Feedback
Table Of Contents
enrollment terminal (ca-trustpoint)
enrollment url (ca-trustpoint)
eap
Note
This command is removed effective with Cisco IOS Release 12.4(6)T.
To specify Extensible Authentication Protocol- (EAP-) specific parameters, use the eap command in identity profile configuration mode. To disable the parameters that were set, use the no form of this command.
eap {username name | password password}
no eap {username name | password password}
Syntax Description
username name
Username that will be sent to Request-Id packets.
password password
Password that should be used when replying to an Message Digest 5 (MD5) challenge.
Defaults
EAP parameters are not set.
Command Modes
Identity profile configuration
Command History
Usage Guidelines
Use this command if your router is configured as a supplicant. This command provides the means for configuring the identity and the EAP MD5 password that will be used by 802.1X to authenticate.
Examples
The following example shows that the EAP username "user1" has been configured:
Router(config)# identity profile dot1xRouter(config-identity-prof)# eap username user1Related Commands
enable
To enter privileged EXEC mode, or any other security level set by a system administrator, use the enable command in user EXEC or privileged EXEC mode.
enable [privilege-level] [view [view-name]]
Syntax Description
Defaults
Privilege-level 15 (privileged EXEC)
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
Entering privileged EXEC mode enables the use of privileged commands. Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If the system administrator has set a password with the enable password global configuration command, you are prompted to enter the password before being allowed access to privileged EXEC mode. The password is case sensitive.
If an enable password has not been set, only enable mode can be accessed through the console connection.
Security levels can be set by an administrator using the enable password and privilege level commands. Up to 16 privilege levels can be specified, using the numbers 0 through 15. Using these privilege levels, the administrator can allow or deny access to specific commands. Privilege level 0 is associated with user EXEC mode, and privilege level 15 is associated with privileged EXEC mode.
For more information on defined privilege levels, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference publications.
If a level is not specified when entering the enable command, the user will enter the default mode of privileged EXEC (level 15).
Accessing a CLI View
CLI views restrict user access to specified CLI and configuration information. To configure and access CLI views, users must first enter into root view, which is accomplished via the enable view command (without the view-name argument). Thereafter, users are prompted for a password, which is the same password as the privilege level 15 password.
The view-name argument is used to switch from one view to another view.
To prevent dictionary attacks, a user is prompted for a password even if an incorrect view name is given. The user is denied access only after an incorrect view name and password are given.
Examples
In the following example, the user enters privileged EXEC mode using the enable command. The system prompts the user for a password before allowing access to the privileged EXEC mode. The password is not printed to the screen. The user then exits back to user EXEC mode using the disable command. Note that the prompt for user EXEC mode is the greater than symbol (>), and the prompt for privileged EXEC mode is the number sign (#).
Router> enablePassword: <password1>Router# disableRouter>This following example shows which commands are available inside the CLI view "first" after the user has logged into this view:
Router# enable view firstPassword:00:28:23:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.Router# ?Exec commands:configure Enter configuration modeenable Turn on privileged commandsexit Exit from the EXECshow Show running system informationRouter# show ?ip IP informationparser Display parser informationversion System hardware and software statusRouter# show ip ?access-lists List IP access listsaccounting The active IP accounting databasealiases IP alias tablearp IP ARP tableas-path-access-list List AS path access listsbgp BGP informationcache IP fast-switching route cachecasa display casa informationcef Cisco Express Forwardingcommunity-list List community-listdfp DFP informationdhcp Show items in the DHCP databasedrp Director response protocoldvmrp DVMRP informationeigrp IP-EIGRP show commandsextcommunity-list List extended-community listflow NetFlow switchinghelper-address helper-address tablehttp HTTP informationigmp IGMP informationirdp ICMP Router Discovery Protocol...The following command shows how to issue the enable view command to switch from the root view to the CLI view "first":
Router# enable viewRouter#01:08:16:%PARSER-6-VIEW_SWITCH:successfully set to view 'root'.Router#! Enable the show parser view command from the root viewRouter# show parser viewCurrent view is 'root'! Enable the show parser view command from the root view to display all viewsRouter# show parser view allViews Present in System:View Name: firstView Name: second! Switch to the CLI view "first."Router# enable view firstRouter#01:08:09:%PARSER-6-VIEW_SWITCH:successfully set to view 'first'.! Enable the show parser view command from the CLI view "first."Router# show parser viewCurrent view is 'first'Related Commands
enable password
To set a local password to control access to various privilege levels, use the enable password command in global configuration mode. To remove the password requirement, use the no form of this command.
enable password [level level] {password | [encryption-type] encrypted-password}
no enable password [level level]
Syntax Description
Defaults
No password is defined. The default is level 15.
