:

Retrieves from a TFTP network server.

webflash:

Retrieves from the file system.

xmodem:

Retrieves from a network machine that uses the Xmodem protocol.


Examples

The following example shows how to specify the HTTP URL "http://pki1-36a.cisco.com:80" for the Cisco IOS CLI configuration template, which is sent from the EzSDD registrar to the EzSDD petitioner during the TTI exchange:

crypto wui tti registrar
 pki-server cs1
 template config http://pki1-36a.cisco.com:80

Related Commands

Command
Description

authentication list (tti-registrar)

Authenticates the introducer in an EzSDD operation.

authorization list (tti-registrar)

Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner in an EzSDD operation.

crypto wui tti registrar

Configures a device to become an EzSDD registrar and enters tti-registrar configuration mode.

debug crypto wui

Displays information about an EzSDD operation.

template username

Establishes a template username and password to access the configuration template on the file system.


template username

To establish a template username in which to access the file system, use the template username command in tti-registrar configuration mode.

template username name

Syntax Description

name

Template username.


Defaults

A template username is not established.

Command Modes

tti-registrar configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use the template username command to create a username-based authentication system that allows you to access the configuration template, which is sent from the easy secure device deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.

Examples

The following example shows how to create the username "mycs" to access the configuration template for the TTI exchange:

crypto wui tti registrar
 pki-server cs1
 template username mycs

Related Commands

Command
Description

crypto wui tti registrar

Configures a device to become an EzSDD registrar and enters tti-registrar configuration mode.

template config

Specifies a remote URL for a Cisco IOS CLI configuration template.


test aaa group

To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode.

test aaa group {group-name | radius} username password new-code [profile profile-name]

Syntax Description

group-name

Subset of RADIUS servers that are used as defined by the server group group-name.

radius

Uses RADIUS servers for authentication.

username

Specifies a name for the user.

password

Character string that specifies the password.

new-code

The code path through the new code, which supports a CLID or DNIS user profile association with a RADIUS server.

profile profile-name

(Optional) Identifies the user profile specified in the aaa user profile command. To associate a user profile with the RADIUS server, the user profile name must be identified.


Defaults

If this command is not enabled, DNIS or CLID attribute values will not be sent to the RADIUS server.

Command Modes

Privileged EXEC

Command History

Release
Modification

12.2(4)T

This command was introduced.


Usage Guidelines

Use the test aaa group command to associate a DNIS or CLID named user profile with the record that is sent to the RADIUS server, which can then access DNIS or CLID information when the server receives a RADIUS record.


Note The test aaa group command does not work with TACACS+.


Examples

The following example shows how to configure a dnis = dnisvalue user profile named "prfl1" and associate it with a test aaa group command:

aaa user profile prfl1
  aaa attribute dnis
  aaa attribute dnis dnisvalue
  no aaa attribute clid
! Attribute not found.
  aaa attribute clid clidvalue
  no aaa attribute clid 
  exit
!
! Associate the dnis user profile with the test aaa group command.
test aaa group radius user1 pass new-code profile prfl1

Related Commands

Command
Description

aaa attribute

Adds DNIS or CLID attribute values to a user profile.

aaa user profile

Creates an AAA user profile.


text-color

To set the color of the text on the title bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.

text-color [black | white]

no text-color [black | white]

Syntax Description

black

(Optional) Color of the text is black. This is the default value.

white

(Optional) Color of the text is white.


Defaults

Color of the text is black.

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

This command is limited to only two values to limit the number of icons that are on the toolbar.

Examples

The following example shows that the text color will be white:

text-color white

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


timeout

To override the global TCP idle timeout value for HTTP traffic, use the timeout command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.

timeout seconds

no timeout seconds

Syntax Description

seconds

Idle timeout value. Available range: 5 to 43200 (12 hours).


Defaults

If this command is not issued, the default value specified via the ip inspect tcp idle-time command will be used.

Command Modes

appfw-policy-http configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
  timeout 60
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!

Related Commands

Command
Description

ip inspect tcp idle-time

Specifies the TCP idle timeout (the length of time a TCP session will be managed while there is no activity).


timeout login response

To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. To set the timeout value to 30 seconds (which is the default timeout value), use the no form of this command.

timeout login response seconds

no timeout login response seconds

Syntax Description

seconds

Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds. The default value is 30 seconds.


Defaults

The default login timeout value is 30 seconds.

Command Modes

Line configuration

Command History

Release
Modification

11.3

This command was introduced.


Examples

The following example changes the login timeout value to 60 seconds:

line 10
 timeout login response 60

title

To enter the HTML title string that is shown in the browser title and on the title bar for a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title command in Web VPN configuration mode. To remove the title, use the no form of this command.

title [title-string]

no title [title-string]

Syntax Description

title-string

(Optional) Title string to be displayed in the browser of the user. Limited to 255 characters. The string value may contain 7-bit ASCII values, HTML tags, and escape sequences. The default is "WebVPN Service." If this argument is not configured, a title will not be displayed in the browser of the user.


Defaults

If the title command is not configured, "WebVPN Service" is displayed in the browser of the user.

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

If you type the title command and then press the Enter key, a title will not be displayed on the browser.

If the no form of this command is used, the default title string "WebVPN Service" is displayed in the browser of the user.

Examples

The following example shows that the title will be "Secure Corporate Access: Unauthorized users prohibited."

Router (config)# webvpn
Router (config-webvpn)# title "Secure Corporate Access: Unauthorized users prohibited."

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


title-color

To specify the color of the title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title-color command in Web VPN configuration mode. To remove the color, use the no form of this command.

title-color color

no title-color color

Syntax Description

color

The value can be a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a "#"), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):

\#[0-9A-Fa-f]{6}

\d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)

\w+

The default is purple.


Defaults

Purple

Command Modes

Web VPN configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

If a new color is configured, it will override the color that was already configured.

Examples

The following examples show three ways to configure the title color.

title-color darkseagreen

title-color #8FBC8F

title-color 143,188,143
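As an added example (not Cisco code), the following Python check reproduces the three accepted title-color formats and the 32-character limit described in the syntax description; the hex-digit class for the "#" form is an assumption drawn from the #8FBC8F example.

```python
"""Validator for the title-color value (added example, not Cisco code).

Accepted forms, from the syntax description:
  #RRGGBB                     six hex digits after "#"
  d{1,3},d{1,3},d{1,3}        RGB triple, each component 1..255
  \\w+                         an HTML color name, word characters only
and the whole value is limited to 32 characters.
"""
import re
from typing import Tuple

MAX_LEN = 32
_HEX_RE = re.compile(r"^#[0-9A-Fa-f]{6}$")
_RGB_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3})$")
_NAME_RE = re.compile(r"^\w+$", re.ASCII)   # ASCII assumed for the CLI


def validate_title_color(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate title-color value."""
    if len(value) > MAX_LEN:
        return False, "longer than 32 characters"
    if _HEX_RE.match(value):
        return True, "html hex"
    m = _RGB_RE.match(value)
    if m:
        parts = [int(p) for p in m.groups()]
        # The page gives 1..255 for each component; \d{1,3} alone would
        # also accept 0 and 256..999, so the range check is needed.
        if all(1 <= p <= 255 for p in parts):
            return True, "rgb"
        return False, "rgb component out of range 1..255"
    if _NAME_RE.match(value):
        return True, "html color name"
    return False, "does not match any accepted format"
```

Because the name form is limited to \w+, an accepted value can never contain quotes, spaces or angle brackets, so it cannot break out of the HTML it is written into; the parser does not check that the word is a real HTML color name.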

Related Commands

Command
Description

webvpn

Enters Web VPN configuration mode.


transfer-encoding type

To permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding type command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.

transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]

no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]

Syntax Description

chunked

Encoding format (specified in RFC 2616, Hypertext Transfer Protocol—HTTP/1.1) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.

compress

Encoding format produced by the UNIX "compress" utility.

deflate

"ZLIB" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.

gzip

Encoding format produced by the "gzip" (GNU zip) program.

identity

Default encoding, which indicates that no encoding has been performed.

default

All of the transfer encoding types.

action

Encoding types outside of the specified type are subject to the specified action (reset or allow).

reset

Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.

allow

Forwards the packet through the firewall.

alarm

(Optional) Generates system logging (syslog) messages for the given action.


Defaults

If a given type is not specified, all transfer-encoding types are supported with the reset alarm action.

Command Modes

appfw-policy-http configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Only encoding types specified by the transfer-encoding type command are allowed through the firewall.

Examples

The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.

! Define the HTTP policy.
appfw policy-name mypolicy
 application http
  strict-http action allow alarm
  content-length maximum 1 action allow alarm
  content-type-verification match-req-rsp action allow alarm
  max-header-length request 1 response 1 action allow alarm
  max-uri-length 1 action allow alarm
  port-misuse default action allow alarm
  request-method rfc default action allow alarm
  request-method extension default action allow alarm
  transfer-encoding type default action allow alarm
!
!
! Apply the policy to an inspection rule. 
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
!
!
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
!
!
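An added Python model (not Cisco's firewall code) of the decision the usage guidelines and defaults describe: each Transfer-Encoding token of a message is checked against the configured type rules, the default keyword covers all five types, and any type without a rule gets the reset alarm default. The header tokenisation and the treatment of a missing header as identity are assumptions.

```python
"""Model of `transfer-encoding type ... action {reset|allow} [alarm]`.

Added example, not Cisco code. Policy semantics taken from the page:
  - a rule for a specific type decides that type;
  - `default` stands for all transfer-encoding types;
  - a type with no rule at all gets the page's default: reset with alarm.
Assumptions: a message without Transfer-Encoding is treated as identity,
tokens are comma-separated and case-insensitive, and an encoding name
outside the five known types is treated as an unrecognised type.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KNOWN_TYPES = {"chunked", "compress", "deflate", "gzip", "identity"}


@dataclass(frozen=True)
class Rule:
    action: str        # "reset" or "allow"
    alarm: bool = False


class TransferEncodingPolicy:
    """One `application http` policy's transfer-encoding rules."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def add(self, enc_type: str, action: str, alarm: bool = False) -> None:
        """Mirror one CLI line: transfer-encoding type <enc_type> action ..."""
        if enc_type != "default" and enc_type not in KNOWN_TYPES:
            raise ValueError(f"unknown transfer-encoding type {enc_type!r}")
        if action not in ("reset", "allow"):
            raise ValueError("action must be reset or allow")
        self.rules[enc_type] = Rule(action, alarm)

    def rule_for(self, enc_type: str) -> Rule:
        if enc_type in self.rules:
            return self.rules[enc_type]
        if enc_type in KNOWN_TYPES and "default" in self.rules:
            return self.rules["default"]
        # Page default: types not covered by any rule are reset with alarm.
        return Rule("reset", True)


def parse_transfer_encoding(header_value: Optional[str]) -> List[str]:
    """Split a Transfer-Encoding header into lowercase coding names."""
    if header_value is None or not header_value.strip():
        return ["identity"]
    tokens = []
    for part in header_value.split(","):
        # Drop transfer-extension parameters such as ";q=1" (assumption).
        name = part.split(";", 1)[0].strip().lower()
        if name:
            tokens.append(name)
    return tokens or ["identity"]


def inspect_message(policy: TransferEncodingPolicy,
                    header_value: Optional[str]) -> Tuple[str, bool, str]:
    """Return (action, alarm, detail) for the message's Transfer-Encoding."""
    alarm = False
    for enc in parse_transfer_encoding(header_value):
        rule = policy.rule_for(enc)
        alarm = alarm or rule.alarm
        if rule.action == "reset":
            return "reset", alarm, f"encoding {enc!r} not permitted"
    return "allow", alarm, "all encodings permitted"
```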

trustpoint (tti-petitioner)

To specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the easy secure device deployment (EzSDD) petitioner and the EzSDD registrar, use the trustpoint command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.

trustpoint trustpoint-label

no trustpoint trustpoint-label

Syntax Description

trustpoint-label

Name of trustpoint.


Defaults

If a trustpoint is not specified, a default trustpoint called "tti" is generated.

Command Modes

tti-petitioner configuration

Command History

Release
Modification

12.3(8)T

This command was introduced.


Usage Guidelines

Use the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the EzSDD petitioner.

Examples

The following example shows how to specify the trustpoint "mytrust":

crypto wui tti petitioner
 trustpoint mytrust

After the EzSDD exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration that generates the default trustpoint "tti":

crypto pki trustpoint tti
 enrollment url http://pki1-36a.cisco.com:80 
 revocation-check crl
 rsakeypair tti 1024
 auto-enroll 70 

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.

crypto wui tti petitioner

Configures a device to become an EzSDD petitioner and enters tti-petitioner configuration mode.


trustpoint signing

To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.

trustpoint signing trustpoint-label

no trustpoint signing trustpoint-label

Syntax Description

trustpoint-label

Name of trustpoint.


Defaults

If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.

Command Modes

tti-petitioner configuration

Command History

Release
Modification

12.3(14)T

This command was introduced.


Usage Guidelines

Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint with the petitioner for signing its certificate.

Examples

The following example shows how to specify the trustpoint mytrust:

crypto provisioning petitioner
 trustpoint signing mytrust

After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:

crypto pki trustpoint tti
 enrollment url http://pki1-36a.cisco.com:80 
 revocation-check crl
 rsakeypair tti 1024
 auto-enroll 70 

Related Commands

Command
Description

crypto ca trustpoint

Declares the CA that your router should use.

crypto provisioning petitioner

Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode.

trustpoint (tti-petitioner)

Specifies the trustpoint associated with the SDP exchange between the petitioner and the registrar.


tunnel mode

To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command.

tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | mpls | nos | rbscp}

no tunnel mode

Syntax Description

aurp