Cisco Security Appliance Command Reference, Version 7.2
aaa accounting command through accounting-server-group Commands

Table Of Contents

aaa accounting command through accounting-server-group Commands
    aaa accounting command
    aaa accounting console
    aaa accounting include, exclude
    aaa accounting match
    aaa authentication include, exclude
    aaa authentication console
    aaa authentication listener
    aaa authentication match
    aaa authentication secure-http-client
    aaa authorization
    aaa authorization command
    aaa authorization match
    aaa local authentication attempts max-fail
    aaa mac-exempt
    aaa proxy-limit
    aaa-server host
    aaa-server protocol
    absolute
    accept-subordinates
    access-group
    access-list alert-interval
    access-list deny-flow-max
    access-list ethertype
    access-list extended
    access-list remark
    access-list standard
    access-list webtype
    accounting-mode
    accounting-port
    accounting-server-group
    accounting-server-group (webvpn)


aaa accounting command through accounting-server-group Commands


aaa accounting command

To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode. To disable support for command accounting, use the no form of this command.

aaa accounting command [privilege level] tacacs+-server-tag

no aaa accounting command [privilege level] tacacs+-server-tag

Syntax Description

tacacs+-server-tag

Specifies the server or group of TACACS+ servers to which accounting records are sent, as specified by the aaa-server protocol command.

privilege level

If you customize the command privilege level using the privilege command, you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.


Defaults

The default privilege level is 0.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
7.0(1)       This command was introduced.


Usage Guidelines

When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers.

Examples

The following example specifies that accounting records will be generated for any supported command, and that these records are sent to the servers in the group named adminserver.

hostname(config)# aaa accounting command adminserver

Related Commands

Command                     Description
aaa accounting              Enables or disables TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).
clear configure aaa         Removes or resets the configured AAA accounting values.
show running-config aaa     Displays the AAA configuration.


aaa accounting console

To enable support for AAA accounting for administrative access, use the aaa accounting console command in global configuration mode. To disable support for AAA accounting for administrative access, use the no form of this command.

aaa accounting {http | serial | telnet | ssh | enable} console server-tag

no aaa accounting {http | serial | telnet | ssh | enable} console server-tag

Syntax Description

enable

Enables the generation of accounting records to mark the entry to and exit from privileged EXEC mode.

http

Enables the generation of accounting records to mark the establishment and termination of admin sessions created over HTTP.

serial

Enables the generation of accounting records to mark the establishment and termination of admin sessions that are established via the serial console interface.

server-tag

Specifies the server group to which accounting records are sent, defined by the aaa-server protocol command. Valid server group protocols are RADIUS and TACACS+.

ssh

Enables the generation of accounting records to mark the establishment and termination of admin sessions created over SSH.

telnet

Enables the generation of accounting records to mark the establishment and termination of admin sessions created over Telnet.


Defaults

By default, AAA accounting for administrative access is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
7.0(1)       This command was introduced.


Usage Guidelines

You must specify the name of the server group, previously specified in an aaa-server command.

Examples

The following example specifies that accounting records will be generated for all HTTP administrative sessions, and that these records are sent to the servers in the group named adminserver.

hostname(config)# aaa accounting http console adminserver

Related Commands

Command                     Description
aaa accounting match        Enables or disables TACACS+ or RADIUS user accounting (on a server designated by the aaa-server command).
aaa accounting command      Specifies that each command, or commands of a specified privilege level or higher, entered by an administrator/user is recorded and sent to the accounting server or servers.
clear configure aaa         Removes or resets the configured AAA accounting values.
show running-config aaa     Displays the AAA configuration.


aaa accounting include, exclude

To enable accounting for TCP or UDP connections through the security appliance, use the aaa accounting include command in global configuration mode. To exclude addresses from accounting, use the aaa accounting exclude command. To disable accounting, use the no form of this command.

aaa accounting {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] server_tag

no aaa accounting {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] server_tag

Syntax Description

exclude

Excludes the specified service and address from accounting if it was already specified by an include command.

include

Specifies the services and IP addresses that require accounting. Traffic that is not specified by an include statement is not processed.

inside_ip

Specifies the IP address on the higher security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the destination address. If you apply the command to the higher security interface, then this address is the source address. Use 0 to mean all hosts.

inside_mask

Specifies the network mask for the inside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface_name

Specifies the interface name from which users require accounting.

outside_ip

(Optional) Specifies the IP address on the lower security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the source address. If you apply the command to the higher security interface, then this address is the destination address. Use 0 to mean all hosts.

outside_mask

(Optional) Specifies the network mask for the outside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server_tag

Specifies the AAA server group defined by the aaa-server protocol command.

service

Specifies the services that require accounting. You can specify one of the following values:

any or tcp/0 (specifies all TCP traffic)

ftp

http

https

ssh

telnet

tcp/port

udp/port


Defaults

By default, AAA accounting for connections through the security appliance is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Before you can use this command, you must first designate a AAA server with the aaa-server command.

To enable accounting for traffic that is specified by an access list, use the aaa accounting match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM.

You cannot use the aaa accounting include and exclude commands between same-security interfaces. For that scenario, you must use the aaa accounting match command.

Examples

The following example enables accounting on all TCP connections:

hostname(config)# aaa-server mygroup protocol tacacs+
hostname(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20
hostname(config)# aaa accounting include any inside 0 0 0 0 mygroup

Related Commands

Command                     Description
aaa accounting match        Enables accounting for traffic specified by an access list.
aaa accounting command      Enables accounting of administrative commands.
aaa-server host             Configures the AAA server.
clear configure aaa         Clears the AAA configuration.
show running-config aaa     Displays the AAA configuration.


aaa accounting match

To enable accounting for TCP and UDP connections through the security appliance, use the aaa accounting match command in global configuration mode. To disable accounting for traffic, use the no form of this command.

aaa accounting match acl_name  interface_name server_tag

no aaa accounting match acl_name  interface_name server_tag

Syntax Description

acl_name

Specifies the traffic that requires accounting by matching an access list name. Permit entries in the access list are accounted, while deny entries are exempt from accounting. This command is only supported for TCP and UDP traffic. A warning message is displayed if you enter this command and it references an access list that permits other protocols.

interface_name

Specifies the interface name from which users require accounting.

server_tag

Specifies the AAA server group tag defined by the aaa-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

The security appliance can send accounting information to a RADIUS or TACACS+ server about any TCP or UDP traffic that passes through the security appliance. If that traffic is also authenticated, then the AAA server can maintain accounting information by username. If the traffic is not authenticated, the AAA server can maintain accounting information by IP address. Accounting information includes when sessions start and stop, username, the number of bytes that pass through the security appliance for the session, the service used, and the duration of each session.

Before you can use this command, you must first designate a AAA server with the aaa-server command.

Accounting information is sent only to the active server in a server group unless you enable simultaneous accounting using the accounting-mode command in aaa-server protocol configuration mode.

You cannot use the aaa accounting match command in the same configuration as the aaa accounting include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM.

Examples

The following example enables accounting for traffic that matches the access list acl2 on the outside interface, sending the records to the server group radserver1:

hostname(config)# access-list acl2 extended permit tcp any any
hostname(config)# aaa accounting match acl2 outside radserver1

Related Commands

Command                            Description
aaa accounting include, exclude    Enables accounting by specifying the IP addresses directly in the command.
access-list extended               Creates an access list.
clear configure aaa                Removes the AAA configuration.
show running-config aaa            Displays the AAA configuration.


aaa authentication include, exclude

To enable authentication for connections through the security appliance, use the aaa authentication include command in global configuration mode. To exclude addresses from authentication, use the aaa authentication exclude command. To disable authentication, use the no form of this command.

aaa authentication {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] {server_tag | LOCAL}

no aaa authentication {include | exclude} service interface_name inside_ip inside_mask [outside_ip outside_mask] {server_tag | LOCAL}

Syntax Description

exclude

Excludes the specified service and address from authentication if it was already specified by an include command.

include

Specifies the services and IP addresses that require authentication. Traffic that is not specified by an include statement is not processed.

inside_ip

Specifies the IP address on the higher security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the destination address. If you apply the command to the higher security interface, then this address is the source address. Use 0 to mean all hosts.

inside_mask

Specifies the network mask for the inside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

interface_name

Specifies the interface name from which users require authentication.

LOCAL

Specifies the local user database.

outside_ip

(Optional) Specifies the IP address on the lower security interface. This address might be the source or the destination address, depending on the interface to which you apply this command. If you apply the command to the lower security interface, then this address is the source address. If you apply the command to the higher security interface, then this address is the destination address. Use 0 to mean all hosts.

outside_mask

(Optional) Specifies the network mask for the outside IP address. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

server_tag

Specifies the AAA server group defined by the aaa-server command.

service

Specifies the services that require authentication. You can specify one of the following values:

any or tcp/0 (specifies all TCP traffic)

ftp

http

https

ssh

telnet

tcp/port[-port]

udp/port[-port]

icmp/type

protocol[/port[-port]]

Although you can configure the security appliance to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication. See "Usage Guidelines" for more information.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

To enable authentication for traffic that is specified by an access list, use the aaa authentication match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM.

You cannot use the aaa authentication include and exclude commands between same-security interfaces. For that scenario, you must use the aaa authentication match command.

TCP sessions might have their sequence numbers randomized even if you disable sequence randomization. This occurs when the security appliance proxies the TCP session to authenticate the user before permitting access.

One-Time Authentication

A user at a given IP address only needs to authenticate one time for all rules and types, until the authentication session expires. (See the timeout uauth command for timeout values.) For example, if you configure the security appliance to authenticate Telnet and FTP, and a user first successfully authenticates for Telnet, then as long as the authentication session exists, the user does not also have to authenticate for FTP.

For HTTP or HTTPS authentication, once authenticated, a user never has to reauthenticate, no matter how low the timeout uauth command is set, because the browser caches the Basic credential (a string of the form "Basic=Uuhjksdkfhk==") and resends it with every subsequent connection to that particular site. The cached credential is discarded only when the user exits all instances of the web browser and restarts it; clearing the browser cache has no effect.

Applications Required to Receive an Authentication Challenge

Although you can configure the security appliance to require authentication for network access to any protocol or service, users can authenticate directly with HTTP, HTTPS, Telnet, or FTP only. A user must first authenticate with one of these services before the security appliance allows other traffic requiring authentication.

The authentication ports that the security appliance supports for AAA are fixed:

Port 21 for FTP

Port 23 for Telnet

Port 80 for HTTP

Port 443 for HTTPS

Security Appliance Authentication Prompts

For Telnet and FTP, the security appliance generates an authentication prompt.

For HTTP, the security appliance uses basic HTTP authentication by default, and provides an authentication prompt. You can optionally configure the security appliance to redirect users to an internal web page where they can enter their username and password (configured with the aaa authentication listener command).

For HTTPS, the security appliance generates a custom login screen. You can optionally configure the security appliance to redirect users to an internal web page where they can enter their username and password (configured with the aaa authentication listener command).

Redirection is an improvement over the basic method because it provides an improved user experience when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and firewall modes. It also supports authenticating directly with the security appliance.

You might want to continue to use basic HTTP authentication if:

You do not want the security appliance to open listening ports.

You use NAT on a router and do not want to create a translation rule for the web page served by the security appliance.

Basic HTTP authentication works better with your network. For example, non-browser applications, such as a URL embedded in an email, might be more compatible with basic authentication.

After you authenticate correctly, the security appliance redirects you to your original destination. If the destination server also has its own authentication, the user enters another username and password. If you use basic HTTP authentication and need to enter another username and password for the destination server, then you need to configure the virtual http command.


Note If you use HTTP authentication without using the aaa authentication secure-http-client command, the username and password are sent from the client to the security appliance in clear text. We recommend that you use the aaa authentication secure-http-client command whenever you enable HTTP authentication.
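As an added example, not code from the original reference: the following Python reads a constructed capture of two HTTP requests that carry the Basic credential a browser caches after once answering the appliance's challenge (the replay behaviour described under One-Time Authentication) and recovers the username and password from it, which is why the note above recommends aaa authentication secure-http-client. The capture, the host address and the credential jamiec/letmein are made up for this example.

```python
import base64
import binascii

# Constructed capture (not real traffic): two requests that a browser sent to the same
# site after once answering the appliance's Basic challenge. The second request is the
# "subsequent connection" from the text: the browser replays the cached credential.
SAMPLE_CAPTURE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: 192.168.123.10\r\n"
    b"Authorization: Basic amFtaWVjOmxldG1laW4=\r\n"
    b"\r\n"
    b"GET /reports/today.html HTTP/1.1\r\n"
    b"Host: 192.168.123.10\r\n"
    b"Authorization: Basic amFtaWVjOmxldG1laW4=\r\n"
    b"\r\n"
)


def split_requests(capture):
    """Split a raw capture into request messages; GET requests have no body, so the
    blank line after the headers ends each message."""
    return [msg for msg in capture.split(b"\r\n\r\n") if msg.strip()]


def basic_credentials(request):
    """Return (path, username, password) if the request carries an HTTP Basic
    credential, or None if there is none or it is not decodable."""
    lines = request.split(b"\r\n")
    request_line = lines[0].split(b" ")
    path = request_line[1].decode("ascii", "replace") if len(request_line) >= 2 else ""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            return None                      # some other scheme; nothing to decode here
        try:
            # Basic is only base64, not encryption: decoding recovers "user:password".
            user_pass = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            return None
        user, _, password = user_pass.decode("latin-1").partition(":")
        return (path, user, password)
    return None


def credentials_in_capture(capture):
    """List every (path, username, password) visible in the capture, in order."""
    found = []
    for request in split_requests(capture):
        creds = basic_credentials(request)
        if creds is not None:
            found.append(creds)
    return found


if __name__ == "__main__":
    for path, user, password in credentials_in_capture(SAMPLE_CAPTURE):
        print(f"{path}: {user} / {password}")
```

The same credential appears on both requests: nothing in the capture distinguishes the first login from the replay, so an observer on the path recovers the password from either one, and lowering timeout uauth does not shorten the exposure.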


For FTP, a user has the option of entering the security appliance username followed by an at sign (@) and then the FTP username (name1@name2). For the password, the user enters the security appliance password followed by an at sign (@) and then the FTP password (password1@password2). For example:

name> jamiec@jchrichton
password> letmein@he110

This feature is useful when you have cascaded firewalls that require multiple logins. You can separate several names and passwords by multiple at signs (@).

The number of login attempts allowed differs between the supported protocols:

Protocol        Number of Login Attempts Allowed
FTP             An incorrect password causes the connection to be dropped immediately.
HTTP, HTTPS     Continual reprompting until successful login.
Telnet          4 tries before dropping the connection.


Static PAT and HTTP

For HTTP authentication, the security appliance checks real ports when static PAT is configured. If it detects traffic destined for real port 80, regardless of the mapped port, the security appliance intercepts the HTTP connection and enforces authentication.

For example, assume that outside TCP port 889 is translated to port 80 (www) and that any relevant access lists permit the traffic:

static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 www netmask 255.255.255.255

Then when users try to access 10.48.66.155 on port 889, the security appliance intercepts the traffic and enforces HTTP authentication. Users see the HTTP authentication page in their web browsers before the security appliance allows HTTP connection to complete.

If the local port is different than port 80, as in the following example:

static (inside,outside) tcp 10.48.66.155 889 192.168.123.10 111 netmask 255.255.255.255

Then users do not see the authentication page. Instead, the security appliance sends the web browser an error message indicating that the user must be authenticated prior to using the requested service.

Authenticating Directly with the Security Appliance

If you do not want to allow HTTP, HTTPS, Telnet, or FTP through the security appliance but want to authenticate other types of traffic, you can authenticate with the security appliance directly using HTTP or HTTPS by configuring the aaa authentication listener command.

You can authenticate directly with the security appliance at the following URLs when you enable AAA for the interface:

http://interface_ip[:port]/netaccess/connstatus.html
https://interface_ip[:port]/netaccess/connstatus.html

Alternatively, you can configure virtual Telnet (using the virtual telnet command). With virtual Telnet, the user Telnets to a given IP address configured on the security appliance, and the security appliance provides a Telnet prompt.

Examples

The following example requires authentication for all TCP traffic on the outside interface with an inside IP address in 192.168.0.0 (netmask 255.255.0.0) and any outside IP address, using the server group named tacacs+. The second command excludes from that requirement Telnet traffic on the outside interface with an inside address in 192.168.38.0 (netmask 255.255.255.0) and any outside IP address:

hostname(config)# aaa authentication include tcp/0 outside 192.168.0.0 255.255.0.0 0 0 tacacs+
hostname(config)# aaa authentication exclude telnet outside 192.168.38.0 255.255.255.0 0 0 tacacs+

The following examples demonstrate ways to use the interface_name parameter. The security appliance has an inside network of 192.168.1.0 (subnet mask 255.255.255.0), an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).

This example enables authentication for connections originated from the inside network to the outside network:

hostname(config)# aaa authentication include tcp/0 inside 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the inside network to the perimeter network:

hostname(config)# aaa authentication include tcp/0 inside 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the inside network:

hostname(config)# aaa authentication include tcp/0 outside 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the outside network to the perimeter network:

hostname(config)# aaa authentication include tcp/0 outside 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+

This example enables authentication for connections originated from the perimeter network to the outside network:

hostname(config)# aaa authentication include tcp/0 perimeter 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+
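As an added example (not Cisco's code and not part of the original reference), the following Python models the matching rules stated in the syntax descriptions of both aaa accounting include, exclude and aaa authentication include, exclude: a command is applied on one interface; inside_ip is the source address when that interface is the higher-security side of the connection and the destination address when it is the lower-security side, with outside_ip taking the other role; 0 means any host; and an exclude that matches overrides an include. The security levels (inside 100, perimeter 50, outside 0), the Rule and Connection classes, and the sample connections are assumptions made for this example; the rules loaded are the two commands from the first example above, and the same-security case the guidelines say is unsupported is rejected.

```python
import ipaddress
from dataclasses import dataclass

# Assumed security levels for the interfaces named in the examples above; the
# reference names the interfaces but does not state their levels.
SECURITY_LEVEL = {"inside": 100, "perimeter": 50, "outside": 0}

# Service keywords from the command syntax, as (protocol, low port, high port).
SERVICE_KEYWORDS = {
    "any": ("tcp", 0, 65535), "tcp/0": ("tcp", 0, 65535),
    "ftp": ("tcp", 21, 21), "ssh": ("tcp", 22, 22), "telnet": ("tcp", 23, 23),
    "http": ("tcp", 80, 80), "https": ("tcp", 443, 443),
}


@dataclass
class Rule:
    action: str          # "include" or "exclude"
    service: str         # keyword, tcp/port[-port], udp/port[-port], icmp/type, protocol[/port[-port]]
    interface: str       # interface the command is applied to
    inside_ip: str
    inside_mask: str
    outside_ip: str = "0"
    outside_mask: str = "0"


@dataclass
class Connection:
    ingress: str         # interface the first packet arrives on
    egress: str
    src: str
    dst: str
    proto: str           # "tcp", "udp", "icmp", ...
    dport: int           # destination port, or ICMP type


def parse_service(service):
    """Expand a service token into (protocol, low_port, high_port)."""
    if service in SERVICE_KEYWORDS:
        return SERVICE_KEYWORDS[service]
    proto, _, ports = service.partition("/")
    if not ports:                      # bare protocol name: every port/type
        return (proto, 0, 65535)
    low, _, high = ports.partition("-")
    low, high = int(low), int(high) if high else int(low)
    if low == 0:                       # tcp/0, udp/0: all ports of that protocol
        return (proto, 0, 65535)
    return (proto, low, high)


def _addr_matches(ip, mask, addr):
    if ip == "0" or mask == "0":       # 0 means all hosts
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def rule_matches(rule, conn, levels=SECURITY_LEVEL):
    if rule.interface != conn.ingress:
        return False
    if levels[conn.ingress] == levels[conn.egress]:
        raise ValueError("include/exclude is not supported between same-security "
                         "interfaces; use aaa authentication match instead")
    # Applied on the higher-security interface, inside_ip is the source address and
    # outside_ip the destination; applied on the lower-security interface the roles swap.
    if levels[conn.ingress] > levels[conn.egress]:
        inside_addr, outside_addr = conn.src, conn.dst
    else:
        inside_addr, outside_addr = conn.dst, conn.src
    proto, low, high = parse_service(rule.service)
    if proto != conn.proto or not low <= conn.dport <= high:
        return False
    return (_addr_matches(rule.inside_ip, rule.inside_mask, inside_addr)
            and _addr_matches(rule.outside_ip, rule.outside_mask, outside_addr))


def requires_auth(rules, conn, levels=SECURITY_LEVEL):
    """Traffic matched by an include is authenticated unless an exclude also matches it;
    traffic matched by nothing passes without authentication."""
    included = any(r.action == "include" and rule_matches(r, conn, levels) for r in rules)
    excluded = any(r.action == "exclude" and rule_matches(r, conn, levels) for r in rules)
    return included and not excluded


# The two commands from the first example above.
EXAMPLE_RULES = [
    Rule("include", "tcp/0", "outside", "192.168.0.0", "255.255.0.0", "0", "0"),
    Rule("exclude", "telnet", "outside", "192.168.38.0", "255.255.255.0", "0", "0"),
]

if __name__ == "__main__":
    for dport, dst in ((23, "192.168.38.10"), (80, "192.168.38.10"), (23, "192.168.1.10")):
        conn = Connection("outside", "inside", "203.0.113.5", dst, "tcp", dport)
        print(f"tcp/{dport} from 203.0.113.5 to {dst}: auth required = {requires_auth(EXAMPLE_RULES, conn)}")
```

Running it shows the point the examples above make with addresses alone: Telnet to 192.168.38.10 passes without a prompt because the exclude wins, HTTP to the same host and Telnet to 192.168.1.10 are challenged, and a connection arriving on the inside interface is untouched because no rule is applied there.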

Related Commands

Command                                 Description
aaa authentication console              Enables or disables authentication on entry to privileged mode or requires authentication verification to access the security appliance via the specified type of connection.
aaa authentication match                Specifies the name of an access list, previously defined in an access-list command, that must be matched, and then provides authentication for that match.
aaa authentication secure-http-client   Provides a secure method for user authentication to the security appliance prior to allowing HTTP requests to traverse the security appliance.
aaa-server protocol                     Configures group-related server attributes.
aaa-server host                         Configures host-related attributes.


aaa authentication console

To enable authentication service for access to the security appliance console over an SSH, HTTP, or Telnet connection or from the Console connector on the security appliance, use the aaa authentication console command in global configuration mode. This command also lets you enable access to privileged EXEC mode. To disable this authentication service, use the no form of this command.

aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}

no aaa authentication {serial | enable | telnet | ssh | http} console {server-tag [LOCAL] | LOCAL}

Syntax Description

enable

Enables authentication for entry to privileged EXEC mode using the enable command.

http

Enables authentication of ASDM sessions over HTTPS. The SDI server group protocol is not supported for HTTP management authentication.

LOCAL

The keyword LOCAL has two uses. It can designate the use of the local database, or it can specify fallback to the local database if the designated authentication server is unavailable.

serial

Enables authentication of admin sessions established on the serial console interface.

server-tag

Specifies the AAA server group tag defined by the aaa-server protocol command.

You can also use the local user database by specifying the server group tag LOCAL.

ssh

Enables authentication of admin sessions over SSH.

telnet

Enables authentication of admin sessions over Telnet.


Defaults

By default, fallback to the local database is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed    Transparent     Single    Multiple
                                                            Context    System
Global configuration


Command History

Release      Modification
Preexisting  This command was preexisting.


Usage Guidelines

If you enable CLI authentication, the security appliance prompts you for your username and password to log in. After you enter your information, you have access to user EXEC mode.

To enter privileged EXEC mode, enter the enable command or the login command (if you are using the local database only).

If you configure enable authentication, the security appliance prompts you for your username and password. If you do not configure enable authentication, enter the system enable password when you enter the enable command (set by the enable password command). However, if you do not use enable authentication, after you enter the enable command, you are no longer logged in as a particular user. To maintain your username, use enable authentication. This feature is particularly useful when you perform command authorization, where usernames are important to determine the commands a user can enter.

For authentication using the local database, you can use the login command, which maintains the username but requires no configuration to turn on authentication.

Before the security appliance can authenticate a Telnet, SSH, or HTTP user, you must first configure access to the security appliance using the telnet, ssh, and http commands. These commands identify the IP addresses that are allowed to communicate with the security appliance. Telnet access to the security appliance console is available from any internal interface, and from the outside interface with IPSec configured. SSH access to the security appliance console is available from any interface.

The http keyword authenticates the ASDM client that accesses the security appliance using HTTPS. You only need to configure HTTP authentication if you want to use a AAA server. By default, ASDM uses the local database for authentication even if you do not configure this command. HTTP management authentication does not support the SDI protocol for a AAA server group.

If you use a AAA server group for authentication, you can configure the security appliance to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as the AAA server because the security appliance prompt does not give any indication which method is being used.

You can alternatively use the local database as your main method of authentication (with no fallback) by entering LOCAL alone.

The maximum username length for HTTP authentication is 30 characters. The maximum password length is 16 characters.

As the following table shows, the number of login attempts allowed for authenticated access to the security appliance console differs depending on the option you choose with this command.

Option      Number of Login Attempts Allowed
Enable      3 tries before access is denied
Serial      Continual until success
SSH         3 tries before access is denied
Telnet      Continual until success
HTTP        Continual until success


If the SSH authentication request times out (which implies that the AAA servers may be down or unavailable), you can gain access to the security appliance using the username pix and the enable password (set with the enable password command). By default, the enable password is blank. Because this fallback accepts the enable password alone, do not leave the enable password blank on an appliance that uses AAA for administrative access; otherwise anyone who can reach the SSH service while the AAA servers are unreachable can log in without credentials. This behavior differs from when you log into the security appliance without AAA configured; in that case, you use the login password (set by the passwd command).

If an aaa authentication http console command statement is not defined, you can gain access to the security appliance using ASDM with no username and the security appliance enable password (set with the enable password command). If the aaa commands are defined but the HTTP authentication request times out, which implies that the AAA servers might be down or unavailable, you can gain access to the security appliance using the default administrator username and the enable password. By default, the enable password is not set.

Examples

The following example authenticates Telnet console sessions against the RADIUS server group with the server tag "radius":

hostname(config)# aaa authentication telnet console radius

The following example identifies the server group "AuthIn" for administrative authentication.

hostname(config)# aaa authentication enable console AuthIn

The following example shows use of the aaa authentication console command with fallback to the LOCAL user database if all the servers in the group "srvgrp1" fail:

hostname(config)# aaa-server srvgrp1 protocol tacacs+
hostname(config)# aaa authentication serial console srvgrp1 LOCAL
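The two usage points above (the server tag must name a defined aaa-server group, and LOCAL is an optional, case-sensitive fallback) can be checked mechanically. The following added example, which is not Cisco's code, audits the console-authentication lines of a running-config; the config text is constructed for the example and deliberately repeats a mismatched server tag of the kind shown in the fallback example.

```python
import re

# Added example, not Cisco's code: audit the "aaa authentication <type> console"
# lines of an ASA running-config against the rules described on this page.
CONSOLE_RE = re.compile(
    r"^aaa authentication (?P<type>serial|enable|telnet|ssh|http) console "
    r"(?P<group>\S+)(?: (?P<fallback>\S+))?$"
)
SERVER_RE = re.compile(r"^aaa-server (?P<group>\S+) protocol \S+$")

# Constructed sample config: the serial line references "srvgrp1" while the
# aaa-server line defines "svrgrp1", and the telnet line spells LOCAL in lower case.
SAMPLE_CONFIG = """
aaa-server svrgrp1 protocol tacacs+
aaa-server radius protocol radius
aaa authentication serial console srvgrp1 LOCAL
aaa authentication ssh console radius
aaa authentication enable console LOCAL
aaa authentication telnet console radius local
"""


def audit_console_auth(config_text):
    """Return (line, finding) pairs for every console-authentication line.

    undefined-group   : the server tag has no "aaa-server <tag> protocol" line
    no-local-fallback : an AAA group with no LOCAL fallback (LOCAL is case
                        sensitive), so logins depend on the servers being up
    """
    groups = set()
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            groups.add(m.group("group"))
            continue
        m = CONSOLE_RE.match(line)
        if not m or m.group("group") == "LOCAL":
            continue  # not a console line, or local database only (no fallback needed)
        if m.group("group") not in groups:
            findings.append((line, "undefined-group"))
        if m.group("fallback") != "LOCAL":
            findings.append((line, "no-local-fallback"))
    return findings
```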

Related Commands

Command                   Description
aaa authentication        Enables or disables user authentication.
aaa-server host           Specifies the AAA server to use for user authentication.
clear configure aaa       Removes/resets the configured AAA accounting values.
show running-config aaa   Displays the AAA configuration.


aaa authentication listener

To enable HTTP(S) listening ports to authenticate network users, use the aaa authentication listener command in global configuration mode. When you enable a listening port, the security appliance serves an authentication page for direct connections and/or for through traffic. To disable the listeners, use the no form of this command.

aaa authentication listener http[s] interface_name [port portnum] [redirect]

no aaa authentication listener http[s] interface_name [port portnum] [redirect]

Syntax Description

http[s]

Specifies the protocol that you want to listen for, either HTTP or HTTPS. Enter this command separately for each protocol.

port portnum

Specifies the port number that the security appliance listens on; the defaults are 80 (HTTP) and 443 (HTTPS).

redirect

Redirects through traffic to an authentication web page served by the security appliance. Without this keyword, only traffic directed to the security appliance interface can access the authentication web pages.

interface_name

Specifies the interface on which you enable listeners.


Defaults

By default, no listener services are enabled, and HTTP connections use basic HTTP authentication. If you enable the listeners, the default ports are 80 (HTTP) and 443 (HTTPS).

If you are upgrading from 7.2(1), then the listeners are enabled on ports 1080 (HTTP) and 1443 (HTTPS). The redirect option is also enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed   Transparent      Single   Multiple
                                                           Context   System
Global configuration


Command History

Release   Modification
7.2(2)    This command was introduced.


Usage Guidelines

Without the aaa authentication listener command, when HTTP(S) users need to authenticate with the security appliance after you configure the aaa authentication match or aaa authentication include command, the security appliance uses basic HTTP authentication. For HTTPS, the security appliance generates a custom login screen.

If you configure the aaa authentication listener command with the redirect keyword, the security appliance redirects all HTTP(S) authentication requests to web pages served by the security appliance.

Redirection is an improvement over the basic method because it provides a better user experience when authenticating, and an identical user experience for HTTP and HTTPS in both Easy VPN and firewall modes. It also supports authenticating directly with the security appliance.

You might want to continue to use basic HTTP authentication if you do not want the security appliance to open listening ports, if you use NAT on a router and do not want to create a translation rule for the web page served by the security appliance, or if basic HTTP authentication works better with your network. For example, non-browser applications, such as a URL embedded in an email message, might be more compatible with basic authentication.

If you enter the aaa authentication listener command without the redirect option, then you only enable direct authentication with the security appliance, while letting through traffic use basic HTTP authentication. The redirect option enables both direct and through-traffic authentication. Direct authentication is useful when you want to authenticate traffic types that do not support authentication challenges; you can have each user authenticate directly with the security appliance before using any other services.

Examples

The following example configures the security appliance to redirect HTTP and HTTPS connections on the interface named inside (a sample interface name) to the default ports:

hostname(config)# aaa authentication listener http inside redirect
hostname(config)# aaa authentication listener https inside redirect

The following example allows authentication requests directly to the security appliance on the inside interface; through traffic uses basic HTTP authentication:

hostname(config)# aaa authentication listener http inside
hostname(config)# aaa authentication listener https inside

The following example configures the security appliance to redirect HTTP and HTTPS connections on the inside interface to non-default ports:

hostname(config)# aaa authentication listener http inside port 1100 redirect
hostname(config)# aaa authentication listener https inside port 1400 redirect
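To make the direct-versus-through distinction in the usage guidelines concrete, the following added example (not Cisco's code) derives, for each interface and protocol, the port on which users can authenticate directly with the appliance and whether through traffic is redirected or left to basic HTTP authentication. The listener lines and interface names are constructed for the example.

```python
import re

# Added example, not Cisco's code: model the effective HTTP(S) authentication
# behaviour per interface under the listener rules described on this page.
LISTENER_RE = re.compile(
    r"^aaa authentication listener (?P<proto>https?) (?P<ifc>\S+)"
    r"(?: port (?P<port>\d+))?(?P<redirect> redirect)?$"
)
DEFAULT_PORT = {"http": 80, "https": 443}  # defaults when no port is given

# Constructed sample: redirect listeners on inside (HTTPS on a non-default
# port), a direct-only HTTP listener on dmz, and no listeners on outside.
SAMPLE_CONFIG = """
aaa authentication listener http inside redirect
aaa authentication listener https inside port 1443 redirect
aaa authentication listener http dmz
"""


def listener_behaviour(config_text, interfaces):
    """Return {(interface, proto): (direct_port, through_method)}.

    direct_port    : port serving the appliance's own login page, or None if
                     users cannot authenticate directly with the appliance
    through_method : "basic" (HTTP authentication challenge) or "redirect"
                     (through traffic is sent to the appliance's web page)
    """
    state = {(ifc, proto): (None, "basic")
             for ifc in interfaces for proto in DEFAULT_PORT}
    for raw in config_text.splitlines():
        m = LISTENER_RE.match(raw.strip())
        if not m:
            continue
        proto = m.group("proto")
        port = int(m.group("port") or DEFAULT_PORT[proto])
        through = "redirect" if m.group("redirect") else "basic"
        state[(m.group("ifc"), proto)] = (port, through)
    return state


def direct_only_listeners(state):
    """Listeners that are open without the redirect keyword: users can
    authenticate directly, but through traffic still uses basic HTTP auth."""
    return sorted(key for key, (port, through) in state.items()
                  if port is not None and through == "basic")
```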

Related Commands

Command                                Description
aaa authentication match               Configures user authentication for through traffic.
aaa authentication secure-http-client
clear configure aaa                    Removes the configured AAA configuration.
show running-config aaa                Displays the AAA configuration.
virtual http


aaa authentication match

To enable authentication for connections through the security appliance, use the aaa authentication match command in global configuration mode. To disable authentication, use the no form of this command.

aaa authentication match acl_name interface_name {server_tag | LOCAL}

no aaa authentication match acl_name interface_name {server_tag | LOCAL}

Syntax Description

acl_name

Specifies an extended access list name.

interface_name

Specifies the interface name from which to authenticate users.

LOCAL

Specifies the local user database.

server_tag

Specifies the AAA server group tag defined by the aaa-server command.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode            Firewall Mode             Security Context
                        Routed   Transparent      Single   Multiple
                                                           Context   System
Global configuration


Command History

Release       Modification
Preexisting