Table Of Contents
tacacs-server administration
tacacs-server directed-request
tacacs-server dns-alias-lookup
tacacs-server host
tacacs-server key
tacacs-server packet
tacacs-server timeout
template (identity policy)
template (identity profile)
template config
template username
test aaa group
text-color
timeout
timeout login response
title
title-color
transfer-encoding type
trustpoint (tti-petitioner)
trustpoint signing
tunnel mode
tunnel protection
url-list
url-text
user
username
username secret
view
vlan (local RADIUS server group)
vpdn aaa attribute
vrf (isakmp profile)
webvpn
webvpn enable
wins
wlccp authentication-server client
wlccp authentication-server infrastructure
wlccp wds priority interface
xauth userid mode
tacacs-server administration
To enable the handling of administrative messages by the TACACS+ daemon, use the tacacs-server administration command in global configuration mode. To disable the handling of administrative messages by the TACACS+ daemon, use the no form of this command.
tacacs-server administration
no tacacs-server administration
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
Global configuration
Command History
Release | Modification
Prior to 12.0 | This command was introduced.
Examples
The following example shows that the TACACS+ daemon is enabled to handle administrative messages:
tacacs-server administration
tacacs-server directed-request
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command.
tacacs-server directed-request [restricted] [no-truncate]
no tacacs-server directed-request
Syntax Description
restricted | (Optional) Restricts queries to directed-request servers only.
no-truncate | (Optional) Does not truncate the @hostname from the username.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.
With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host that the user specifies does not match a TACACS+ server that the administrator has configured, the user input is rejected.
Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
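The routing behaviour described above, written out as an added example (this is not code from the Cisco command reference): the function splits a login string at the last "@", sends the request to the named server only if that server is configured, and either truncates the username or (no-truncate) passes the whole string. The server names are constructed, the comparison is an exact string match, and the restricted keyword is not modelled.

```python
# Added example (not from the Cisco command reference): how a login string of
# the form user@host is routed under tacacs-server directed-request. The
# server names are constructed; the restricted keyword is not modelled.

# Constructed list of configured TACACS+ servers, in configuration order.
CONFIGURED_SERVERS = ["tac1.example.net", "tac2.example.net"]


def route_login(login, configured=CONFIGURED_SERVERS, directed_request=True,
                no_truncate=False):
    """Return (server, string_sent) for one login attempt.

    With directed-request enabled, 'user@host' is split: the request goes to
    host, which must be a configured server, and only 'user' is sent unless
    no-truncate is set. Otherwise the whole string goes to the default
    (first configured) server. A ValueError means the input is rejected.
    """
    if not configured:
        raise ValueError("no TACACS+ server configured")
    default = configured[0]

    if not directed_request or "@" not in login:
        # Feature disabled, or nothing to direct: the whole string goes to the
        # default server (the router then walks the list in order).
        return default, login

    user, _, host = login.rpartition("@")
    if host not in configured:
        # Only a configured TACACS+ server may be named after the '@'.
        raise ValueError(f"{host!r} is not a configured TACACS+ server")
    if not user:
        raise ValueError("empty username")
    return host, (login if no_truncate else user)


if __name__ == "__main__":
    print(route_login("alice@tac2.example.net"))
    print(route_login("alice@tac2.example.net", no_truncate=True))
    print(route_login("alice@tac2.example.net", directed_request=False))
```

Note that with the feature disabled the whole "alice@tac2.example.net" string reaches the default server, which is exactly the behaviour a site running its own string-parsing TACACS+ server relies on.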
Examples
The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-request
tacacs-server dns-alias-lookup
To enable IP Domain Name System (DNS) alias lookup for TACACS+ servers, use the tacacs-server dns-alias-lookup command in global configuration mode. To disable IP DNS alias lookup, use the no form of this command.
tacacs-server dns-alias-lookup
no tacacs-server dns-alias-lookup
Syntax Description
This command has no arguments or keywords.
Command Default
IP DNS alias lookup is disabled.
Command Modes
Global configuration
Command History
Release | Modification
Prior to 12.0 | This command was introduced.
Examples
The following example shows that IP DNS alias lookup has been enabled:
tacacs-server dns-alias-lookup
tacacs-server host
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host {host-name | host-ip-address} [key string] [nat] [port [integer]] [single-connection] [timeout [integer]]
no tacacs-server host {host-name | host-ip-address}
Syntax Description
host-name | Name of the host.
host-ip-address | IP address of the host.
key | (Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string | (Optional) Character string specifying the authentication and encryption key.
nat | (Optional) The port Network Address Translation (NAT) address of the client is sent to the TACACS+ server.
port | (Optional) Specifies a TACACS+ server port number. This option overrides the default, which is port 49.
integer | (Optional) Port number of the server. Valid port numbers range from 1 through 65535.
single-connection | (Optional) Maintains a single open connection between the router and the TACACS+ server.
timeout | (Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer | (Optional) Integer value, in seconds, of the timeout interval. The value is from 1 through 1000.
Defaults
No TACACS+ host is specified.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
12.1(11), 12.2(6) | The nat keyword was added.
12.2(8)T | The nat keyword was integrated into Cisco IOS Release 12.2(8)T.
Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, key, single-connection, and nat keywords only when running an AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by giving each server its own key and timeout rather than sharing one global key across all servers.
The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server. The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.
Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_Change
The following example specifies that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure port 51 timeout 3 key a_secret
Related Commands
Command | Description
aaa authentication | Specifies or enables AAA authentication.
aaa authorization | Sets parameters that restrict user access to a network.
aaa accounting | Enables AAA accounting of requested services for billing or security.
ppp | Starts an asynchronous connection using PPP.
slip | Starts a serial connection to a remote host using SLIP.
tacacs-server key | Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key {0 string | 7 string | string}
no tacacs-server key {0 string | 7 string | string}
Syntax Description
0 string | Specifies that an unencrypted key will follow. string is the unencrypted (clear text) shared key.
7 string | Specifies that a hidden key will follow. string is the hidden shared key.
string | The unencrypted (clear text) shared key.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.3(2)T | The 0 string and 7 string keyword and argument pairs were added.
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
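A caveat practitioners should attach to the "7 string" form: the hidden key is stored with the reversible Cisco type-7 obfuscation (a fixed XOR key indexed by a two-digit seed), not with encryption. Anyone who can read the running configuration, a backup, or a TFTP copy of it can recover the shared TACACS+ key. The following added example (not code from the Cisco command reference) implements the decode and encode routines and pulls the key out of a constructed configuration excerpt; the configuration text, the 192.0.2.10 address and the sample key are all constructed.

```python
# Added example (not from the Cisco command reference): the "7 string" form
# of tacacs-server key is reversible type-7 obfuscation, so the shared key can
# be recovered from any copy of the configuration. Sample data is constructed.

# Fixed XOR key of the Cisco type-7 scheme.
_XOR_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def _xor_stream(data, seed):
    # Byte i of the data is XORed with key byte (seed + i) mod len(key).
    return bytes(b ^ _XOR_KEY[(seed + i) % len(_XOR_KEY)]
                 for i, b in enumerate(data))


def type7_decode(hidden):
    """Recover the clear-text key from a type-7 string such as '094F471A1A0A'."""
    if len(hidden) < 2 or len(hidden) % 2:
        raise ValueError("malformed type-7 string")
    seed = int(hidden[:2], 10)          # two decimal digits, 00..15
    if not 0 <= seed <= 15:
        raise ValueError("type-7 seed must be 00..15")
    body = bytes.fromhex(hidden[2:])    # raises ValueError on non-hex input
    return _xor_stream(body, seed).decode("ascii")


def type7_encode(clear, seed=9):
    """Produce the type-7 string IOS would store for a clear-text key."""
    if not 0 <= seed <= 15:
        raise ValueError("type-7 seed must be 00..15")
    return f"{seed:02d}" + _xor_stream(clear.encode("ascii"), seed).hex().upper()


def tacacs_keys_from_config(config):
    """Return the clear-text keys behind every 'tacacs-server key 7 <hex>' line."""
    keys = []
    for line in config.splitlines():
        parts = line.strip().split()
        # The hidden string is hex, so it never contains spaces: exactly 4 tokens.
        if parts[:3] == ["tacacs-server", "key", "7"] and len(parts) == 4:
            keys.append(type7_decode(parts[3]))
    return keys


# Constructed running-config excerpt (address and key are not from the page).
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key 7 094F471A1A0A
"""

if __name__ == "__main__":
    print(tacacs_keys_from_config(SAMPLE_CONFIG))
```

Treat a configuration that contains a type-7 key as containing the key in clear text: protect the file accordingly and rotate the key on both the router and the daemon if a copy leaks.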
Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to go
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
tacacs-server host | Specifies a TACACS+ host.
tacacs-server packet
To modify TACACS+ packet options, use the tacacs-server packet command in global configuration mode. To disable the modified packet options, use the no form of this command.
tacacs-server packet maxsize
no tacacs-server packet
Syntax Description
maxsize | Maximum TACACS+ packet size that is acceptable. The value is from 10240 through 65536.
Command Default
None
Command Modes
Global configuration
Command History
Release | Modification
Prior to 12.0 | This command was introduced.
Examples
The following example shows that the TACACS+ packet size has been set to the minimum value of 10240:
tacacs-server packet 10240
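Two earlier passages, the single-connection keyword of tacacs-server host and the maxsize argument of tacacs-server packet, both concern the TACACS+ packet itself. The following added example (not code from the Cisco command reference) parses the 12-byte TACACS+ header as defined in RFC 8907, rejects packets whose total size exceeds a maxsize limit, reports whether the single-connect flag is set, and applies the MD5 pseudo-pad that obfuscates the body with the shared key from tacacs-server key. The key, session ID and body bytes are constructed.

```python
# Added example (not from the Cisco command reference): TACACS+ header parsing
# with a maxsize check, the single-connect flag, and body obfuscation with
# the shared key (RFC 8907). All packet contents and the key are constructed.
import hashlib
import struct
from dataclasses import dataclass

HEADER_LEN = 12
HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, length
TYPE_NAMES = {1: "authentication", 2: "authorization", 3: "accounting"}
FLAG_UNENCRYPTED = 0x01         # body sent in clear (never in production)
FLAG_SINGLE_CONNECT = 0x04      # peer wants to reuse the TCP connection


@dataclass
class TacacsHeader:
    version: int
    pkt_type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    @property
    def single_connection(self):
        return bool(self.flags & FLAG_SINGLE_CONNECT)


def parse_header(data, maxsize=10240):
    """Parse a TACACS+ header; maxsize mirrors 'tacacs-server packet maxsize'
    (the full packet, header plus body, must fit within it)."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    if version >> 4 != 0xC:
        raise ValueError(f"bad major version {version >> 4:#x}")
    if pkt_type not in TYPE_NAMES:
        raise ValueError(f"unknown packet type {pkt_type}")
    if HEADER_LEN + length > maxsize:
        raise ValueError(f"{HEADER_LEN + length}-byte packet exceeds maxsize {maxsize}")
    return TacacsHeader(version, pkt_type, seq_no, flags, session_id, length)


def pseudo_pad(header, key, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated."""
    prefix = (struct.pack("!I", header.session_id) + key
              + bytes([header.version, header.seq_no]))
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(header, key, body):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    if header.flags & FLAG_UNENCRYPTED:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(header, key, len(body))))


def build_packet(pkt_type, seq_no, session_id, body, key, single_connection=False):
    """Build a complete obfuscated packet (header followed by body)."""
    flags = FLAG_SINGLE_CONNECT if single_connection else 0
    hdr = TacacsHeader(0xC0, pkt_type, seq_no, flags, session_id, len(body))
    raw = struct.pack(HEADER_FMT, hdr.version, hdr.pkt_type, hdr.seq_no,
                      hdr.flags, hdr.session_id, hdr.length)
    return raw + obfuscate_body(hdr, key, body)


if __name__ == "__main__":
    pkt = build_packet(1, 1, 0x11223344, b"constructed START body", b"a_secret",
                       single_connection=True)
    print(parse_header(pkt))
```

The pseudo-pad is keyed only by the shared secret and header fields that travel in the clear, which is why the reference insists the key match on both ends and why a leaked key exposes every recorded session.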
tacacs-server timeout
To set the interval that the router waits for a TACACS+ server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds | Timeout interval in seconds. The value is from 1 through 1000. The default is 5.
Command Default
If the command is not configured, the timeout interval is 5.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Examples
The following example changes the interval timeout to 10 seconds:
Router (config)# tacacs-server timeout 10
template (identity policy)
To specify a virtual template from which commands may be cloned, use the template command in identity policy configuration mode. To disable the virtual template, use the no form of this command.
template {virtual-template template-number}
no template {virtual-template template-number}
Syntax Description
virtual-template | Specifies the virtual template interface that will serve as the configuration clone source for the virtual interface that is dynamically created for authenticated users.
template-number | Template interface number. The value ranges from 1 through 200.
Defaults
A virtual template from which commands may be cloned is not specified.
Command Modes
Identity policy configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
The identity policy command must be entered in global configuration mode before the template command can be used.
Examples
The following example shows that an identity policy and a template have been specified:
Router (config)# identity policy mypolicy
Router (config-identity-policy)# template virtual-template 1
Related Commands
Command | Description
identity policy | Creates an identity policy.
template (identity profile)
To specify a virtual template from which commands may be cloned, use the template command in identity profile configuration mode. To disable the virtual template, use the no form of this command.
template virtual-template
no template virtual-template
Syntax Description
virtual-template | Specifies the virtual template interface that will serve as the configuration clone source for the virtual interface that is dynamically created for authenticated users.
Defaults
A virtual template from which commands may be cloned is not specified.
Command Modes
Identity profile configuration
Command History
Release | Modification
12.3(2)XA | This command was introduced.
12.3(4)T | This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The identity profile command and default keyword must be entered in global configuration mode before the template command can be used.
Examples
The following example shows that a default identity profile and a template have been specified:
Router (config)# identity profile default
Router (config-identity-prof)# template virtual-template1
Related Commands
Command | Description
description | Enters an identity profile description.
device | Statically authorizes or rejects individual devices.
identity profile | Creates an identity profile.
template config
To specify a remote URL for a Cisco IOS command-line interface (CLI) configuration template, use the template config command in tti-registrar configuration mode. To remove the template from the configuration and use the default template, use the no form of this command.
template config url
no template config url
Syntax Description
url | URL from which the configuration template is retrieved. Table 76 lists the supported URL prefixes.
Defaults
A default template will be used.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
Use the template config command to specify a URL in which to retrieve the template that will be sent from the Easy Secure Device Deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.
The default template, which is used if a template is not specified, contains the following commands:
The variable "$t" will be expanded to include a Cisco IOS public key infrastructure (PKI) trustpoint that is configured for autoenrollment with the certificate server of the registrar. The variable "$c" will be expanded into the correct certificate chain for the certificate server of the registrar.
If an external template is specified, it must include the "$t" and "$c" variables to enable the petitioner device to obtain a certificate. The end command must be specified. If you want to specify details about the trustpoint, you can specify a template as follows:
enrollment url http://<registrar fqdn>
Where $l comes from "trustpoint" configured under the petitioner, $k comes from "rsakeypair" under the trustpoint:
crypto wui tti petitioner
 trustpoint mytp
! $l will be replaced by 'mytp.'
crypto ca trustpoint mytp
 rsakeypair mykey
! $k will be replaced by 'mykey.'
Note
The template configuration location may include a variable "$n," which is expanded to the name of the introducer.
Table 76 lists the available options for the url argument.
Table 76 Options for the url Argument
Keyword | Description
cns: | Retrieves from the Cisco Networking Services (CNS) configuration engine.
flash: | Retrieves from flash memory.
ftp: | Retrieves from the FTP network server.
http: | Retrieves from an HTTP server (also called a web server).
https: | Retrieves from a Secure HTTP (HTTPS) server.
null: | Retrieves from the file system.
nvram: | Retrieves from the NVRAM of the router.
rcp: | Retrieves from a remote copy (rcp) protocol network server.
scp: | Retrieves from a network server that supports Secure Shell (SSH).
system: | Retrieves from system memory, which includes the running configuration.
tftp: | Retrieves from a TFTP network server.
webflash: | Retrieves from the file system.
xmodem: | Retrieves from a network machine that uses the Xmodem protocol.
Examples
The following example shows how to specify the HTTP URL "http://pki1-36a.cisco.com:80" for the Cisco IOS CLI configuration template, which is sent from the EzSDD registrar to the EzSDD petitioner during the TTI exchange:
template config http://pki1-36a.cisco.com:80
Related Commands
Command | Description
authentication list (tti-registrar) | Authenticates the introducer in an EzSDD operation.
authorization list (tti-registrar) | Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner in an EzSDD operation.
crypto wui tti registrar | Configures a device to become an EzSDD registrar and enters tti-registrar configuration mode.
debug crypto wui | Displays information about an EzSDD operation.
template username | Establishes a template username and password to access the configuration template on the file system.
template username
To establish a template username with which to access the file system, use the template username command in tti-registrar configuration mode.
template username name
Syntax Description
name | Username used to access the configuration template on the file system.
Defaults
A template username is not established.
Command Modes
tti-registrar configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
Use the template username command to create a username-based authentication system that allows you to access the configuration template, which is sent from the easy secure device deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.
Examples
The following example shows how to create the username "mycs" to access the configuration template for the TTI exchange:
template username mycs
Related Commands
Command | Description
crypto wui tti registrar | Configures a device to become an EzSDD registrar and enters tti-registrar configuration mode.
template config | Specifies a remote URL for a Cisco IOS CLI configuration template.
test aaa group
To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode.
test aaa group {group-name | radius} username password new-code [profile profile-name]
Syntax Description
group-name | Subset of RADIUS servers that are used as defined by the server group group-name.
radius | Uses RADIUS servers for authentication.
username | Specifies a name for the user.
password | Character string that specifies the password.
new-code | The code path through the new code, which supports a CLID or DNIS user profile association with a RADIUS server.
profile profile-name | (Optional) Identifies the user profile specified in the aaa user profile command. To associate a user profile with the RADIUS server, the user profile name must be identified.
Defaults
If this command is not enabled, DNIS or CLID attribute values will not be sent to the RADIUS server.
Command Modes
Privileged EXEC
Command History
Release | Modification
12.2(4)T | This command was introduced.
Usage Guidelines
Use the test aaa group command to associate a DNIS or CLID named user profile with the record that is sent to the RADIUS server, which can then access DNIS or CLID information when the server receives a RADIUS record.
Note
The test aaa group command does not work with TACACS+.
Examples
The following example shows how to configure a user profile named "prfl1" carrying dnis = dnisvalue and clid = clidvalue, and then associate it with a test aaa group command:
aaa user profile prfl1
 aaa attribute dnis dnisvalue
 aaa attribute clid clidvalue
! Associate the dnis user profile with the test aaa group command.
test aaa group radius user1 pass new-code profile prfl1
Related Commands
Command | Description
aaa attribute | Adds DNIS or CLID attribute values to a user profile.
aaa user profile | Creates an AAA user profile.
text-color
To set the color of the text on the title bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.
text-color [black | white]
no text-color [black | white]
Syntax Description
black | (Optional) Color of the text is black. This is the default value.
white | (Optional) Color of the text is white.
Defaults
Color of the text is black.
Command Modes
Web VPN configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
This command is limited to only two values to limit the number of icons that are on the toolbar.
Examples
The following example shows that the text color will be white:
text-color white
Related Commands
Command | Description
webvpn | Enters Web VPN configuration mode.
timeout
To override the global TCP idle timeout value for HTTP traffic, use the timeout command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.
timeout seconds
no timeout seconds
Syntax Description
seconds | Idle timeout value. Available range: 5 to 43200 (12 hours).
Defaults
If this command is not issued, the default value specified via the ip inspect tcp idle-time command will be used.
Command Modes
appfw-policy-http configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
 strict-http action allow alarm
 content-length maximum 1 action allow alarm
 content-type-verification match-req-rsp action allow alarm
 max-header-length request 1 response 1 action allow alarm
 max-uri-length 1 action allow alarm
 port-misuse default action allow alarm
 request-method rfc default action allow alarm
 request-method extension default action allow alarm
 transfer-encoding type default action allow alarm
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
Related Commands
Command | Description
ip inspect tcp idle-time | Specifies the TCP idle timeout (the length of time a TCP session will be managed while there is no activity).
timeout login response
To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. To set the timeout value to 30 seconds (which is the default timeout value), use the no form of this command.
timeout login response seconds
no timeout login response seconds
Syntax Description
seconds | Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds. The default value is 30 seconds.
Defaults
The default login timeout value is 30 seconds.
Command Modes
Line configuration
Command History
Release | Modification
11.3 | This command was introduced.
Examples
The following example changes the login timeout value to 60 seconds:
timeout login response 60
title
To enter the HTML title string that is shown in the browser title and on the title bar for a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title command in Web VPN configuration mode. To remove the title, use the no form of this command.
title [title-string]
no title [title-string]
Syntax Description
title-string | (Optional) Title string to be displayed in the browser of the user. Limited to 255 characters. The string value may contain 7-bit ASCII values, HTML tags, and escape sequences. The default is "WebVPN Service." If the title command is entered without this argument, no title is displayed in the browser of the user.
Defaults
If the title command is not configured, "WebVPN Service" is displayed in the browser of the user.
Command Modes
Web VPN configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
If you type the title command and then press the Enter key, a title will not be displayed on the browser.
If the no form of this command is used, the default title string "WebVPN Service" is displayed in the browser of the user.
Examples
The following example shows the title will be "Secure Corporate Access: Unauthorized users prohibited."
Router (config-webvpn)# title "Secure Corporate Access: Unauthorized users prohibited."
Related Commands
Command | Description
webvpn | Enters Web VPN configuration mode.
title-color
To specify the color of the title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title-color command in Web VPN configuration mode. To remove the color, use the no form of this command.
title-color color
no title-color color
Syntax Description
color | The value can be a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a "#"), or the name of a color that HTML recognizes (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
• #[0-9A-Fa-f]{6}
• \d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
• \w+
The default is purple.
Defaults
Purple
Command Modes
Web VPN configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
If a new color is configured, it will override the color that was already configured.
Examples
The following examples show three ways to configure the title color.
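As an added example (not code from the Cisco command reference), the following validator accepts exactly the three formats listed under the color argument, an HTML "#" value, an RGB triple and a color name, and rejects anything else, including values over 32 characters and RGB components outside the 1 to 255 range the reference states. The sample values fed to it are constructed, and the normalisation to a lower-case "#rrggbb" string is this example's own choice, not documented router behaviour.

```python
# Added example (not from the Cisco command reference): a validator for the
# three title-color formats. The input values are constructed.
import re

# Patterns for the three formats listed under the color argument.
_HEX = re.compile(r"^#[0-9A-Fa-f]{6}$")
_RGB = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3})$")
_NAME = re.compile(r"^\w+$")          # HTML color name, no spaces


def validate_title_color(value):
    """Return a normalised color string or raise ValueError.

    Normalisation (lower-case, RGB rendered as #rrggbb) is a convenience of
    this example; the router itself only accepts or rejects the value."""
    if len(value) > 32:
        raise ValueError("title-color value is limited to 32 characters")
    if _HEX.match(value):
        return value.lower()
    m = _RGB.match(value)
    if m:
        parts = [int(p) for p in m.groups()]
        # Range as stated in the reference (1..255).
        if not all(1 <= p <= 255 for p in parts):
            raise ValueError("each RGB component must be 1..255")
        return "#" + "".join(f"{p:02x}" for p in parts)
    if _NAME.match(value):
        return value.lower()
    raise ValueError(f"unrecognised color value {value!r}")


if __name__ == "__main__":
    for v in ("#800080", "128,1,128", "purple"):   # constructed sample values
        print(v, "->", validate_title_color(v))
```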
Related Commands
Command | Description
webvpn | Enters Web VPN configuration mode.
transfer-encoding type
To permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding type command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
Syntax Description
chunked | Encoding format (specified in RFC 2616, Hypertext Transfer Protocol—HTTP/1.1) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.
compress | Encoding format produced by the UNIX "compress" utility.
deflate | "ZLIB" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.
gzip | Encoding format produced by the "gzip" (GNU zip) program.
identity | Default encoding, which indicates that no encoding has been performed.
default | All of the transfer encoding types.
action | Specifies the action (reset or allow) taken for the specified encoding type. Encoding types that are not configured with this command are subject to the default action (reset with alarm).
reset | Sends a TCP reset notification to the client or server if the HTTP message fails the mode inspection.
allow | Forwards the packet through the firewall.
alarm | (Optional) Generates system logging (syslog) messages for the given action.
Defaults
If a given type is not specified, all transfer-encoding types are supported with the reset alarm action.
Command Modes
appfw-policy-http configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
Only encoding types specified by the transfer-encoding type command are allowed through the firewall.
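The allow/reset logic the guideline describes, as an added example (not code from the Cisco command reference): a policy is built from the (type, action, alarm) triples one would type after transfer-encoding type, with default expanding to every known type; each message's Transfer-Encoding tokens are then checked against it, and any token with no configured rule gets the implicit reset-with-alarm default from the Defaults section. The HTTP messages are constructed, the alarm text is this example's own wording rather than a real syslog message, and treating a message with no Transfer-Encoding header as identity is an assumption.

```python
# Added example (not from the Cisco command reference): the allow/reset
# decision behind 'transfer-encoding type' applied to constructed HTTP
# messages. Alarm strings are this example's own, not IOS syslog text.

KNOWN_TYPES = {"chunked", "compress", "deflate", "gzip", "identity"}
DEFAULT_RULE = ("reset", True)      # unconfigured type: reset with alarm


def parse_transfer_encodings(message):
    """Return lower-cased Transfer-Encoding tokens from an HTTP message's
    header block; RFC 2616 allows a comma list and repeated header lines."""
    head = message.split("\r\n\r\n", 1)[0]
    tokens = []
    for line in head.split("\r\n")[1:]:           # skip the request/status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "transfer-encoding":
            tokens += [t.strip().lower() for t in value.split(",") if t.strip()]
    return tokens


def build_policy(rules):
    """rules: iterable of (type, action, alarm) as given on the command line.
    'default' expands to all known types; later rules override earlier ones."""
    policy = {}
    for enc_type, action, alarm in rules:
        if action not in ("allow", "reset"):
            raise ValueError(f"bad action {action!r}")
        targets = KNOWN_TYPES if enc_type == "default" else {enc_type}
        for t in targets:
            policy[t] = (action, alarm)
    return policy


def inspect(message, policy):
    """Return ('allow' | 'reset', [alarm strings]) for one HTTP message.
    Assumption: no Transfer-Encoding header means the identity encoding."""
    encodings = parse_transfer_encodings(message) or ["identity"]
    verdict, alarms = "allow", []
    for enc in encodings:
        action, alarm = policy.get(enc, DEFAULT_RULE)
        if alarm:
            alarms.append(f"transfer-encoding {enc}: {action}")
        if action == "reset":
            verdict = "reset"      # one failing token resets the session
    return verdict, alarms


# Constructed sample messages.
MSG_CHUNKED = ("POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
MSG_COMPRESS = ("HTTP/1.1 200 OK\r\nTransfer-Encoding: compress\r\n\r\n")
MSG_MIXED = ("HTTP/1.1 200 OK\r\nTransfer-Encoding: gzip, chunked\r\n\r\n")
MSG_PLAIN = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

# Policy equivalent to:
#   transfer-encoding type chunked action allow alarm
#   transfer-encoding type gzip action allow
STRICT_POLICY = build_policy([("chunked", "allow", True), ("gzip", "allow", False)])
# Policy equivalent to the page's example line:
#   transfer-encoding type default action allow alarm
PERMISSIVE_POLICY = build_policy([("default", "allow", True)])

if __name__ == "__main__":
    for msg in (MSG_CHUNKED, MSG_COMPRESS, MSG_MIXED, MSG_PLAIN):
        print(inspect(msg, STRICT_POLICY))
```

With STRICT_POLICY the identity encoding is not configured, so even a plain request with no Transfer-Encoding header is reset; a deployable policy has to list identity (or use default) explicitly.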
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.
appfw policy-name mypolicy
 strict-http action allow alarm
 content-length maximum 1 action allow alarm
 content-type-verification match-req-rsp action allow alarm
 max-header-length request 1 response 1 action allow alarm
 max-uri-length 1 action allow alarm
 port-misuse default action allow alarm
 request-method rfc default action allow alarm
 request-method extension default action allow alarm
 transfer-encoding type default action allow alarm
! Apply the policy to an inspection rule.
ip inspect name firewall appfw mypolicy
ip inspect name firewall http
! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.
interface FastEthernet0/0
 ip inspect firewall in
trustpoint (tti-petitioner)
To specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the easy secure device deployment (EzSDD) petitioner and the EzSDD registrar, use the trustpoint command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
trustpoint trustpoint-label
no trustpoint trustpoint-label
Syntax Description
trustpoint-label | Name of the trustpoint.
Defaults
If a trustpoint is not specified, a default trustpoint called "tti" is generated.
Command Modes
tti-petitioner configuration
Command History
Release | Modification
12.3(8)T | This command was introduced.
Usage Guidelines
Use the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the EzSDD petitioner.
Examples
The following example shows how to specify the trustpoint "mytrust":
crypto wui tti petitioner
 trustpoint mytrust
After the EzSDD exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration which generates the default trustpoint "tti":
crypto pki trustpoint tti
enrollment url http://pki1-36a.cisco.com:80
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
crypto wui tti petitioner | Configures a device to become an EzSDD petitioner and enters tti-petitioner configuration mode.
trustpoint signing
To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
trustpoint signing trustpoint-label
no trustpoint signing trustpoint-label
Syntax Description
trustpoint-label | Name of the trustpoint.
Defaults
If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.
Command Modes
tti-petitioner configuration
Command History
Release | Modification
12.3(14)T | This command was introduced.
Usage Guidelines
Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint, and the certificate under it, with the petitioner for signing its introduction data.
Examples
The following example shows how to specify the trustpoint mytrust:
crypto provisioning petitioner
trustpoint signing mytrust
After the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint tti
enrollment url http://pki1-36a.cisco.com:80
Related Commands
Command | Description
crypto ca trustpoint | Declares the CA that your router should use.
crypto provisioning petitioner | Configures a device to become an SDP petitioner and enters tti-petitioner configuration mode.
trustpoint (tti-petitioner) | Specifies the trustpoint associated with the SDP exchange between the petitioner and the registrar.
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 | mpls | nos | rbscp}
no tunnel mode
Syntax Description