-
Cisco IOS Security Command Reference, Release 12.3 T
-
Introduction
-
Security Commands: aaa accounting through access-template
-
Security Commands: accounting through clear ip ips statistics
-
Security Commands: clear ip sdee through crypto isakmp nat keepalive
-
Security Commands: crypto key decrypt rsa through ctype
-
Security Commands: D through evaluate
-
Security Commands: fingerprint through ip ips signature disable
-
Security Commands: ip port-map through issuer name
-
Security Commands: keepalive (isakmp profile) through outgoing
-
Security Commands: parameter through quit
-
Security Commands: radius-server attribute 11 direction default through rsa-pubkey
-
Security Commands: save-password through show crypto ipsec transform-set
-
Security Commands: show crypto isakmp key through subject-name
-
Security Commands: tacacs-server administration through xauth userid mode
-
Table Of Contents
tacacs-server directed-request
tacacs-server dns-alias-lookup
vlan (local RADIUS server group)
wlccp authentication-server client
wlccp authentication-server infrastructure
tacacs-server administration
To enable the handling of administrative messages by the TACACS+ daemon, use the tacacs-server administration command in global configuration mode. To disable the handling of administrative messages by the TACACS+ daemon, use the no form of this command.
tacacs-server administration
no tacacs-server administration
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
Global configuration
Command History
Examples
The following example shows that the TACACS+ daemon is enabled to handle administrative messages:
tacacs-server administrationtacacs-server directed-request
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command.
tacacs-server directed-request [restricted] [no-truncate]
no tacacs-server directed-request
Syntax Description
restricted
(Optional) Restrict queries to directed request servers only.
no-truncate
(Optional) Do not truncate the @hostname from the username.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.
With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.
Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
Examples
The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-requesttacacs-server dns-alias-lookup
To enable IP Domain Name System (DNS) alias lookup for TACACS+ servers, use the command in global configuration mode. To disable IP DNS alias lookup, use the no form of this command.
tacacs-server dns-alias-lookup
no tacacs-server dns-alias-lookup
Syntax Description
This command has no arguments or keywords.
Command Default
IP DNS alias lookup is disabled.
Command Modes
global configuration
Command History
Examples
The following example shows that IP DNS alias lookup has been enabled:
tacacs-server dns-alias-lookuptacacs-server host
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host {host-name | host-ip-address} [key string] [nat] [port [integer]] [single-connection] [timeout [integer]]
no tacacs-server host {host-name | host-ip-address}
Syntax Description
Defaults
No TACACS+ host is specified.
Command Modes
Global configuration
Command History
10.0
This command was introduced.
12.1(11), 12.2(6)
The nat keyword was added.
12.2(8)T
The nat keyword was integrated into Cisco IOS Release 12.2(8)T.
Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, key, single-connection, and nat keywords only when running a AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.
The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server. The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.
Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_ChangeThe following example specifies that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure port 51 timeout 3 key a_secretRelated Commands
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key {0 string | 7 string | string}
no tacacs-server key {0 string | 7 string | string}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
11.1
This command was introduced.
12.3(2)T
The 0 string and 7 string keyword and argument pairs were added.
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to goRelated Commands
aaa new-model
Enables the AAA access control model.
tacacs-server host
Specifies a TACACS+ host.
tacacs-server packet
To modify TACACS+ packet options, use the tacacs-server packet command in global configuration mode. To disable the modified packet options, use the no form of this command.
tacacs-server packet maxsize
no tacacs-server packet
Syntax Description
Command Default
None
Command Modes
Global configuration
Command History
Examples
The following example shows that the TACACS+ packet size has been set to the minimum value of 10240:
tacacs-server packet 10240tacacs-server timeout
To set the interval for which the server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
Command Default
If the command is not configured, the timeout interval is 5.
Command Modes
Global configuration
Command History
Examples
The following example changes the interval timeout to 10 seconds:
Router (config)# tacacs-server timeout 10template (identity policy)
To specify a virtual template from which commands may be cloned, use the template command in identity policy configuration mode. To disable the virtual template, use the no form of this command.
template {virtual-template template-number}
no template {virtual-template template-number}
Syntax Description
Defaults
A virtual template from which commands may be cloned is not specified.
Command Modes
Identity policy configuration
Command History
Usage Guidelines
The identity policy command must be entered in global configuration mode before the template command can be used.
Examples
The following example shows that an identity policy and a template have been specified:
Router (config)# identity policy mypolicyRouter (config-identity-policy)# template virtual-template 1Related Commands
template (identity profile)
To specify a virtual template from which commands may be cloned, use the template command in identity profile configuration mode. To disable the virtual template, use the no form of this command.
template virtual-template
no template virtual-template
Syntax Description
virtual-template
Specifies the virtual template interface that will serve as the configuration clone source for the virtual interface that is dynamically created for authenticated users.