Command Modes
Global configuration
Command History
Usage Guidelines
Caution
Use this command with the level option to define a password for a specific privilege level. After you specify the level and the password, give the password to the users who need to access this level. Use the privilege level configuration command to specify commands accessible at various levels.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste into this command a password that has already been encrypted by a Cisco router.
Caution
If the service password-encryption command is set, the encrypted form of the password you create with the enable password command is displayed when a more nvram:startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
An enable password is defined as follows:
•
•
•
•
–
–
–
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Examples
The following example enables the password "password1" for privilege level 2:
enable password level 2 password1The following example sets the encrypted password "$1$i5Rkls3LoyxzS8t9", which has been copied from a router configuration file, for privilege level 2 using encryption type 7:
enable password level 2 5 $1$i5Rkls3LoyxzS8t9Related Commands
enable secret
To specify an additional layer of security over the enable password command, use the enable secret command in global configuration mode. To turn off the enable secret function, use the no form of this command.
enable secret [level level] {password | [encryption-type] encrypted-password}
no enable secret [level level]
Syntax Description
Defaults
No password is defined. The default level is 15.
Command Modes
Global configuration
Command History
Usage Guidelines
Caution
Use this command to provide an additional layer of security over the enable password. The enable secret command provides better security by storing the enable secret password using a non-reversible cryptographic function. The added layer of security encryption provides is useful in environments where the password crosses the network or is stored on a TFTP server.
You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste into this command an encrypted password that you copied from a router configuration file.
Caution
If you use the same password for the enable password and enable secret commands, you receive an error message warning that this practice is not recommended, but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.
Note
If service password-encryption is set, the encrypted form of the password you create here is displayed when a more nvram:startup-config command is entered.
You can enable or disable password encryption with the service password-encryption command.
An enable password is defined as follows:
•
•
•
•
–
–
–
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Examples
The following example specifies the enable secret password of "password1":
enable secret password1After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.
Password: password1The following example enables the encrypted password "$1$FaD0$Xyti5Rkls3LoyxzS8", which has been copied from a router configuration file, for privilege level 2 using encryption type 5:
enable password level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8Related Commands
enable
Enters privileged EXEC mode.
enable password
Sets a local password to control access to various privilege levels.
encryption (IKE policy)
To specify the encryption algorithm within an Internet Key Exchange (IKE) policy, use the encryption command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the encryption algorithm to the default value, use the no form of this command.
encryption {des | 3des | aes | aes 192 | aes 256}
no encryption
Syntax Description
Defaults
The 56-bit DES-CBC encryption algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the encryption algorithm to be used in an IKE policy.
If a user enters an IKE encryption method that the hardware does not support, a warning message will be displayed immediately after the encryption command is entered.
Examples
The following example configures an IKE policy with the 3DES encryption algorithm (all other parameters are set to the defaults):
crypto isakmp policyencryption 3desexitThe following example is a sample warning message that is displayed when a user enters an IKE encryption method that the hardware does not support:
encryption aes 256WARNING:encryption hardware does not support the configuredencryption method for ISAKMP policy 1Related Commands
enrollment
To specify the enrollment parameters of your certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.
enrollment [mode] [retry minutes] [retry number] url url
no enrollment [mode] [retry minutes] [retry number] url url
Syntax Description
Defaults
RA mode is turned off until you enable the mode keyword.
The router will send the CA another certificate request every 1 minute unless otherwise specified.
There is no limit to the number of retries unless you specify a number via retry number.
Your router does not know the CA URL until you specify it via url url.Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.
