Table Of Contents

filter-hash

filter-id

filter-version

firewall

fpm package-group

fpm package-info

fqdn (IKEv2 profile)

grant auto rollover

grant auto trustpoint

grant none

grant ra-auto

group(firewall)

group (authentication)

group (IKE policy)

group (IKEv2 proposal)

group (local RADIUS server)

group (RADIUS)

group-lock

hash (ca-trustpoint)

hash (cs-server)

hash (IKE policy)

heading

hide-url-bar

host (webvpn url rewrite)

hostname (IKEv2 keyring)

hostname (WebVPN)

http proxy-server

http-redirect

hw-module slot subslot only

filter-hash

To specify the hash for verification and validation of decrypted contents, use the filter-hash command in FPM match encryption filter configuration mode.

filter-hash hash-value

Syntax Description

hash-value

Hash value obtained from the encrypted traffic classification definition file (eTCDF).

Command Default

No hash value is specified.

Command Modes

FPM match encryption filter configuration (c-map-match-enc-config)

Command History

Release	Modification
15.0(1)M	This command was introduced.

Usage Guidelines

If you have access to an eTCDF or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.

Use the filter-hash command to specify the hash for verification and validation of decrypted contents.

Examples

The following example shows how to specify the hash value from the eTCDF file for verification and validation of decrypted contents:

Router(config)# class-map type access-control match-all c1

Router(config-cmap)# match encrypted

Router(c-map-match-enc-config)# filter-hash AABBCCDD11223344

Router(c-map-match-enc-config)#

Related Commands

Command	Description
class-map type	Creates a class map to be used for matching packets to a specified class.
match encrypted	Configures the match criteria for a class map on the basis of encrypted FPM filters and enters FPM match encryption filter configuration mode.

filter-id

To specify a filter-level ID for encrypted filters, use the filter-id command in FPM match encryption filter configuration mode.

filter-id id-value

Syntax Description

id-value

Filter-level ID value.

Command Default

No filter ID is specified.

Command Modes

FPM match encryption filter configuration (c-map-match-enc-config)

Command History

Release	Modification
15.0(1)M	This command was introduced.

Usage Guidelines

If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.

Use the filter-id command to specify a filter-level ID for encrypted filters.

Examples

The following example shows how to specify the filter ID value for an encrypted filter:

Router(config)# class-map type access-control match-all c1

Router(config-cmap)# match encrypted

Router(c-map-match-enc-config)# filter-id id2

Router(c-map-match-enc-config)#

Related Commands

Command	Description
class-map type	Creates a class map to be used for matching packets to a specified class.
match encrypted	Configures the match criteria for a class map on the basis of encrypted FPM filters and enters FPM match encryption filter configuration mode.

filter-version

To specify the filter-level version value for the encrypted filter, use the filter-version command in FPM match encryption filter configuration mode.

filter-version version

Syntax Description

version

Filter-level version value of the encrypted filter.

Command Default

No filter version is specified.

Command Modes

FPM match encryption filter configuration (c-map-match-enc-config)

Command History

Release	Modification
15.0(1)M	This command was introduced.

Usage Guidelines

If you have access to an encrypted traffic classification definition file (eTCDF) or if you know valid values to configure encrypted Flexible Packet Matching (FPM) filters, you can configure the same eTCDF through the command-line interface instead of using the preferred method of loading the eTCDF on the router. You must create a class map of type access-control using the class-map type command, and use the match encrypted command to configure the match criteria for the class map on the basis of encrypted FPM filters and enter FPM match encryption filter configuration mode. You can then use the appropriate commands to specify the algorithm, cipher key, cipher value, filter hash, filter ID, and filter version. You can copy the values from the eTCDF by opening the eTCDF in any text editor.

Use the filter-version command to specify the filter-level version value for the encrypted filter.

Examples

The following example shows how to specify the filter version for the encrypted filter:

Router(config)# class-map type access-control match-all c1

Router(config-cmap)# match encrypted

Router(c-map-match-enc-config)# filter-version v1

Router(c-map-match-enc-config)#

Related Commands

Command	Description
class-map type	Creates a class map to be used for matching packets to a specified class.
match encrypted	Configures the match criteria for a class map on the basis of encrypted FPM filters and enters FPM match encryption filter configuration mode.

firewall

To specify secure virtual LAN (VLAN) groups and to attach them to firewall modules, use the firewall command in global configuration mode. To disable the configuration, use the no form of this command.

firewall {autostate | module number vlan-group number | multiple-vlan-interfaces | vlan-group number vlan-range}

no firewall {autostate | module number vlan-group number | multiple-vlan-interfaces | vlan-group number vlan-range}

Syntax Description

autostate	Enables auto state.
module	Specifies the module number to which a VLAN group is attached.
number	Module number. Valid values are from 1 to 6.
vlan-group	Specifies the secure group to which the VLANs are attached.
number	Group number. The range is from 1 to 65535.
multiple-vlan-interfaces	Enables multiple VLAN interfaces mode for firewall modules.
vlan-range	VLAN range. Valid values are from 2 to 1001 and 1006 to 4094.