Defaults
A virtual template from which commands may be cloned is not specified.
Command Modes
Identity profile configuration
Command History
12.3(2)XA
This command was introduced.
12.3(4)T
This command was integrated into Cisco IOS Release 12.3(4)T.
Usage Guidelines
The identity profile command and default keyword must be entered in global configuration mode before the template command can be used.
Examples
The following example shows that a default identity profile and a template have been specified:
Router (config)# identity profile defaultRouter (config-identity-prof)# template virtualtemplate1Related Commands
description
Enters an identity profile description.
device
Statically authorizes or rejects individual devices.
identity profile
Creates an identity profile.
template config
To specify a remote URL for a Cisco IOS command-line interface (CLI) configuration template, use the template config command in tti-registrar configuration mode. To remove the template from the configuration and use the default template, use the no form of this command.
template config url
no template config url
Syntax Description
url
One of the keywords in Table 76.
Defaults
A default template will be used.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
Use the template config command to specify a URL in which to retrieve the template that will be sent from the Easy Secure Device Deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.
The default template, which is used if a template is not specified, contains the following commands:
!$t!$c!endThe variable "$t" will be expanded to include a Cisco IOS public key infrastructure (PKI) trustpoint that is configured for autoenrollment with the certificate server of the registrar. The variable "$c" will be expanded into the correct certificate chain for the certificate server of the registrar.
If an external template is specified, it must include the "$t" and "$c" variables to enable the petitioner device to obtain a certificate. The end command must be specified. If you want to specify details about the trustpoint, you can specify a template as follows:
!crypto ca trustpoint $lenrollment url http://<registrar fqdn>rsakeypair $k $sauto-enroll 70!$cendWhere $l comes from "trustpoint" configured under the petitioner, $k comes from "rsakeypair" under the trustpoint:
! $l will be replaced by 'mytp.'crypto wui tti petitionertrustpoint mytp! $k will be replaced by 'mykey.'crypto ca trustpoint mytprsakeypair mykey!
Note
The template configuration location may include a variable "$n," which is expanded to the name of the introducer.
Table 76 lists the available options for the url argument.
Examples
The following example shows how to specify the HTTP URL "http://pki1-36a.cisco.com:80" for the Cisco IOS CLI configuration template, which is sent from the EzSDD registrar to the EzSDD petitioner during the TTI exchange:
crypto wui tti registrarpki-server cs1template config http://pki1-36a.cisco.com:80Related Commands
template username
To establish a template username in which to access the file system, use the template username command in tti-registrar configuration mode.
template username name
Syntax Description
Defaults
A template username is not established.
Command Modes
tti-registrar configuration
Command History
Usage Guidelines
Use the template username command to create a username-based authentication system that allows you to access the configuration template, which is sent from the easy secure device deployment (EzSDD) registrar to the EzSDD petitioner during the Trusted Transitive Introduction (TTI) exchange.
Examples
The following example shows how to create the username "mycs" to access the configuration template for the TTI exchange:
crypto wui tti registrarpki-server cs1template username mycsRelated Commands
test aaa group
To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server, use the test aaa group command in privileged EXEC mode.
test aaa group {group-name | radius} username password new-code [profile profile-name]
Syntax Description
Defaults
If this command is not enabled, DNIS or CLID attribute values will not be sent to the RADIUS server.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the test aaa group command to associate a DNIS or CLID named user profile with the record that is sent to the RADIUS server, which can then access DNIS or CLID information when the server receives a RADIUS record.
Note
Examples
The following example shows how to configure a dnis = dnisvalue user profile named "prfl1" and associate it with a test aaa group command:
aaa user profile prfl1aaa attribute dnisaaa attribute dnis dnisvalueno aaa attribute clid! Attribute not found.aaa attribute clid clidvalueno aaa attribute clidexit!! Associate the dnis user profile with the test aaa group command.test aaa group radius user1 pass new-code profile prfl1Related Commands
aaa attribute
Adds DNIS or CLID attribute values to a user profile.
aaa user profile
Creates an AAA user profile.
text-color
To set the color of the text on the title bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.
text-color [black | white]
no text-color [black | white]
Syntax Description
black
(Optional) Color of the text is black. This is the default value
white
(Optional) Color of the text is white.
Defaults
Color of the text is black.
Command Modes
Web VPN configuration
Command History
Usage Guidelines
This command is limited to only two values to limit the number of icons that are on the toolbar.
Examples
The following example shows that the text color will be white:
text-color whiteRelated Commands
timeout
To override the global TCP idle timeout value for HTTP traffic, use the timeout command in appfw-policy-http configuration mode. To return to the default value, use the no form of this command.
timeout seconds
no timeout seconds
Syntax Description
Defaults
If this command is not issued, the default value specified via the ip inspect tcp idle-time command will be used.