Use the retry minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. The router will continue to send requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries is exceeded. By default, the router will keep sending requests forever, unless you can change this parameter to a finite number using the retry number option.
Use the url url option to specify or change the URL of the CA. You can specify enrollment via SCEP (an HTTP URL) or TFTP (a TFTP URL).
TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto ca authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the router's FQDN will be used.)
Note
Examples
The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://example:80":
crypto ca trustpoint kaenrollment url http://example:80Related Commands
crypto ca authenticate
Authenticates the CA (by getting the CA's certificate).
crypto ca trustpoint
Declares the CA that your router should use.
enrollment credential
To specify an existing trustpoint from another vendor that is to be enrolled with the Cisco IOS certificate server, use the enrollment credential command in ca-profile-enroll configuration mode.
enrollment credential label
Syntax Description
Defaults
No default behavior or values.
Command Modes
Ca-profile-enroll configuration
Command History
Usage Guidelines
To configure a router that is already enrolled with a CA of another vendor that is to be enrolled with a Cisco IOS certificate server, you must configure a certificate enrollment profile (via the crypto pki profile enrollment command). Thereafter, you should issue the enrollment credential command, which specifies the trustpoint of another vendor that has to be enrolled with a Cisco IOS certificate server.
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and ! authenticate the client with the non-Cisco IOS CA.crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllip-address FastEthernet2/0revocation-check crl!! Configure trustpoint "cs" for Cisco IOS CA.crypto pki trustpoint csenrollment profile cs1revocation-check crl!! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the ! enrollment credential command) that "msca-root" is being initially enrolled with the ! Cisco IOS CA.crypto pki profile enrollment cs1enrollment url http://cs:80enrollment credential msca-root!! Configure the certificate server, and issue and thegrant auto trustpoint command to ! instruct the certificate server to accept enrollment request only from clients who are ! already enrolled with trustpoint "msca-root."crypto pki server csdatabase level minimumdatabase url nvram:issuer-name CN=csgrant auto trustpoint msca-root!crypto pki trustpoint csrevocation-check crlrsakeypair cs!crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllrevocation-check crlRelated Commands
enrollment mode ra
The enrollment mode ra command is replaced by the enrollment command. See the enrollment command for more information.
enrollment retry count
The enrollment retry count command is replaced by the enrollment command. See the enrollment command for more information.
enrollment retry period
The enrollment retry period command is replaced by the enrollment command. See the enrollment command for more information.
enrollment selfsigned
To specify self-signed enrollment for a trustpoint, use the enrollment selfsigned command in ca-trustpoint configuration mode. To delete self-signed enrollment from a trustpoint, use the no form of this command.
enrollment selfsigned
no enrollment selfsigned
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default behavior or values.
Command Modes
ca-trustpoint configuration (ca-trustpoint)
Command History
Usage Guidelines
Before you can use the enrollment selfsigned command, you must enable the crypto pki trustpoint command, which defines the trustpoint and enters ca-trustpoint configuration mode.
If you do not use this command, you should specify another enrollment method for the router by using an enrollment command such as enrollment url or enrollment terminal.
Examples
The following example shows a self-signed certificate being designated for a trustpoint named local:
crypto pki trustpoint localenrollment selfsignedRelated Commands
enrollment terminal (ca-trustpoint)
To specify manual cut-and-paste certificate enrollment, use the enrollment terminal command in ca-trustpoint configuration mode. To delete a current enrollment request, use the no form of this command.
enrollment terminal [pem]
no enrollment terminal [pem]
Syntax Description
Defaults
No default behavior or values
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
A user may want to manually cut-and-paste certificate requests and certificates when he or she does not have a network connection between the router and certification authority (CA). When this command is enabled, the router displays the certificate request on the console terminal, allowing the user to enter the issued certificate on the terminal.
The pem Keyword
Use the pem keyword to issue certificate requests (via the crypto ca enroll command) or receive issued certificates (via the crypto ca import certificate command) in PEM-formatted files through the console terminal. If the CA server does not support simple certificate enrollment protocol (SCEP), the certificate request can be presented to the CA server manually.
