Cisco 700 Series Router Command Reference (4.4)
Security Commands
Download this chapter
Security CommandsSecurity Commands
give_us_feedback

Table Of Contents

Security Commands

login

logout

reset calleridreceive

set callerid

set clicallback

set callidreceive

set local access

set logout

set password

set remote access

show security


Security Commands

This chapter describes the commands used to manage router security as it relates to modifying the configuration and monitoring the activity of the router.

login

To log into a remote router to make configuration changes, use the login command.

LOGIn [ipaddress | ethernetaddress | connectionid | REmote]

Syntax Description

ipaddress

IP address of a device on the same IP network or to a remote router connected across the ISDN line. The IP address must be entered in four-part dotted decimal format.

ethernetaddress

Used with bridging, the Ethernet address logs into a router on the same Ethernet segment or to a remote router connected across the ISDN line. The Ethernet address must be entered as 12 contiguous hexadecimal characters with no spaces.

connectionid

User profile connection identification used for remote login.

REmote

Log into a router connected to the ISDN line. Use this keyword while in profile mode.


Default

None

Command Mode

System or profile mode

Usage Guidelines

If access to the router has been restricted with the set local access command, you are required to enter the router system password before making any configuration changes.

You can only log into a remote Cisco 700 series router directly connected to your terminal or to a remote Cisco 700 series router with an active ISDN or Ethernet connection to your router. After 5 minutes of no activity, the remote router logs you out. Use the logout command to manually log out of the remote router.

Used without an argument or keyword, this command logs you into the router directly connected to your terminal through the console port.

Example

The following example shows how to log into a remote router, from a profile, across the ISDN connection by using the remote router IP address: 

Host> login 150.150.50.25 remote

Related Commands

logout
set local access
set remote access

logout

To end any remote session initiated with the login command, use the logout command.

LOGOut

Default

None

Command Mode

System or profile mode

Example

The following example ends a remote session initiated with the login command: 

Host> logout

Related Command

login
set local access
set remote access

reset calleridreceive

To delete one or all of the telephone numbers from which the router receives calls when caller ID is enabled, use the reset callidreceive command:

REset CALLIdreceive number | ALl

Syntax Description

number

Remote router telephone number entered with the set callidreceive command.

ALl

Delete all remote router telephone numbers entered with the set callidreceive command.


Default

None

Command Mode

System mode

Example

The following example deletes a caller ID receive number entered with the set callidreceive command: 

Host> reset callidreceive 5559020

Related Commands

set calledrid
set callidreceive

set callerid

To enable ISDN caller ID authentication, use the set callerid command.

SEt CALLErid ON | OFf

Syntax Description

ON

Enable ISDN caller ID authentication.

OFf

Disable ISDN caller ID authentication.


Default

Off (disabled)

Command Mode

System level

Usage Guidelines

The calling device is authenticated by its telephone number using caller ID (a service offered by the ISDN service provider).

Example

The following example enables caller ID checking for all ISDN connections: 

Host> set callerid on

Related Command

set callidreceive

set clicallback

To change the callback delay, use the set clicallback command:

SEt CLICallback OFf | ON [# of digit to match] [DElay seconds]

Syntax Description

ON

Enables caller ID callback.

OFf

Disables caller ID callback.

# of digit to match

Minimum number of digits (from right to left) to be matched.

seconds

Time between the rejection of incoming messages and the callback. Valid range is 3 to 30 seconds.


Default

10-second delay for all switch types.

Command Mode

Profile mode

Usage Guidelines

In software Release 4.0(1), the callback delay was a fixed value of 3 seconds. In software Release 4.1(2) and higher, the value can be set from 3 to 30 seconds by using the set clicallback delay command.

Because clicallback rejects calls when a match is found and cliauthentication accepts calls when a match is found, clicallback has precedence over cliauthentication. For cliauthentication to be active, clicallback must be turned off.

Example

The following example sets the callback delay to 7 seconds: 

Host> set clicallback on delay 7

Related Commands

set callidreceive

set callidreceive

To enter the ISDN telephone number from which the router accepts calls when caller ID checking is enabled, use the set callidreceive command.

SEt CALLIdreceive number

Syntax Description

number

ISDN phone number of a remote router from which the router accepts calls when caller ID checking is enabled with the set callerid command.


Default

No caller ID receive number is configured.