Command Modes
appfw-policy-http configuration
Command History
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.appfw policy-name mypolicyapplication httpstrict-http action allow alarmcontent-length maximum 1 action allow alarmcontent-type-verification match-req-rsp action allow alarmmax-header-length request 1 response 1 action allow alarmmax-uri-length 1 action allow alarmport-misuse default action allow alarmrequest-method rfc default action allow alarmrequest-method extension default action allow alarmtransfer-encoding type default action allow alarmtimeout 60!!! Apply the policy to an inspection rule.ip inspect name firewall appfw mypolicyip inspect name firewall http!!! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.interface FastEthernet0/0ip inspect firewall in!!Related Commands
ip inspect tcp idle-time
Specifies the TCP idle timeout (the length of time a TCP session will be managed while there is no activity).
timeout login response
To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login response command in line configuration mode. To set the timeout value to 30 seconds (which is the default timeout value), use the no form of this command.
timeout login response seconds
no timeout login response seconds
Syntax Description
seconds
Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds. The default value is 30 seconds.
Defaults
The default login timeout value is 30 seconds.
Command Modes
Line configuration
Command History
Examples
The following example changes the login timeout value to 60 seconds:
line 10timeout login response 60title
To enter the HTML title string that is shown in the browser title and on the title bar for a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title command in Web VPN configuration mode. To remove the title, use the no form of this command.
title [title-string]
no title [title-string]
Syntax Description
Defaults
If the title command is not configured, "WebVPN Service" is displayed in the browser of the user.
Command Modes
Web VPN configuration
Command History
Usage Guidelines
If you type the title command and then press the Enter key, a title will not be displayed on the browser.
If the no form of this command is used, the default title string "WebVPN Service" is displayed in the browser of the user.
Examples
The following example shows the title will be "Secure Corporate Access: Unauthorized users prohibited."
Router (config)# webvpnRouter (config-webvpn)# title "Secure Corporate Access: Unauthorized users prohibited."Syntax Description
title-color
To specify the color of the title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the title-color command in Web VPN configuration mode. To remove the color, use the no form of this command.
title-color color
no title-color color
Syntax Description
Defaults
Purple
Command Modes
Web VPN configuration
Command History
Usage Guidelines
If a new color is configured, it will override the color that was already configured.
Examples
The following examples show three ways to configure the title color.
title-color darkseagreentitle-color #8FBC8Ftitle-color 143,188,143Related Commands
transfer-encoding type
To permit or deny HTTP traffic according to the specified transfer-encoding of the message, use the transfer-encoding type command in appfw-policy-http configuration mode. To disable this inspection parameter, use the no form of this command.
transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
no transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
Syntax Description
Defaults
If a given type is not specified, all transfer-encoding types are supported with the reset alarm action.
Command Modes
appfw-policy-http configuration
Command History
Usage Guidelines
Only encoding types specified by the transfer-encoding-type command are allowed through the firewall.
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy.appfw policy-name mypolicyapplication httpstrict-http action allow alarmcontent-length maximum 1 action allow alarmcontent-type-verification match-req-rsp action allow alarmmax-header-length request 1 response 1 action allow alarmmax-uri-length 1 action allow alarmport-misuse default action allow alarmrequest-method rfc default action allow alarmrequest-method extension default action allow alarmtransfer-encoding type default action allow alarm!!! Apply the policy to an inspection rule.ip inspect name firewall appfw mypolicyip inspect name firewall http!!! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface.interface FastEthernet0/0ip inspect firewall in!!trustpoint (tti-petitioner)
To specify the trustpoint that is to be associated with the Trusted Transitive Introduction (TTI) exchange between the easy secure device deployment (EzSDD) petitioner and the EzSDD registrar, use the trustpoint command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
trustpoint trustpoint-label
no trustpoint trustpoint-label
Syntax Description
Defaults
If a trustpoint is not specified, a default trustpoint called "tti" is generated.
Command Modes
tti-petitioner configuration
Command History
Usage Guidelines
Use the trustpoint command in tti-petitioner configuration mode to associate a trustpoint with the EzSDD petitioner.
Examples
The following example shows how specify the trustpoint "mytrust":
crypto wui tti petitionertrustpoint mytrustAfter the EzSDD exchange is complete, the petitioner will automatically enroll with the registrar and obtain a certificate. The following sample output from the show running-config command shows an automatically generated configuration which generates the default trustpoint "tti":
crypto pki trustpoint ttienrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
trustpoint signing
To specify the trustpoint and associated certificate to be used when signing all introduction data during the Secure Device Provisioning (SDP) exchange, use the trustpoint signing command in tti-petitioner configuration mode. To change the specified trustpoint or use the default trustpoint, use the no form of this command.
trustpoint signing trustpoint-label
no trustpoint signing trustpoint-label
Syntax Description
Defaults
If a trustpoint is not specified, any existing device certificate is used. If none is available, a self-signed certificate is generated.
