Cisco IOS XR Virtual Firewall Command Reference, Release 3.7
Authentication and Accounting Commands

Table Of Contents

Authentication and Accounting Commands on the Virtual Firewall

aaa accounting default

aaa authentication login

aaa group server

attribute user-profile

baseDN

clear accounting log

deadtime

filter search-user

ldap-server host

ldap-server port

ldap-server timeout

radius-server attribute nas-ipaddr

radius-server deadtime

radius-server host

radius-server key

radius-server retransmit

radius-server timeout

server

show aaa

show accounting log

show ldap-server

show radius-server

show tacacs-server

tacacs-server deadtime

tacacs-server host

tacacs-server key

tacacs-server timeout


Authentication and Accounting Commands on the Virtual Firewall


This module describes the user authentication and accounting commands that can be used on the VFW application. For more information regarding configuring authentication and accounting, refer to the "Configuring Authentication and Accounting Services on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.


Note The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.


aaa accounting default

To configure the default accounting method, use the aaa accounting default command in configuration mode. To remove the accounting method, use the no form of this command.

aaa accounting default group group_name local none

no aaa accounting default group group_name local none

Syntax Description

group group_name

Associates the accounting method with a TACACS+ or RADIUS server defined previously through the aaa group server command. The server group name is a maximum of 64 characters.

local

Specifies to use the local database on the VFW application as the accounting method.

none

Specifies that the VFW application does not perform password verification. If you use this keyword, users can log in without providing a valid password.

Note Only users with an admin role can configure the none keyword.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the aaa accounting default command to configure the default accounting method. You specify either a previously created AAA server group that identifies separate groups of TACACS+ or RADIUS servers, or the local database on the VFW application.

Examples

The following example shows how to enable user accounting to be performed using remote TACACS+ servers, followed by local login as the fallback method:

firewall/Admin(config)# aaa accounting default group TacServer local

Related Commands

Command
Description

aaa authentication login

Configures the authentication method used for logging in to the VFW application CLI.

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.

show accounting log

Displays AAA accounting log information.


aaa authentication login

To configure the authentication method used for login to the VFW application CLI, use the aaa authentication login command in configuration mode. To disable the authentication method, use the no form of this command.

aaa authentication login {{console | default} {group group_name | local | none} | error-enable}

no aaa authentication login {{console | default} {group group_name | local | none} | error-enable}

Syntax Description

console

Specifies the console port login authentication method, identified by the specified server group.

default

Specifies the default login authentication method (Telnet or SSH login), identified by the specified server group.

group group_name

Associates the login authentication process with a TACACS+, RADIUS, or LDAP server defined through the aaa group server command. The server group name is a maximum of 64 characters.

local

Specifies to use the local database on the VFW application as the login authentication method. If the server does not respond, then the local database is used as the fallback authentication method.

none

Specifies that the VFW application does not perform password verification. If you use this keyword, users can log in to the VFW application without providing a valid password.

Note Only users with an admin role can configure the none keyword.

error-enable

Enables the display of the login error message in instances where the remote AAA servers fail to respond.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use this command cautiously. If you specify none, any user will be able to access the VFW application at any time.

To view the current display status, use the show aaa authentication login error-enable command. When a user attempts to log in and the remote AAA servers do not respond to the authentication request, the VFW application processes the login sequence by switching to the local user database. If you activate the error-enable feature, the following message appears on the user terminal:

Remote AAA servers unreachable; local authentication done.

If you use the console or default keywords, you must use at least one of the group, local, or none keywords. You can use any combination of these keywords as required.

Examples

The following example shows how to enable console authentication using the TACSERVER server group, followed by local login as the fallback method:

firewall/Admin(config)# aaa authentication login console group TACSERVER local

Password verification remains enabled for login authentication.

The following example shows how to turn off password validation:

firewall/Admin(config)# aaa authentication login console group TACSERVER local none

Related Commands

Command
Description

aaa accounting default

Configures the default accounting method.

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


aaa group server

To configure independent server groups of TACACS+, RADIUS, or Lightweight Directory Access Protocol (LDAP) servers, use the aaa group server command in configuration mode. To remove a server group, use the no form of this command.

aaa group server {ldap | radius | tacacs+} group_name

no aaa group server {ldap | radius | tacacs+} group_name

Syntax Description

ldap

Specifies that this is an LDAP directory server group.

radius

Specifies that this is a RADIUS server group.

tacacs+

Specifies that this is a TACACS+ server group.

group_name

Name for the LDAP, RADIUS, or TACACS+ server group. The server group name is a maximum of 64 alphanumeric characters.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

A server group is a list of server hosts of a particular type. The VFW application allows you to configure multiple TACACS+, RADIUS, and LDAP servers as a named server group. You group the different AAA server hosts into distinct lists. The VFW application searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 100 server groups for each context in the VFW application.

You can configure server groups at any time, but they take effect only when you apply them to the AAA service using the aaa authentication login command or the aaa accounting default command.

To create an AAA server group and access one of the three AAA server group configuration modes, enter the aaa group server ldap, aaa group server radius, or aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-ldap), (config-radius), or (config-tacacs+). In this mode, you specify the IP address of one or more previously configured servers that you want added to or removed from the server group.

Examples

The following example shows how to create a RADIUS server group and add previously configured RADIUS servers:

firewall/Admin(config)# aaa group server radius RAD_Server_Group1 
firewall/Admin(config-radius)# server 192.168.252.1
firewall/Admin(config-radius)# server 192.168.252.2
firewall/Admin(config-radius)# server 192.168.252.3

Related Commands

Command
Description

aaa accounting default

Configures the default accounting method.

aaa authentication login

Configures the authentication method used for logging in to the VFW application CLI.

show aaa

Displays AAA accounting and authentication configuration information for the current context.

show running-config

Displays the running configuration information associated with the current context.


attribute user-profile

To specify the user profile attribute that the Lightweight Directory Access Protocol (LDAP) server group uses, use the attribute user-profile command in LDAP configuration mode. To delete a user profile attribute from the LDAP server group, use the no form of this command.

attribute user-profile text

no attribute user-profile text

Syntax Description

text

User profile. The user profile is an unquoted text string of a maximum of 63 characters without spaces.


Defaults

No default behavior or values

Command Modes

LDAP configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The user profile attribute type is a mandatory configuration for an LDAP server group. Without this setting, the user profile attribute cannot be retrieved from the LDAP server.

The user profile attribute type is a private attribute, so the LDAP server database should use the same attribute type for the user profile. The LDAP client (the VFW application) sends the search request with this attribute type as the attribute it wants to download. If the lookup is successful, the search response contains this attribute value. The attribute value should contain a string that represents the user role and domain pair for this particular context.

Examples

The following example shows how to configure a user profile attribute for the LDAP server group:

firewall/Admin(config)# aaa group server ldap LDAP_Server_Group1
firewall/Admin(config-ldap)# attribute user-profile usrprof

Related Commands

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.


baseDN

To configure the base distinguished name (DN) that you want to use to perform search operations in the LDAP directory tree, use the baseDN command in LDAP configuration mode. To delete a configured base DN for the LDAP server group, use the no form of this command.

baseDN text

no baseDN text

Syntax Description

text

Distinguished name of the search base. The baseDN name is a quoted text string of a maximum of 63 characters without spaces.


Defaults

No default behavior or values

Command Modes

LDAP configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the baseDN command to configure the base DN that you want to use to perform search operations in the LDAP directory tree. A base DN can take a form such as "dc=your,dc=domain", where the base DN uses the DNS domain name as its basis and is split into its domain components.

The base DN is a mandatory configuration for an LDAP server group. Without this setting, a user cannot be authenticated.

Examples

The following example shows how to configure the base DN for the LDAP server group:

firewall/Admin(config)# aaa group server ldap LDAP_Server_Group1
firewall/Admin(config-ldap)# baseDN "dc=sns,dc=cisco,dc=com" 

Related Commands

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.


clear accounting log

To clear the accounting log, use the clear accounting log command in EXEC mode.

clear accounting log

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to clear the accounting log:

firewall/Admin# clear accounting log

Related Commands

Command
Description

aaa accounting default

Configures the default accounting method.

show accounting log

Displays AAA accounting log information.


deadtime

To specify a dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command in the appropriate configuration mode. To reset the RADIUS server group dead-time to the default of 0, use the no form of this command.

deadtime minutes

no deadtime minutes

Syntax Description

minutes

Length of time that the VFW application skips a nonresponsive RADIUS server for transaction requests. Valid entries are 0 to 1440 (24 hours). The default is 0.


Defaults

The default dead-time is 0.

Command Modes

RADIUS configuration
TACACS configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use of the deadtime command causes the VFW application to mark as "dead" any RADIUS servers that fail to respond to authentication requests. This action avoids the wait for the request to time out before trying the next configured server. The VFW application skips a RADIUS server that is marked as dead for additional requests for the configured number of minutes.

During the dead-time interval, the VFW application sends probe access-request packets to verify that the RADIUS server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the VFW application retransmits the authentication request to the server.

Examples

The following example shows how to configure a 15-minute dead-time for the RADIUS servers in a server group that fail to respond to authentication requests:

firewall/Admin(config)# aaa group server radius RADIUS_Server_Group1
firewall/Admin(config-radius)# deadtime 15

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.


filter search-user

To configure the exact filter to use in the search request sent by the Lightweight Directory Access Protocol (LDAP) client to the server to locate the user's node in the Directory Information Tree (DIT), use the filter search-user command in LDAP configuration mode. To delete the search request from the LDAP server group, use the no form of this command.

filter search-user text

no filter search-user text

Syntax Description

text

Search request. The search filter is a quoted text string of a maximum of 63 characters without spaces.


Defaults

No default behavior or values

Command Modes

LDAP configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The search filter is a mandatory configuration for an LDAP server group. Without this setting, a user cannot be authenticated.

The search filter should follow the format defined in RFC 2254. The LDAP client sends the search request with the configured search filter after replacing the $userid and $contextid with the user ID that the client is trying to authenticate and the associated virtual context name. The VFW application allows $userid and $contextid to be used as placeholders for user ID and context ID.

Examples

The following example shows how to configure a search request for the LDAP server group:

firewall/Admin(config)# aaa group server ldap LDAP_Server_Group1
firewall/Admin(config-ldap)# filter search-user "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"

The following example shows how to delete the search request:

firewall/Admin(config-ldap)# no filter search-user "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"
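As an added example that is not part of the Cisco reference, the following Python models what this section describes the LDAP client doing with the configured filter: $userid and $contextid are replaced with values escaped per RFC 2254 (so filter metacharacters in a user ID are matched literally rather than changing the shape of the search), and the configured text is checked against the limits stated above (63 characters, no spaces). The function names and the sample user and context values are this example's own.

```python
import re

# Escapes RFC 2254 (section 4) requires inside a filter assertion value.
# Without them, filter metacharacters in a user-supplied ID would alter the
# structure of the search instead of being matched as literal characters.
_RFC2254_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The filter from this section's own example, as given to "filter search-user".
PAGE_FILTER = "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"


def escape_filter_value(value: str) -> str:
    """Escape a value so an RFC 2254 filter matches it literally."""
    return "".join(_RFC2254_ESCAPES.get(ch, ch) for ch in value)


def validate_filter_text(text: str) -> list:
    """Check the configured filter text against the limits this section states
    (at most 63 characters, no spaces) and for balanced parentheses.
    Returns a list of problems; an empty list means the text is acceptable."""
    problems = []
    if len(text) > 63:
        problems.append("filter is %d characters; the limit is 63" % len(text))
    if " " in text:
        problems.append("filter must not contain spaces")
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                break  # a ')' with no matching '('
    if depth != 0:
        problems.append("parentheses are not balanced")
    return problems


def expand_search_filter(template: str, userid: str, contextid: str) -> str:
    """Replace the $userid and $contextid placeholders the way the section
    describes the LDAP client doing before it sends the search request,
    escaping both values first so they cannot change the filter's shape."""
    values = {
        "$userid": escape_filter_value(userid),
        "$contextid": escape_filter_value(contextid),
    }
    return re.sub(r"\$(?:userid|contextid)", lambda m: values[m.group(0)], template)


if __name__ == "__main__":
    # Constructed sample values: user "jdoe" logging in to context "Admin".
    print(validate_filter_text(PAGE_FILTER))            # []
    print(expand_search_filter(PAGE_FILTER, "jdoe", "Admin"))
    # A user ID containing '*' is matched literally, not as a wildcard.
    print(expand_search_filter(PAGE_FILTER, "j*", "Admin"))
```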

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.


ldap-server host

To specify the Lightweight Directory Access Protocol (LDAP) server IP address, destination port, and other options, use the ldap-server host command in configuration mode. To revert to a default LDAP server authentication setting, use the no form of this command.

ldap-server host ip_address [port port_number] [timeout seconds] [rootDN DN_string [password bind_password]]

no ldap-server host ip_address [port port_number] [timeout seconds] [rootDN DN_string [password bind_password]]

Syntax Description

ip_address

IP address for the LDAP server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

port port_number

(Optional) Specifies the TCP destination port for communicating authentication requests to the LDAP directory server. The port_number argument specifies the LDAP port number. Enter an integer from 1 to 65535.

timeout seconds

(Optional) Specifies the time in seconds to wait for a response from the LDAP server before the VFW application can declare a timeout failure with the LDAP server. Use this keyword and argument to change the time interval that the VFW application waits for the LDAP server to reply to an authentication request. Enter an integer from 1 to 60. The default is 5 seconds.

rootDN DN_string

(Optional) Defines the Distinguished Name (DN) for a user who is unrestricted by access controls or administrative limit parameters to perform operations on the LDAP server directory. The rootDN user can be thought of as the root user for the LDAP server database. Enter a quoted string to a maximum of 63 characters. The default is an empty string.

password bind_password

(Optional) Defines the bind password (rootpw) applied to the rootDN of the LDAP server directory. Enter an unquoted string to a maximum of 63 characters. The default is an empty string.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the ldap-server host command to specify the LDAP server IP address, destination port, and other options. You can define multiple ldap-server host commands to configure multiple LDAP servers.

Guidelines for the port Keyword

By default, the LDAP server port is 389. If your LDAP server uses a port other than 389, use the port keyword to configure the VFW application for the appropriate port prior to starting the LDAP service. For the specified server, this command overrides the global setting assigned using the ldap-server port command.

Guidelines for the timeout Keyword

By default, the VFW application waits five seconds for the LDAP server to reply to an authentication request before the VFW application declares a timeout failure and attempts to contact the next server in the group. For the specified server, this command overrides the global setting assigned using the ldap-server timeout command.

Examples

The following example shows how to configure LDAP server authentication parameters:

firewall/Admin(config)# ldap-server host 192.168.2.3 port 2003 
firewall/Admin(config)# ldap-server host 192.168.2.3 timeout 60 
firewall/Admin(config)# ldap-server host 192.168.2.3 rootDN "cn=manager,dc=cisco,dc=com" password lab

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

ldap-server port

Globally configures the VFW application for the appropriate port prior to starting the LDAP service if your LDAP server uses a port other than the default.

ldap-server timeout

Globally changes the time interval that the VFW application waits for the LDAP server to reply to a request before it declares a timeout failure.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


ldap-server port

To globally configure the VFW application for the appropriate port prior to starting the Lightweight Directory Access Protocol (LDAP) service if your LDAP server uses a port other than 389 (the default), use the ldap-server port command in configuration mode. To revert to the default of TCP port 389, use the no form of this command.

ldap-server port port_number

no ldap-server port port_number

Syntax Description

port_number

Destination port to the LDAP server. Enter an integer from 1 to 65535. The default is TCP port 389.


Defaults

By default, the LDAP server uses port 389.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the ldap-server port command to globally configure the VFW application for the appropriate port prior to starting the LDAP service, if your LDAP server uses a port other than 389 (the default). This global port setting will be applied to those LDAP servers for which a TCP port value is not individually configured by the ldap-server host command.

To override the global TCP port setting (specified by the ldap-server port command) for a specific server, use the ldap-server host port command.

Examples

The following example shows how to globally configure the TCP port:

firewall/Admin(config)# ldap-server port 2003 

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

ldap-server host

Specifies the LDAP server IP address and destination port.

ldap-server timeout

Globally changes the time interval that the VFW application waits for the LDAP server to reply to a request before it declares a timeout failure.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


ldap-server timeout

To globally change the time interval that the VFW application waits for the Lightweight Directory Access Protocol (LDAP) server to reply to a request before it declares a timeout failure, use the ldap-server timeout command in configuration mode. To revert to the default of 5 seconds between transmission attempts, use the no form of this command.

ldap-server timeout seconds

no ldap-server timeout seconds

Syntax Description

seconds

Timeout value in seconds. Enter an integer from 1 to 60. The default is 5 seconds.


Defaults

The default timeout value is 5 seconds.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the ldap-server timeout command to globally change the time interval that the VFW application waits for the LDAP server to reply to a request before it declares a timeout failure. By default, the VFW application waits 5 seconds to receive a response from an LDAP server before it declares a timeout failure and attempts to contact the next server in the group. The VFW application applies this global timeout value to those LDAP servers for which a timeout value is not individually configured by the ldap-server host command.

To override the global timeout setting (specified by the ldap-server timeout command) for a specific server, use the ldap-server host timeout command.

Examples

The following example shows how to globally configure the timeout value to 30 seconds:

firewall/Admin(config)# ldap-server timeout 30 

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

ldap-server host

Specifies the LDAP server IP address and destination port.

ldap-server port

Globally configures the VFW application for the appropriate port prior to starting the LDAP service if your LDAP server uses a port other than the default.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server attribute nas-ipaddr

To specify a RADIUS NAS-IP-Address attribute, use the radius-server attribute nas-ipaddr command in configuration mode. To delete the RADIUS NAS-IP-Address and return to the default configuration, use the no form of this command.

radius-server attribute nas-ipaddr nas_ip_address

no radius-server attribute nas-ipaddr nas_ip_address

Syntax Description

nas_ip_address

IP address to be used as the RADIUS NAS-IP-Address, attribute 4. Enter the address in dotted-decimal IP notation.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

By default, the NAS-IP-Address is not configured. The VFW application performs a route lookup on the RADIUS server IP address and uses the result.

The RADIUS NAS-IP-Address attribute allows you to configure an arbitrary IP address to be used as RADIUS attribute 4, NAS-IP-Address for each context.

The radius-server attribute nas-ipaddr command allows the VFW application to behave as a single RADIUS client from the perspective of the RADIUS server. The configured NAS-IP-Address is encapsulated in all outgoing RADIUS authentication request and accounting packets.

Examples

The following example shows how to specify a RADIUS NAS-IP-Address:

firewall/Admin(config)# radius-server attribute nas-ipaddr 192.168.1.1

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server host

Designates and configures a host for RADIUS-server functions.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server deadtime

To globally set the time interval in which the VFW application verifies whether a nonresponsive server is operational, use the radius-server deadtime command in configuration mode. To reset the RADIUS server dead-time to the default of 0, use the no form of this command.

radius-server deadtime minutes

no radius-server deadtime minutes

Syntax Description

minutes

Length of time that the VFW application skips a nonresponsive RADIUS server for transaction requests. Enter an integer from 0 to 1440 (24 hours). The default is 0.


Defaults

The default dead-time is 0.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The radius-server deadtime command causes the VFW application to mark as "dead" any RADIUS servers that fail to respond to authentication requests. This action avoids the wait for the request to time out before trying the next configured server. The VFW application skips a RADIUS server that is marked as dead for additional requests for the configured number of minutes.

The dead-time interval starts when the server does not respond to the number of authentication request transmissions configured through the radius-server retransmit command. When the server responds to a probe access-request packet, the VFW application transmits the authentication request to the server.

Examples

The following example shows how to globally configure a 15-minute dead-time for RADIUS servers that fail to respond to authentication requests:

firewall/Admin(config)# radius-server deadtime 15

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server host

Designates and configures a host for RADIUS-server functions.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server host

To designate and configure a host for RADIUS-server functions, use the radius-server host command in configuration mode. To remove the RADIUS server from the configuration, use the no form of this command.

radius-server host ip_address [key [0 | 7] shared_secret] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

no radius-server host ip_address [key [0 | 7] shared_secret] [auth-port port_number] [acct-port port_number] [authentication] [accounting] [timeout seconds] [retransmit count]

Syntax Description

ip_address

IP address of the RADIUS server. Enter the address in dotted-decimal IP notation.

key

(Optional) Enables an authentication key for communication between the VFW application and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

shared_secret

Key used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces, with a maximum of 63 characters.

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.

auth-port port_number

(Optional) Specifies the UDP destination port for communicating authentication requests to the RADIUS server. By default, the RADIUS authentication port is 1812 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

acct-port port_number

(Optional) Specifies the UDP destination port for communicating accounting requests to the RADIUS server. By default, the RADIUS accounting port is 1813 (as defined in RFC 2138 and RFC 2139). The port_number argument specifies the RADIUS port number. Valid values are from 1 to 65535.

authentication

(Optional) Specifies that the RADIUS server is used only for authentication purposes. If neither the authentication keyword nor the accounting keyword is specified, the RADIUS server is used for both accounting and authentication purposes.

accounting

(Optional) Specifies that the RADIUS server is used only for accounting purposes. If neither the authentication keyword nor the accounting keyword is specified, the RADIUS server is used for both accounting and authentication purposes.

timeout seconds

(Optional) Specifies the time interval that the VFW application waits for the RADIUS server to reply to an authentication request before retransmitting a request. Valid entries are 1 to 60 seconds. The default is 1 second.

retransmit count

(Optional) Specifies the number of times the VFW application retransmits an authentication request to a timed-out RADIUS server before declaring the server to be unresponsive and contacting the next server in the group. Valid entries are 1 to 5 attempts. The default is 1 attempt.


Defaults

The default RADIUS authentication port is 1812.
The default RADIUS accounting port is 1813.
The default timeout value is 1 second.
The default number of retransmissions is 1.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the radius-server host command to designate and configure a host for RADIUS-server functions. You can define multiple radius-server host commands to configure multiple RADIUS servers.

The key keyword overrides the global setting of the radius-server key command. If you do not specify a key, the global value is used. RADIUS keys are always stored in encrypted form in persistent storage, and the running configuration also displays keys in encrypted form. Entering a key with the 7 keyword does not make it stronger; use 7 only to reenter a key exactly as it appears in encrypted form in a saved configuration, and use 0 (or no keyword) to enter a new key in clear text.

If neither the authentication keyword nor the accounting keyword is specified, the RADIUS server is used for both accounting and authentication purposes.

If your RADIUS server uses a port other than 1813, use the acct-port keyword to configure the VFW application for the appropriate port prior to starting the RADIUS service.

If your RADIUS server uses a port other than 1812, use the auth-port keyword to configure the VFW application for the appropriate port prior to starting the RADIUS service.

For the specified server, the retransmit and timeout keywords override the global settings assigned using the radius-server retransmit and radius-server timeout commands, respectively.

Examples

The following example shows how to configure RADIUS-server authentication parameters:

firewall/Admin(config)# radius-server host 192.168.2.3 key HostKey 
firewall/Admin(config)# radius-server host 192.168.2.3 key 7 secret_1256
firewall/Admin(config)# radius-server host 192.168.2.3 auth-port 1645 
firewall/Admin(config)# radius-server host 192.168.2.3 acct-port 1646
firewall/Admin(config)# radius-server host 192.168.2.3 authentication
firewall/Admin(config)# radius-server host 192.168.2.3 accounting
firewall/Admin(config)# radius-server host 192.168.2.3 timeout 25
firewall/Admin(config)# radius-server host 192.168.2.3 retransmit 3

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server attribute nas-ipaddr

Specifies a RADIUS NAS-IP-Address attribute.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server key

To globally configure an authentication key for communication between the VFW application and the RADIUS daemon running on each RADIUS server, use the radius-server key command in configuration mode. To remove the global RADIUS-server key setting from the configuration, use the no form of this command.

radius-server key [0 | 7] shared_secret

no radius-server key [0 | 7] shared_secret

Syntax Description

shared_secret

Key used to authenticate communication between the RADIUS client and server. The shared secret must match the one configured on the RADIUS server. Enter the shared secret as a case-sensitive string with no spaces, with a maximum of 63 characters.

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The key is a text string that must match the encryption key used on the RADIUS server. RADIUS keys are always stored in encrypted form in persistent storage on the VFW application. This global key is applied to those RADIUS servers in a named server group for which a shared secret is not individually configured by the radius-server host command.
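The following example is added to this reference and is not code from the VFW application or from Cisco. It shows, in Python, what the shared secret configured with radius-server key or radius-server host is used for on the wire and how the NAS-IP-Address attribute set by radius-server attribute nas-ipaddr is carried (RFC 2865): the secret is never transmitted; it hides the User-Password in the request and authenticates the server's reply. The secret, addresses and the simulated server reply are constructed for the example.

```python
"""RADIUS Access-Request construction and reply verification (RFC 2865).

Added example for this command reference; it is not VFW code. It shows what
the shared secret configured with radius-server key / radius-server host is
used for on the wire and how NAS-IP-Address (radius-server attribute
nas-ipaddr) is carried. Secret, addresses and the server reply are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2          # packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the 2-byte header, max value 253 bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    The secret itself never appears in the packet."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += prev
    return bytes(out)


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of hide_password; with a different secret the result is garbage,
    which is why a key mismatch shows up as Access-Reject rather than an error."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_ip: str, request_auth: bytes = b"") -> bytes:
    """Access-Request with User-Name, User-Password and NAS-IP-Address. The VFW
    puts its radius-server attribute nas-ipaddr value in every request so the
    RADIUS server sees one client regardless of the source interface."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_server_reply(request: bytes, secret: bytes, code: int = ACCESS_ACCEPT,
                       attrs: bytes = b"") -> bytes:
    """What a server holding `secret` sends back (constructed here for the example);
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client-side check of a reply. A reply from a server configured with a
    different key, or forged by someone without the key, fails and must be dropped."""
    if len(response) < 20 or int.from_bytes(response[2:4], "big") != len(response):
        return False
    if response[1] != request[1]:                    # Identifier must match our request
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list (used here to read back NAS-IP-Address)."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

A mismatched key is therefore never reported as such: the server decodes the password to garbage and answers Access-Reject (or drops the request), and a reply from a server holding a different key fails the Response Authenticator check. The construction also shows why the secret must be long and random: it is the only thing protecting the password, and anyone who learns it can decode captured requests.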

Examples

The following example shows how to globally configure an authentication key that is entered in encrypted form (indicated by 7), for example when reentering a key copied from a saved configuration:

firewall/Admin(config)# radius-server key 7 abe4DFeeweo00o 

The following example shows how to delete the key:

firewall/Admin(config)# no radius-server key 7 abe4DFeeweo00o

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server host

Designates and configures a host for RADIUS-server functions.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server retransmit

To globally change the number of times the VFW application sends an authentication request to a RADIUS server, use the radius-server retransmit command in configuration mode. To revert to the default of one transmission attempt, use the no form of this command.

radius-server retransmit count

no radius-server retransmit count

Syntax Description

count

Number of times the VFW application sends an authentication request to a RADIUS server before declaring it unresponsive and trying the next available server. Enter an integer from 1 to 5.


Defaults

The default is one transmission attempt.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The VFW application applies this global retransmission value to those RADIUS servers for which a value is not individually configured by the radius-server host command.

If all servers in the group are unavailable for authentication and accounting, the VFW application tries the local database if it is configured as a local fallback method in the aaa authentication login command or the aaa accounting default command. If you do not have a fallback method, the VFW application continues to contact one of the AAA servers listed in the server group.

Examples

The following example shows how to globally configure the number of retransmissions to 3:

firewall/Admin(config)# radius-server retransmit 3

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server host

Designates and configures a host for RADIUS-server functions.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


radius-server timeout

To globally change the time interval that the VFW application waits for the RADIUS server to reply before retransmitting an authentication request to the RADIUS server, use the radius-server timeout command in configuration mode. To revert to the default of one second between transmission attempts, use the no form of this command.

radius-server timeout seconds

no radius-server timeout seconds

Syntax Description

seconds

Time in seconds between retransmissions to the RADIUS server. Enter an integer from 1 to 60 seconds.


Defaults

The default is 1 second between transmission attempts.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The VFW application applies this global timeout value to those RADIUS servers for which a timeout value is not individually configured by the radius-server host command.
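The deadtime, retransmit and timeout settings described above interact: a silent server costs timeout multiplied by retransmit seconds on every login until it is marked dead. The following Python model is added here and is not VFW code (the reference does not describe the VFW's internals); it encodes only the documented rules: per-host values override the globals, a server is tried retransmit times waiting timeout seconds each, a deadtime of 0 never marks a server dead, and the local database is used only when configured as a fallback. The hosts reuse the values from the radius-server host example (timeout 25, retransmit 3); the clock and the transport are simulated.

```python
"""Model of RADIUS server selection as documented for radius-server deadtime,
radius-server retransmit and radius-server timeout.

Added example, not VFW code. Assumptions (labelled): the retransmit count is
the total number of transmissions, each waiting `timeout` seconds; a server is
marked dead after that many silent transmissions when deadtime > 0; when no
fallback is configured the model reports the failed pass, whereas the reference
says the VFW keeps contacting the group. Time is a simulated integer clock."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class RadiusHost:
    ip: str
    timeout: Optional[int] = None     # per-host override (seconds), None = use global
    retransmit: Optional[int] = None  # per-host override (count), None = use global


@dataclass
class RadiusGlobals:
    timeout: int = 1        # radius-server timeout default
    retransmit: int = 1     # radius-server retransmit default
    deadtime: int = 0       # radius-server deadtime default (minutes)


@dataclass
class Outcome:
    method: str             # "radius", "local" or "failed"
    server: Optional[str]   # server that answered, if any
    elapsed: int            # simulated seconds the login waited
    tried: list = field(default_factory=list)


class Group:
    def __init__(self, hosts, glob: RadiusGlobals, local_fallback: bool):
        self.hosts, self.glob, self.local_fallback = hosts, glob, local_fallback
        self.dead_until = {}          # ip -> simulated time when its dead-time expires
        self.clock = 0

    def authenticate(self, transport: Callable[[str], bool]) -> Outcome:
        """transport(ip) returns True if the server answered, False if it stayed silent."""
        start, tried = self.clock, []
        for h in self.hosts:
            if self.dead_until.get(h.ip, 0) > self.clock:
                continue                                  # skipped: still marked dead
            t = h.timeout if h.timeout is not None else self.glob.timeout
            n = h.retransmit if h.retransmit is not None else self.glob.retransmit
            tried.append(h.ip)
            for _ in range(n):
                if transport(h.ip):
                    return Outcome("radius", h.ip, self.clock - start, tried)
                self.clock += t                           # waited a full timeout, no reply
            if self.glob.deadtime:                        # mark dead only when deadtime > 0
                self.dead_until[h.ip] = self.clock + self.glob.deadtime * 60
        if self.local_fallback:
            return Outcome("local", None, self.clock - start, tried)
        return Outcome("failed", None, self.clock - start, tried)


def worst_case_seconds(hosts, glob: RadiusGlobals) -> int:
    """Login delay when every server is silent and none is yet marked dead:
    the sum of timeout x retransmit over the group."""
    return sum((h.timeout or glob.timeout) * (h.retransmit or glob.retransmit) for h in hosts)
```

With the documented defaults plus the example host (timeout 25, retransmit 3), a login against two unreachable servers blocks 76 seconds before local fallback, and with deadtime 0 it does so on every attempt; with deadtime 15 only the first login within each 15-minute window pays that cost.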

Examples

The following example shows how to globally configure the timeout value to 30 seconds:

firewall/Admin(config)# radius-server timeout 30 

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server host

Designates and configures a host for RADIUS-server functions.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


server

To specify the IP address of one or more previously configured Lightweight Directory Access Protocol (LDAP), RADIUS, or TACACS+ servers that you want added to or removed from the AAA server group, use the server command in the appropriate configuration mode. To remove the server from the AAA server group, use the no form of this command.

server ip_address

no server ip_address

Syntax Description

ip_address

IP address of the server. Enter the address in dotted-decimal IP notation.


Defaults

No default behavior or values

Command Modes

LDAP configuration
RADIUS configuration
TACACS configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

You can add multiple servers to an AAA server group by entering multiple server commands in the group's configuration mode. The same server can belong to multiple server groups.

Examples

The following example shows how to add servers to a RADIUS server group:

firewall/Admin(config-radius)# server 172.16.56.76
firewall/Admin(config-radius)# server 172.16.56.79
firewall/Admin(config-radius)# server 172.16.56.82

The following example shows how to remove a server from a RADIUS server group:

firewall/Admin(config)# aaa group server radius RADIUS_Server_Group1
firewall/Admin(config-radius)# no server 172.16.56.76

The following example shows how to add one or more servers to an LDAP server group:

firewall/Admin(config)# aaa group server ldap LDAP_Server_Group1
firewall/Admin(config-ldap)# server 172.16.56.76
firewall/Admin(config-ldap)# server 172.16.56.79
firewall/Admin(config-ldap)# server 172.16.56.82

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.


show aaa

To display AAA accounting and authentication configuration information for the current context, use the show aaa command in EXEC mode.

show aaa {accounting | authentication [login error-enable] | groups}

Syntax Description

accounting

Displays accounting configuration information.

authentication

Displays authentication configuration information.

login error-enable

(Optional) Displays the status of the login error message configuration.

groups

Displays the configured server groups.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to display the accounting configuration information:

firewall/Admin# show aaa accounting
default: local

Related Commands

Command
Description

aaa accounting default

Configures the default accounting method.

aaa authentication login

Configures the authentication method used for logging in to the VFW application CLI.

show accounting log

Displays AAA accounting log information.


show accounting log

To display AAA accounting log information, use the show accounting log command in EXEC mode.

show accounting log [size]

Syntax Description

size

(Optional) Size (in bytes) of the local accounting file. Enter a value from 0 to 250000.


Defaults

The default value of the size argument is 250000 bytes.

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to display the contents of the accounting log file:

firewall/Admin# show accounting log

Related Commands

Command
Description

aaa accounting default

Configures the default accounting method.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


show ldap-server

To display the configured Lightweight Directory Access Protocol (LDAP) server and server group parameters, use the show ldap-server command in EXEC mode.

show ldap-server [groups]

Syntax Description

groups

(Optional) Displays configured LDAP server group information.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows how to display the configured LDAP server groups:

firewall/Admin# show ldap-server groups 

total number of groups: 1

following LDAP server groups are configured:
    group LDAP_Server_Group1:
        baseDN: "dc=sns,dc=cisco,dc=com"
        user profile attribute: usrprof
        search filter: "(&(objectclass=person)(&(cn=$userid)(cid=$contextid)))"

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

ldap-server host

Specifies the LDAP server IP address and destination port.

ldap-server port

Globally configures the VFW application for the appropriate port prior to starting the LDAP service if your LDAP server uses a port other than the default.

ldap-server timeout

Globally changes the time interval that the VFW application waits for the LDAP server to reply before it declares a timeout failure.


show radius-server

To display the configured RADIUS server and group parameters, use the show radius-server command in EXEC mode.

show radius-server [groups | sorted]

Syntax Description

groups

(Optional) Displays configured RADIUS server group information.

sorted

(Optional) Displays RADIUS server information sorted by name.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows sample output from the show radius-server command:

firewall/Admin# show radius-server

retransmission count:1
timeout value:1
deadtime value:20
total number of servers:2

following RADIUS servers are configured:
        192.168.34.45:
                available for authentication on port:1812
                available for accounting on port:1813
        192.168.2.3:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:********

The following example shows sample output from the show radius-server command with the groups keyword:

firewall/Admin# show radius-server groups

total number of groups:2

following RADIUS server groups are configured:
        group radius:
                server: all configured radius servers
        group RAD_Server_Group:
                deadtime is 0

The following example shows sample output from the show radius-server command with the sorted keyword:

firewall/Admin# show radius-server sorted 

retransmission count:1
timeout value:1
deadtime value:20
total number of servers:2

following RADIUS servers are configured:
        192.168.34.45:
                available for authentication on port:1812
                available for accounting on port:1813
        192.168.2.3:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:********

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

radius-server attribute nas-ipaddr

Specifies a RADIUS NAS-IP-Address attribute.

radius-server deadtime

Globally sets the time interval in which the VFW application verifies whether a nonresponsive server is operational.

radius-server host

Designates and configures a host for RADIUS-server functions.

radius-server key

Globally configures an authentication key for communication between the VFW application and the RADIUS daemon running on each RADIUS server.

radius-server retransmit

Globally changes the number of times the VFW application sends an authentication request to a RADIUS server.


show tacacs-server

To display the configured TACACS+ server and server group parameters, use the show tacacs-server command in EXEC mode.

show tacacs-server [groups | sorted]

Syntax Description

groups

(Optional) Displays configured TACACS+ server group information.

sorted

(Optional) Displays TACACS+ server information sorted by name.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Examples

The following example shows sample output from the show tacacs-server command:

firewall/Admin# show tacacs-server

Global TACACS+ shared secret:tacacsPword
timeout value:30
total number of servers:3

following TACACS+ servers are configured:
        192.168.58.91:
                available on port:2
        cisco.com:
                available on port:49
        192.168.22.95:
                available on port:49
                TACACS+ shared secret:MyKey


The following example shows sample output from the show tacacs-server command with the groups keyword:

firewall/Admin# show tacacs-server groups

total number of groups:1

following TACACS+ server groups are configured:
        group TacServers:
                server 192.168.58.91 on port 2

The following example shows sample output from the show tacacs-server command with the sorted keyword:

firewall/Admin# show tacacs-server sorted 

timeout value:1
total number of servers:1

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

tacacs-server deadtime

Globally sets the time interval in which the VFW application verifies whether a nonresponsive server is operational.

tacacs-server host

Specifies the TACACS+ server IP address, encrypted key, and destination port.

tacacs-server key

Globally configures an authentication key for communication between the VFW application and the TACACS+ daemon running on each TACACS+ server.

tacacs-server timeout

Globally changes the time interval that the VFW application waits for the TACACS+ server to reply before retransmitting an authentication request to the TACACS+ server.


tacacs-server deadtime

To globally set the time interval in which the VFW application verifies whether a nonresponsive server is operational, use the tacacs-server deadtime command in configuration mode. To reset the TACACS+ server dead-time to the default of 0, use the no form of this command.

tacacs-server deadtime minutes

no tacacs-server deadtime minutes

Syntax Description

minutes

Length of time in minutes that the VFW application skips a nonresponsive TACACS+ server for transaction requests. Enter an integer from 0 to 1440 (24 hours).


Defaults

The default dead-time is 0.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the VFW application retransmits the authentication request to the server.

The tacacs-server deadtime command causes the VFW application to mark as "dead" any TACACS+ server that fails to respond to authentication requests. Subsequent requests skip a dead server for the configured number of minutes, so the VFW application does not wait for requests to that server to time out before trying the next configured server. With the default of 0, servers are never marked dead.

Examples

The following example shows how to globally configure a 15-minute dead-time for TACACS+ servers that fail to respond to authentication requests:

firewall/Admin(config)# tacacs-server deadtime 15

The following example shows how to reset the TACACS+ server dead-time to the default of 0:

firewall/Admin(config)# no tacacs-server deadtime 15

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.

tacacs-server host

Specifies the TACACS+ server IP address, encrypted key, and destination port.


tacacs-server host

To specify the TACACS+ server IP address, encrypted key, destination port, and other options, use the tacacs-server host command in configuration mode. To remove the TACACS+ server from the configuration, use the no form of this command.

tacacs-server host ip_address [key [0 | 7] shared_secret ] [port port_number] [timeout seconds]

no tacacs-server host ip_address [key [0 | 7] shared_secret] [port port_number] [timeout seconds]

Syntax Description

ip_address

IP address for the TACACS+ server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).

key

(Optional) Enables an authentication key for communication between the VFW application and the daemon running on the TACACS+ server.

shared_secret

Key used to authenticate communication between the TACACS+ client and server. The shared secret must match the one configured on the TACACS+ server. Enter the shared secret as a case-sensitive string with no spaces, with a maximum of 63 characters.

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the TACACS+ client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the TACACS+ client and server.

port port_number

(Optional) Specifies the TCP destination port for communicating with the TACACS+ server. By default, TACACS+ uses TCP port 49, the port shown for servers in the show tacacs-server output. If your TACACS+ server listens on a port other than 49, use the port keyword to configure the VFW application for the appropriate port prior to starting the TACACS+ service. The port_number argument specifies the TACACS+ port number. Enter an integer from 1 to 65535.

timeout seconds

(Optional) Specifies the time interval, in seconds, that the VFW application waits for the TACACS+ server to reply to an authentication request before declaring a timeout failure and trying the next server in the group. Enter an integer from 1 to 60. The default is 1 second.


Defaults

The default TACACS+ port is TCP 49.
The default timeout is 1 second.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the tacacs-server host command to specify the TACACS+ server IP address, encrypted key, destination port, and other options. You can define multiple tacacs-server host commands to configure multiple TACACS+ servers.

The key shared_secret text string must match the encryption key used on the TACACS+ server. This key overrides the global setting of the tacacs-server key command. If you do not specify a key, the global value is used. TACACS+ keys are always stored in encrypted form in persistent storage. The running configuration also displays keys in encrypted form.

For the specified server, the timeout keyword overrides the global setting assigned using the tacacs-server timeout command.

By default, the VFW application waits one second for the TACACS+ server to reply to an authentication request before it declares a timeout failure and attempts to contact the next server in the group. If all servers in the group are unavailable for authentication and accounting, the VFW application tries the local database if configured as a local fallback method in the aaa authentication login or the aaa accounting default commands.

Examples

The following example shows how to configure TACACS+ server authentication parameters:

firewall/Admin(config)# tacacs-server host 192.168.3.2 key HostKey
firewall/Admin(config)# tacacs-server host 192.168.3.2 key 7 1234
firewall/Admin(config)# tacacs-server host 192.168.3.2 port 1645 
firewall/Admin(config)# tacacs-server host 192.168.3.2 timeout 5

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.


tacacs-server key

To globally configure an authentication key for communication between the VFW application and the TACACS+ daemon running on each TACACS+ server, use the tacacs-server key command in configuration mode. To delete the key, use the no form of this command.

tacacs-server key [0 | 7] shared_secret

no tacacs-server key [0 | 7] shared_secret

Syntax Description

0

(Optional) Configures a key specified in clear text (indicated by 0) to authenticate communication between the TACACS+ client and server.

7

(Optional) Configures a key specified in encrypted text (indicated by 7) to authenticate communication between the TACACS+ client and server.

shared_secret

Key used to authenticate communication between the TACACS+ client and server. The shared secret must match the one configured on the TACACS+ server. Enter the shared secret as a case-sensitive string with no spaces, with a maximum of 63 characters.


Defaults

No default behavior or values

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

The key is a text string that must match the encryption key used on the TACACS+ server. TACACS+ keys are always stored in encrypted form in persistent storage on the VFW application. This global key is applied to those TACACS+ servers in a named server group for which a shared secret is not individually configured by the tacacs-server host command.

Examples

The following example shows how to globally configure an authentication key in encrypted text to authenticate communication between the TACACS+ client and server:

firewall/Admin(config)# tacacs-server key 7 abe4DFeeweo00o

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.

tacacs-server host

Specifies the TACACS+ server IP address, encrypted key, and destination port.


tacacs-server timeout

To globally change the time interval that the VFW application waits for the TACACS+ server to reply before retransmitting an authentication request to the TACACS+ server, use the tacacs-server timeout command in configuration mode. To revert to the default of 1 second between transmission attempts, use the no form of this command.

tacacs-server timeout seconds

no tacacs-server timeout seconds

Syntax Description

seconds

Timeout value in seconds. Valid entries are 1 to 60 seconds.


Defaults

The default timeout value is 1 second.

Command Modes

Configuration

Command History

Release
Modification

Release 3.5.0

This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0

No modification.

Release 3.7.0

No modification.


Usage Guidelines

This command requires the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.

Use the tacacs-server timeout command to globally change the time interval that the VFW application waits for the TACACS+ server to reply before retransmitting an authentication request to the TACACS+ server. The VFW application applies this global timeout value to those TACACS+ servers for which a timeout value is not individually configured by the tacacs-server host command.
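The override rules described in the tacacs-server host usage guidelines and in the global tacacs-server key and tacacs-server timeout sections are easy to get wrong when the same server is configured across several lines. The following Python script is an added example, not code from this command reference or from the VFW application: it parses configuration lines in the form shown in this module, applies the documented precedence (a per-host key or timeout wins over the global one, the global timeout defaults to 1 second, timeouts must be 1 to 60 seconds, keys are at most 63 characters with no spaces) and reports the effective settings per server, the servers left with no key at all, and the worst-case wait before the local fallback is consulted. The class and function names are this example's own; the default port of 49 is assumed from the TACACS+ standard and is not stated on this page. The sample configuration below is constructed, reusing addresses and keys from the examples in this module.

```python
"""Resolve effective TACACS+ settings from VFW-style configuration lines.

Added example: models the precedence rules of tacacs-server host,
tacacs-server key and tacacs-server timeout; not Cisco code.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_TIMEOUT = 1            # seconds; documented default of tacacs-server timeout
TIMEOUT_RANGE = range(1, 61)   # documented valid entries: 1 to 60 seconds
MAX_KEY_LEN = 63               # documented maximum shared-secret length
DEFAULT_PORT = 49              # assumption: standard TACACS+ port, not stated on this page
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")   # strips "firewall/Admin(config)# "


@dataclass
class TacacsHost:
    address: str
    key: Optional[str] = None       # per-host shared secret, overrides the global key
    key_encoding: int = 0           # 0 = clear text, 7 = encrypted form, kept as typed
    port: int = DEFAULT_PORT
    timeout: Optional[int] = None   # per-host timeout, overrides the global timeout


@dataclass
class TacacsConfig:
    global_key: Optional[str] = None
    global_key_encoding: int = 0
    global_timeout: int = DEFAULT_TIMEOUT
    hosts: Dict[str, TacacsHost] = field(default_factory=dict)


def _check_key(secret: str) -> str:
    if not secret or len(secret) > MAX_KEY_LEN or any(c.isspace() for c in secret):
        raise ValueError(f"invalid shared secret: {secret!r}")
    return secret


def _check_timeout(value: str) -> int:
    seconds = int(value)
    if seconds not in TIMEOUT_RANGE:
        raise ValueError(f"timeout {seconds} is outside 1-60 seconds")
    return seconds


def _parse_key(tokens: List[str], i: int) -> Tuple[int, str, int]:
    """Parse '[0 | 7] shared_secret' at tokens[i]; return (encoding, secret, next index)."""
    encoding = 0
    if i + 1 < len(tokens) and tokens[i] in ("0", "7"):
        encoding = int(tokens[i])
        i += 1
    if i >= len(tokens):
        raise ValueError("key requires a shared secret")
    return encoding, _check_key(tokens[i]), i + 1


def apply_line(cfg: TacacsConfig, line: str) -> None:
    """Apply one configuration line (a CLI prompt prefix is tolerated) to cfg."""
    tokens = shlex.split(PROMPT_RE.sub("", line.strip()))
    if not tokens:
        return
    negate = tokens[0] == "no"
    if negate:
        tokens = tokens[1:]
    if len(tokens) < 3 or tokens[0] != "tacacs-server":
        raise ValueError(f"unsupported line: {line!r}")
    if tokens[1] == "key":
        if negate:
            cfg.global_key, cfg.global_key_encoding = None, 0
        else:
            cfg.global_key_encoding, cfg.global_key, _ = _parse_key(tokens, 2)
    elif tokens[1] == "timeout":
        cfg.global_timeout = DEFAULT_TIMEOUT if negate else _check_timeout(tokens[2])
    elif tokens[1] == "host":
        address = tokens[2]
        if negate:
            cfg.hosts.pop(address, None)
            return
        # Repeated lines for one address accumulate options, as in the module's example.
        host = cfg.hosts.setdefault(address, TacacsHost(address))
        i = 3
        while i < len(tokens):
            opt = tokens[i]
            if opt == "key":
                host.key_encoding, host.key, i = _parse_key(tokens, i + 1)
            elif opt == "port" and i + 1 < len(tokens):
                host.port, i = int(tokens[i + 1]), i + 2
            elif opt == "timeout" and i + 1 < len(tokens):
                host.timeout, i = _check_timeout(tokens[i + 1]), i + 2
            else:
                raise ValueError(f"unknown or incomplete host option {opt!r}")
    else:
        raise ValueError(f"unsupported line: {line!r}")


def load_config(text: str) -> TacacsConfig:
    cfg = TacacsConfig()
    for line in text.splitlines():
        apply_line(cfg, line)
    return cfg


def effective_settings(cfg: TacacsConfig) -> Dict[str, dict]:
    """Per-host settings after applying the documented override rules."""
    out = {}
    for addr, h in cfg.hosts.items():
        has_host_key = h.key is not None
        key = h.key if has_host_key else cfg.global_key
        out[addr] = {
            "key": key,
            "key_encoding": h.key_encoding if has_host_key else cfg.global_key_encoding,
            "key_source": "host" if has_host_key else ("global" if key else None),
            "port": h.port,
            "timeout": h.timeout if h.timeout is not None else cfg.global_timeout,
            "timeout_source": "host" if h.timeout is not None else "global",
        }
    return out


def hosts_without_key(cfg: TacacsConfig) -> List[str]:
    """Servers that end up with neither a per-host nor a global shared secret."""
    return [a for a, s in effective_settings(cfg).items() if s["key"] is None]


def worst_case_wait(cfg: TacacsConfig, group: List[str]) -> int:
    """Seconds a login may wait while every server in `group` times out in turn,
    before the local database (if configured as fallback) is consulted."""
    eff = effective_settings(cfg)
    return sum(eff[a]["timeout"] for a in group)


# Constructed sample; 192.168.3.3 and 192.168.3.4 are made-up addresses.
SAMPLE_CONFIG = """
firewall/Admin(config)# tacacs-server key 7 abe4DFeeweo00o
firewall/Admin(config)# tacacs-server timeout 30
firewall/Admin(config)# tacacs-server host 192.168.3.2 key HostKey
firewall/Admin(config)# tacacs-server host 192.168.3.2 timeout 5
firewall/Admin(config)# tacacs-server host 192.168.3.3 port 4949
firewall/Admin(config)# tacacs-server host 192.168.3.4
firewall/Admin(config)# no tacacs-server timeout 30
"""

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for addr, settings in effective_settings(cfg).items():
        print(addr, settings)
    print("servers without any key:", hosts_without_key(cfg))
    print("worst-case wait before local fallback:", worst_case_wait(cfg, list(cfg.hosts)), "s")
```

After the trailing no tacacs-server timeout line the global timeout is back to 1 second, so 192.168.3.2 keeps its per-host 5 seconds while the other two servers inherit 1 second each, and a login that has to walk the whole group waits 7 seconds before any local fallback is tried. Removing the global key with no tacacs-server key would leave 192.168.3.3 and 192.168.3.4 with no shared secret at all, which hosts_without_key reports.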

Examples

The following example shows how to globally configure the timeout value to 30 seconds:

firewall/Admin(config)# tacacs-server timeout 30

Related Commands

Command
Description

aaa group server

Configures independent server groups of TACACS+, RADIUS, or LDAP servers.

show aaa

Displays AAA accounting and authentication configuration information for the current context.

tacacs-server host

Specifies the TACACS+ server IP address, encrypted key, and destination port.