-
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
-
About This Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
activation-key through auto-update timeout
-
backup-servers through bridge-group
-
cache-time through clear capture
-
clear configure through clear configure virtual
-
clear console-output through clear xlate
-
client-access-rule through crl-configure
-
crypto ca authenticate through crypto map set trustpoint
-
debug aaa through debug xdmcp
-
default through drop
-
email through ftp-map
-
gateway through http-map
-
icmp through ignore lsa mospf
-
inspect ctiqbe through inspect xdmcp
-
interface through issuer-name
-
join-failover-group through kill
-
ldap-base-dn through log-adj-changes
-
logging asdm through logout
-
mac-address-table aging-time through multicast-routing
-
name through ospf transmit-delay
-
pager through pwd
-
quit through router-id
-
same-security-traffic through show asdm sessions
-
show asp drop through show curpriv
-
show debug through show ipv6 traffic
-
show isakmp sa through show route
-
show running-config through show running-config isakmp
-
show running-config logging through show running-config vpn-sessiondb
-
show service-policy through show xlate
-
shun through sysopt uauth allow-http-cache
-
telnet through tunnel-limit
-
upgrade-mp through write terminal
-
Table Of Contents
aaa accounting through accounting-server-group Commands
aaa authentication challenge disable
aaa authentication include, exclude
aaa authentication secure-http-client
aaa authorization include, exclude
aaa local authentication attempts max-fail
aaa accounting through accounting-server-group Commands
aaa accounting
To enable, disable, or view TACACS+, or RADIUS user accounting (on a server designated by the aaa-server host command), use the aaa accounting command in global configuration mode. To disable these functions use the no form of this command.
aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
no aaa accounting {include | exclude} service interface-name local-ip local-mask foreign-ip foreign-mask server-tag
aaa accounting {include | exclude} service interface-name server-tag
no aaa accounting {include | exclude} service interface-name server-tag
Syntax Description
Defaults
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
By default, AAA accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless you enable simultaneous accounting.
Before you can use this command, you must first designate an AAA server with the aaa-server command.
To enable accounting for traffic that is specified by an access list, use the aaa accounting match command.
Note
For outbound connections, first use the nat command to determine which IP addresses can access the FWSM. For inbound connections, first use the static and access-list extended command statements to determine which inside IP addresses can be accessed through the FWSM from the outside network.
If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
Examples
The following example enables accounting on all connections:
hostname(config)# aaa-server mygroup protocol tacacs+hostname(config)# aaa-server mygroup (inside) host 192.168.10.10 thekey timeout 20hostname(config)# aaa authentication include any inside 0 0 0 0 mygrouphostname(config)# aaa authorization include any inside 0 0 0 0 mygrouphostname(config)# aaa accounting include any inside 0 0 0 0 mygrouphostname(config)# aaa authentication ssh console mygroupThis example specifies that the authentication server with the IP address 192.168.10.10 resides on the inside interface and is in the TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that SSH access to the FWSM console requires authentication from the TACACS+ server.
Related Commands
aaa accounting command
To configure command accounting so that the FWSM sends to the accounting server each command entered by an administrator, use the aaa accounting command command in global configuration mode. To disable support for AAA command privilege accounting, use the no form of this command. The aaa accounting command command indicates the minimum level that must be associated with a command for an accounting record to be generated.
aaa accounting command [ privilege level ] server-tag
no aaa accounting command [ privilege level ] server-tag
Syntax Description
Defaults
The default privilege level is 0. By default, AAA command-privilege accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
When you configure the aaa accounting command command, each command entered by an administrator/user is recorded and sent to the accounting server or servers. The optional privilege specification indicates the minimum privilege level that must be associated with a command for an accounting record to be generated.
This command applies only to TACACS+ servers.
You must specify the name of the server or group, previously specified in an aaa-server command, to which this command applies.
Examples
The following example specifies that accounting records will be generated for any command at privilege level 6 or higher, and that these records are sent to the server from the group named adminserver.
hostname(config)# aaa accounting command privilege 6 adminserverRelated Commands
aaa accounting console
To enable support for AAA accounting for administrative access, use the aaa accounting console command in global configuration mode. To disable support for accounting for administrative access, use the no form of this command.
aaa accounting {telnet | ssh | enable} console server-tag
no aaa accounting {telnet | ssh | enable} console server-tag
Syntax Description
Defaults
By default, AAA accounting for administrative access is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
1.1(1)
This command was introduced on the FWSM.