Command Modes
tti-petitioner configuration
Command History
Usage Guidelines
Use the trustpoint signing command in tti-petitioner configuration mode to associate a specific trustpoint with the petitioner for signing its certificate.
Examples
The following example shows how to specify the trustpoint mytrust:
crypto provisioning petitionertrustpoint signing mytrustAfter the SDP exchange is complete, the petitioner automatically enrolls with the registrar and obtains a certificate. The following sample output from the show running-config command shows an automatically generated configuration with the default trustpoint tti:
crypto pki trustpoint ttienrollment url http://pki1-36a.cisco.com:80revocation-check crlrsakeypair tti 1024auto-enroll 70Related Commands
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode command in interface configuration mode. To restore the default mode, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre | gre multipoint | gre ipv6 | ipip [decapsulate-any] | ipsec ipv4 | iptalk | ipv6 |mpls | nos | rbscp}
no tunnel mode
Syntax Description
Defaults
GRE tunneling
Command Modes
Interface configuration
Command History
Usage Guidelines
Source and Destination Address
You cannot have two tunnels that use the same encapsulation mode with exactly the same source and destination address. The work around is to create a loopback interface and source packets off of the loopback interface.
Cayman Tunneling
Designed by Cayman Systems, Cayman tunneling implements tunneling to enable Cisco routers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between a Cisco router and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address.
DVMRP
Use DVMRP when a router connects to an mrouted router to run DVMRP over a tunnel. You must configure Protocol Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
GRE with AppleTalk
GRE tunneling can be done between Cisco routers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. Using the AppleTalk network address you can ping the other end of the tunnel to check the connection.
Multipoint GRE
After enabling mGRE tunneling, you can enable the tunnel protection command, which allows you to associate the mGRE tunnel with an IP Security (IPSec) profile. Combining mGRE tunnels and IPSec encryption allows a single mGRE interface to support multiple IPSec tunnels, thereby simplifying the size and complexity of the configuration.
Note
RBSCP
RBSCP tunneling is designed for wireless or long-distance delay links with high error rates, such as satellite links. Using tunnels, RBSCP can improve the performance of certain IP protocols, such as TCP and IPSec, over satellite links without breaking the end-to-end model.
Examples
Cayman Tunneling
The following example shows how to enable Cayman tunneling:
Router(config)# interface tunnel 0Router(config-if)# tunnel source ethernet 0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode caymanGRE Tunneling
The following example shows how to enable GRE tunneling:
Router(config)# interface tunnel 0Router(config-if)# appletalk cable-range 4160-4160 4160.19Router(config-if)# appletalk zone EngineeringRouter(config-if)# tunnel source ethernet0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode greIPSec in IPv4 Transport
The following example shows how to configure a tunnel using IPSec encapsulation with IPv4 as the transport mechanism.
Router(config)# crypto ipsec profile PROF
Router(config)# set transform tset
!
Router(config)# interface Tunnel0
Router(config-if)# ip address 1.1.1.1 255.255.255.0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel source Loopback0
Router(config-if)# tunnel destination 172.1.1.1
Router(config-if)# tunnel protection ipsec profile PROF
Multipoint GRE Tunneling
The following example shows how to enable mGRE tunneling:
interface Tunnel0bandwidth 1000ip address 10.0.0.1 255.255.255.0! Ensures longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly.ip mtu 1416! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface.no ip split-horizon eigrp 1no ip next-hop-self eigrp 1delay 1000! Sets IPSec peer address to Ethernet interface's public address.tunnel source Ethernet0tunnel mode gre multipoint! The following line must match on all nodes that want to use this mGRE tunnel.tunnel key 100000tunnel protection ipsec profile vpnprofRBSCP Tunneling
The following example shows how to enable RBSCP tunneling:
Router(config)# interface tunnel 0Router(config-if)# tunnel source ethernet 0Router(config-if)# tunnel destination 10.108.164.19Router(config-if)# tunnel mode rbscpRelated Commands
tunnel protection
To associate a tunnel interface with an IP Security (IPSec) profile, use the tunnel protection command in interface configuration mode. To disassociate a tunnel with an IPSec profile, use the no form of this command.
tunnel protection ipsec profile name [shared]
no tunnel protection ipsec profile name [shared]
Syntax Description
Defaults
Tunnel interfaces are not associated with IPSec profiles.
Command Modes
Interface configuration
Command History
12.2(13)T
This command was introduced.
12.3(5)T
The shared keyword was added through DDTS CSCec28392.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
Use the tunnel protection command to specify that IPSec encryption will be performed after the GRE has been added to the tunnel packet. The tunnel protection command can be used with multipoint GRE (mGRE) and point-to-point GRE (p-pGRE) tunnels. With p-pGRE tunnels, the tunnel destination address will be used as the IPSec peer address. With mGRE tunnels, multiple IPSec peers are possible; the corresponding Next Hop Resolution Protocol (NHRP) mapping nonbroadcast multiaccess (NBMA) destination addresses will be used as the IPSec peer addresses.
