-
Cisco IOS Security Command Reference
-
Introduction
-
aaa accounting through aaa local authentication attempts max-fail
-
aaa nas Cisco-nas-port-use-async-info through alert-severity
-
all (profile map configuration) through browser-proxy
-
ca trust-point through clear eou
-
clear ip access-list counters through crl-cache none
-
crypto aaa attribute list through crypto ipsec transform-set
-
crypto isakmp aggressive-mode disable through crypto mib ipsec flowmib history tunnel size
-
crypto pki authenticate through ctype
-
database archive through dns
-
dnsix-dmdp retries through dynamic
-
E
-
F through H
-
icmp idle-timeout through ip http ezvpn
-
ip inspect through ip security strip
-
ip source-track through issuer-name
-
K through L
-
mac access-group through max-users (WebVPN)
-
message retry count through outgoing
-
parameter through port-misuse
-
ppp accounting through quit
-
radius attribute nas-port-type through rate-limit (firewall)
-
reauthentication time through rsa-pubkey
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show class-map type urlfilter
-
show crypto ace redundancy through show crypto vlan
-
show diameter peer through show object-group
-
show parameter-map type inspect through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through tms-class
-
traffic-export through zone security
-
Table Of Contents
fpm package-group
To configure flexible packet matching (fpm) package support, use the fpm package-group command in global configuration mode. To disable fpm package support, use the no form of this command.
fpm package-group [fpm-group-name]
no fpm package-group [fpm-group-name]
Syntax Description
Command Default
FPM groups are not configured by default.
Command Modes
Global configuration (config)#
Command History
Examples
The following example enables fpm package-group:
Router(config)# fpm package-group fpm-group-76Related Commands
fpm package-info
To configure flexible packet matching (fpm) package transfer from an fpm server to a local server, use the fpm package-info command in global configuration mode. To disable fpm packet transfer, use the no form of this command.
fpm package-info
no fpm package-info
Syntax Description
This command has no keywords or arguments.
Command Default
The command is not configured by default.
Command Modes
Global configuration (config)#
Command History
Examples
The following example enables fpm package transfer:
Router(config)# fpm package-infoRelated Commands
grant auto rollover
To enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate certificate authority (CA) server or registration authority (RA) mode CA, use the grant auto rollover command in certificate server configuration mode. To disable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate or RA-mode CA server, use the no form of this command.
grant auto rollover {ca-cert | ra-cert}
no grant auto rollover {ca-cert | ra-cert}
Syntax Description
ca-cert
Specifies that auto renewal is enabled for the subordinate CA rollover certificate.
ra-cert
Specifies that auto renewal is enabled for the RA-mode CA rollover certificate.
Command Default
Automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA-mode CA reenrollment requests is not enabled. Reenrollment requests will have to be granted manually.
Command Modes
Certificate server configuration (cs-server).
Command History
Usage Guidelines
The first time a CA is enabled, a certificate request is sent to its superior CA. This initial request must be granted manually. The grant auto rollover command allows subsequent renewal certificate grant requests to be automatically processed by the CA for either a subordinate CA certificate (by designating the ca-cert keyword) or an RA-mode CA (by designating the ra-cert keyword), thereby eliminating the need for operator intervention.
Examples
The following example shows how the user can enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server:
Router(cs-server)# grant auto rollover ca-cert
Related Commands
grant auto trustpoint
To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.
grant auto trustpoint label
Syntax Description
Defaults
No default behavior or values.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.
Note
The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.
The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).
Caution
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and ! authenticate the client with the non-Cisco IOS CA.crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllip-address FastEthernet2/0revocation-check crl!! Configure trustpoint "cs" for Cisco IOS CA.crypto pki trustpoint csenrollment profile cs1revocation-check crl!! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the ! enrollment credential command) that "msca-root" is being initially enrolled with the ! Cisco IOS CA.crypto pki profile enrollment cs1enrollment url http://cs:80enrollment credential msca-root!! Configure the certificate server, and issue the grant auto trustpoint command to ! instruct the certificate server to accept enrollment request only from clients who are ! already enrolled with trustpoint "msca-root."crypto pki server csdatabase level minimumdatabase url nvram:issuer-name CN=csgrant auto trustpoint msca-root!crypto pki trustpoint csrevocation-check crlrsakeypair cs!crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllrevocation-check crlRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant none
To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.
grant none
no grant none
Syntax Description
This command has no arguments or keywords.
