Table Of Contents
keepalive (isakmp profile)
kerberos clients mandatory
kerberos credentials forward
kerberos instance map
kerberos local-realm
kerberos preauth
kerberos realm
kerberos server
kerberos srvtab entry
kerberos srvtab remote
key (isakmp-group)
key config-key
key config-key password-encryption
keyring
key-string (IKE)
language
length (RITE)
lifetime (certificate server)
lifetime (IKE policy)
lifetime crl
lifetime enrollment-request
list (LSP Attributes)
list (WebVPN)
li-view
load-balance (server-group)
load classification
local-address
local-port (WebVPN)
local priority
lockdown (LSP Attributes)
log (policy-map and class-map)
logging dmvpn
logging enabled
logging ip access-list cache (global configuration)
logging ip access-list cache (interface configuration)
login authentication
login block-for
login delay
login-message
login on-failure
login on-success
login quiet-mode access-class
login-photo
logo
keepalive (isakmp profile)
To allow the gateway to send dead peer detection (DPD) messages to the peer, use the keepalive command in Internet Security Association Key Management Protocol (ISAKMP) profile configuration mode. To return to the default, use the no form of this command.
keepalive seconds retry retry-seconds
no keepalive seconds retry retry-seconds
Syntax Description
seconds | Number of seconds between DPD messages. The range is from 10 to 3600 seconds.
retry retry-seconds | Number of seconds between retries if a DPD message fails. The range is from 2 to 60 seconds.
Defaults
If this command is not configured, a DPD message is not sent to the client.
Command Modes
ISAKMP profile configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
Use this command to enable the gateway (instead of the client) to send DPD messages to the client. Internet Key Exchange (IKE) DPD is a new keepalive scheme that sends messages to let the router know that the client is still connected.
Examples
The following example configures DPD messages to be sent every 60 seconds, with a 5-second retry interval if the peer does not respond:
crypto isakmp profile vpnprofile
 keepalive 60 retry 5
kerberos clients mandatory
To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command.
kerberos clients mandatory
no kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the non-Kerberized protocols if unsuccessful.
If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate.
Examples
The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server:
kerberos clients mandatory
Related Commands
Command | Description
connect | Logs in to a host that supports Telnet, rlogin, or LAT.
kerberos credentials forward | Forces all network application clients on the router to forward the Kerberos credentials of users upon successful Kerberos authentication.
rlogin | Logs in to a UNIX host using rlogin.
rsh | Executes a command remotely on a remote rsh host.
telnet | Logs in to a host that supports Telnet.
kerberos credentials forward
To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command.
kerberos credentials forward
no kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Enable credentials forwarding to have users' ticket granting tickets (TGTs) forwarded to the host on which they authenticate. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.
Examples
The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication:
kerberos credentials forward
Related Commands
Command | Description
connect | Logs in to a host that supports Telnet, rlogin, or LAT.
rlogin | Logs in to a UNIX host using rlogin.
rsh | Executes a command remotely on a remote rsh host.
telnet | Logs in to a host that supports Telnet.
kerberos instance map
To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command.
kerberos instance map instance privilege-level
no kerberos instance map instance
Syntax Description
instance | Name of a Kerberos instance.
privilege-level | The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.
Defaults
Privilege level 1
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command to create user instances with access to administrative commands.
Examples
The following example sets the privilege level to 15 for authenticated Kerberos users whose principal carries the admin instance in the Kerberos realm:
kerberos instance map admin 15
Related Commands
Command | Description
aaa authorization | Sets parameters that restrict user access to a network.
kerberos local-realm
To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command.
kerberos local-realm kerberos-realm
no kerberos local-realm
Syntax Description
kerberos-realm | The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.
Examples
The following example specifies EXAMPLE.COM as the Kerberos realm in which the router is located:
kerberos local-realm EXAMPLE.COM
Related Commands
Command | Description
kerberos preauth | Specifies a preauthentication method to use to communicate with the KDC.
kerberos realm | Maps a host name or DNS domain to a Kerberos realm.
kerberos server | Specifies the location of the Kerberos server for a given Kerberos realm.
kerberos srvtab entry | Specifies a krb5 SRVTAB entry.
kerberos srvtab remote | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
kerberos preauth
To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command.
kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]
no kerberos preauth
Syntax Description
encrypted-unix-timestamp | (Optional) Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.
encrypted-kerberos-timestamp | (Optional) Use the RFC 1510 Kerberos timestamp as a quick authentication method when communicating with the KDC.
none | (Optional) Do not use Kerberos preauthentication.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
It is more secure to use preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support the configured kerberos preauth method. If that happens, turn off preauthentication with the none option.
The no form of this command is equivalent to using the none keyword.
Examples
The following example enables Kerberos preauthentication:
kerberos preauth encrypted-unix-timestamp
The following example disables Kerberos preauthentication:
kerberos preauth none
Related Commands
Command | Description
kerberos local-realm | Specifies the Kerberos realm in which the router is located.
kerberos server | Specifies the location of the Kerberos server for a given Kerberos realm.
kerberos srvtab entry | Specifies a krb5 SRVTAB entry.
kerberos srvtab remote | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
kerberos realm
To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command.
kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm
Syntax Description
dns-domain | Name of a DNS domain or host.
host | Name of a DNS host.
kerberos-realm | Name of the Kerberos realm to which the specified domain or host belongs.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this line.
A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. Kerberos realm names must be in all uppercase characters. The router can be located in more than one realm at a time.
Examples
The following example maps the domain name "example.com" to the Kerberos realm, EXAMPLE.COM:
kerberos realm .example.com EXAMPLE.COM
Related Commands
Command | Description
kerberos local-realm | Specifies the Kerberos realm in which the router is located.
kerberos server | Specifies the location of the Kerberos server for a given Kerberos realm.
kerberos srvtab entry | Specifies a krb5 SRVTAB entry.
kerberos srvtab remote | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
kerberos server
To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command.
kerberos server kerberos-realm {host-name | ip-address} [port-number]
no kerberos server kerberos-realm {host-name | ip-address}
Syntax Description
kerberos-realm | Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.
host-name | Name of the host functioning as a Kerberos server for the specified Kerberos realm (translated into an IP address at the time of entry).
ip-address | IP address of the host functioning as the Kerberos server for the specified Kerberos realm.
port-number | (Optional) Port that the key distribution center (KDC) monitors (defaults to 88).
Defaults
Disabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the kerberos server command to specify the location of the Kerberos server for a given realm.
Examples
The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM:
kerberos server EXAMPLE.COM 192.168.47.66
Related Commands
Command | Description
kerberos local-realm | Specifies the Kerberos realm in which the router is located.
kerberos realm | Maps a host name or DNS domain to a Kerberos realm.
kerberos srvtab entry | Specifies a krb5 SRVTAB entry.
kerberos srvtab remote | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
kerberos srvtab entry
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. To remove a SRVTAB entry from the router's configuration, use the no form of this command.
kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description
kerberos-principal | A service on the router.
principal-type | Version of the Kerberos SRVTAB.
timestamp | Number representing the date and time the SRVTAB entry was created.
key-version number | Version of the encryption key format.
key-type | Type of encryption used.
key-length | Length, in bytes, of the encryption key.
encrypted-keytab | Secret key the router shares with the key distribution center (KDC). It is encrypted with the private Data Encryption Standard (DES) key (if available) when you write out your configuration.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.
If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.
If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.
Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
Examples
In the following example, host/new-router.example.com@EXAMPLE.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates that DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:
kerberos srvtab entry host/new-router.example.com@EXAMPLE.COM 0 817680774 1 1 8 .cCN.YoU.okK
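The realm and SRVTAB constraints stated above (uppercase realm names, the fixed seven-field layout of a kerberos srvtab entry, and the fallback to non-Kerberized protocols when kerberos clients mandatory is absent) can be checked mechanically before a configuration is pushed. The following Python auditor is an added example, not Cisco code: the configuration text and finding codes are constructed for it, and the check that a DES entry (key type 1) declares an 8-byte key is taken from the page's own example entry.

```python
"""Audit the Kerberos settings in a Cisco IOS running-config.

Added example for the kerberos realm / kerberos srvtab entry reference;
it is not Cisco code. The checks encode what the reference states:
realm names are uppercase, a 'kerberos srvtab entry' line carries seven
fields after the keywords, and (from the page's example) key type 1 is
DES with an 8-byte key. The config below is constructed for this example.
"""

# Constructed sample config with two deliberate defects (a lowercase realm
# and a DES entry declaring a 16-byte key) and no 'kerberos clients mandatory'.
SAMPLE_CONFIG = """\
!
kerberos local-realm EXAMPLE.COM
kerberos realm .example.com EXAMPLE.COM
kerberos realm mail.example.com example.com
kerberos realm .lab.example.com LAB.EXAMPLE.COM
kerberos server EXAMPLE.COM 192.168.47.66
kerberos server LAB.EXAMPLE.COM kdc.lab.example.com 88
kerberos srvtab entry host/new-router.example.com@EXAMPLE.COM 0 817680774 1 1 8 .cCN.YoU.okK
kerberos srvtab entry host/r2.example.com@EXAMPLE.COM 0 817680775 1 1 16 abcdefgh
kerberos preauth encrypted-unix-timestamp
!
"""

DES_KEY_TYPE = "1"     # key-type value shown for DES in the reference example
DES_KEY_LENGTH = "8"   # key-length shown for that DES entry


def kerberos_lines(config):
    """Return every 'kerberos ...' config line as a list of tokens."""
    return [line.split() for line in config.splitlines()
            if line.strip().startswith("kerberos ")]


def _check_realm(realm, where, findings):
    # The reference requires realm names to be all uppercase.
    if realm != realm.upper():
        findings.append(("realm-not-uppercase", f"{where}: realm {realm!r}"))


def _check_srvtab(fields, findings):
    """Validate the seven positional fields of a kerberos srvtab entry."""
    if len(fields) != 7:
        findings.append(("srvtab-field-count",
                         f"{len(fields)} fields: {' '.join(fields)}"))
        return
    principal, ptype, timestamp, kvno, ktype, klen, _keytab = fields
    if "@" not in principal:
        findings.append(("srvtab-principal-no-realm", principal))
    else:
        _check_realm(principal.rpartition("@")[2], f"srvtab {principal}", findings)
    for name, value in (("principal-type", ptype), ("timestamp", timestamp),
                        ("key-version", kvno), ("key-type", ktype),
                        ("key-length", klen)):
        if not value.isdigit():
            findings.append(("srvtab-non-numeric", f"{principal}: {name}={value!r}"))
    if ktype == DES_KEY_TYPE and klen != DES_KEY_LENGTH:
        findings.append(("srvtab-key-length",
                         f"{principal}: DES entry declares key-length {klen}, "
                         f"expected {DES_KEY_LENGTH}"))


def audit_kerberos(config):
    """Return a list of (code, detail) findings for the config text."""
    findings = []
    local_realm = None
    realms_with_kdc = set()
    clients_mandatory = False
    for tok in kerberos_lines(config):
        sub = tok[1] if len(tok) > 1 else ""
        if sub == "local-realm" and len(tok) == 3:
            local_realm = tok[2]
            _check_realm(tok[2], "local-realm", findings)
        elif sub == "realm" and len(tok) == 4:
            # tok[2] is a DNS domain (leading dot) or a host name; tok[3] is the realm
            _check_realm(tok[3], f"realm map {tok[2]}", findings)
        elif sub == "server" and len(tok) in (4, 5):
            realms_with_kdc.add(tok[2])
            _check_realm(tok[2], f"server {tok[3]}", findings)
            if len(tok) == 5 and not (tok[4].isdigit() and 1 <= int(tok[4]) <= 65535):
                findings.append(("server-bad-port", f"{tok[3]}: port {tok[4]!r}"))
        elif sub == "srvtab" and len(tok) > 2 and tok[2] == "entry":
            _check_srvtab(tok[3:], findings)
        elif tok[1:] == ["clients", "mandatory"]:
            clients_mandatory = True
    # Assumption of this example: a local realm should have a KDC configured for it.
    if local_realm is not None and local_realm not in realms_with_kdc:
        findings.append(("local-realm-no-kdc", local_realm))
    if not clients_mandatory:
        # Without it, rsh/rcp/rlogin/telnet fall back to non-Kerberized protocols.
        findings.append(("clients-not-mandatory", "kerberos clients mandatory is absent"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_kerberos(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```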
Related Commands
Command | Description
kerberos srvtab remote | Retrieves a krb5 SRVTAB file from the specified host.
key config-key | Defines a private DES key for the router.
kerberos srvtab remote
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote command in global configuration mode.
kerberos srvtab remote {boot_device:URL}
Syntax Description
URL | Machine that has the Kerberos SRVTAB file.
ip-address | IP address of the machine that has the Kerberos SRVTAB file.
filename | Name of the SRVTAB file.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the key distribution center [KDC]), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.
Examples
The following example copies the SRVTAB file residing on b1.example.com to a router named s1.example.com:
kerberos srvtab remote tftp://b1.example.com/s1.example.com-new-srvtab
Related Commands
Command | Description
kerberos srvtab entry | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
key config-key | Defines a private DES key for the router.
key (isakmp-group)
To specify the Internet Key Exchange (IKE) preshared key for group policy attribute definition, use the key command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove a preshared key, use the no form of this command.
key name
no key name
Syntax Description
name | IKE preshared key that matches the password entered on the client. Note: This value must match the "password" field that is defined in the Cisco VPN Client 3.x configuration GUI.
Defaults
No default behavior or values.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Release | Modification
12.2(8)T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS 12.2SX family of releases. Support in a specific 12.2SX release is dependent on your feature set, platform, and platform hardware.
Usage Guidelines
Use the key command to specify the IKE preshared key when defining group policy information for Mode Configuration push. (It follows the crypto isakmp client configuration group command.) You must configure this command if the client identifies itself to the router with a preshared key. (You do not have to enable this command if the client uses a certificate for identification.)
Examples
The following example shows how to specify the preshared key "cisco":
crypto isakmp client configuration group default
 key cisco
Related Commands
Command | Description
acl | Configures split tunneling.
crypto isakmp client configuration group | Specifies the DNS domain to which a group belongs.
key config-key
To define a private DES key for the router, use the key config-key command in global configuration mode. To delete a private Data Encryption Standard (DES) key from the router, use the no form of this command.
key config-key 1 string
no key config-key 1 string
Syntax Description
1 | Key number. This number is always 1.
string | Private DES key (can be up to eight alphanumeric characters).
Defaults
No DES-key defined.
Command Modes
Global configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command defines a private DES key for the router that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.
Caution 
The private DES key is unrecoverable. If you encrypt part of your configuration with the private DES key and lose or forget the key, you will not be able to recover the encrypted data.
Examples
The following example sets keyxx as the private DES key on the router:
key config-key 1 keyxx
Related Commands
Command | Description
kerberos srvtab entry | Specifies a krb5 SRVTAB entry.
kerberos srvtab remote | Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
key config-key password-encryption
To store a type 6 encryption key in private NVRAM, use the key config-key password-encryption command in global configuration mode. To disable the encryption, use the no form of this command.
key config-key password-encryption [text]
no key config-key password-encryption [text]
Syntax Description
text | (Optional) Password or master key. Note: It is recommended that you do not use the text argument but instead use interactive mode (press the Enter key after you enter the key config-key password-encryption command) so that the preshared key is not printed anywhere and, therefore, cannot be seen.
Defaults
No type 6 password encryption
Command Modes
Global configuration
Command History
Release | Modification
12.3(2)T | This command was introduced.
12.2(18)SXD | This command was integrated into Cisco IOS Release 12.2(18)SXD.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
You can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher Advanced Encryption Standard [AES] is used to encrypt the keys). The password (key) configured using the key config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"
Changing a Password
If the password (master key) is changed or reencrypted using the key config-key password-encryption command, the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution
If the password configured using the key config-key password-encryption command is lost, it cannot be recovered. The password should be stored in a safe location.
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."
If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Examples
The following example shows that a type 6 encryption key is to be stored in NVRAM:
Router (config)# key config-key password-encryption
Related Commands
Command | Description
password encryption aes | Enables a type 6 encrypted preshared key.
password logging | Provides a log of debugging output for a type 6 password operation.
keyring
To configure a keyring with an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the keyring command in ISAKMP profile configuration mode. To remove the keyring from the ISAKMP profile, use the no form of this command.
keyring keyring-name
no keyring keyring-name
Syntax Description
keyring-name | The keyring name, which must match the keyring name that was defined in the global configuration.
Defaults
If this command is not used, the ISAKMP profile uses the keys defined in the global configuration.
Command Modes
ISAKMP profile configuration
Command History
Release | Modification
12.2(15)T | This command was introduced.
Usage Guidelines
The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. If no keyring is defined in the profile, the global keys that were defined in the global configuration are used.
Examples
The following example shows that "vpnkeyring" is configured as the keyring name:
crypto isakmp profile vpnprofile
 keyring vpnkeyring
key-string (IKE)
To specify the Rivest, Shamir, and Adleman (RSA) public key of the remote peer, use the key-string command in public key configuration mode. To remove the RSA public key, use the no form of this command.
key-string key-string
no key-string key-string
Syntax Description
key-string | Enter the key in hexadecimal format. While entering the key data, you can press Return to continue entering data.
Defaults
No default behavior or values
Command Modes
Public key configuration
Command History
Release | Modification
11.3T | This command was introduced.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Before using this command, you must enter the rsa-pubkey command in the crypto keyring mode.
If possible, to avoid mistakes, you should cut and paste the key data (instead of attempting to type in the data).
To complete the command, you must return to the global configuration mode by typing quit at the config-pubkey prompt.
Examples
The following example manually specifies the RSA public keys of an IP Security (IPSec) peer:
Router(config)# crypto keyring vpnkeyring
Router(conf-keyring)# rsa-pubkey name host.vpn.com
Router(config-pubkey-key)# address 10.5.5.1
Router(config-pubkey)# key-string
Router(config-pubkey)# 00302017 4A7D385B 1234EF29 335FC973
Router(config-pubkey)# 2DD50A37 C4F4B0FD 9DADE748 429618D5
Router(config-pubkey)# 18242BA3 2EDFBDD3 4296142A DDF7D3D8
Router(config-pubkey)# 08407685 2F2190A0 0B43F1BD 9A8A26DB
Router(config-pubkey)# 07953829 791FCDE9 A98420F0 6A82045B
Router(config-pubkey)# 90288A26 DBC64468 7789F76E EE21
Router(config-pubkey)# quit
Router(config-pubkey-key)# exit
Router(conf-keyring)# exit
Related Commands
Command | Description
crypto keyring | Defines a crypto keyring.
rsa-pubkey | Defines the RSA public key to be used for encryption or signatures during IKE authentication.
show crypto keyring | Displays keyrings on your router.
language
To specify the language to be used in a webvpn context, use the language command in web Virtual Private Network (VPN) context configuration mode. To remove the language that was specified, use the no form of this command.
language {Japanese | customize language-name device:file}
no language {Japanese | customize language-name device:file}
Syntax Description
Japanese
|
Specifies that the language to be used is Japanese.
|
customize language-name device:file
|
Specifies that a language other than English or Japanese is to be used.
• language-name—Name of the language as it is displayed in the language selection box on the login and portal pages.
• device:file—Storage device on the system and the filename of the language customization file. The filename should include the directory path.
|
Command Default
English is the language.
Command Modes
Webvpn context configuration (config-webvpn-context)
Command History
Release
|
Modification
|
12.4(22)T
|
This command was introduced.
|
Examples
The following example shows that the language to be used is Japanese:
Router (config)# webvpn context
Router (config-webvpn-context)# language Japanese
The following example shows that the language (mylang) is to be customized from the file "lang.js," which is in flash:
Router (config)# webvpn context
Router (config-webvpn-context)# language customize mylang flash:lang.js
Note
The lang.js file does not have to be created if the language is English or Japanese.
Related Commands
Command
|
Description
|
webvpn create template
|
Creates templates for multilanguage support for messages in an SSL VPN.
|
length (RITE)
To specify the length of the captured portion of each packet in IP traffic export capture mode, use the length command in RITE configuration mode. To return to the default condition of capturing entire packets, use the no form of this command.
length bytes
no length
Syntax Description
bytes
|
The length in bytes of the packet captured in IP traffic export capture mode. Acceptable values are 128, 256, and 512.
|
Command Default
When you do not use this command, the entire packet is captured.
Command Modes
RITE configuration
Command History
Release
|
Modification
|
12.4(11)T
|
This command was introduced.
|
Usage Guidelines
Use this command to limit the length of the portion of each packet that is captured in IP traffic export capture mode. The captured portion is limited to the first 128, 256, or 512 bytes of the packet. If you do not use the length command, entire packets are captured.
Examples
The following example shows the use of the length command in the configuration of IP traffic export capture mode profile "corp2":
Router(config)# ip traffic-export profile corp2 mode capture
Router(config-rite)# bidirectional
Router(config-rite)# outgoing sample one-in-every 50
Router(config-rite)# incoming access-list ham_acl
Router(config-rite)# length 512
Router(config-rite)# exit
Router(config)# interface FastEthernet 0/0
Router(config-if)# ip traffic-export apply corp2 size 10000000
Related Commands
Command
|
Description
|
bidirectional
|
Enables incoming and outgoing IP traffic to be exported or captured across a monitored interface.
|
incoming
|
Configures filtering for incoming IP traffic export or IP traffic capture traffic.
|
ip traffic-export apply profile
|
Applies an IP traffic export or IP traffic capture profile to a specific interface.
|
ip traffic-export profile
|
Creates an IP traffic export or IP traffic capture profile on an ingress interface.
|
outgoing
|
Configures filtering for outgoing IP traffic export or IP traffic capture traffic.
|
traffic-export interface
|
Controls the operation of IP traffic capture mode.
|
lifetime (certificate server)
To specify the lifetime of the certification authority (CA) or a certificate, use the lifetime command in certificate server configuration mode. To return to the default lifetime values, use the no form of this command.
lifetime {ca-certificate | certificate} time
no lifetime {ca-certificate | certificate} time
Syntax Description
ca-certificate
|
Lifetime is for the CA certificate of the certificate server.
|
certificate
|
Lifetime is for the certificate of the certificate server.
The maximum certificate lifetime is one month less than the lifetime of the CA certificate.
|
time
|
Lifetime value in days. Valid values range from 1 day to 7305 days.
All certificates are valid on the date that they are issued.
|
Defaults
The default CA certificate lifetime is 3 years.
The default certificate lifetime is 1 year.
Command Modes
Certificate server configuration
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
After you enable a certificate server via the crypto pki server command, use the lifetime command if you wish to specify lifetime values other than the default values for the CA certificate and the certificate of the certificate server.
After the certificate server generates its signed CA certificate, the lifetime cannot be changed.
Examples
The following example shows how to set the lifetime of the CA certificate to 30 days:
Router(config)# ip http server
Router(config)# crypto pki server mycertserver
Router(cs-server)# lifetime ca-certificate 30
Related Commands