The shared Keyword
If you wish to configure two Dynamic Multipoint VPN (DMVPN) mGRE and IPSec tunnels on the same router with the same local endpoint (tunnel source) configuration, you must issue the shared keyword.
The dynamic crypto map that is created by the tunnel protection command is always different from a crypto map that is configured directly on the interface.
Note
supported in combination with the tunnel protection command.Examples
The following example shows how to associate the IPSec profile "vpnprof" with an mGRE tunnel interface. In this example, the IPSec source peer address will be the IP address from Ethernet interface 0. There is a static NHRP mapping from IP address 10.0.0.3 to IP address 172.16.2.1, so for this NHRP mapping the IPSec destination peer address will be 172.16.2.1. The IPSec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address. Other NHRP mappings (static or dynamic) will automatically create additional IPSec security associations (SAs) with the same source peer address and the destination peer address from the NHRP mapping. The IPSec proxy for these NHRP mappings will be as follows: permit gre host ethernet0-ip-address host NHRP-mapping-NBMA-address.
crypto ipsec profile vpnprofset transform-set trans2!interface Tunnel0bandwidth 1000ip address 10.0.0.1 255.255.255.0! Ensures that longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly.ip mtu 1416ip nhrp authentication donttellip nhrp map multicast dynamicip nhrp network-id 99ip nhrp holdtime 300! Turns off split horizon on the mGRE tunnel interface; otherwise, EIGRP will not ! advertise routes that are learned via the mGRE interface back out that interface.no ip split-horizon eigrp 1no ip next-hop-self eigrp 1delay 1000! Sets the IPSec peer address to the Ethernet interface's public address.tunnel source Ethernet0tunnel mode gre multipoint! The following line must match on all nodes that want to use this mGRE tunnel.tunnel key 100000tunnel protection ipsec profile vpnprofThe following example shows how to associate the IPSec profile "vpnprof" with a p-pGRE tunnel interface. In this example, the IPSec source peer address will be the IP address from Ethernet interface 0. The IPSec destination peer address will be 172.16.1.10 (per the tunnel destination address command). The IPSec proxy will be as follows: permit gre host ethernet0-ip-address host ip-address.
interface Tunnel1 ip address 10.0.1.1 255.255.255.252 ! Ensures that longer packets are fragmented before they are encrypted; otherwise, the ! receiving router would have to do the reassembly. ip mtu 1420 tunnel source Ethernet0 tunnel destination 172.16.1.10 tunnel protection ipsec profile vpnprofRelated Commands
url-list
To configure the list of URLs to which a user has access on the portal page of a Secure Sockets Layer Virtual Private Network (SSLVPN) and to enter URL configuration mode, use the url-list command in Web VPN configuration mode. To remove a URL, use the no form of this command.
url-list list-name
no url-list list-name
Syntax Description
Defaults
A URL is not shown on the portal page.
Command Modes
Web VPN configuration
Command History
Examples
The following example shows that the URL list name is Mylist:
url-list MylistRelated Commands
url-text
To set the text of the link that is to be displayed on the portal page and the URL that is under the link, use the url-text command in Web VPN URL configuration mode. To remove the text and URL or the text or URL, use the no form of this command.
url-text text url-value URL
no url-text text url-value URL
Syntax Description
Command Modes
Web VPN URL configuration
Command History
Usage Guidelines
There is no checking performed on the URL text or URL value before it is added to the URL list. It is up to the administrator to verify the effect of this command on the portal page.
Examples
The following example shows that the text for the link to be displayed on the portal page is "ENG" and that the URL is "Mycompany.com":
Router (config)# webvpnRouter (config-webvpn)# url-list englistRouter (config-webvpn-url)# heading EngineeringRouter (config-webvpn-url)# url-text ENG url-value http://www.Mycompany.comRelated Commands
user
To enter the names of users that are allowed to authenticate using the local authentication server, use the user command in local RADIUS server configuration mode. To remove the username and password from the local RADIUS server, use the no form of this command.
user username {password | nthash} password [group group-name]
no user username {password | nthash} password [group group-name]
Syntax Description
Defaults
If no group name is entered, the user is not assigned to a VLAN and is never required to reauthenticate.
Command Modes
Local RADIUS server configuration
Command History
Usage Guidelines
If you do not know the user password, look up the NT value of the password in the authentication server database, and enter the NT hash as a hexadecimal string.