Command Default

No secure VLAN groups are attached to firewall modules.

Command Modes

Global configuration (config)

Command History

Release	Modification
12.2(33)SXI	This command was introduced.

Examples

The following example shows how to configure a VLAN group:

Router(config)# firewall vlan-group 34 1-20

Related Commands

Command	Description
show firewall vlan-group	Displays secure VLANs attached to a secure group.

fpm package-group

To configure flexible packet matching (fpm) package support, use the fpm package-group command in global configuration mode. To disable fpm package support, use the no form of this command.

fpm package-group [fpm-group-name]

no fpm package-group [fpm-group-name]

Syntax Description

fpm-group-name

Specifies the fpm package group name.

Command Default

FPM groups are not configured by default.

Command Modes

Global configuration (config)#

Command History

Release	Modification
15.0(1)M	This command was introduced.

Examples

The following example enables fpm package-group:

Router(config)# fpm package-group fpm-group-76

Related Commands

Command	Description
fpm package-info	Enables fpm package transfer.

fpm package-info

To configure flexible packet matching (fpm) package transfer from an fpm server to a local server, use the fpm package-info command in global configuration mode. To disable fpm packet transfer, use the no form of this command.

fpm package-info

no fpm package-info

Syntax Description

This command has no keywords or arguments.

Command Default

The command is not configured by default.

Command Modes

Global configuration (config)#

Command History

Release	Modification
15.0(1)M	This command was introduced.

Examples

The following example enables fpm package transfer:

Router(config)# fpm package-info

Related Commands

Command	Description
fpm package-group	Configures fpm package group support.
show fpm package-group	Displays fpm package matching support configuration details.
show fpm package-info	Displays fpm package transfer configuration details.

fqdn (IKEv2 profile)

To derive the name mangler from the remote identity of type Fully Qualified Domain Name (FQDN), use the fqdn command in IKEv2 name mangler configuration mode. To remove the name derived from FQDN, use the no form of this command.

fqdn {all | domain | hostname}

no fqdn

Syntax Description

all	Derives the name mangler from the entire FQDN.
domain	Derives the name mangler from the domain name of FQDN.
hostname	Derives the name mangler from the hostname of FQDN.

Command Default

No default behavior or values.

Command Modes

IKEv2 name mangler configuration (config-ikev2-name-mangler)

Command History

Release	Modification
15.1(3)T	This command was introduced.
Cisco IOS XE Release 3.3S	This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

Use this command to derive the name mangler from the remote identity of type FQDN.

Examples

The following example shows how to derive a name for the name mangler from the hostname of FQDN:

Router(config)# crypto ikev2 name-mangler mangler2

Router(config-ikev2-name-mangler)# fqdn hostname

Related Commands

Command	Description
crypto ikev2 name mangler	Defines a name mangler.

grant auto rollover

To enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate certificate authority (CA) server or registration authority (RA) mode CA, use the grant auto rollover command in certificate server configuration mode. To disable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate or RA-mode CA server, use the no form of this command.

grant auto rollover {ca-cert | ra-cert}

no grant auto rollover {ca-cert | ra-cert}

Syntax Description

ca-cert	Specifies that auto renewal is enabled for the subordinate CA rollover certificate.
ra-cert	Specifies that auto renewal is enabled for the RA-mode CA rollover certificate.

Command Default

Automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server or RA-mode CA reenrollment requests is not enabled. Reenrollment requests will have to be granted manually.

Command Modes

Certificate server configuration (cs-server).

Command History

Release	Modification
12.4(4)T	This command was introduced.

Usage Guidelines

The first time a CA is enabled, a certificate request is sent to its superior CA. This initial request must be granted manually. The grant auto rollover command allows subsequent renewal certificate grant requests to be automatically processed by the CA for either a subordinate CA certificate (by designating the ca-cert keyword) or an RA-mode CA (by designating the ra-cert keyword), thereby eliminating the need for operator intervention.

Examples

The following example shows how the user can enable automatic granting of certificate reenrollment requests for a Cisco IOS subordinate CA server:

Router(cs-server)# grant auto rollover ca-cert

Related Commands

Command	Description
auto-rollover	Enables the automated CA certificate rollover functionality.
crypto pki server	Enables a Cisco IOS certificate server and enters certificate server configuration mode.

grant auto trustpoint

To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.

grant auto trustpoint label

Syntax Description

label

Name of the non-Cisco IOS CA trustpoint.