2.2(1)
This command was modified to support fallback to LOCAL.
Usage Guidelines
You must specify the name of the server group, previously specified in an aaa-server command.
Examples
The following example specifies that accounting records will be generated for all Telnet transactions, and that these records are sent to the server named adminserver.
hostname(config)# aaa accounting telnet console adminserverRelated Commands
aaa accounting match
To enable accounting for traffic that is identified by an access list, use the aaa accounting match command in global configuration mode. To disable accounting for traffic that is identified by an access list, use the no form of this command. The aaa accounting match command specifies an access list name that must be matched, as well as an interface name and a server tag.
aaa accounting match acl-name interface-name server-tag
no aaa accounting match acl-name interface-name server-tag
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
The acl-name is defined by the access-list command.
In an ACL, permit = perform accounting and deny = do not perform accounting.
The AAA server group tag is defined by the aaa-server command. Before you can use this command, you must first designate an AAA server with the aaa-server command.
User accounting services keep a record of which network services a user has accessed. These records are kept on the designated AAA server or servers. Accounting information is sent only to the active server in a server group unless simultaneous accounting is enabled. The aaa accounting match command requires that a user specify an ACL name that must be matched before the accounting action can take place.
The ACL name can be either a number or an alphanumeric name.
Examples
The following example enables accounting for traffic matching a specific ACL, acl2, followed by the output of the show access-list command that displays the access list:
hostname(config) # aaa accounting match acl2 outside radserver1hostname(config) # show access-list acl12access-list acl12; 1 elementsaccess-list acl12 line 1 extended permit tcp any any (hitcnt=54021)Related Commands
aaa authentication challenge disable
To disable authentication challenge for FTP, Telnet, HTTP, or HTTPS, use the aaa authentication challenge disable command in global configuration mode. To reset the FWSM to default authentication, use the no form of this command.
aaa authentication {ftp | telnet | http | https } challenge disable
no aaa authentication {ftp | telnet | http | https } challenge disable
Syntax Description
Defaults
By default, if you enable authentication using the aaa authentication match or aaa authentication [include | exclude] commands, authentication challenge is enabled for FTP, Telnet, HTTP, and HTTPS.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
You can configure whether the FWSM challenges users for a username and password. By default, the FWSM prompts the user when a AAA rule enforces authentication for traffic in a new session and the protocol of the traffic is FTP, Telnet, HTTP, or HTTPS. In some cases, you may want to disable the authentication challenge for one or more of these protocols. You can use the aaa authentication challenge command to do so.
If you disable challenge authentication for a particular protocol, traffic using that protocol is allowed only if the traffic belongs to a session previously authenticated. This authentication can be accomplished by traffic using a protocol whose authentication challenge remains enabled. For example, if you disable challenge authentication for FTP, the FWSM denies a new session using FTP if the traffic is included in an authentication rule. If the user establishes the session with a protocol whose authentication challenge is enabled (such as HTTP), FTP traffic is allowed.
Examples
The following example permits inbound access to a TCP IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command requires authentication. The authentication server is at IP address 10.16.1.20 on the inside interface. The final command disables challenge authentication for FTP, which means that users whose sessions are identifed by the aaa authentication include command must be authenticated by Telnet, HTTP, or HTTPS, and not by FTP.
hostname(config)# aaa-server AuthIn protocol tacacs+hostname(config)# aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20hostname(config)# access-list acl-out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224hostname(config)# access-group acl-out in interface outsidehostname(config)# aaa authentication include tcp inside 0 0 0 0 AuthInhostname(config)# aaa authentication ftp challenge disableRelated Commands
aaa authentication console
To do any of the following, use the aaa authentication console command in global configuration mode:
•
•
•
To disable this authentication service, use the no form of this command.
aaa authentication {enable | telnet | ssh | http} console server-tag [LOCAL]
no aaa authentication {enable | telnet | ssh | http} console server-tag [LOCAL]
Syntax Description
Defaults
By default, fallback to the local database is disabled.