Command Mode

System level

Usage Guidelines

To delete a telephone number set with this command, use the reset calleridreceive command.

Example

The following example enters the telephone number for a remote router authenticated when caller ID checking is enabled: 

Host> set callidreceive 4085559020

Related Commands

reset calleridreceive
set callerid

set local access

To restrict the commands allowed at the local port, use the set localaccess command.

SEt LOcalaccess ON | PArtial | PROtected

Syntax Description

ON

Set commands to be performed without restriction.

PArtial

Set commands to be performed with partial restriction.

PROtected

Set commands to be performed with system password only.


Default

On (enabled for all commands)

Command Mode

System mode

Usage Guidelines

To use dual tone multifrequency (DTMF) commands from the telephone keypad, the set local access command must be set to on. The set password command must be set. Table 4-1 describes the set local access command settings.

Table 4-1 set localaccess Command Settings 

Command
On
Partial
Protected

call

See Note1

 

P2

cd

   

P

demand

 

P

P

disconnect

   

P

establish

   

P

help

   

P

log

   

P

login and logout

     

ping

   

P

reboot

 

P

P

release

   

P

reset commands

 

P

P

set commands

 

P

P

show commands

   

P

software load

 

P

P

test commands

   

P

timeout

 

P

P

unlearn

   

P

unset commands

 

P

P

upload

 

P

P

version

   

P

1 An empty cell indicates that the command can be performed remotely without restrictions.

2 P indicates that the system password must be entered before using the command.


Example

The following example configures local configuration access to protected: 

Host> set localaccess protected

Related Command

set password

set logout

To set the inactivity timer for remote logins, use the set logout command.

SEt LOGout minutes

Syntax Description

minutes

Number of minutes of inactivity on a remote login Telnet session before the remote user is logged out. To disable the auto logout feature, use a logout value of 0.


Default

5 minutes

Command Mode

System mode

Example

The following example disables the remote inactivity timer session: 

Set logout 0

Related Command

login
logout

set password

To set a password, use the set password command.

SEt PAssword SYstem [ENcrypted] [<password>]

Syntax Description

SYstem

Configure the system password that authenticates users requesting a local or remote configuration session.

ENcrypted

Used by the computer when loading a saved configuration text file (UPL output) into the router.

password

Password used for authentication. If the password is absent from the command statement, you are prompted for the entry.


Default

No passwords

Command Mode

System mode

Usage Guidelines

The system password can consist of 1 to 30 characters. The command should be preceded with the set remote access or set local access command. If a password is not included in the command line, you are prompted to enter the password. When configuring a system password, you are also prompted for a username to associate with the password. This username can consist of 1 to 7 characters.

The encrypted parameter is used by the computer when loading a saved configuration into the router. If UPL is run, the system password is displayed. For example: 

set password system encrypted 053b2b3c09641f

When this command is loaded back into the original router (or another router), the router knows the password is already encrypted by examining the encrypted parameter.

Warning   You should not use the encrypted parameter when typing in the system password manually. If you do, the router will try to decrypt it, and you will not be able to log into the router.

The password can be included in a configuration file, which can generate a set password command that includes unencrypted or encrypted passwords for PPP authentication.

Note that the system password protects remote access, but not local access. Before downloading a configuration, a remote user has to enter a system password (if it has been set), but a local user does not. For example, an unauthorized user can use the upload command to generate PPP CHAP or PAP authentication and cut-and-paste the password to a local console.

Examples

The following example configures a host password for profile 2503:

Step 1 Enter the set password command: 

Host:2503> set password system

Step 2 Enter your host password. (Your password is not echoed on the screen.): 

Enter new Password: <new password>

Step 3 Reenter your host password for confirmation: 

Re-Type new Password: <new password>

Step 4 Enter the username you want associated with the host password: 

Enter User Name: johndoe

Related Commands

login
logout
set local access
set remote access

set remote access

To restrict remote configuration access to the router, use the set remote access command.

SEt REmoteaccess OFf | PRotected | PArtial

Syntax Description

OFf

No remote login sessions are allowed.

PRotected

Set commands to be performed with system password only.

PArtial

Set commands to be performed with partial restrictions.


Default

Off

Command Mode

System mode

Usage Guidelines

describes the set remote access command settings.