Defaults

No default behavior or values.

Command Modes

Certificate server configuration

Command History

Release	Modification
12.3(11)T	This command was introduced.
12.2(18)SXE	This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.

---

Note The newly created trustpoint can only be used one time (which occurs when the router is enrolled with the Cisco IOS CA). After the initial enrollment is successfully completed, the credential information will be deleted from the enrollment profile.

---

The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).

---

Caution The grant automatic command can be used for testing and building simple networks and should be disabled before the network is accessible by the Internet. However, it is recommended that you do not issue this command if your network is generally accessible.

---

Examples

The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:

! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and 
! authenticate the client with the non-Cisco IOS CA.

crypto pki trustpoint msca-root 

 enrollment mode ra

 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll

 ip-address FastEthernet2/0

 revocation-check crl

!

! Configure trustpoint "cs" for Cisco IOS CA.

crypto pki trustpoint cs 

 enrollment profile cs1

 revocation-check crl

!

! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the 
! enrollment credential command) that "msca-root" is being initially enrolled with the 
! Cisco IOS CA.

crypto pki profile enrollment cs1

 enrollment url  http://cs:80

 enrollment credential  msca-root!

! Configure the certificate server, and issue the grant auto trustpoint command to 
! instruct the certificate server to accept enrollment request only from clients who are 
! already enrolled with trustpoint "msca-root." 

crypto pki server cs

 database level minimum

 database url nvram:

 issuer-name CN=cs

 grant auto trustpoint msca-root

!

crypto pki trustpoint cs

 revocation-check crl

rsakeypair cs

!

crypto pki trustpoint msca-root

 enrollment mode ra

 enrollment url http://msca-root:80/certsrv/mscep/mscep.dll

 revocation-check crl

Related Commands

Command	Description
crypto pki server	Enables a Cisco IOS certificate server and enters certificate server configuration mode.

grant none

To specify all certificate requests to be rejected, use the grant none command in certificate server configuration mode. To disable automatic rejection of certificate enrollment, use the no form of this command.

grant none

no grant none

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release	Modification
12.3(4)T	This command was introduced.

Examples

The following example shows how to automatically reject all certificate enrollment requests for the certificate server "myserver":

Router#(config) ip http server

Router#(config) crypto pki server myserver

Router#(cs-server) database level minimum

Router#(cs-server)# grant none

Related Commands

Command	Description
crypto pki server	Enables a Cisco IOS certificate server and enters certificate server configuration mode.
grant automatic	Specifies automatic certificate enrollment.

grant ra-auto

To specify that all enrollment requests from a Registration Authority (RA) be granted automatically, use the grant ra-auto command in certificate server configuration mode. To disable automatic certificate enrollment, use the no form of this command.

grant ra-auto

no grant ra-auto

Syntax Description

This command has no arguments or keywords.

Defaults

Certificate enrollment is manual; that is, authorization is required.

Command Modes

Certificate server configuration

Command History

Release	Modification
12.3(7)T	This command was introduced.

Usage Guidelines

When grant ra-auto mode is configured on the issuing certificate server, ensure that the RA mode certificate server is running in manual grant mode so that enrollment requests are authorized individually by the RA.

---

Note For the grant ra-auto command to work, you have to include "cn=ioscs RA" or "ou=ioscs RA" in the subject name of the RA certificate.

---

Examples

The following output shows that the issuing certificate server is configured to issue a certificate automatically if the request comes from an RA:

Router (config)# crypto pki server myserver

Router-ca (cs-server)# grant ra-auto

% This will cause all certificate requests that are already authorized by known RAs to be 
automatically granted.

Are you sure you want to do this? [yes/no]:yes

Related Commands

Command	Description
crypto pki server	Enables a Cisco IOS certificate server and enters certificate server configuration mode.

group(firewall)

To enter redundancy application group configuration mode, use the group command in redundancy application configuration mode. To remove the group configuration, use the no form of this command.

group id

no group id

Syntax Description

id	Redundancy group ID. Valid values are 1 and 2.

Command Default

No group is configured.

Command Modes

Redundancy application configuration (config-red-app)

Command History

Release	Modification
Cisco IOS XE Release 3.1S	This command was introduced.

Examples

The following example shows how to configure a redundancy group with group ID 1:

Router# configure terminal

Router(config)# redundancy

Router(config-red)# application redundancy

Router(config-red-app)# group 1

Router(config-red-app-grp)#

Related Commands

Command	Description
application redundancy	Enters redundancy application configuration mode.

group (authentication)

To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group {tacacs+ server-group}

no group {tacacs+ server-group}

Syntax Description

tacacs+	Uses a TACACS+ server for authentication.
server-group	Name of the server group to use for authentication.

Defaults

No method list is configured.