If a aaa authentication http console server-tag command statement is not defined, you can gain access to the FWSM (via ASDM) with no username and the FWSM enable password (set with the password command). If the aaa commands are defined, but the HTTP authentication requests a time out, which implies the AAA servers might be down or not available, you can gain access to the FWSM using the default administrator username and the enable password. By default, the enable password is not set.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
1.1(1)
This command was introduced.
2.2(1)
This command was modified to support fallback to LOCAL.
Usage Guidelines
The aaa authentication console command enables or disables authentication on entry to privileged mode, lets you require authentication verification to access the FWSM via the specified type of connection, or supports administrative authentication fallback.
Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.
Using the aaa authentication console command requires that you have previously used the aaa-server command to designate an authentication server, unless you have specified LOCAL as the server-group protocol. The aaa authentication console command supports RADIUS and TACACS+ groups.
Except as noted in "Defaults," if you are using HTTP authentication, the FWSM requires authentication verification of the HTTP server through the aaa authentication http console command.
When an administrator requests an action that requires authentication, the FWSM initiates an authentication session with servers from the server group specified. If the system is unable to communicate with any server from this group.
To configure administrative authentication to support fallback to the local user database if all servers in the specified server group are unavailable, use the aaa authentication command with the LOCAL option specified. This feature is disabled by default.
The maximum username prompt for HTTP authentication is 30 characters. The maximum password length is 16 characters.
As the following table shows, the action of the prompts for authenticated access to the FWSM console differ, depending on the option you choose with the aaa authentication console command.
enable
3 tries before access is denied
ssh
3 tries before access is denied
telnet
Continual until success
http
Continual until success
The ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if a aaa authentication ssh console server-tag command statement is not defined, you can gain access to the FWSM console with the username pix and with the FWSM Telnet password (set with the passwd command). If the aaa command is defined, but the SSH authentication requests time out (which implies the AAA servers may be down or not available), you can gain access to the FWSM using administrator username and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
The prompts users see requesting AAA credentials differ among the services that can access the FWSM for authentication: Telnet, FTP, HTTP, and HTTPS:
•
•
authentication-user-name@remote-system-user-nameauthentication-password@remote-system-passwordIf you daisy-chain FWSMs, Telnet authentication works in the same way as a single unit, but FTP and HTTP users must enter each password and username with an additional "at" (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit, depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
•
The FWSM accepts only 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits, if required. During authentication, the FWSM negotiates only Go-Ahead, Echo, and NVT (network virtual terminal).
HTTP Authentication
When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users might be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the FWSM authentication credentials.
Microsoft Internet Information Service (IIS) servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the FWSM username-password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, the FWSM provides the virtual http command, which redirects the initial connection of the browser to another IP address, authenticates the user, then redirects the browser back to the URL that the user originally requested.
Once authenticated, a user never has to reauthenticate, no matter how low the FWSM uauth timeout is set, because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can be cleared only when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS NetMeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
Note
TACACS+ and RADIUS servers
You can have up to 15 single-mode groups or 4 multi-mode groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.
The FWSM displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:
•
•
Examples
The following examples show the use of the aaa authentication console command.
Example 1:
The following example shows use of the aaa authentication console command for a Telnet connection to a RADIUS server with the server tag "radius":
hostname(config)# aaa authentication telnet console radiusExample 2:
The following example identifies the server group "AuthIn" for administrative authentication.
hostname(config)# aaa authentication enable console AuthInExample 3:
The following example shows use of the aaa authentication console command with fallback to the LOCAL user database if all the servers in the group "svrgrp1" fail:
hostname(config)# aaa-server svrgrp1 protocol tacacshostname(config)# aaa authentication ssh console svrgrp1 LOCALRelated Commands
aaa authentication include, exclude
To include or exclude user authentication for traffic through the FWSM, use the aaa authentication include or exclude command in global configuration mode. To disable user authentication, use the no form of this command.
aaa authentication include | exclude authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag
no aaa authentication include | exclude authentication-service interface-name local-ip local-mask [foreign-ip foreign-mask] server-tag
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Authentication lets you control access by requiring a valid username and password. You can configure the FWSM to authenticate the following items:
•
–
–
–
–
•
•
Each authentication server has a single pool of users. If you use the same server for multiple authentication rules and types, then a user needs to authenticate only one time for all rules and types, until the session expires. For example, if you configure the FWSM to authenticate Telnet and FTP, and a user successfully authenticates for Telnet, then as long as the session exists, the user does not also have to authenticate for FTP.