Defaults
Certificate enrollment is manual; that is, authorization is required.
Command Modes
Certificate server configuration
Command History
Examples
The following example shows how to automatically reject all certificate enrollment requests for the certificate server "myserver":
Router#(config) ip http serverRouter#(config) crypto pki server myserverRouter#(cs-server) database level minimumRouter#(cs-server)# grant noneRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant automatic
Specifies automatic certificate enrollment.
grant ra-auto
To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.
grant ra-auto
no grant ra-auto
Syntax Description
This command has no arguments or keywords.
Defaults
Certificate enrollment is manual; that is, authorization is required.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.
Note
Examples
The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:
Router (config)# crypto pki server myserverRouter-ca (cs-server)# grant ra-auto% This will cause all certificate requests that are already authorized by known RAs to be automatically granted.Are you sure you want to do this? [yes/no]:yesRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
group (authentication)
To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group {tacacs+ server-group}
no group {tacacs+ server-group}
Syntax Description
tacacs+
Uses a TACACS+ server for authentication.
server-group
Name of the server group to use for authentication.
Defaults
No method list is configured.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:
aaa preauthgroup abc123dnis password aaa-DNISRelated Commands
aaa preauth
Enters AAA preauthentication mode.
dnis (authentication)
Enables AAA preauthentication using DNIS.
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5 | 14 | 15 | 16}
no group
Syntax Description
Command Default
The 768-bit Diffie-Hellman (group 1) identifier is the default.
Command Modes
ISAKMP policy configuration (config-isakmp-policy)
Command History
Usage Guidelines
IKE policies define a set of parameters to be used during IKE negotiation.
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
The 1024-bit Diffie-Hellman prime modulus group, group 2, provides more security than group 1 but requires more processing time than group 1.
The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. While there is some disagreement regarding how many bits are necessary in the Diffie-Hellman group to protect a specific key size, it is generally agreed that group 14 is good protection for 128-bit keys, group 15 is good protection for 192-bit keys, and group 16 is good protection for 256-bit keys.
Note
The ISAKMP group and the IPsec perfect forward secrecy (PFS) group should be the same if PFS is used. If PFS is not used, a group is not configured in the IPsec crypto map.
Examples
The following example shows how to configure an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
crypto isakmp policy 15group 2exitRelated Commands
group (local RADIUS server)
To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.
group group-name
no group group-name
Syntax Description
Defaults
No default behavior or values
Command Modes
Local RADIUS server configuration
Command History
Examples
The following example shows that shared settings are being configured for group "team1":
group team1Related Commands
group (RADIUS)
To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group server-group
no group server-group
Syntax Description
Defaults
No default behavior or values.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:
aaa group server radius maestroserver 10.1.1.1server 10.2.2.2server 10.3.3.3aaa preauthgroup maestrodnis requiredRelated Commands
group-lock
The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.
To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.
Note
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Usage Guidelines
The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:
name/group
name\group
name@group
name%group
where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
Caution
The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
Note
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.
Examples
The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:
Note
crypto isakmp client configuration group ciscogroup-lockThe following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:
Note
ipsec:group-lock=1Related Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
hash (ca-trustpoint)
To specify the cryptographic hash function the Cisco IOS client will use for self-signed certificates, use the hash command in ca-trustpoint configuration mode. To return to the default cryptographic hash function, use the no form of this command.
hash {md5 | sha1 | sha256 | sha384 | sha512}
no hash
Syntax Description
Command Default
By default, for self-signed certificates, the Cisco IOS client uses the MD5 cryptographic hash function.
Command Modes
Ca-trustpoint configuration (ca-trustpoint)
Command History
12.4(15)T
This command was introduced.
Cisco IOS XE Release 2.4
This command was implemented on the Cisco ASR 1000 series routers.
Usage Guidelines
The hash command in ca-trustpoint configuration mode sets the hash function for the signature that the Cisco IOS client will use to sign its self-signed certificates. This hash setting does not specify what kind of signature the certificate authority (CA) will use when it issues a certificate to this client.