Command Modes

AAA preauthentication configuration

Command History

Release	Modification
12.1(2)T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:

aaa preauth

 group abc123

 dnis password aaa-DNIS

Related Commands

Command	Description
aaa preauth	Enters AAA preauthentication mode.
dnis (authentication)	Enables AAA preauthentication using DNIS.

group (IKE policy)

To specify one or more Diffie-Hellman (DH) group identifier(s) for use in an Internet Key Exchange (IKE) policy, which defines a set of parameters to be used during IKE negotiation, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the DH group identifier to the default value, use the no form of this command.

group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}

no group

Syntax Description

1	Specifies the 768-bit DH group.
2	Specifies the 1024-bit DH group.
5	Specifies the 1536-bit DH group.
14	Specifies the 2048-bit DH group.
15	Specifies the 3072-bit DH group.
16	Specifies the 4096-bit DH group.
19	Specifies the 256-bit elliptic curve DH (ECDH) group.
20	Specifies the 384-bit ECDH group.
24	Specifies the 2048-bit DH/DSA group.

Command Default

DH group 1

Command Modes

ISAKMP policy configuration (config-isakmp)

Command History

Release	Modification
11.3 T	This command was introduced.
12.1(1.3)T	Support was added for DH group 5.
12.4(4)T	Support for IPv6 was added.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.2	Support was added for DH groups 14, 15, and 16 on the Cisco ASR 1000 series routers.
15.1(2)T	This command was modified. The 14, 15, 16, 19, and 20 keywords were added.

Usage Guidelines

The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.

The ISAKMP group and the IPsec perfect forward secrecy (PFS) group should be the same if PFS is used. If PFS is not used, a group is not configured in the IPsec crypto map.

Examples

The following example shows how to configure an IKE policy with the 1024-bit DH group (all other parameters are set to the defaults):

Router(config)# crypto isakmp policy 15

Router(config-isakmp) group 2

Router(config-isakmp) exit

Related Commands

Command	Description
authentication (IKE policy)	Specifies the authentication method within an IKE policy.
crypto isakmp policy	Defines an IKE policy.
encryption (IKE policy)	Specifies the encryption algorithm within an IKE policy.
hash (IKE policy)	Specifies the hash algorithm within an IKE policy.
lifetime (IKE policy)	Specifies the lifetime of an IKE SA.
show crypto isakmp policy	Displays the parameters for each IKE policy.

group (IKEv2 proposal)

To specify one or more Diffie-Hellman (DH) group identifier(s) for use in an Internet Key Exchange Version 2 (IKEv2) proposal, use the group command in IKEv2 proposal configuration mode. To reset the DH group identifier to the default value, use the no form of this command.

group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}

no group

Syntax Description

1	Specifies the 768-bit DH group.
2	Specifies the 1024-bit DH group.
5	Specifies the 1536-bit DH group.
14	Specifies the 2048-bit DH group
15	Specifies the 3072-bit DH group.
16	Specifies the 4096-bit DH group.
19	Specifies the 256-bit elliptic curve DH (ECDH) group.
20	Specifies the 384-bit ECDH group.
24	Specifies the 2048-bit DH/DSA group.

Command Default

DH group 2 and 5 in the IKEv2 proposal.

Command Modes

IKEv2 proposal configuration (config-ikev2-proposal)

Command History

Release	Modification
15.1(1)T	This command was introduced.
15.1(2)T	This command was modified. The 14, 15, 16, 19, and 20 keywords were added.
Cisco IOS XE Release 3.3S	This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Either group 14 or group 24 can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.

Examples

The following example shows how to configure an IKEv2 proposal with the 1024-bit DH group:

Router(config)# crypto ikev2 proposal proposal1

Router(config-ikev2-proposal)# group 2

Router(config-ikev2-proposal)# exit

Related Commands

Command	Description
crypto ikev2 proposal	Defines an IKEv2 proposal.
encryption (ikev2 proposal)	Specifies the encryption algorithm in an IKEv2 proposal.
integrity (ikev2 proposal)	Specifies the integrity algorithm in an IKEv2 proposal.
show crypto ikev2 proposal	Displays the algorithms configured in each IKEv2 proposal.

group (local RADIUS server)

To enter user group configuration mode and to configure shared settings for a user group, use the group command in local RADIUS server configuration mode. To remove the group configuration from the local RADIUS server, use the no form of this command.

group group-name

no group group-name

Syntax Description

group-name

Name of user group.

Defaults

No default behavior or values

Command Modes

Local RADIUS server configuration

Command History

Release	Modification
12.2(11)JA	This command was introduced on Cisco Aironet Access Point 1100 and Cisco Aironet Access Point 1200.
12.3(11)T	This command was implemented on the following platforms: Cisco 2600XM, Cisco 2691, Cisco 2811, Cisco 2821, Cisco 2851, Cisco 3700, and Cisco 3800 series routers.