Note
Examples
The following example shows how to manually specify certificate enrollment via cut-and-paste. In this example, the CA trustpoint is "MS."
crypto ca trustpoint MSenrollment terminalcrypto ca authenticate MS!crypto ca enroll MScrypto ca import MS certificateRelated Commands
enrollment url (ca-identity)
The enrollment url (ca-identity) command is replaced by the enrollment url (ca-trustpoint) command. See the enrollment url (ca-trustpoint) command for more information.
enrollment url (ca-trustpoint)
To specify the enrollment parameters of a certification authority (CA), use the enrollment command in ca-trustpoint configuration mode. To remove any of the configured parameters, use the no form of this command.
enrollment [mode] [retry period minutes] [retry count number] url url [pem]
no enrollment [mode] [retry period minutes] [retry count number] url url [pem]
Syntax Description
mode
(Optional) Registration authority (RA) mode, if your CA system provides an RA. By default, RA mode is disabled.
retry period minutes
(Optional) Specifies the period in which the router will wait before sending the CA another certificate request. The default is 1 minute between retries. (Specify from 1 to 60 minutes.)
retry count number
(Optional) Specifies the number of times a router will resend a certificate request when it does not receive a response from the previous request. The default is 10 retries. (Specify from 1 to 100 retries.)
url url
URL of the file system where your router should send certificate requests. For enrollment method options, see Table 19.
pem
(Optional) Adds privacy-enhanced mail (PEM) boundaries to the certificate request.
Defaults
Your router does not know the CA URL until you specify it using url url.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the mode keyword to specify the mode supported by the CA. This keyword is required if your CA system provides an RA.
Use the retry period minutes option to change the retry period from the default of 1 minute between retries. After requesting a certificate, the router waits to receive a certificate from the CA. If the router does not receive a certificate within a period of time (the retry period), the router will send another certificate request. By default, the router will send a maximum of 10 requests until it receives a valid certificate, until the CA returns an enrollment error, or until the configured number of retries (specified via the retry count number option) is exceeded.
Use the pem keyword to issue certificate requests (using the crypto pki enroll command) or receive issued certificates (using the crypto pki import certificate command) in PEM-formatted files.
Note
Use the url url option to specify or change the URL of the CA. Table 19 lists the available enrollment methods.
Table 19 Certificate Enrollment Methods
bootflash
Enroll via bootflash: file system
cns
Enroll via Cisco Networking Services (CNS): file system
flash
Enroll via flash: file system
ftp
Enroll via FTP: file system
SCEP1
Enroll via Simple Certificate Enrollment Protocol (SCEP) (an HTTP URL)
null
Enroll via null: file system
nvram
Enroll via NVRAM: file system
rcp
Enroll via remote copy protocol (rcp): file system
scp
Enroll via secure copy protocol (scp): file system
system
Enroll via system: file system
TFTP2
Enroll via TFTP: file system
1 If you are using SCEP for enrollment, the URL must be in the form http://CA_name, where CA_name is the host Domain Name System (DNS) name or IP address of the CA.
2 If you are using TFTP for enrollment, the URL must be in the form tftp://certserver/file_specification. (The file_specification is optional. See the section "TFTP Certificate Enrollment" for additional information.)
TFTP Certificate Enrollment
TFTP enrollment is used to send the enrollment request and retrieve the certificate of the CA and the certificate of the router. If the file_specification is included in the URL, the router will append an extension onto the file specification. When the crypto pki authenticate command is entered, the router will retrieve the certificate of the CA from the specified TFTP server. As appropriate, the router will append the extension ".ca" to the filename or the fully qualified domain name (FQDN). (If the url url option does not include a file specification, the FQDN of the router will be used.)
Note
Examples
The following example shows how to declare a CA named "ka" and specify the URL of the CA as "http://address:80":
crypto pki trustpoint kaenrollment url http://address:80Related Commands
eou clientless
To set user group credentials for clientless hosts, use the eou clientless command in global configuration mode. To remove the user group credentials, use the no form of this command.
eou clientless {password password | username username}
no eou clientless {password | username}
Syntax Description
Defaults
Username and password values are clientless.