Examples
The following example configures the trustpoint "MyTP" and sets the cryptographic hash function to SHA-384:
crypto pki trustpoint MyTPenrollment url http://MyTPip-address FastEthernet0/0revocation-check nonehash sha384Related Commands
hash (cs-server)
Specifies the cryptographic hash function the Cisco IOS certificate server will use to sign certificates issued by the CA.
hash (cs-server)
To specify the cryptographic hash function the Cisco IOS certificate server will use to sign certificates issued by the certificate authority (CA), use the hash command in cs-server configuration mode. To return to the default cryptographic hash function, use the no form of this command.
hash {md5 | sha1 | sha256 | sha384 | sha512}
no hash
Syntax Description
Command Default
By default, to sign certificates issued by CA, the Cisco IOS client uses the MD5 cryptographic hash function.
Command Modes
Cs-server configuration (cs-server)
Command History
12.4(14)XK
This command was introduced.
Cisco IOS XE Release 2.4
This command was implemented on the Cisco ASR 1000 series routers.
Usage Guidelines
The hash command in cs-server configuration mode sets the hash function for the signature that the Cisco IOS CA will use to sign all of the certificates issued by the server. If the CA is a root CA, it will use the hash function in its own, self-signed certificate.
Examples
The following example configures a certificate server, MyCS, and sets the cryptographic hash function to SHA-512 for the certificate server:
crypto pki server MyCSdatabase level completeissuer-name CN=company,L=city,C=countrygrant autohash sha512lifetime crl 168The following is sample output from the show crypto ca certificates command. This output shows that the CA has been configured and that the hash function SHA-512 has been specified.
CA CertificateStatus: AvailableCertificate Serial Number: 01Certificate Usage: SignatureIssuer:cn=companyl=cityc=countrySubject:cn=companyl=cityc=countryValidity Date:start date: 01:32:35 GMT Aug 3 2006end date: 01:32:35 GMT Aug 2 2009Associated Trustpoints: MyTPCertificate Subject:Name: MyCS.cisco.comIP Address: 192.168.10.2Status: Pending KeyUsage: General PurposeCertificate Request Fingerprint SHA1: 05080A60 82DE9395 B35607C2 38F3A0C3 50609EF8Associated Trustpoint: MyTPRelated Commands
hash (ca-trustpoint)
Specifies the cryptographic hash function the Cisco IOS client will use for self-signed certificates.
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5
Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
crypto isakmp policy 15hash md5exitRelated Commands
heading
To configure the heading that is displayed above URLs listed on the portal page of a SSL VPN, use the heading command in webvpn URL list configuration mode. To remove the heading, use the no form of this command.
heading text-string
no heading
Syntax Description
text-string
The URL list heading entered as a text string. The heading must be in quotation marks if it contains spaces.
Command Default
A heading is not configured.
Command Modes
Webvpn URL list configuration
Command History
Examples
The following example configures a heading for a URL list:
Router(config)# webvpn context context1Router(config-webvpn-context)# url-list ACCESSRouter(config-webvpn-url)# heading "Quick Links"Router(config-webvpn-url)#Related Commands
url-list
Enters webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of a SSL VPN.
hide-url-bar
To prevent the URL bar from being displayed on the SSL VPN portal page, use the hide-url-bar command in webvpn group policy configuration mode. To display the URL bar on the portal page, use the no form of this command.
hide-url-bar
no hide-url-bar
Syntax Description
This command has no arguments or keywords.
Command Default
The URL bar is displayed on the SSL VPN portal page.
Command Modes
Webvpn group policy configuration
Command History
Usage Guidelines
The configuration of this command applies only to clientless mode access.
Examples
The following example hides the URL bar on the SSL VPN portal page:
Router(config)# webvpn context context1Router(config-webvpn-context)# policy group ONERouter(config-webvpn-group)# hide-url-barRouter(config-webvpn-group)#Related Commands
policy group
Enters webvpn group policy configuration mode to configure a policy group.
webvpn context
Enters webvpn context configuration mode to configure the SSL VPN context.
host (webvpn url rewrite)
To select the name of the host site to be mangled on a Secure Socket Layer virtual private network (SSL VPN) gateway, use the host command in webvpn url rewrite configuration mode. To deselect a site, use the no form of this command.
host host-name
no host host-name
Syntax Description
Command Default
A host site is not selected.