Examples

The following example shows that shared settings are being configured for group "team1":

group team1

Related Commands

Command	Description
block count	Configures the parameters for locking out members of a group to help protect against unauthorized attacks.
clear radius local-server	Clears the statistics display or unblocks a user.
debug radius local-server	Displays the debug information for the local server.
nas	Adds an access point or router to the list of devices that use the local authentication server.
radius-server host	Specifies the remote RADIUS server host.
radius-server local	Enables the access point or router to be a local authentication server and enters into configuration mode for the authenticator.
reauthentication time	Specifies the time (in seconds) after which access points or wireless-aware routers must reauthenticate the members of a group.
show radius local-server statistics	Displays statistics for a local network access server.
ssid	Specifies up to 20 SSIDs to be used by a user group.
user	Authorizes a user to authenticate using the local authentication server.
vlan	Specifies a VLAN to be used by members of a user group.

group (RADIUS)

To specify the authentication, authorization, and accounting (AAA) RADIUS server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.

group server-group

no group server-group

Syntax Description

server-group

Specifies a AAA RADIUS server group.

Defaults

No default behavior or values.

Command Modes

AAA preauthentication configuration

Command History

Release	Modification
12.1(2)T	This command was introduced.

Usage Guidelines

You must configure a RADIUS server group with the aaa group server radius command in global configuration mode before using the group command in AAA preauthentication configuration mode.

You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).

Examples

The following example shows the creation of a RADIUS server group called "maestro" and then specifies that DNIS preauthentication be performed using this server group:

aaa group server radius maestro

 server 10.1.1.1 

 server 10.2.2.2 

 server 10.3.3.3 

aaa preauth

 group maestro

 dnis required

Related Commands

Command	Description
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.
clid	Preauthenticates calls on the basis of the CLID number.
ctype	Preauthenticates calls on the basis of the call type.
dnis (RADIUS)	Preauthenticates calls on the basis of the DNIS number.
dnis bypass (AAA preauthentication configuration)	Specifies a group of DNIS numbers that will be bypassed for preauthentication.

group-lock

The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.

To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.

---

Note Preshared keys are supported only. Certificates are not supported.

---

group-lock

no group-lock

Syntax Description

This command has no arguments or keywords.

Defaults

Group lock is not configured.

Command Modes

ISAKMP group configuration (config-isakmp-group)

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.

Usage Guidelines

The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:

name/group

name\group

name@group

name%group

where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.

---

Caution Do not use the Group-Lock attribute if you are using RSA signature authentication mechanisms such as certificates. Use the User-VPN-Group attribute instead.

---

The Group-Lock attribute is configured on a Cisco  IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.

---

Note If local authentication is used, then the Group-Lock attribute is the only option.

---

The username in the local or RADIUS database must be of the following format:

username[/,\,%,@]group.

Examples

The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:

---

Note You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the group-lock command.

---

crypto isakmp client configuration group cisco

  group-lock

The following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:

---

Note If RADIUS is used for user authentication, then use the User-VPN-Group attribute instead of the Group-Lock attribute.

---

ipsec:group-lock=1

Related Commands

Command	Description
acl	Configures split tunneling.
crypto isakmp client configuration group	Specifies the DNS domain to which a group belongs.

hash (ca-trustpoint)

To specify the cryptographic hash function the Cisco IOS client will use for self-signed certificates, use the hash command in ca-trustpoint configuration mode. To return to the default cryptographic hash function, use the no form of this command.

hash {md5 | sha1 | sha256 | sha384 | sha512}

no hash

Syntax Description

md5	Specifies that Message-Digest algorithm 5 (MD5), the default hash function, will be used.
sha1	Specifies that Secure Hash Algorithm (SHA-1) hash function will be used.
sha256	Specifies that the SHA-256 hash function will be used.
sha384	Specifies that the SHA-384 hash function will be used.
sha512	Specifies that the SHA-512 hash function will be used.

Command Default

By default, for self-signed certificates, the Cisco IOS client uses the MD5 cryptographic hash function.

Command Modes

Ca-trustpoint configuration (ca-trustpoint)

Command History

Release	Modification
12.4(15)T	This command was introduced.
Cisco IOS XE Release 2.4	This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

The hash command in ca-trustpoint configuration mode sets the hash function for the signature that the Cisco IOS client will use to sign its self-signed certificates. This hash setting does not specify what kind of signature the certificate authority (CA) will use when it issues a certificate to this client.