Command Modes
Global configuration
Command History
Usage Guidelines
For this command to be effective, the eou allow command must also be enabled.
Examples
The following example shows that a clientless host with the username "user1" has been configured:
Router(config)# eou clientless username user1The following example shows that a clientless host with the password "password1" has been configured:
Router(config)# eou clientless password password1Related Commands
evaluate
To nest a reflexive access list within an access list, use the evaluate command in access-list configuration mode. To remove a nested reflexive access list from the access list, use the no form of this command.
evaluate name
no evaluate name
Syntax Description
name
The name of the reflexive access list that you want evaluated for IP traffic entering your internal network. This is the name defined in the permit (reflexive) command.
Defaults
Reflexive access lists are not evaluated.
Command Modes
Access-list configuration
Command History
Usage Guidelines
This command is used to achieve reflexive filtering, a form of session filtering.
Before this command will work, you must define the reflexive access list using the permit (reflexive) command.
This command nests a reflexive access list within an extended named IP access list.
If you are configuring reflexive access lists for an external interface, the extended named IP access list should be one which is applied to inbound traffic. If you are configuring reflexive access lists for an internal interface, the extended named IP access list should be one which is applied to outbound traffic. (In other words, use the access list opposite of the one used to define the reflexive access list.)
This command allows IP traffic entering your internal network to be evaluated against the reflexive access list. Use this command as an entry (condition statement) in the IP access list; the entry "points" to the reflexive access list to be evaluated.
As with all access list entries, the order of entries is important. Normally, when a packet is evaluated against entries in an access list, the entries are evaluated in sequential order, and when a match occurs, no more entries are evaluated. With a reflexive access list nested in an extended access list, the extended access list entries are evaluated sequentially up to the nested entry, then the reflexive access list entries are evaluated sequentially, and then the remaining entries in the extended access list are evaluated sequentially. As usual, after a packet matches any of these entries, no more entries will be evaluated.
Examples
The following example shows reflexive filtering at an external interface. This example defines an extended named IP access list inboundfilters, and applies it to inbound traffic at the interface. The access list definition permits all Border Gateway Protocol and Enhanced Interior Gateway Routing Protocol traffic, denies all Internet Control Message Protocol traffic, and causes all Transmission Control Protocol traffic to be evaluated against the reflexive access list tcptraffic.
If the reflexive access list tcptraffic has an entry that matches an inbound packet, the packet will be permitted into the network. tcptraffic only has entries that permit inbound traffic for existing TCP sessions.
interface Serial 1description Access to the Internet via this interfaceip access-group inboundfilters in!ip access-list extended inboundfilterspermit 190 any anypermit eigrp any anydeny icmp any anyevaluate tcptrafficRelated Commands
firewall are-u-there
To add the Firewall-Are-U-There attribute to the server group if your PC is running the Black Ice or Zone Alarm personal firewalls, use the firewall are-u-there command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To disable the Firewall-Are-U-There attribute, use the no form of this command.
firewall are-u-there
no firewall are-u-there
Syntax Description
This command has no arguments or keywords.
Defaults
The server will not send the Firewall-Are-U-There attribute to the client.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Usage Guidelines
The Firewall-Are-U-There attribute is sent by the Black Ice and Zone Alarm personal firewalls if they are prompted by the server. If connections to the Virtual Private Network (VPN) are for protected devices only, that is, if a PC is running one of these personal firewalls, you should add the attribute to the server group. Devices that do not have a personal firewall will not respond with their capabilities, and their connections will be dropped.
The Firewall-Are-U-There attribute is configured on a Cisco IOS router or in the RADIUS profile.
To configure the Firewall-Are-U-There attribute, use the firewall are-u-there command.
An example of an attribute-value (AV) pair for the Firewall-Are-U-There attribute is as follows:
ipsec:firewall=1
You must enable the crypto isakmp client configuration group command, which specifies group policy information that has to be defined or changed, before enabling the firewall are-u-there command.