Command Modes
Webvpn url rewrite (config-webvpn-url-rewrite)
Command History
Examples
The following example shows that the site www.examplecompany.com is to be mangled:
Router (config)# webvpn contextRouter (config-webvpn-context)# url rewriteRouter (config-webvpn-url-rewrite)# host www.examplecompany.comRelated Commands
hostname (WebVPN)
To configure the hostname for a SSL VPN gateway, use the hostname command in webvpn gateway configuration mode. To remove the hostname from the SSL VPN gateway configuration, use the no form of this command.
hostname name
no hostname
Syntax Description
Command Default
The hostname is not configured.
Command Modes
Webvpn gateway configuration
Command History
Usage Guidelines
A hostname is configured for use in the URL and cookie-mangling process. In configurations where traffic is balanced among multiple SSL VPN gateways, the hostname configured with this command maps to the gateway IP address configured on the load-balancing device(s).
Examples
The following example configures a hostname for a SSL VPN gateway:
Router(config)# webvpn gateway GW_1Router(config-webvpn-gateway)# hostname VPN_ServerRelated Commands
webvpn gateway
Defines a SSL VPN gateway and enters webvpn gateway configuration mode.
http proxy-server
To direct Secure Socket Layer virtual private network (SSL VPN) user requests through a backend HTTP proxy server, use the http proxy-server command in webvpn policy group configuration mode. To redirect user requests to internal servers, use the no form of this command.
http proxy-server {dns-name | ip-address} port port-number
no http proxy-server
Syntax Description
Command Default
User requests are routed directly to internal servers.
Command Modes
Webvpn policy group configuration (config-webvpn-group)
Command History
Examples
The following example shows that requests from IP address 10.1.1.1 are to be routed to the proxy server (port number 2034):
Router (config)# webvpn context e1Router (config-webvpn-context)# policy group g1Router (config-webvpn-group)# http proxy-server 10.1.1.1 port 2034Router (config-webvpn-group)# exitRouter (config-webvpn-context)# default-group-policy g1http-redirect
To configure HTTP traffic to be carried over secure HTTP (HTTPS), use the http-redirect command in webvpn gateway configuration mode. To remove the HTTPS configuration from the SSL VPN gateway, use the no form of this command.
http-redirect [port number]
no http-redirect
Syntax Description
port number
(Optional) Specifies a port number. The value for this argument is a number from 1 to 65535.
Command Default
The following default value is used if this command is configured without entering the port keyword:
port number : 80
Command Modes
Webvpn gateway configuration
Command History
Usage Guidelines
When this command is enabled, the HTTP port is opened and the SSL VPN gateway listens for HTTP connections. HTTP connections are redirected to use HTTPS. Entering the port keyword and number argument configures the gateway to listen for HTTP traffic on the specified port. Entering the no form, disables HTTP traffic redirection. HTTP traffic is handled by the HTTP server if one is running.
Examples
The following example, starting in global configuration mode, redirects HTTP traffic (on TCP port 80) over to HTTPS (on TCP port 443):
Router(config)# webvpn gateway SSL_GATEWAYRouter(config-webvpn-gateway)# http-redirectRelated Commands
webvpn gateway
Defines a SSL VPN gateway and enters webvpn gateway configuration mode.
hw-module slot subslot only
Note
To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400.
Note
hw-module slot slot subslot subslot only
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration mode
Command History
Usage Guidelines
Follow these guidelines and restrictions when configuring a Cisco 7600 SSC-400 and IPSec VPN SPAs using the hw-module slot subslot only command:
•
•
Module n will be reset? Confirm [n]:
The prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.
•
Examples
The following example allocates full buffers to the SPA that is installed in subslot 0 of the SIP located in slot 1 of the router and takes a reset action of the Cisco 7600 SSC-400.
Router(config)# hw-module slot 4 subslot 1 onlyModule 4 will be reset? Confirm [no]: yNote that the prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.
Related Commands
ip multicast-routing
Enables IP multicast routing.
ip pim
Enables Protocol Independent Multicast (PIM) on an interface.