Examples

The following example configures the trustpoint "MyTP" and sets the cryptographic hash function to SHA-384:

crypto pki trustpoint MyTP 

   enrollment url http://MyTP 

   ip-address FastEthernet0/0 

   revocation-check none 

   hash sha384 

Related Commands

Command	Description
hash (cs-server)	Specifies the cryptographic hash function the Cisco IOS certificate server will use to sign certificates issued by the CA.

hash (cs-server)

To specify the cryptographic hash function the Cisco IOS certificate server will use to sign certificates issued by the certificate authority (CA), use the hash command in cs-server configuration mode. To return to the default cryptographic hash function, use the no form of this command.

hash {md5 | sha1 | sha256 | sha384 | sha512}

no hash

Syntax Description

md5	Specifies that the Message-Digest algorithm 5 (MD5), the default hash function, will be used.
sha1	Specifies that the Secure Hash Algorithm (SHA-1) hash function will be used.
sha256	Specifies that the SHA-256 hash function will be used.
sha384	Specifies that the SHA-384 hash function will be used.
sha512	Specifies that the SHA-512 hash function will be used.

Command Default

By default, to sign certificates issued by CA, the Cisco IOS client uses the MD5 cryptographic hash function.

Command Modes

Cs-server configuration (cs-server)

Command History

Release	Modification
12.4(14)XK	This command was introduced.
Cisco IOS XE Release 2.4	This command was implemented on the Cisco ASR 1000 series routers.

Usage Guidelines

The hash command in cs-server configuration mode sets the hash function for the signature that the Cisco IOS CA will use to sign all of the certificates issued by the server. If the CA is a root CA, it will use the hash function in its own, self-signed certificate.

Examples

The following example configures a certificate server, MyCS, and sets the cryptographic hash function to SHA-512 for the certificate server:

crypto pki server MyCS

database level complete

issuer-name CN=company,L=city,C=country

grant auto

hash sha512

lifetime crl 168

The following is sample output from the show crypto ca certificates command. This output shows that the CA has been configured and that the hash function SHA-512 has been specified.

CA Certificate

Status: Available

Certificate Serial Number: 01

Certificate Usage: Signature

Issuer:

cn=company

l=city

c=country

Subject:

cn=company

l=city

c=country

Validity Date:

start date: 01:32:35 GMT Aug 3 2006

end date: 01:32:35 GMT Aug 2 2009

Associated Trustpoints: MyTP

Certificate Subject:

Name: MyCS.cisco.com

IP Address: 192.168.10.2

Status: Pending Key

Usage: General Purpose

Certificate Request Fingerprint SHA1: 05080A60 82DE9395 B35607C2 38F3A0C3 50609EF8

Associated Trustpoint: MyTP

Related Commands

Command	Description
hash (ca-trustpoint)	Specifies the cryptographic hash function the Cisco IOS client will use for self-signed certificates.

hash (IKE policy)

To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default secure hash algorithm (SHA)-1 hash algorithm, use the no form of this command.

hash {sha | sha256 | sha384 | md5}

no hash

Syntax Description

sha	Specifies SHA-1 (HMAC variant) as the hash algorithm.
sha256	Specifies SHA-2 family 256-bit (HMAC variant) as the hash algorithm.
sha384	Specifies SHA-2 family 384-bit (HMAC variant) as the hash algorithm.
md5	Specifies MD5 (HMAC variant) as the hash algorithm.

Defaults

The SHA-1 hash algorithm

Command Modes

ISAKMP policy configuration

Command History

Release	Modification
11.3 T	This command was introduced.
12.4(4)T	IPv6 support was added.
12.2(33)SRA	This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.1	This command was introduced on Cisco ASR 1000 Series Routers.
15.1(2)T	This command was modified. The sha256 and sha384 keywords were added.

Usage Guidelines

Use this command to specify the hash algorithm to be used in an IKE policy.

Examples

The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):

crypto isakmp policy 15

 hash md5

 exit

Related Commands

Command	Description
authentication (IKE policy)	Specifies the authentication method within an IKE policy.
crypto isakmp policy	Defines an IKE policy.
encryption (IKE policy)	Specifies the encryption algorithm within an IKE policy.
group (IKE policy)	Specifies the Diffie-Hellman group identifier within an IKE policy.
lifetime (IKE policy)	Specifies the lifetime of an IKE SA.
show crypto isakmp policy	Displays the parameters for each IKE policy.

heading

To configure the heading that is displayed above URLs listed on the portal page of a SSL VPN, use the heading command in webvpn URL list configuration mode. To remove the heading, use the no form of this command.

heading text-string

no heading

Syntax Description

text-string

The URL list heading entered as a text string. The heading must be in quotation marks if it contains spaces.

Command Default

A heading is not configured.

Command Modes

Webvpn URL list configuration

Command History

Release	Modification
12.3(14)T	This command was introduced.