Note
•
•
•
•
Examples
The following example shows that the Firewall-Are-U-There attribute has been configured:
crypto isakmp client configuration group group1firewall are-u-thereRelated Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
fqdn (crypto identity)
To associate the identity of the router with the host name that the peer used to authenticate itself, use the fqdn command in crypto identity configuration mode. To remove this command from your configuration, use the no form of this command.
fqdn name
no fqdn name
Syntax Description
Defaults
If this command is not enabled, the router can communicate with any encrypted interface that is not restricted on its IP address.
Command Modes
Crypto identity configuration
Command History
Usage Guidelines
Use the fqdn command to associate the identity of the router, which is defined in the crypto identity command, with the distinguished name (DN) in the certificate of the router. This command allows you set restrictions in the router configuration that prevent those peers with specific certificates, especially certificates with particular DNs, from having access to selected encrypted interfaces.
Note
Examples
The following example shows how to configure a crypto map that can be used only by peers that have been authenticated by hostname and if the certificate belongs to "example.com":
crypto map map-to-example-com 10 ipsec-isakmpset peer 172.21.115.119set transform-set my-transformsetmatch address 125identity to-example-com!crypto identity to-example-comfqdn example.comRelated Commands
grant auto trustpoint
To specify the certification authority (CA) trustpoint of another vendor from which the Cisco IOS certificate server will automatically grant certificate enrollment requests, use the grant auto trustpoint command in certificate server configuration mode.
grant auto trustpoint label
Syntax Description
Defaults
No default behavior or values.
Command Modes
Certificate server configuration
Command History
Usage Guidelines
After the network administrator for the server configures and authenticates a trustpoint for the CA of another vendor, the grant auto trustpoint command is issued to reference the newly created trustpoint and enroll the router with a Cisco IOS CA.
Note
The Cisco IOS certificate server will automatically grant only the requests from clients who were already enrolled with the CA of another vendor. All other requests must be manually granted—unless the server is set to be in auto grant mode (via the grant automatic command).
Caution
Examples
The following example shows how to configure a client router and a Cisco IOS certificate server to exchange enrollment requests via a certificate enrollment profile:
! Define the trustpoint "msca-root" that points to the non-Cisco IOS CA and enroll and ! authenticate the client with the non-Cisco IOS CA.crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllip-address FastEthernet2/0revocation-check crl!! Configure trustpoint "cs" for Cisco IOS CA.crypto pki trustpoint csenrollment profile cs1revocation-check crl!! Define enrollment profile "cs1," which points to Cisco IOS CA and mention (via the ! enrollment credential command) that "msca-root" is being initially enrolled with the ! Cisco IOS CA.crypto pki profile enrollment cs1enrollment url http://cs:80enrollment credential msca-root!! Configure the certificate server, and issue the grant auto trustpoint command to ! instruct the certificate server to accept enrollment request only from clients who are ! already enrolled with trustpoint "msca-root."crypto pki server csdatabase level minimumdatabase url nvram:issuer-name CN=csgrant auto trustpoint msca-root!crypto pki trustpoint csrevocation-check crlrsakeypair cs!crypto pki trustpoint msca-rootenrollment mode raenrollment url http://msca-root:80/certsrv/mscep/mscep.dllrevocation-check crlRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
group (authentication)
To specify the authentication, authorization, and accounting (AAA) TACACS+ server group to use for preauthentication, use the group command in AAA preauthentication configuration mode. To remove the group command from your configuration, use the no form of this command.
group {tacacs+ server-group}
no group {tacacs+ server-group}
Syntax Description
tacacs+
Uses a TACACS+ server for authentication.
server-group
Name of the server group to use for authentication.
Defaults
No method list is configured.
Command Modes
AAA preauthentication configuration
Command History
Usage Guidelines
You must configure the group command before you configure any other AAA preauthentication command (clid, ctype, dnis, or dnis bypass).
Examples
The following example enables Dialed Number Identification Service (DNIS) preauthentication using the abc123 server group and the password aaa-DNIS:
aaa preauthgroup abc123dnis password aaa-DNISRelated Commands
aaa preauth
Enters AAA preauthentication mode.
dnis (authentication)
Enables AAA preauthentication using DNIS.
group (IKE policy)
To specify the Diffie-Hellman group identifier within an Internet Key Exchange (IKE) policy, use the group command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the Diffie-Hellman group identifier to the default value, use the no form of this command.
group {1 | 2 | 5}
no group
Syntax Description
1
Specifies the 768-bit Diffie-Hellman group.