Examples
The following example shows that user "user1" has been allowed to authenticate using the local authentication server (using the password "userisok"). The user will be added to the group "team1":
user user1 password userisok group team1Related Commands
username
To establish a username-based authentication system, use the username command in global configuration mode. Use the no form of this command to remove an established username-based authentication.
username name {nopassword | password password | password encryption-type encrypted-password}
username name password secret
username name [access-class number]
username name [autocommand command]
username name [callback-dialstring telephone-number]
username name [callback-rotary rotary-group-number]
username name [callback-line [tty] line-number [ending-line-number]]
username name dnis
username name [nocallback-verify]
username name [noescape] [nohangup]
username name [privilege level]
username name user-maxlinks number
username [lawful-intercept] name [privilege privilege-level | view view-name] password password
no username name
Syntax Description
Defaults
No username-based authentication system is established.
Command Modes
Global configuration
Command History
Usage Guidelines
The username command provides username or password authentication, or both, for login purposes only.
Multiple username commands can be used to specify options for a single user.
Add a username entry for each remote system with which the local router communicates and from which it requires authentication. The remote device must have a username entry for the local router. This entry must have the same password as the local router's entry for that remote device.
This command can be useful for defining usernames that get special treatment. For example, you can use this command to define an "info" username that does not require a password but connects the user to a general purpose information service.
The username command is required as part of the configuration for the Challenge Handshake Authentication Protocol (CHAP). Add a username entry for each remote system from which the local router requires authentication.
Note
Note
Note
CLI and Lawful Intercept Views
Both CLI views and lawful intercept views restrict access to specified commands and configuration information. A lawful intercept view allows a user to secure access to lawful intercept commands that are held within the TAP-MIB, which is a special set of simple network management protocol (SNMP) commands that stores information about calls and users.
Users who are specified via the lawful-intercept keyword are placed in the lawful-intercept view, by default, if no other privilege level or view name has been explicitly specified.
If there is no secret specified and the debug serial-interface command is enabled, an error is displayed when a link is established and the CHAP challenge is not implemented. CHAP debugging information is available using the debug ppp negotiation, debug serial-interface, and debug serial-packet commands. For more information about debug commands, refer to the Cisco IOS Debug
Command Reference.Examples
The following example implements a service similar to the UNIX who command, which can be entered at the login prompt and lists the current users of the router:
username who nopassword nohangup autocommand show usersThe following example implements an information service that does not require a password to be used. The command takes the following form:
username info nopassword noescape autocommand telnet nic.ddn.milThe following example implements an ID that works even if all the TACACS+ servers break. The command takes the following form:
username superuser password superpasswordThe following example enables CHAP on interface serial 0 of "server_l." It also defines a password for a remote server named "server_r."
hostname server_l username server_r password theirsystem interface serial 0 encapsulation ppp ppp authentication chapWhen you look at your configuration file, the passwords will be encrypted, and the display will look similar to the following:
hostname server_l username server_r password 7 121F0A18 interface serial 0 encapsulation ppp ppp authentication chapIn both of the following configuration examples, a privilege level 1 user is denied access to privilege levels higher than 1:
username user privilege 0 password 0 ciscousername user 2 privilege 2 password 0 ciscoThe following example removes the username-based authentication for user 2:
no username user 2Related Commands
username secret
To encrypt a user password with Message Digest 5 (MD5) encryption, use the username secret command in global configuration mode.
username name secret {[0] password | 5 encrypted-secret}
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Use the username secret command to configure a username and MD5-encrypted user password. The optional 0 keyword enables MD5 encryption on a clear text password; the 5 keyword enters an MD5 encryption string and saves it as the user MD5-encrypted secret. MD5 encryption is a strong encryption method that is not retrievable; thus, you cannot use MD5 encryption with protocols that require clear text passwords, such as Challenge Handshake Authentication Protocol (CHAP).
The username secret command provides an additional layer of security over the username password. It also provides better security by encrypting the password using nonreversible MD5 encryption and storing the encrypted text. The added layer of MD5 encryption is useful in environments in which the password crosses the network or is stored on a TFTP server.
Use MD5 as the encryption type if you paste into this command an encrypted password that you copied from a router configuration file.
Examples
The following example shows how to configure username "abc" and enable MD5 encryption on the clear text password "xyz":
username abc secret xyzThe following example shows how to configure username "cde" and enter an MD5 encrypted text string that is stored as the username password:
username cde secret 5 $1$feb0$a104Qd9UZ./Ak00KTggPD0Related Commands
view
To add a normal command-line interface (CLI) view to a superview, use the view command in view configuration mode. To remove a CLI view from a superview, use the no form of this command.
view view-name
no view view-name
Syntax Description
Defaults
A superview will not contain any CLI views until this command is enabled.
