-
Cisco Security Appliance Command Reference, Version 8.0
-
About This Guide
-
Using the Command Line Interface
- A through B Commands
- C Commands
- D through F Commands
- G through I Commands
- J through L Commands
- M through O Commands
- P though R Commands
-
S Commands
-
same-security-traffic -- show asdm sessions
-
show asp drop -- show curpriv
-
show ddns -- show ipv6 traffic
-
show isakmp sa -- show route
-
show running-config -- show running-config isakmp
-
show running-config ldap -- show running-config webvpn auto-signon
-
show service-policy -- show xlate
-
shun -- sysopt radius ignore-secret
-
- T through Z Commands
-
Table Of Contents
l2tp tunnel hello through log-adj-changes Commands
ldap-attribute-map (aaa-server host mode)
l2tp tunnel hello through log-adj-changes Commands
l2tp tunnel hello
To specify the interval between hello messages on L2TP over IPSec connections, use the l2tp tunnel hello command in global configuration mode. To reset the interval to the default, use the no form of the command:
l2tp tunnel hello interval
no l2tp tunnel hello interval
Syntax Description
interval
Interval between hello messages in seconds. The Default is 60 seconds. The range is 10 to 300 seconds.
Defaults
The default is 60 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
The l2tp tunnel hello command enables the security appliance to detect problems with the physical layer of the L2TP connection. The default is 60 secs. If you configure it to a lower value, connections that are experiencing problems are disconnected earlier.
Examples
The following example configures the interval between hello messages to 30 seconds:
hostname(config)# l2tp tunnel hello 30Related Commands
ldap attribute-map
To create and name an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names, use the ldap attribute-map command in global configuration mode. To remove the map, use the no form of this command.
ldap attribute-map map-name
no ldap attribute-map map-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
With the ldap attribute-map command, you can map your own attribute names and values to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would be as follows:
1.
2.
3.
Note
Examples
The following example command, entered in global configuration mode, creates an LDAP attribute map named myldapmap prior to populating it or binding it to an LDAP server:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)#Related Commands
ldap-attribute-map (aaa-server host mode)
To bind an existing mapping configuration to an LDAP host, use the ldap-attribute-map command in aaa-server host configuration mode. To remove the binding, use the no form of this command.
ldap-attribute-map map-name
no ldap-attribute-map map-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
If the Cisco-defined LDAP attribute names do not meet your ease-of-use or other requirements, you can create your own attribute names, map them to Cisco attributes, and then bind the resulting attribute configuration to an LDAP server. Your typical steps would include:
1.
2.
3.
Examples
The following example commands, entered in aaa-server host configuration mode, bind an existing attribute map named myldapmap to an LDAP server named ldapsvr1:
hostname(config)# aaa-server ldapsvr1 host 10.10.0.1hostname(config-aaa-server-host)# ldap-attribute-map myldapmaphostname(config-aaa-server-host)#Related Commands
ldap-base-dn
To specify the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request, use the ldap-base-dn command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, thus resetting the search to start at the top of the list, use the no form of this command.
ldap-base-dn string
no ldap-base-dn
Syntax Description
Defaults
Start the search at the top of the list.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP base DN as starthere.
hostname(config)# aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# ldap-base-dn startherehostname(config-aaa-server-host)# exitRelated Commands
ldap-defaults
To define LDAP default values, use the ldap-defaults command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These default values are used only when the LDAP server requires them. To specify no LDAP defaults, use the no form of this command.
ldap-defaults server [port]
no ldap-defaults
Syntax Description
Defaults
The default setting is not set.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
•
•
•
•
Command History
Examples
The following example defines LDAP default values on the default port (389):
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# ldap-defaults ldapdomain4 8389Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs
ldap-dn
To pass a X.500 distinguished name and password to an LDAP server that requires authentication for CRL retrieval, use the ldap-dn command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them. To specify no LDAP DN, use the no form of this command.
ldap-dn x.500-name password
no ldap-dn
Syntax Description
Defaults
The default setting is not on.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
—
•
—
—
Command History
Examples
The following example specifies an X.500 name CN=admin,OU=devtest,O=engineering and a password xxzzyy for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# ldap-dn cn=admin,ou=devtest,o=engineering xxzzyyRelated Commands
crl configure
Enters crl configure configuration mode.
crypto ca trustpoint
Enters ca trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs.
ldap-group-base-dn
To specify the base group in the Active Directory hierarchy used by dynamic access policies for group searches, use the ldap-group-base-dn command in aaa-server host configuration mode. To remove the command from the running configuration, use the no form of the command:
ldap-group-base-dn [string]
no ldap-group-base-dn [string]
Syntax Description
Defaults
No default behavior or values. If you do not specify a group search DN, the search begins at the base DN.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host configuration mode
•
—
•
—
—
Command History
Usage Guidelines
The ldap-group-base-dn command applies only to Active Directory servers using LDAP, and specifies an Active Directory heirarchy level that the show ad-groups command uses to begin its group search. The groups retrieved from the search are used by dynamic group policies as selection criteria for a specific policy.