Table 4-2 set remote access Command Settings 

Commands
Partial
Protected
Off

call

See Note.1

P2

X3

demand

P

P

X

disconnect

 

P

X

help

 

P

X

log commands

 

P

X

login

   

X

logout

   

X

reboot

 

P

X

reset commands

P

P

X

set commands

P

P

X

show commands

 

P

X

software load

P

P

X

test commands

 

P

X

timeout

P

P

X

unset commands

P

P

X

upload

 

P

X

version

 

P

X

cd

   

P

establish

   

P

ping

   

P

release

   

P

unlearn

   

P

1 An empty cell indicates that the command can be performed remotely without restrictions.

2 P indicates that a system password must be entered before this command can be performed remotely.

3 X indicates that this command cannot be performed remotely.


Example

The following example configures the router for protected remote access: 

Host> set remote access protected

Related Command

set local access
set password

show security

To display the security configurations, use the show security command.

SHow SEcurity [ALl]

Syntax Description

ALl

In profile mode, display all security configurations as if the command were issued in system mode. Ignored in system mode.


Command Mode

System or profile mode

Example

The following example shows output from the show security command in system mode: 

Host> show security

System Parameters

Security

Access Status             

System Password          N E

Remote Configuration     PROTECTED

Local Configuration       

Logout Timeout           5

Caller ID Security       OFF

Caller Id Numbers


PPP Security

PPP Authentication  IN   CHAP  PAP

CHAP REFUSE              NONE

CHAP ALLOW MULTIHOST     OFF

Profile Parameters

PPP Security

PPP Authentication OUT   NONE

Token Authentication Support

TAS Client             0.0.0.0

Use Local CHAP Secret  ON

Client

User Name              NONE

PAP Password           NONE

CHAP Secret            NONE

Host

PAP Password           NONE

CHAP Secret            NONE

Callback

Request                OFF

Reply                  OFF

The following example shows output from the show security command in profile mode: 

Host:temp> show security

>PPP Security

PPP Authentication OUT   NONE   

PPP Authentication ACCEPT   EITHER   

Token Authentication Support

TAS Client             0.0.0.0   

Use Local CHAP Secret  ON   

Client

User Name              odc7

PAP Password           NONE

CHAP Secret            NONE

Host

PAP Password           NONE   

CHAP Secret            NONE   

Callback

Request                OFF   

Reply                  OFF

Table 4-3 lists the significant fields shown in the display.

Table 4-3 show security Command Fields 

Field
Description

System Parameters

Security configurations that apply to system mode.

Access Status

Indicates remote access is enabled. Can be on or off.

System Password

Indicates a system password has been entered with the set password system command. Can be none or exists.

Remote Configuration

Remote access restriction as configured with the set remote access command.

Local Configuration

Local configuration restriction as configured with the set local access command.

Caller ID Security

Indicates caller ID is enabled. Can be on or off.

Caller ID Number

Phone numbers entered with the set calleridreceive command.

PPP Authentication In

PPP authentication method for incoming calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication in command.

Profile Parameters

Security configurations that apply to the profile. If you are using the show security command in system mode, these configurations make up the profile template for security parameters.

PPP Authentication Out

PPP authentication method used for outgoing calls. Can be PAP, CHAP, none, or any combination of these three. Set with the set ppp authentication out command.

PAP Client Password

PAP client password entered with the set ppp password command. Can be none or exists.

CHAP Client Secret

CHAP client password entered with the set ppp secret command. Can be none or exists.

Callback ID Security

Indicates callback authentication is enabled. Can be on or off.

CHAP Refuse

Indicates rejection of CHAP challenges.

CHAP Allow Multihost

Indicates whether chap challenges with multiple hostnames are allowed. Can be on or off.

Callback

Indicates callback is enabled. Can be on or off.

Callback Numbers

Numbers entered with the set clicallback command.

Number of Host Passwords

Number of host passwords that have been entered with the set password command.

PAP Host Password

PAP host password entered with the set ppp password command. Can be none or exists.

CHAP Host Secret

CHAP host password entered with the set ppp secret command. Can be none or exists.

Callback Request

Request a callback from the remote unit. Can be on or off.

Callback Reply

Perform a callback if requested to do so by the remote router. Can be on or off.


Related Commands

set clicallback
set local access
set password
set ppp authentication
set ppp password
set ppp secret
set remote access