Command Modes
View configuration
Command History
Usage Guidelines
Before you can use this command to add normal views to a superview, ensure that the following steps have been taken:
•
•
Examples
The following sample output from the show running-config command shows that "view_one" and "view_two" have been added to superview "su_view1," and "view_three" and "view_four" have been added to superview "su_view2":
!parser view su_view1 superviewpassword5 <encoded password>view view_oneview view_two!parser view su_view2 superviewpassword5 <encoded password>view view_threeview view_four!Related Commands!
parser view
Creates or changes a CLI view and enters view configuration mode.
password 5
Associates a CLI view or a superview with a password.
vlan (local RADIUS server group)
To specify a VLAN to be used by members of the user group, use the vlan command in local RADIUS server group configuration mode. To reset the parameter to the default value, use the no form of this command.
vlan vlan
no vlan vlan
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server group configuration
Command History
Usage Guidelines
The access point or router moves group members into the VLAN that you specify, overriding any other VLAN assignments. You can assign only one VLAN to a user group.
Examples
The following example shows that VLAN "225" is to be used by members of the user group:
vlan 225Related Commands
vpdn aaa attribute
To enable reporting of network access server (NAS) authentication, authorization, and accounting (AAA) attributes related to a virtual private dialup network (VPDN) to the AAA server, use the vpdn aaa attribute command in global configuration mode. To disable reporting of AAA attributes related to VPDN, use the no form of this command.
vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port {vpdn-nas | physical-channel-id}}
no vpdn aaa attribute {nas-ip-address vpdn-nas | nas-port}
Syntax Description
Command Default
AAA attributes are not reported to the AAA server.
Command Modes
Global configuration
Command History
Usage Guidelines
This command can be used with RADIUS or TACACS+, and is applicable only on the VPDN tunnel server.
The PPP extended NAS-Port format enables the NAS-Port and NAS-Port-Type attributes to provide port details to a RADIUS server when one of the following protocols is configured:
•
•
•
Before PPP extended NAS-Port format attributes can be reported to the RADIUS server, the radius-server attribute nas-port format command with the d keyword must be configured on both the tunnel server and the NAS, and the tunnel server and the NAS must both be Cisco routers.
Examples
The following example configures VPDN on a tunnel server and enables reporting of VPDN AAA attributes to the AAA server:
vpdn enablevpdn-group 1accept-dialinprotocol anyvirtual-template 1!terminate-from hostname nas1local name ts1!vpdn aaa attribute nas-ip-address vpdn-nasvpdn aaa attribute nas-port vpdn-nasvpdn aaa attribute nas-port physical-channel-idThe following example configures the tunnel server for VPDN, enables AAA, configures a RADIUS AAA server, and enables reporting of PPP extended NAS-Port format values to the RADIUS server. PPP extended NAS-Port format must also be configured on the NAS for this configuration to be effective.
vpdn enablevpdn-group L2TP-tunnelaccept-dialinprotocol l2tpvirtual-template 1!terminate-from hostname nas1local name ts1!aaa new-modelaaa authentication ppp default local group radiusaaa authorization network default local group radiusaaa accounting network default start-stop group radius!radius-server host 171.79.79.76 auth-port 1645 acct-port 1646radius-server retransmit 3radius-server attribute nas-port format dradius-server key ts123!vpdn aaa attribute nas-port vpdn-nasRelated Commands
radius-server attribute nas-port format
Selects the NAS-Port format used for RADIUS accounting features.
vrf (isakmp profile)
To define the virtual routing and forwarding (VRF) value to which the IP Security (IPSec) tunnel will be mapped, use the vrf command in Internet Security Association Key Management (ISAKMP) profile configuration mode. To disable the VRF that was defined, use the no form of this command.
vrf ivrf
no vrf ivrf
Syntax Description
Defaults
The VRF will be the same as the front door VRF (FVRF).
Command Modes
ISAKMP profile configuration
Command History
Usage Guidelines
Use this command to map IPSec tunnels that terminate on a global interface to a specific Virtual Private Network (VPN).
If traffic from the router to a certification authority (CA) (for authentication, enrollment, or for obtaining a certificate revocation list [CRL]) or to a Lightweight Directory Access Protocol (LDAP) server (for obtaining a CRL) needs to be routed via a VRF, the vrf command must be added to the trustpoint. Otherwise, such traffic will use the default routing table.
If a profile does not specify one or more trustpoints, all trustpoints in the router will be used to attempt to validate the certificate of the peer (Internet Key Exchange [IKE] main mode or signature authentication). If one or more trustpoints are specified, only those trustpoints will be used.
Examples
The following example shows that two IPSec tunnels to VPN 1 and VPN 2 are terminated:
crypto isakmp profile vpn1vrf vpn1keyring vpn1match identity address 172.16.1.1 255.255.255.255crypto isakmp profile vpn2vrf vpn2keyring vpn2match identity address 10.1.1.1 255.255.255.255crypto ipsec transform-set vpn1 esp-3des esp-sha-hmaccrypto ipsec transform-set vpn2 esp-3des esp-md5-hmac!crypto map crypmap 1 ipsec-isakmpset peer 172.16.1.1set transform-set vpn1set isakmp-profile vpn1match address 101crypto map crypmap 3 ipsec-isakmpset peer 10.1.1.1set transform-set vpn2set isakmp-profile vpn2match address 102!!interface Ethernet1/2ip address 172.26.1.1 255.255.255.0duplex halfno keepaliveno cdp enablecrypto map crypmapwebvpn
To enter Web VPN configuration mode, use the webvpn command in global configuration mode. To remove all commands that were entered in Web VPN configuration mode, use the no form of this command.
webvpn
no webvpn
Syntax Description
This command has no arguments or keywords.