2
Specifies the 1024-bit Diffie-Hellman group.
5
Specifies the 1536-bit Diffie-Hellman group.
Command Default
768-bit Diffie-Hellman (group 1)
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the Diffie-Hellman group to be used in an IKE policy.
Examples
The following example configures an IKE policy with the 1024-bit Diffie-Hellman group (all other parameters are set to the defaults):
crypto isakmp policy 15group 2exitRelated Commands
group-lock
The group-lock command attribute is used to check if a user attempting to connect to a group belongs to this group. This attribute is used in conjunction with the extended authentication (Xauth) username. The user name must include the group to which it belongs. The group is then matched against the VPN group name (ID_KEY_ID) that is passed during the Internet Key Exchange (IKE). If the groups do not match, then the client connection is terminated.
To allow the extended authentication (Xauth) username to be entered when preshared key authentication is used with IKE, use the group-lock command in Internet Security Association Key Management Protocol (ISAKMP) group configuration mode. To remove the group lock, use the no form of this command.
Note
group-lock
no group-lock
Syntax Description
This command has no arguments or keywords.
Defaults
Group lock is not configured.
Command Modes
ISAKMP group configuration (config-isakmp-group)
Command History
Usage Guidelines
The Group-Lock attribute can be used if preshared key authentication is used with IKE. When the user enables the group-lock command attribute, one of the following extended Xauth usernames can be entered:
name/group
name\group
name@group
name%group
where the \ / @ % are the delimiters. The group that is specified after the delimiter is then compared against the group identifier that is sent during IKE aggressive mode. The groups must match or the connection is rejected.
Caution
The Group-Lock attribute is configured on a Cisco IOS router or in the RADIUS profile. This attribute has local (gateway) significance only and is not passed to the client.
Note
The username in the local or RADIUS database must be of the following format:
username[/,\,%,@]group.
Examples
The following example shows how Group-Lock attribute is configured in the CLI using the group-lock command:
Note
crypto isakmp client configuration group ciscogroup-lockThe following example shows how an attribute-value (AV) pair for the User-VPN-Group attribute is added in the RADIUS configuration:
Note
ipsec:group-lock=1Related Commands
acl
Configures split tunneling.
crypto isakmp client configuration group
Specifies the DNS domain to which a group belongs.
hash (IKE policy)
To specify the hash algorithm within an Internet Key Exchange policy, use the hash command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the hash algorithm to the default SHA-1 hash algorithm, use the no form of this command.
hash {sha | md5}
no hash
Syntax Description
sha
Specifies SHA-1 (HMAC variant) as the hash algorithm.
md5
Specifies MD5 (HMAC variant) as the hash algorithm.
Defaults
The SHA-1 hash algorithm
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the hash algorithm to be used in an IKE policy.
Examples
The following example configures an IKE policy with the MD5 hash algorithm (all other parameters are set to the defaults):
crypto isakmp policy 15hash md5exitRelated Commands
hw-module slot subslot only
To change the mode of the Cisco 7600 SSC-400 card to allocate full buffers to the specified subslot, use the hw-module slot subslot only command in global configuration mode.
Note
hw-module slot slot subslot subslot only
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
Follow these guidelines and restrictions when configuring a Cisco 7600 SSC-400 and IPSec VPN SPAs using the hw-module slot subslot only command:
•
•
•
Module n will be reset? Confirm [n]:
The prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.
•
Examples
The following example allocates full buffers to the SPA that is installed in subslot 0 of the SIP located in slot 1 of the router and takes a reset action of the Cisco 7600 SSC-400:
Router(config)# hw-module slot 4 subslot 1 onlyModule 4 will be reset? Confirm [no]: yNote that the prompt will default to "N" (no). You must type "Y" (yes) to activate the reset action.
Related Commands
ip multicast-routing
Enables IP multicast routing.
ip pim
Enables PIM on an interface.