To include or exclude traffic for authentication, you must designate an authentication server with the aaa-server command before using the aaa authentication command. Each combination of local and foreign IP addresses can have one aaa authentication command for inbound connections and one for outbound connections. A session whose IP address is identified by the aaa-server authentication command starts a connection through FTP, Telnet, HTTP, or HTTPS and is prompted for a username and password. If the username and password are verified by the designated authentication server, the FWSM allows further traffic between the authenticating host and the client address.
Use the interface-name, local-ip, and foreign-ip variables to define where access is sought and from whom. The address for local-ip is always on the highest security level interface and foreign-ip is always on the lowest.
Note
You cannot use aaa include or exclude commands in the same configuration as aaa match commands.
For the local and foreign IP address masks, you can use 0 as a shorthand representation if the IP address is 0.0.0.0. Use 255.255.255.255 for a host.
The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The FWSM proxies FTP, HTTP, HTTPS, and Telnet to display the credentials prompts.
Note
local access authentication
To configure a AAA server (TACACS+, RADIUS, or LOCAL) to authenticate administrators, choose one of the following access authentication service options: telnet for Telnet access, ssh for SSH access, http for HTTP access, and enable for enable-mode access.
cut-through authentication
For cut-through proxy and "to the box" authentication, you can also use the local FWSM user authentication database by specifying the server group tag LOCAL. If LOCAL is specified for server-tag and the local user credential database is empty, the following warning message appears:
Warning:local database is empty! Use 'username' command to define local users.Conversely, if the local database becomes empty when LOCAL is still present in the command, the following warning message appears:
Warning:Local user database is empty and there are still commands using 'LOCAL' for authentication.The cut-through authentication service options are as follows: telnet, ftp, http, https, icmp/type, proto, tcp/port, and udp/port. The variable proto can be any supported IP protocol value or name: for example, ip or igmp. Only Telnet, FTP, HTTP, or HTTPS traffic triggers interactive user authentication.
The authentication ports that the FWSM supports for AAA are fixed:
•
•
•
•
For this reason, do not use Static PAT to reassign ports for services you want to authenticate. In other words, when the port to authenticate is not one of the three known ports, the FWSM rejects the connection instead of authenticating it.
You can enter an ICMP message type number for type to include or exclude that specific ICMP message type from authentication. For example, icmp/8 includes or excludes type 8 (echo request) ICMP messages.
The tcp/0 option enables authentication for all TCP traffic, which includes FTP, HTTP, HTTPS, and Telnet. When a specific port is specified, only the traffic with a matching destination port is included or excluded for authentication. Note that FTP, Telnet, HTTP, and HTTPS are equivalent to tcp/21, tcp/23, tcp/80, and tcp/443, respectively.
If you specify ip, all IP traffic is included or excluded for authentication, depending on whether include or exclude is specified. When all IP traffic is included for authentication, following are the expected behaviors:
•
•
Enabling Authentication
The aaa authentication command enables or disables the following features:
•
•
The prompts users see requesting AAA credentials differ among the services that can access the FWSM for authentication.
Note
You can specify an interface name with the aaa authentication command. For example, if you specified aaa authentication include tcp outside 0 0 server-tag, the FWSM authenticates a TCP connection originating on the outside interface.
Note
TACACS+ and RADIUS servers
You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each group can have up to 16 servers in single mode or 4 servers in multi-mode. The servers can be either TACACS+ or RADIUS servers—set with the aaa-server command. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
The FWSM permits only one authentication type per network. For example, if one network connects through the FWSM using TACACS+ for authentication, another network connecting through the FWSM can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
Note
Examples
The following examples show some uses of the aaa authentication command:
Example 1:
The following example includes for authentication TCP traffic on the outside interface, with a local IP address of 192.168.0.0 and a netmask of 255.255.0.0, with a remote/foreign IP address of all hosts, and using a server named "tacacs+". The second command line excludes Telnet traffic on the outside interface with a local address of 192.168.38.0, with a remote/foreign IP address of all hosts:
hostname(config)# aaa authentication include tcp outside 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+hostname(config)# aaa authentication exclude telnet outside 192.168.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+Example 2:
The following examples demonstrate ways to use the interface-name parameter. The FWSM has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
This example enables authentication for connections originated from the inside network to the outside network:
