Cisco Security Appliance Command Reference, Version 7.1
aaa accounting through accounting-server-group

Table Of Contents

aaa accounting through accounting-server-group Commands

aaa accounting

aaa accounting command

aaa accounting console

aaa accounting match

aaa authentication

aaa authentication console

aaa authentication match

aaa authentication secure-http-client

aaa authorization

aaa authorization command

aaa authorization match

aaa local authentication attempts max-fail

aaa mac-exempt

aaa proxy-limit

aaa-server host

aaa-server protocol

absolute

accept-subordinates

access-group

access-list alert-interval

access-list deny-flow-max

access-list ethertype

access-list extended

access-list remark

access-list standard

access-list webtype

accounting-mode

accounting-port

accounting-server-group

accounting-server-group (webvpn)


aaa accounting through accounting-server-group Commands


aaa accounting

To enable, disable, or view TACACS+ or RADIUS user accounting (on a server designated by the aaa-server host command), use the aaa accounting command in global configuration mode. To disable these functions, use the no form of this command.

aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag

no aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag

aaa accounting {include | exclude} service interface-name server-tag

no aaa accounting {include | exclude} service interface-name server-tag

Syntax Description

exclude

Create an exception to a previously stated rule by excluding the specified service from accounting. The exclude parameter allows the user to specify a service or protocol/port to exclude to a specific host or hosts.

foreign-ip

Specify the IP address of the hosts you want to access the local-ip address. Use 0 to mean all hosts. The foreign-ip address is always on the lowest security-level interface.

foreign-mask

Specify the network mask of foreign-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface-name

Specify the interface name from which users require authentication. Use interface-name in combination with the local-ip address and the foreign-ip address to determine where access is sought and from whom.

include

Create a new rule with the specified service to include.

local-ip

Specify the IP address of the host or network of hosts that you want to be authenticated or authorized. Set this address to 0 to mean all hosts and to let the authentication server decide which hosts are allowed access. The local-ip address is always on the highest security-level interface.

local-mask

Specify the network mask of local-ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server-tag

Specify the AAA server group tag defined by the aaa-server host command.

service

The service or access method to be accounted for. Accounting is provided for all services, or you can limit it to one or more services. Possible values are enable, http, serial, ssh, telnet, or protocol/port. Use enable to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form.


Defaults

For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed     Transparent    Single    Multiple
                                                            Context    System
Global configuration


Command History

Release        Modification
Preexisting    This command was preexisting.


Usage Guidelines

User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless you enable simultaneous accounting.

Before you can use this command, you must first designate an AAA server with the aaa-server command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match command.


Note Traffic that is not specified by an include statement is not processed.


For outbound connections, first use the nat command to determine which IP addresses can access the security appliance. For inbound connections, first use the static and access-list extended command statements to determine which inside IP addresses can be accessed through the security appliance from the outside network.

If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.

Examples

The following example enables accounting on all connections:

hostname(config)# aaa-server mygroup protocol tacacs+
hostname(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
hostname(config)# aaa authentication include any inside 0 0 0 0 mygroup
hostname(config)# aaa authorization include any inside 0 0 0 0 mygroup
hostname(config)# aaa accounting include any inside 0 0 0 0 mygroup
hostname(config)# aaa authentication serial console mygroup

This example specifies that the authentication server with the IP address 192.168.10.10 resides on the inside interface and is in the TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the security appliance serial console requires authentication from the TACACS+ server.

Related Commands

Command                    Description
aaa accounting match       Enable or disable the use of a specified access list that must be matched to enable user accounting (on a server designated by the aaa-server command).
aaa accounting command     Enable support for AAA accounting of administrative access.
aaa-server host            Configure host-related attributes.
clear configure aaa        Remove/reset the configured AAA accounting values.
show running-config aaa    Display the AAA configuration.


aaa accounting command

To configure command accounting so that the security appliance sends to the accounting server each command entered by an administrator, use the aaa accounting command command in global configuration mode. To disable support for AAA command privilege accounting, use the no form of this command. The aaa accounting command command indicates the minimum level that must be associated with a command for an accounting record to be generated.

aaa accounting command [privilege level] server-tag

no aaa accounting command [privilege level] server-tag

Syntax Description

server-tag

The server or group of TACACS+ servers to which accounting records are sent.

privilege level

The minimum level that must be associated with a command for an accounting record to be generated. The default privilege level is 0.


Defaults

The default privilege level is 0. By default, AAA command-privilege accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed     Transparent    Single    Multiple
                                                            Context    System
Global configuration


Command History

Release    Modification
7.0(1)     This command was modified to include the administrative option.


Usage Guidelines

When you configure the aaa accounting command command, each command entered by an administrator/user is recorded and sent to the accounting server or servers. The optional privilege specification indicates the minimum privilege level that must be associated with a command for an accounting record to be generated.

This command applies only to TACACS+ servers.

You must specify the name of the server or group, previously specified in an aaa-server command, to which this command applies.

Examples

The following example specifies that accounting records will be generated for any command at privilege level 6 or higher, and that these records are sent to the server from the group named adminserver.

hostname(config)# aaa accounting command privilege 6 adminserver

Related Commands

Command                    Description
aaa accounting             Enables or disables TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).
clear configure aaa        Remove/reset the configured AAA accounting values.
show running-config aaa    Display the AAA configuration.


aaa accounting console

To enable support for AAA accounting for administrative access, use the aaa accounting console command in global configuration mode. To disable support for AAA accounting for administrative access, use the no form of this command.

aaa accounting {http | serial | telnet | ssh | enable} console server-tag

no aaa accounting {http | serial | telnet | ssh | enable} console server-tag

Syntax Description

enable

Enables or disables the generation of accounting records to mark the entry to and exit from privileged EXEC mode.

http

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP.

serial

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial console interface.

server-tag

Specifies the server or group of servers to which accounting records are sent. Valid server group protocols are RADIUS and TACACS+.

ssh

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions created over SSH.

telnet

Enables or disables the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet.


Defaults

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed     Transparent    Single    Multiple
                                                            Context    System
Global configuration


Command History

Release    Modification
7.0(1)     This command was introduced.


Usage Guidelines

You must specify the name of the server group, previously specified in an aaa-server command.

Examples

The following example specifies that accounting records will be generated for all HTTP transactions, and that these records are sent to the server named adminserver.

hostname(config)# aaa accounting http console adminserver
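The two administrative-access forms documented in this chapter, aaa accounting {http | serial | telnet | ssh | enable} console server-tag (above) and aaa authentication {serial | enable | telnet | ssh | http} console server-tag [LOCAL] (described later), lend themselves to a simple configuration audit. The following Python is an added example, not Cisco code or output: it assumes that Telnet, SSH and HTTP management access are enabled by the usual host-permit lines (telnet|ssh|http ip mask interface), that the serial port and privileged mode always exist, and that a server group without the LOCAL keyword has no fallback when the AAA server is unreachable. The running-config excerpt is constructed.

```python
import ipaddress

ADMIN_METHODS = ("serial", "enable", "telnet", "ssh", "http")


def _is_access_permit(t: list) -> bool:
    """telnet|ssh|http <ip> <mask> <interface> enables that management access
    (assumed form; lines such as 'ssh timeout 5' or 'http server enable' do not count)."""
    if len(t) != 4 or t[0] not in ("telnet", "ssh", "http"):
        return False
    try:
        ipaddress.IPv4Address("0.0.0.0" if t[1] == "0" else t[1])
        return True
    except ValueError:
        return False


def audit_console_aaa(config: str) -> list:
    """Return (method, finding) pairs for every enabled admin access method
    that lacks an authentication rule, a LOCAL fallback, or an accounting rule."""
    enabled = {"serial", "enable"}      # console connector and privileged mode always exist
    auth = {}                           # method -> [server-tag, ("LOCAL")]
    acct = {}                           # method -> server-tag
    for line in config.splitlines():
        t = line.split()
        if _is_access_permit(t):
            enabled.add(t[0])
        elif t[:2] == ["aaa", "authentication"] and len(t) >= 5 and t[3] == "console":
            auth[t[2]] = t[4:]          # aaa authentication <method> console <tag> [LOCAL]
        elif t[:2] == ["aaa", "accounting"] and len(t) == 5 and t[3] == "console":
            acct[t[2]] = t[4]           # aaa accounting <method> console <tag>
    findings = []
    for m in ADMIN_METHODS:
        if m not in enabled:
            continue
        if m not in auth:
            findings.append((m, "no-authentication"))
        elif "LOCAL" not in auth[m]:
            findings.append((m, "no-local-fallback"))   # admin lockout if the server is down
        if m not in acct:
            findings.append((m, "no-accounting"))
    return findings


# Constructed running-config excerpt (placeholder key, documentation addresses).
SAMPLE_CONFIG = """\
aaa-server ADMIN protocol tacacs+
aaa-server ADMIN (inside) host 192.0.2.10 PLACEHOLDER-KEY
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 5
http server enable
http 192.0.2.0 255.255.255.0 inside
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN
aaa authentication http console LOCAL
aaa accounting ssh console ADMIN
aaa accounting enable console ADMIN
aaa accounting command privilege 6 ADMIN
"""
```

Running audit_console_aaa(SAMPLE_CONFIG) reports the serial console without authentication or accounting, enable-mode authentication without LOCAL fallback, and HTTP sessions without accounting; Telnet is not reported because no telnet permit line enables it.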

Related Commands

Command                    Description
aaa accounting match       Enables or disables TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).
aaa accounting command     Specifies that each command, or commands of a specified privilege level or higher, entered by an administrator/user is recorded and sent to the accounting server or servers.
clear configure aaa        Remove/reset the configured AAA accounting values.
show running-config aaa    Display the AAA configuration.


aaa accounting match

To enable accounting for traffic that is identified by an access list, use the aaa accounting match command in global configuration mode. To disable accounting for traffic that is identified by an access list, use the no form of this command. The aaa accounting match command specifies an access list name that must be matched, as well as an interface name and a server tag.

aaa accounting match acl-name interface-name server-tag

no aaa accounting match acl-name interface-name server-tag

Syntax Description

acl-name

Specifies the name of an ACL that matches the traffic that you want the security appliance to perform accounting for. The acl-name argument must be the name of an ACL created with the access-list command.

interface-name

Specify the interface name from which users require accounting.

server-tag

Specify the AAA server group tag defined by the aaa-server protocol command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed     Transparent    Single    Multiple
                                                            Context    System
Global configuration


Command History

Release        Modification
Preexisting    This command was preexisting.


Usage Guidelines

The aaa accounting match command requires that you specify an ACL that permits the traffic for which you want the security appliance to send accounting data to AAA servers. The security appliance performs accounting for traffic permitted by the ACL and does not perform accounting for traffic denied by the ACL.

Before you can use this command, you must first create the AAA-server group tag by using the aaa-server protocol command.

User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA servers. Accounting information is sent only to the active server in a server group unless simultaneous accounting is enabled. See the accounting-mode command for more information.

Examples

The following example enables accounting for traffic matching an ACL, acl2, followed by the output of the show access-list command that displays the ACL:

hostname(config)# aaa accounting match acl2 outside radserver1
hostname(config)# show access-list acl2
access-list acl2; 1 elements
access-list acl2 line 1 extended permit tcp any any (hitcnt=54021)

Related Commands

Command                    Description
aaa accounting             Enable, disable, or view TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).
access-list extended       Create an access list or use a downloadable access list.
clear configure aaa        Remove/reset the configured AAA accounting values.
show running-config aaa    Display the AAA configuration.


aaa authentication

To include or exclude user authentication for traffic through the security appliance, use the aaa authentication command with the include or exclude keywords in global configuration mode. To disable user authentication, use the no form of this command.

Authentication lets you control access by requiring a valid username and password. You can configure the security appliance to authenticate the following items:

All administrative connections to the security appliance including the following sessions:

Telnet

SSH

ASDM (using HTTPS)

VPN management access

The enable command

Network access through the security appliance

Each authentication server has a single pool of users. If you use the same server for multiple authentication rules and types, then a user needs to authenticate only one time for all rules and types, until the session expires. For example, if you configure the security appliance to authenticate Telnet and FTP, and a user successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP.

aaa authentication {include | exclude} authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag

no aaa authentication {include | exclude} authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag

aaa authentication {ftp | telnet | http | https} challenge disable

no aaa authentication {ftp | telnet | http | https} challenge disable

Syntax Description

authentication-service

The type of traffic to include or exclude from authentication, based on the service option selected.

exclude

Creates an exception to a previously stated rule by excluding the specified service from authentication. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

foreign-ip

(Optional) IP address of the foreign host that is either the source or destination for connections requiring authentication; 0 indicates all hosts.

foreign-mask

(Optional) The network mask of foreign-ip.

ftp

Specifies FTP for enabling or disabling authentication challenge for traffic of this protocol type.

include

Creates a new rule with the specified service to include.

interface-name

The interface name from which users require authentication.

http

Specifies HTTP for enabling or disabling authentication challenge for traffic of this protocol type.

https

Specifies HTTPS for enabling or disabling authentication challenge for traffic of this protocol type.

local-ip

The IP address of the local/internal host or network of hosts that is either the source or destination for connections requiring authentication. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local-mask

The network mask of local-ip.

server-tag

The AAA server group tag defined by the aaa-server command.

telnet

Specifies Telnet for enabling or disabling authentication challenge for traffic of this protocol type.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed     Transparent    Single    Multiple
                                                            Context    System
Global configuration


Command History

Release        Modification
Preexisting    This command was preexisting.


Usage Guidelines

To include or exclude traffic for authentication, you must designate an authentication server with the aaa-server command before using the aaa authentication command. Each combination of local and foreign IP addresses can have one aaa authentication command for inbound connections and one for outbound connections. When a host whose IP address is identified by the aaa authentication command starts a connection through FTP, Telnet, HTTP, or HTTPS, it is prompted for a username and password. If the username and password are verified by the designated authentication server, the security appliance allows further traffic between the authenticating host and the client address.

Use the interface-name, local-ip, and foreign-ip variables to define where access is sought and from whom. The address for local-ip is always on the highest security level interface and foreign-ip is always on the lowest.


Note You cannot use the aaa authentication command between same-security interfaces. For that scenario, you must use the aaa authentication match command.


For the local and foreign IP address masks, you can use 0 as a shorthand representation if the IP address is 0.0.0.0. Use 255.255.255.255 for a host.

The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The security appliance proxies FTP, HTTP, HTTPS, and Telnet to display the credentials prompts.


Note When a cut-through proxy is configured, TCP sessions (TELNET, FTP, HTTP, or HTTPS) might have their sequence numbers randomized even if the norandomseq option is used in the nat or static command. This occurs when a AAA server proxies the TCP session to authenticate the user before permitting access.


Local Access Authentication

To configure a AAA server (TACACS+, RADIUS, or LOCAL) to authenticate administrators, choose one of the following access authentication service options: serial for serial console access, telnet for Telnet access, ssh for SSH access, http for HTTP access, and enable for enable-mode access.

Cut-Through Authentication

For cut-through proxy and "to the box" authentication, you can also use the local security appliance user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:

Warning:local database is empty! Use 'username' command to define local users.

Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:

Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication.

The cut-through authentication service options are as follows: telnet, ftp, http, https, icmp/type, proto, tcp/port, and udp/port. The variable proto can be any supported IP protocol value or name: for example, ip or igmp. Only Telnet, FTP, HTTP, or HTTPS traffic triggers interactive user authentication.

The authentication ports that the security appliance supports for AAA are fixed:

Port 21 for FTP

Port 23 for Telnet

Port 80 for HTTP

Port 443 for HTTPS

For this reason, do not use static PAT to reassign ports for services you want to authenticate. In other words, when the port to authenticate is not one of the fixed ports listed above, the security appliance rejects the connection instead of authenticating it.

You can enter an ICMP message type number for type to include or exclude that specific ICMP message type from authentication. For example, icmp/8 includes or excludes type 8 (echo request) ICMP messages.

The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.

If you specify ip, all IP traffic is included or excluded for authentication, depending on whether include or exclude is specified. When all IP traffic is included for authentication, following are the expected behaviors:

Before a user (source IP-based) is authenticated, an FTP, Telnet, HTTP, or HTTPS request triggers authentication, and all other IP requests are denied.

After a user is authenticated through FTP, Telnet, HTTP, HTTPS, or virtual Telnet authentication (see the virtual command), all traffic is free from authentication until the uauth timeout.

Enabling Authentication

The aaa authentication command enables or disables the following features:

User authentication services provided by a LOCAL, TACACS+, or RADIUS server are first designated with the aaa-server command. A user starting a connection via FTP, Telnet, HTTP, or HTTPS is prompted for the username and password. If the username and password are verified by the designated authentication server, the security appliance cut-through proxy feature allows further FTP, Telnet, HTTP, or HTTPS traffic between the source and destination.

Administrative authentication services providing access to the security appliance console via Telnet, SSH, HTTP, or the serial console. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

The prompts users see requesting AAA credentials differ among the services that can access the security appliance for authentication: Telnet, FTP, HTTP, and HTTPS:

Option: ftp
Number of login attempts allowed: An incorrect password causes the connection to be dropped immediately.
Notes: FTP users receive a prompt from the FTP program. Some FTP graphical user interfaces do not display challenge values.

Option: http
Number of login attempts allowed: Continual reprompting until successful login.
Notes: HTTP users see a pop-up window generated by the browser itself if aaa authentication secure-http-client is not configured. If aaa authentication secure-http-client is configured, a form loads in the browser to collect the username and password.

Option: telnet
Number of login attempts allowed: 4 tries before dropping the connection.
Notes: The prompt appears before the first command line prompt of a Telnet console connection.



Note For HTTP or HTTPS, when the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.


You can specify an interface name with the aaa authentication command. For example, if you specified aaa authentication include tcp outside 0 0 server-tag, the security appliance authenticates a tcp connection originating on the outside interface.


Note For HTTP or HTTPS authentication, once authenticated, a user never has to reauthenticate, no matter how low the security appliance uauth timer is set, because the browser caches the string "Basic=Uuhjksdkfhk==" in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.


Disabling Challenge Authentication

You can configure whether the security appliance challenges users for a username and password. By default, the security appliance prompts the user when a AAA rule enforces authentication for traffic in a new session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS. In some cases, you may want to disable the authentication challenge for one or more of these protocols. You can use the aaa authentication command to do so.

hostname/contexta(config)# aaa authentication protocol challenge disable

For example, to disable the username and password challenge for new connections using FTP, enter the following command:

hostname/contexta(config)# aaa authentication ftp challenge disable

If you disable challenge authentication for a particular protocol, traffic using that protocol is allowed only if the traffic belongs to a previously authenticated session. That session can be established by traffic using a protocol whose authentication challenge remains enabled. For example, if you disable challenge authentication for FTP, the security appliance denies new sessions using FTP if the traffic is included in an authentication rule. If the user first establishes a session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is then allowed.
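The cut-through authentication behaviour described above (include/exclude rules, the 0 0 address shorthand, the fixed-port equivalence of ftp/telnet/http/https, denial of non-interactive IP traffic before authentication, and the effect of challenge disable) modelled as a small Python decision function. This is an added example, not Cisco code or output; it assumes that a connection requires authentication when some include rule matches it and no exclude rule does, that an omitted foreign address means any foreign host, and that the uauth entry is keyed by the local (source) IP address. The sample rules are the two rules of Example 7 below.

```python
import ipaddress
from dataclasses import dataclass

# Services that trigger an interactive credential prompt, and the fixed
# destination ports on which the security appliance recognizes them.
INTERACTIVE = {"ftp": 21, "telnet": 23, "http": 80, "https": 443}

@dataclass(frozen=True)
class Rule:
    action: str                     # "include" or "exclude"
    service: str                    # ip | proto | tcp/port | udp/port | icmp/type | ftp | ...
    interface: str
    local: ipaddress.IPv4Network    # hosts on the higher-security interface
    foreign: ipaddress.IPv4Network  # hosts on the lower-security interface

@dataclass(frozen=True)
class Conn:
    interface: str                  # interface the connection originates on
    proto: str                      # "tcp", "udp", "icmp", "igmp", ...
    port: int                       # TCP/UDP destination port, or ICMP type
    local_ip: str
    foreign_ip: str

def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """'0 0' is the documented shorthand for 0.0.0.0 0.0.0.0 (any host)."""
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network((addr, mask), strict=False)

def parse_rule(line: str) -> Rule:
    """Parse 'aaa authentication {include|exclude} service interface-name
    local-ip local-mask [foreign-ip foreign-mask] server-tag'."""
    t = line.split()
    if t[:2] != ["aaa", "authentication"] or t[2] not in ("include", "exclude"):
        raise ValueError(f"not an include/exclude rule: {line!r}")
    body = t[3:-1]                  # drop the prefix and the trailing server-tag
    if len(body) == 4:              # foreign address omitted: any foreign host (assumption)
        service, iface, lip, lmask = body
        fip = fmask = "0"
    elif len(body) == 6:
        service, iface, lip, lmask, fip, fmask = body
    else:
        raise ValueError(f"unexpected token count: {line!r}")
    return Rule(t[2], service, iface, _net(lip, lmask), _net(fip, fmask))

def _service_matches(service: str, c: Conn) -> bool:
    if service == "ip":             # every IP protocol
        return True
    if service in INTERACTIVE:      # ftp/telnet/http/https == tcp/21/23/80/443
        return c.proto == "tcp" and c.port == INTERACTIVE[service]
    if "/" in service:              # proto/port, or icmp/type
        proto, num = service.split("/", 1)
        n = int(num)
        all_ports = proto in ("tcp", "udp") and n == 0   # port 0 means all ports
        return proto == c.proto and (all_ports or n == c.port)
    return service == c.proto       # bare protocol name such as tcp or igmp

def _matches(r: Rule, c: Conn) -> bool:
    return (r.interface == c.interface
            and _service_matches(r.service, c)
            and ipaddress.IPv4Address(c.local_ip) in r.local
            and ipaddress.IPv4Address(c.foreign_ip) in r.foreign)

def requires_auth(rules: list, c: Conn) -> bool:
    """Covered by an include rule and not carved out by an exclude rule."""
    included = any(r.action == "include" and _matches(r, c) for r in rules)
    excluded = any(r.action == "exclude" and _matches(r, c) for r in rules)
    return included and not excluded

def decide(rules: list, c: Conn, authenticated: set,
           challenge_disabled: frozenset = frozenset()) -> str:
    """Return 'allow', 'prompt' or 'deny' for a new connection; authenticated
    holds local IPs with a live uauth entry, challenge_disabled the protocols
    configured with 'challenge disable'."""
    if not requires_auth(rules, c):
        return "allow"              # not subject to any authentication rule
    if c.local_ip in authenticated:
        return "allow"              # free from authentication until the uauth timeout
    prompting = next((name for name, port in INTERACTIVE.items()
                      if c.proto == "tcp" and c.port == port), None)
    if prompting and prompting not in challenge_disabled:
        return "prompt"             # FTP/Telnet/HTTP/HTTPS trigger the credential prompt
    return "deny"                   # other IP traffic, or challenge disabled, before auth

# Constructed sample rules: the two rules of Example 7 on this page.
EXAMPLE_RULES = [parse_rule(line) for line in (
    "aaa authentication include tcp inside 0 0 tacacs+",
    "aaa authentication exclude tcp inside 10.0.0.42 255.255.255.255 tacacs+",
)]
```

With these rules, decide() prompts an inside host on a Telnet connection, lets 10.0.0.42 through unauthenticated, denies an unauthenticated SMTP connection, and with FTP challenge disabled denies a new FTP session until the host has authenticated through another protocol.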

TACACS+ and RADIUS servers

You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers—set with the aaa-server command. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

The security appliance permits only one authentication type per network. For example, if one network connects through the security appliance using TACACS+ for authentication, another network connecting through the security appliance can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.


Note The security appliance does not enforce VPN attributes enforced by a RADIUS authentication server, if VPN attributes are enforced by the authorization server, since authorization takes place after authentication. For example, if the attribute-value pair "tunnel-group=VPN" is defined for RADIUS authentication and LDAP authorization, then all the VPN remote-access attributes configured on the LDAP server are enforced on the VPN remote-access tunnel. Those attributes defined by the RADIUS authentication server are ignored. This behavior affects the authentication/authorization parameters for tunnel-group, webvpn, pop, imap, and smtps.


Examples

The following examples show some uses of the aaa authentication command:

Example 1:

The following example includes for authentication TCP traffic on the outside interface, with a local IP address of 192.168.0.0 and a netmask of 255.255.0.0, with a remote/foreign IP address of all hosts, and using a server named "tacacs+". The second command line excludes Telnet traffic on the outside interface with a local address of 192.168.38.0, with a remote/foreign IP address of all hosts:

hostname(config)# aaa authentication include tcp outside 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+
hostname(config)# aaa authentication exclude telnet outside 192.168.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+

Example 2:

The following examples demonstrate ways to use the interface-name parameter. The security appliance has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

This example enables authentication for connections originated from the inside network to the outside network:

hostname(config)# aaa authentication include tcp inside 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

Example 3:

This example enables authentication for connections originated from the inside network to the perimeter network:

hostname(config)# aaa authentication include tcp inside 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

Example 4:

This example enables authentication for connections originated from the outside network to the inside network:

hostname(config)# aaa authentication include tcp outside 209.165.201.0 255.255.255.224 192.168.1.0 255.255.255.0 tacacs+

Example 5:

This example enables authentication for connections originated from the outside network to the perimeter network:

hostname(config)# aaa authentication include tcp outside 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+

Example 6:

This example enables authentication for connections originated from the perimeter network to the outside network:

hostname(config)# aaa authentication include tcp inside 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

Example 7:

This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 must be authenticated by the security appliance when establishing connections through the outside interface. In this example, the first aaa authentication command requires authentication of all FTP, HTTP, and Telnet sessions. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses a server group named tacacs+.

hostname(config)# nat (inside) 1 10.0.0.0 255.255.255.0
hostname(config)# aaa authentication include tcp inside 0 0 tacacs+
hostname(config)# aaa authentication exclude tcp inside 10.0.0.42 255.255.255.255 tacacs+

Example 8:

This example permits inbound TCP access to IP addresses in the range 209.165.201.1 through 209.165.201.30, indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command requires authentication for HTTP. The authentication server is at IP address 10.16.1.20 on the inside interface.

hostname(config)# aaa-server AuthIn protocol tacacs+
hostname(config)# aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20
hostname(config)# access-list acl-out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-group acl-out in interface outside
hostname(config)# aaa authentication include http inside 0 0 0 0 AuthIn

Related Commands

Command                                  Description
aaa authentication console               Enables or disables authentication on entry to privileged mode or requires authentication verification to access the security appliance via the specified type of connection.
aaa authentication match                 Specifies the name of an access list, previously defined in an access-list command, that must be matched, and then provides authentication for that match.
aaa authentication secure-http-client    Provides a secure method for user authentication to the security appliance prior to allowing HTTP requests to traverse the security appliance.
aaa-server protocol                      Configures group-related server attributes.
aaa-server host                          Configures host-related attributes.


aaa authentication console

To do any of the following, use the aaa authentication console command in global configuration mode:

Require authentication for access to the security appliance console over an SSH, HTTP, or Telnet connection or from the Console connector on the security appliance.

Require authentication on entry to privileged mode (the enable keyword).

Configure administrative authentication to fall back to the local database if all servers in the specified server group are unavailable.

To disable this authentication service, use the no form of this command.

aaa authentication {serial | enable | telnet | ssh | http} console server-tag [ LOCAL ]

no aaa authentication {serial | enable | telnet | ssh | http} console server-tag [ LOCAL ]

Syntax Description

console

Specifies that access to the console requires authentication.

enable

Enables or disables authentication on entry to privileged mode. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

http

Enables or disables authentication of admin sessions over HTTP. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

LOCAL

The keyword LOCAL has two uses. It can designate the use of a local authentication server, or it can specify fallback to the local database if the designated authentication server is unavailable.

serial

Enables or disables authentication of admin sessions established on the serial interface to the console. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

server-tag

The AAA server group tag defined by the aaa-server command.

For cut-through proxy and "to the box" authentication, you can also use the local security appliance user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:

Warning:local database is empty! Use 'username' command to define 
local users.

Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:

Warning:Local user database is empty and there are still commands 
using 'LOCAL' for authentication.

ssh

Enables or disables authentication of admin sessions over SSH. Valid server group protocols are LOCAL, RADIUS, and TACACS+.

telnet

Enables or disables authentication of admin sessions over Telnet. Valid server group protocols are LOCAL, RADIUS, and TACACS+.


Defaults

By default, fallback to the local database is disabled.

If an aaa authentication http console server-tag command statement is not defined, you can gain access to the security appliance (via ASDM) with no username and the security appliance enable password (set with the enable password command). If the aaa commands are defined but the HTTP authentication requests time out, which implies that the AAA servers might be down or unavailable, you can gain access to the security appliance using the default administrator username and the enable password. By default, the enable password is not set.

The help aaa command displays the syntax and usage for the aaa authentication commands in summary form.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode               Security Context
                        Routed    Transparent       Single    Multiple
                                                              Context   System

Global configuration


Command History

Release
Modification

7.0(1)

Pre-existing command, enhanced for security appliance.


Usage Guidelines

The aaa authentication console command enables or disables authentication on entry to privileged mode, lets you require authentication verification to access the security appliance via the specified type of connection, or supports administrative authentication fallback.

Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

The serial keyword also causes the security appliance to log to a syslog server any changes made to the configuration from the serial console.

Using the aaa authentication console command requires that you have previously used the aaa-server command to designate an authentication server, unless you have specified LOCAL as the server-group protocol. The aaa authentication console command supports RADIUS and TACACS+ groups.

Except as noted in "Defaults," if you are using HTTP authentication, the security appliance requires that HTTP administrative sessions be authenticated through the aaa authentication http console command.

When an administrator requests an action that requires authentication, the security appliance initiates an authentication session with servers from the specified server group. If the system is unable to communicate with any server from this group, the security appliance falls back to the local user database only if you have configured fallback as described next.

To configure administrative authentication to fall back to the local user database if all servers in the specified server group are unavailable, use the aaa authentication command with the LOCAL option specified. This feature is disabled by default.

The maximum username length for HTTP authentication is 30 characters. The maximum password length is 16 characters.

As the following table shows, the number of login attempts allowed for authenticated access to the security appliance console differs, depending on the option you choose with the aaa authentication {serial | enable | telnet | ssh | http} console server-tag command.

Option    Number of Login Attempts Allowed

enable    3 tries before access is denied
serial    Continual until success
ssh       3 tries before access is denied
telnet    Continual until success
http      Continual until success


Telnet access to the security appliance console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the security appliance console is also available from any interface without IPSec configured, and requires previous use of the ssh command.

The ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if an aaa authentication ssh console server-tag command statement is not defined, you can gain access to the security appliance console with the username pix and the security appliance Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests time out (which implies that the AAA servers may be down or unavailable), you can gain access to the security appliance using the administrator username and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
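The following is an added, complete configuration, not an example from the Cisco reference, that ties the preceding guidelines together: local users are defined before any console command names LOCAL (so the fallback database is never empty), the TACACS+ host is configured with a key, the ssh and http commands that management access depends on are present, and every console path authenticates against the group with fallback to LOCAL. The group name ADMIN_TACACS, the addresses, the usernames, the key and the passwords are placeholders; lines beginning with ! are annotations.

```cisco
! Added example (not from the command reference): administrative
! authentication against a TACACS+ group with fallback to LOCAL.
! Names, addresses, keys and passwords are placeholders.
!
! 1. Define local users BEFORE pointing any "console" command at LOCAL,
!    so the fallback path is never an empty database (see the warning
!    text under server-tag).
username admin password Str0ngLocalPw privilege 15
!
! 2. Define the server group and its host. Supply a key: a TACACS+ host
!    configured without one exchanges credentials unencrypted.
aaa-server ADMIN_TACACS protocol tacacs+
aaa-server ADMIN_TACACS (inside) host 10.1.1.5 thisisakey timeout 5
!
! 3. Permit management connections only from the admin subnet. SSH and
!    HTTP authentication require these commands to exist first. Telnet
!    is deliberately left without a telnet command, so it is unreachable.
ssh 10.1.1.0 255.255.255.0 inside
http server enable
http 10.1.1.0 255.255.255.0 inside
!
! 4. Authenticate each management path against the group, falling back
!    to the local database only when every server in ADMIN_TACACS is
!    unreachable (fallback is disabled unless LOCAL is appended).
aaa authentication ssh console ADMIN_TACACS LOCAL
aaa authentication http console ADMIN_TACACS LOCAL
aaa authentication serial console ADMIN_TACACS LOCAL
aaa authentication enable console ADMIN_TACACS LOCAL
!
! 5. Set an enable password. It is unset by default, and the defaults
!    described above rely on it when AAA requests time out.
enable password Str0ngEnablePw
```

With this in place, an SSH login while 10.1.1.5 is reachable is answered by the TACACS+ server and is denied after three failed tries; if the server does not respond, the same session is checked against the admin account in the local database instead of being refused outright.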

The prompts that users see requesting AAA credentials differ among the services that the security appliance can authenticate: Telnet, FTP, HTTP, and HTTPS:

Telnet users see a prompt, generated by the security appliance, that you can change with the auth-prompt command. The security appliance permits a user up to four chances to log in. Then, if the username or password still fails, the security appliance drops the connection.

FTP users receive a prompt from the FTP program. If a user enters an incorrect password, the connection is dropped immediately. If the username or password in the authentication database differs from the username or password on the remote host that you are accessing with FTP, enter the username and password in these formats:

authentication-user-name@remote-system-user-name
authentication-password@remote-system-password

If you daisy-chain security appliances, Telnet authentication works in the same way as a single unit, but FTP and HTTP users must enter each password and username with an additional "at" (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit, depending on how many units are daisy-chained and password length.

Some FTP graphical user interfaces (GUIs) do not display challenge values.

HTTP users see a pop-up window generated by the browser itself if aaa authentication secure-http-client is not configured. If aaa authentication secure-http-client is configured, a form loads in the browser to collect username and password. In either case, if a user enters an incorrect password, the user is reprompted. When the web server and the authentication server are on different hosts, use the virtual command to get the correct authentication behavior.

The security appliance accepts only 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits, if required. During authentication, the security appliance negotiates only Go-Ahead, Echo, and NVT (network virtual terminal).

HTTP Authentication

When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users might be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the security appliance authentication credentials.

Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the security appliance username-password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.

To solve this problem, the security appliance provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested.

Once authenticated, a user never has to reauthenticate, no matter how low the security appliance uauth timeout is set, because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.

As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.

Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS NetMeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.

Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.


Note To avoid interfering with these applications, do not enter blanket outgoing aaa command statements for all challenged ports, such as using the any option. Be selective about which ports and addresses you use to challenge HTTP and when to set user authentication timeouts to a higher timeout value. If interfered with, the multimedia programs might fail on the PC and might even cause the PC to fail after establishing outgoing sessions from the inside.
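The following added configuration, not an example from the Cisco reference, applies the advice in the HTTP Authentication section and in the Note above: HTTP cut-through proxy is limited by an access list to port 80 from one user subnet instead of a blanket rule, is applied with aaa authentication match, and is fronted by virtual http so that the browser caches its Basic credentials for the virtual address rather than for the IIS site. The access-list and group names, the server address, the virtual address and the key are assumptions; lines beginning with ! are annotations.

```cisco
! Added example (not from the command reference): selective HTTP
! cut-through proxy with "virtual http". Names and addresses are
! placeholders.
!
! Challenge only HTTP (port 80) from the user subnet. Deliberately NOT
! "permit ip any any": a blanket rule would also challenge the ports
! that multimedia clients open silently before their H.323 session,
! which is what the Note above warns against.
access-list AUTH_HTTP extended permit tcp 10.0.0.0 255.255.255.0 any eq www
!
! Authentication server group for the proxied users, with a key.
aaa-server WEB_AUTH protocol tacacs+
aaa-server WEB_AUTH (inside) host 10.1.1.5 thisisakey timeout 5
!
! Apply the rule on the interface where the users sit.
aaa authentication match AUTH_HTTP inside WEB_AUTH
!
! Redirect the first request to an unused address that is routed to the
! security appliance (assumption: 10.255.255.1 is not assigned to any
! interface or host). The browser's "Authorization: Basic ..." header is
! then sent to, and cached for, this virtual host, not the IIS server.
virtual http 10.255.255.1
!
! Absolute uauth lifetime. The browser keeps resending its cached
! credentials, so expiry reauthenticates the user transparently rather
! than prompting again.
timeout uauth 0:30:00 absolute
```

Without the virtual http line, the same configuration still authenticates the user, but the security appliance credentials travel in the Basic header to the IIS site and are rejected there unless they happen to match a Windows NT account.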


TACACS+ and RADIUS servers

You can have up to 15 single-mode groups or 4 multi-mode groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

For a TACACS+ server, if you do not specify a key in the aaa-server command, no encryption occurs and credentials are exchanged with the server in the clear.

The security appliance displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:

The AAA server system is down.

The AAA server system is up, but the service is not running.

Examples

The following examples show the use of the aaa authentication console command.

Example 1:

The following example shows use of the aaa authentication console command to authenticate Telnet console sessions against the RADIUS server group with the server tag "radius":

hostname(config)# aaa authentication telnet console radius

Example 2:

The following example identifies the server group "AuthIn" for administrative authentication.

hostname(config)# aaa authentication enable console AuthIn

Example 3:

The following example shows use of the aaa authentication console command with fallback to the LOCAL user database if all the servers in the group "srvgrp1" fail:

hostname(config)# aaa-server srvgrp1 protocol tacacs+
hostname(config)# aaa authentication serial console srvgrp1 LOCAL

Related Commands

Command
Description

aaa authentication

Enables or disables user authentication.

aaa-server host

Specifies the AAA server to use for user authentication.

clear configure aaa

Removes or resets the configured AAA values.

show running-config aaa

Display the AAA configuration.


aaa authentication match

To require that traffic match a specified access list before the security appliance performs LOCAL, TACACS+, or RADIUS user authentication (on a server designated by the aaa-server command) or ASDM user authentication, use the aaa authentication match command in global configuration mode. To remove the requirement to match the access list, use the no form of this command. The aaa authentication match command names an access list, previously defined with the access-list command, that traffic must match; the security appliance then authenticates the matching traffic.

aaa authentication match acl-name  interface-name server-tag

no aaa authentication match acl-name  interface-name server-tag

Syntax Description

acl-name

An access-list command statement name.

interface-name

The interface name from which to authenticate users.

server-tag