Defaults
Web VPN configuration mode is not entered.
Command Modes
Global configuration
Command History
Examples
The following example shows that Web VPN configuration mode has been entered:
Router (config)# webvpnRouter (config-webvpn)#Related Commands
webvpn enable
To enable WebVPN in the system, use the webvpn enable command in global configuration mode. To disable WebVPN in the system, use the no form of this command.
webvpn enable [gateway-addr ip-address]
no webvpn enable [gateway-addr ip-address]
Syntax Description
gateway-addr ip-address
(Optional) Enables WebVPN on only the IP address that is specified. If this keyword and argument are not configured, WebVPN is enabled globally on all IP addresses.
Defaults
WebVPN is disabled in the system.
Command Modes
Web VPN configuration
Command History
Usage Guidelines
This command initializes the required system data structures, initializes TCP sockets, and performs other startup tasks related to WebVPN.
Examples
The following example shows that WebVPN has been enabled in the system:
webvpn enableRelated Commands
wins
To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the wins command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove this command from your configuration, use the no form of this command.
wins primary-server secondary-server
no wins primary-server secondary-server
Syntax Description
Defaults
No default behavior or values.
Command Modes
ISAKMP group configuration
Command History
Usage Guidelines
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the wins command.
Examples
The following example shows how to define a primary and secondary WINS server for the group "cisco":
crypto isakmp client configuration group ciscokey ciscodns 10.2.2.2 10.3.2.3pool dogacl 199wins 10.1.1.2 10.1.1.3Related Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
wlccp authentication-server client
To configure the list of servers to be used for 802.1X authentication, use the wlccp authentication-server client command in global configuration mode. To disable the server list, use the no form of this command.
wlccp authentication-server client {any | eap | leap | mac} list
no wlccp authentication-server client {any | eap | leap | mac} list
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
You can specify a list of client devices that use any type of authentication, or you can specify a list of client devices that use a certain type of authentication (such as EAP, LEAP, or MAC-based authentication).
Examples
The following example shows how to configure the server list for LEAP authentication for client devices:
Router (config)# wlccp authentication-server client leap leap-list1Related Commands
wlccp authentication-server infrastructure
To configure the list of servers to be used for 802.1X authentication for the wireless infrastructure devices, use the wlccp authentication-server infrastructure command in global configuration mode. To disable the server list, use the no form of this command.
wlccp authentication-server infrastructure list
no wlccp authentication-server infrastructure list
Syntax Description
list
List of servers to be used for 802.1X authentication for the wireless infrastructure devices, such as access points, repeaters, and wireless-aware routers.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Examples
This example shows how to configure the server list for 802.1X authentication for infrastructure devices participating in Cisco Centralized Key Management:
Router (config)# wlccp authentication-server infrastructure wlan-list1Related Commands
wlccp wds priority interface
To configure the router or access point to provide WDS, use the wlccp wds priority interface command in global configuration mode. To remove the WDS configuration from the router or access point, use the no form of the command .
wlccp wds priority priority interface interface
no wlccp wds priority priority interface interface
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
The WDS candidate with the highest priority becomes the active WDS device.
Examples
This example shows how to configure the priority for an access point as a candidate to provide WDS with priority 200:
Router (config)# wlccp wds priority 200 interface bvi 1Related Commands
xauth userid mode
To specify how the Easy VPN client handles extended authentication (Xauth) requests, use the xauth userid mode command in Cisco IOS Easy VPN remote configuration mode. To remove the setting, use the no form of this command.
xauth userid mode {http-intercept | interactive | local}
no xauth userid mode {http-intercept | interactive | local}
Syntax Description
Defaults
If the command is not configured, the default behavior is interactive.
Command Modes
Cisco IOS Easy VPN remote configuration
Command History
Usage Guidelines
If you want to be prompted by the console, use the interactive keyword.
If you want to use a saved username or password, use the local keyword. If a local username or password is defined, the mode changes to that username or password.
Examples
The following example shows that HTTP connections will be intercepted from the user and that the user can authenticate using web-based activation:
crypto ipsec client ezvpn tunnel22connect manualgroup tunnel22 key 22tunnelmode clientpeer 192.0.0.1xauth userid mode http-intercept!!interface Ethernet0ip address 10.4.23.15 255.0.0.0crypto ipsec client ezvpn tunnel22 inside !interface Ethernet1ip address 192.0.0.13 255.255.255.128duplex autocrypto ipsec client ezvpn catch22!Related Commands