Examples
The following example sets the group base DN to begin the search at the organization unit (ou) level Employees:
hostname(config-aaa-server-host)# ldap-group-base-dn ou=EmployeesRelated Commands
ldap-login-dn
To specify the name of the directory object that the system should bind this as, use the ldap-login-dn command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command.
ldap-login-dn string
no ldap-login-dn
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers. The maximum supported string length is 128 characters.
Some LDAP servers, including the Microsoft Active Directory server, require that the security applianceestablish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field describes the authentication characteristics of the security appliance. These characteristics should correspond to those of a user with administrator privileges.
For the string variable, enter the name of the directory object for VPN Concentrator authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.
Examples
The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login DN as myobjectname.
hostname(config)# aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# ldap-login-dn myobjectnamehostname(config-aaa-server-host)#Related Commands
ldap-login-password
To specify the login password for the LDAP server, use the ldap-login-password command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this password specification, use the no form of this command:
ldap-login-password string
no ldap-login-password
Syntax Description
string
A case-sensitive, alphanumeric password, up to 64 characters long. The password cannot contain space characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers. The maximum password string length is 64 characters.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login password as obscurepassword.
hostname(config)# aaa-server svrgrp1 protocol ldaphostname(config)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server)# timeout 9hostname(config-aaa-server)# retry 7hostname(config-aaa-server)# ldap-login-password obscurepasswordhostname(config-aaa-server)#Related Commands
ldap-naming-attribute
To specify the Relative Distinguished Name attribute, use the ldap-naming-attribute command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command:
ldap-naming-attribute string
no ldap-naming-attribute
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
Enter the Relative Distinguished Name attribute that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
This command is valid only for LDAP servers. The maximum supported string length is 128 characters.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP naming attribute as cn.
hostname(config)# aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# ldap-naming-attribute cnhostname(config-aaa-server-host)#Related Commands
ldap-over-ssl
To establish a secure SSL connection between the security appliance and the LDAP server, use the ldap-over-ssl command in aaa-server host configuration mode. To disable SSL for the connection, use the no form of this command.
ldap-over-ssl enable
no ldap-over-ssl enable
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
Use this command to specify that SSL secures a connection between the security appliance and an LDAP server.
Note
Examples
The following commands, entered in aaa-server host configuration mode, enable SSL for a connection between the security appliance and the LDAP server named ldapsvr1 at IP address 10.10.0.1. They also configure the plain SASL authentication mechanism.
hostname(config)# aaa-server ldapsvr1 protocol ldaphostname(config-aaa-server-host)# aaa-server ldapsvr1 host 10.10.0.1hostname(config-aaa-server-host)# ldap-over-ssl enablehostname(config-aaa-server-host)#Related Commands
ldap-scope
To specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request, use the ldap-scope command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command.
ldap-scope scope
no ldap-scope
Syntax Description
Defaults
The default value is onelevel.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
Specifying the scope as onelevel results in a faster search, because only one level beneath the Base DN is searched. Specifying subtree is slower, because all levels beneath the Base DN are searched.
This command is valid only for LDAP servers.
Examples
The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP scope to include the subtree levels.
hostname(config)# aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)# aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)# timeout 9hostname(config-aaa-server-host)# retry 7hostname(config-aaa-server-host)# ldap-scope subtreehostname(config-aaa-server-host)#Related Commands
leap-bypass
To enable LEAP Bypass, use the leap-bypass enable command in group-policy configuration mode. To disable LEAP Bypass, use the leap-bypass disable command. To remove the LEAP Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for LEAP Bypass from another group policy.
leap-bypass {enable | disable}
no leap-bypass
Syntax Description
Defaults
LEAP Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
When enabled, LEAP Bypass allows LEAP packets from wireless devices behind a VPN hardware client to travel across a VPN tunnel prior to user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Devices are then able to authenticate again, per user authentication.
This feature does not work as intended if you enable interactive hardware client authentication.
For further information, see the Cisco ASA 5500 Series Configuration Guide using the CLI.
Note
Examples
The following example shows how to set LEAP Bypass for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# leap-bypass enableRelated Commands
lifetime (ca server mode)
To specify the length of time that the Local Certificate Authority (CA) certificate, each issued user certificates, or the Certificate Revocation List (CRL) is valid, use the lifetime command in CA server configuration mode. To reset the lifetime to the default setting, use the no form of this command.
lifetime {ca-certificate | certificate | crl} time
no lifetime {