Examples

The following example configures a heading for a URL list:

Router(config)# webvpn context context1 

Router(config-webvpn-context)# url-list ACCESS 

Router(config-webvpn-url)# heading "Quick Links" 

Router(config-webvpn-url)# 

Related Commands

Command	Description
url-list	Enters webvpn URL list configuration mode to configure the list of URLs to which a user has access on the portal page of a SSL VPN.

hide-url-bar

To prevent the URL bar from being displayed on the SSL VPN portal page, use the hide-url-bar command in webvpn group policy configuration mode. To display the URL bar on the portal page, use the no form of this command.

hide-url-bar

no hide-url-bar

Syntax Description

This command has no arguments or keywords.

Command Default

The URL bar is displayed on the SSL VPN portal page.

Command Modes

Webvpn group policy configuration

Command History

Release	Modification
12.4(6)T	This command was introduced.

Usage Guidelines

The configuration of this command applies only to clientless mode access.

Examples

The following example hides the URL bar on the SSL VPN portal page:

Router(config)# webvpn context context1 

Router(config-webvpn-context)# policy group ONE 

Router(config-webvpn-group)# hide-url-bar 

Router(config-webvpn-group)# 

Related Commands

Command	Description
policy group	Enters webvpn group policy configuration mode to configure a policy group.
webvpn context	Enters webvpn context configuration mode to configure the SSL VPN context.

host (webvpn url rewrite)

To select the name of the host site to be mangled on a Secure Socket Layer virtual private network (SSL VPN) gateway, use the host command in webvpn url rewrite configuration mode. To deselect a site, use the no form of this command.

host host-name

no host host-name

Syntax Description

host-name

Hostname of the site to be mangled.

Command Default

A host site is not selected.

Command Modes

Webvpn url rewrite (config-webvpn-url-rewrite)

Command History

Release	Modification
12.4(20)T	This command was introduced.

Examples

The following example shows that the site www.examplecompany.com is to be mangled:

Router (config)# webvpn context

Router (config-webvpn-context)# url rewrite

Router (config-webvpn-url-rewrite)# host www.examplecompany.com

Related Commands

Command	Description
ip (webvpn url rewrite)	Configures the IP address of the site to be mangled on an SSL VPN gateway.
unmatched-action (webvpn url rewrite)	Defines the action when the user request does not match the IP address or host site configuration.

hostname (IKEv2 keyring)

To specify the hostname for the peer in the Internet Key Exchange Version 2 (IKEv2) keyring, use the hostname command IKEv2 keyring peer configuration mode. To remove the hostname, use the no form of this command.

hostname name

no hostname

Syntax Description

name	Name for the peer.

Command Default

The hostname is not specified.

Command Modes

IKEv2 keyring peer configuration (config-ikev2-keyring-peer)

Command History

Release	Modification
15.1(1)T	This command was introduced.
Cisco IOS XE Release 3.3S	This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

When configuring the IKEv2 keyring, use this command to identify the peer using hostname, which is:

•Independent of the IKEv2 identity.

•Available on an IKEv2 initiator only.

•Provided by IPsec to IKEv2 as part of a security association setup request to identify the peer.

•Used to identify the peer only with crypto maps and not with tunnel protection.

Examples

The following example shows how to configure the hostname for a peer when configuring an IKEv2 keyring:

Router(config)# crypto ikev2 keyring keyring-1

Router(config-ikev2-keyring)# peer peer1

Router(config-ikev2-keyring-peer)# description peer1

Router(config-ikev2-keyring-peer)# hostname peer1.example.com

Related Commands

Command	Description
address (ikev2 keyring)	Specifies the IPv4 address or the range of the peers in IKEv2 key.
crypto ikev2 keyring	Defines an IKEv2 keyring.
description (ikev2 keyring)	Describes an IKEv2 peer or a peer group for the IKEv2 keyring.
identity (ikev2 keyring)	Identifies the peer with IKEv2 types of identity.
peer	Defines a peer or a peer group for the keyring.
pre-shared-key (ikev2 keyring)	Defines a preshared key for the IKEv2 peer.

hostname (WebVPN)

To configure the hostname for a SSL VPN gateway, use the hostname command in webvpn gateway configuration mode. To remove the hostname from the SSL VPN gateway configuration, use the no form of this command.

hostname name

no hostname

Syntax Description

name	Specifies the hostname.

Command Default

The hostname is not configured.

Command Modes

Webvpn gateway configuration

Command History

Release	Modification
12.4(6)T	This command was introduced.

Usage Guidelines

A hostname is configured for use in the URL and cookie-mangling process. In configurations where traffic is balanced among multiple SSL VPN gateways, the hostname configured with this command maps to the gateway IP address configured on the load-balancing device(s).

Examples

The following example configures a hostname for a SSL VPN gateway:

Router(config)# webvpn gateway GW_1 

Router(config-webvpn-gateway)# hostname VPN_Server 

Related Commands

Command	Description
webvpn gateway	Defines a SSL VPN gateway and enters webvpn gateway configuration mode.

http proxy-server

To direct Secure Socket Layer virtual private network (SSL VPN) user requests through a backend HTTP proxy server, use the http proxy-server command in webvpn policy group configuration mode. To redirect user requests to internal servers, use the no form of this command.

http proxy-server {dns-name | ip-address} port port-number

no http proxy-server

Syntax Description

dns-name	Domain Name System (DNS) to be directed to the HTTP proxy server.
ip-address	IP address to be directed to the HTTP proxy server.
port port-number	Port number of the backend HTTP proxy server.

Command Default

User requests are routed directly to internal servers.

Command Modes

Webvpn policy group configuration (config-webvpn-group)

Command History

Release	Modification
12.4(20)T	This command was introduced.

Examples

The following example shows that requests from IP address 10.1.1.1 are to be routed to the proxy server (port number 2034):

Router (config)# webvpn context e1

Router (config-webvpn-context)# policy group g1

Router (config-webvpn-group)# http proxy-server 10.1.1.1 port 2034

Router (config-webvpn-group)# exit

Router (config-webvpn-context)# default-group-policy g1

http-redirect

To configure HTTP traffic to be carried over secure HTTP (HTTPS), use the http-redirect command in webvpn gateway configuration mode. To remove the HTTPS configuration from the SSL VPN gateway, use the no form of this command.

http-redirect [port number]

no http-redirect

Syntax Description

port number

(Optional) Specifies a port number. The value for this argument is a number from 1 to 65535.

Command Default

The following default value is used if this command is configured without entering the port keyword:

port number : 80

Command Modes

Webvpn gateway configuration

Command History

Release	Modification
12.4(6)T	This command was introduced.

Usage Guidelines

When this command is enabled, the HTTP port is opened and the SSL VPN gateway listens for HTTP connections. HTTP connections are redirected to use HTTPS. Entering the port keyword and number argument configures the gateway to listen for HTTP traffic on the specified port. Entering the no form, disables HTTP traffic redirection. HTTP traffic is handled by the HTTP server if one is running.

Examples

The following example, starting in global configuration mode, redirects HTTP traffic (on TCP port 80) over to HTTPS (on TCP port 443):

Router(config)# webvpn gateway SSL_GATEWAY 

Router(config-webvpn-gateway)# http-redirect 

Related Commands

Command	Description
webvpn gateway	Defines a SSL VPN gateway and enters webvpn gateway configuration mode.

hw-module slot subslot only

---

Note This command is deleted effective with Cisco IOS Release 12.2SXI.

---

To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode. If this command is not used, the total amount of buffers available is divided between the two subslots on the Cisco 7600 SSC-400.

---

Note This command automatically generates a reset on the Cisco 7600 SSC-400. See Usage Guidelines below for details.

---

hw-module slot slot subslot subslot only

Syntax Description

slot	Chassis slot number where the Cisco 7600 SSC-400 is located. Refer to the appropriate hardware manual for slot information. For SIPs and SSCs, refer to the platform-specific SPA hardware installation guide or the corresponding "Identifying Slots and Subslots for SIPs and SPAs" topic in the platform-specific SPA software configuration guide.
subslot	Secondary slot number on the SSC where the IPSec VPN SPA is installed.

Defaults

No default behavior or values.

Command Modes

Global configuration mode

Command History

Release	Modification
12.2(18)SXF2	This command was introduced.
12.2(33)SRA	This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2SXI	This command was deleted.

Usage Guidelines

Follow these guidelines and restrictions when configuring a Cisco 7600 SSC-400 and IPSec VPN SPAs using the hw-module slot subslot only command:

•This command is useful when supporting IP multicast over GRE on the IPSec VPN SPA.

•When this command is executed, it automatically takes a reset action on the Cisco 7600 SSC-400 and issues the following prompt to the console:

Module n will be reset? Confirm [n]:

The prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.

•When in this mode, if you manually plug in a second SPA, or if you attempt to reset the SPA (by entering a no hw-module subslot shutdown command, for example), a message is displayed on the router console which refers you to the customer documentation.

Examples

The following example allocates full buffers to the SPA that is installed in subslot 0 of the SIP located in slot 1 of the router and takes a reset action of the Cisco 7600 SSC-400.

Router(config)# hw-module slot 4 subslot 1 only

Module 4 will be reset? Confirm [no]: y

Note that the prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.

Related Commands

Command	Description
ip multicast-routing	Enables IP multicast routing.
ip pim	Enables Protocol Independent Multicast (PIM) on an interface.