Symbols
<cr> xv
? command xiv
A
AAA (authentication, authorization, and accounting)
resource accounting SR-94, SR-96
aaa accounting command SR-86
aaa accounting connection h323 command SR-90
aaa accounting delay-start command SR-92
aaa accounting nested command SR-93
aaa accounting resource start-stop group command SR-94
aaa accounting resource stop-failure group command SR-96
aaa accounting send stop-record authentication failure command SR-98
aaa accounting suppress null-username command SR-99
aaa accounting update command SR-100
aaa authentication arap command SR-4
aaa authentication banner command SR-6
aaa authentication enable default command SR-8
aaa authentication fail-message command SR-10
aaa authentication login command SR-12
aaa authentication nasi command SR-14
aaa authentication password-prompt command SR-16
aaa authentication ppp command SR-18
aaa authentication username-prompt command SR-20
aaa authorization command SR-70
aaa authorization config-commands command SR-74
aaa authorization console command SR-76
aaa authorization reverse-access command SR-77
aaa dnis map accounting network command SR-102
aaa dnis map authentication login group command SR-22
aaa dnis map authentication ppp group command SR-24
aaa dnis map authorization network group command SR-80
aaa group server radius command SR-114
aaa group server tacacs+ command SR-169
aaa nas port extended command SR-116
aaa nas redirected-station command SR-26
aaa new-model command SR-28
aaa pod server command SR-29
aaa preauth command SR-31
aaa processes command SR-33
aaa session-mib command SR-80, SR-104
access-enable command SR-202
access-list dynamic-extend command SR-204
access lists
dynamic, extending SR-204
reflexive SR-209
See also IPSec
access lists, clearing temporary entries SR-202
access-profile command SR-35
replace command form (caution) SR-36
using per-user configuration (caution) SR-36
access-template command SR-205
accounting (AAA) command SR-105
accounting (gatekeeper) command SR-107
address command SR-400
addressed-key command SR-402
AESOs (Auxiliary Extended Security Options), attaching to interfaces SR-474
algorithms
encryption
See IKE, algorithms
hash
See IKE, algorithms
arap authentication command SR-38
using list-names (caution) SR-38
authentication
See also IKE, extended authentication
authentication (IKE policy) command SR-404
authentication, CAs SR-368
authorization command SR-82
C
ca-identity mode, enabling SR-377
call guard-timer command SR-118
carriage return (<cr>) xv
CAs (certification authorities)
authenticating SR-368
enrolling SR-374
identity, deleting SR-377
locations, specifying SR-388
public keys SR-368
trusted root
PROXY SR-379
querying SR-379
SCEP SR-379
TFTP SR-379
URLs, specifying SR-388
See also Certification Authority Interoperability
cautions
access-profile command
replace command form SR-36
using per-user configuration SR-36
arap authentication command, using list-names SR-38
enable password command, using encryption-type SR-447
enable secret command, using encryption-type SR-449
Java blocking SR-251
key config-key command, unrecoverable DES key SR-197
login authentication command, using list-names SR-47
nasi authentication command, using list-names SR-49
ppp authentication command
using list-names (caution) SR-52
service password-encryption command, security level SR-457
cautions, usage in text x
CBAC (Context-based Access Control)
alert messages, enabling SR-240
application-layer protocols, configuring SR-251
audit trail messages
(example) SR-240
enabling SR-241
configurations, viewing SR-267
denial-of-service attacks, detection of SR-261
disabling SR-266
fragment inspection, configuring SR-253
H.323 inspection, configuring SR-252
half-open sessions
deleting, high threshold SR-244, SR-255
deleting, low threshold SR-246, SR-257
description SR-244
TCP threshold SR-261
inspection rules
applying (example) SR-243
defining SR-248
removing SR-243
viewing SR-267
Java
blocking SR-249
(caution) SR-251
inspection, configuring SR-251
RPC inspection, configuring SR-252
SMTP inspection, configuring SR-252
TCP inspection, configuring SR-251
timeouts
DNS idle, specifying SR-242
FIN-exchange, specifying SR-259
overriding SR-252
synwait, specifying SR-263
TCP idle, specifying SR-260
UDP idle, specifying SR-264
UDP inspection, configuring SR-251
CEP (Certificate Enrollment Protocol), specifying SR-391
certificate chain configuration mode, enabling SR-370
certificate command SR-362
certificates
adding SR-362
requesting SR-374
requests
resending, number of times SR-384
resending, wait period SR-386
retrieving SR-372
revoking SR-374
storing SR-372
verifying SR-379
viewing SR-394
Certification Authority Interoperability
CA authentication SR-368
challenge password SR-374
commands SR-361
NVRAM memory usage SR-372
See also CAs; certificates; CRLs; RSA keys
changed information in this release ix
Cisco IOS configuration changes, saving xviii
clear access-template command SR-207
clear crypto isakmp command SR-406
clear crypto sa command SR-310
clear ip audit configuration command SR-272
clear ip audit statistics command SR-273
clear ip auth-proxy cache command SR-290
clear ip trigger-authentication command SR-40
clear kerberos creds command SR-186
clid command SR-119
command modes, understanding xiii to xiv
commands
context-sensitive help for abbreviating xiv
default form, using xvii
no form, using xvii
command syntax
conventions ix
displaying (example) xv
config-isakmp command mode, enabling SR-414
configurations, saving xviii
crl optional command SR-364
crl query command SR-366
CRLs (certificate revocation lists)
retrieving SR-372
storing SR-372
crypto ca authenticate command SR-368
crypto ca certificate chain command SR-370
crypto ca certificate query command SR-372
crypto ca crl request command SR-373
crypto ca enroll command SR-374
crypto ca identity command SR-377
crypto ca trusted-root command SR-379
crypto dynamic-map command SR-312
crypto engine accelerator command SR-315
crypto ipsec security-association lifetime command SR-316
crypto ipsec transform-set command SR-318
crypto isakmp client configuration address-pool local command SR-407
crypto isakmp enable command SR-408
crypto isakmp identity command SR-409
crypto isakmp keepalive command SR-411
crypto isakmp key command SR-412
crypto isakmp policy command SR-414
crypto key generate rsa command SR-416
crypto key pubkey-chain rsa command SR-419
crypto key zeroize rsa command SR-381
crypto map (IPSec global) command SR-322
crypto map (IPSec interface) command SR-327
crypto map client authentication list command SR-421
crypto map client configuration address command SR-423
crypto map isakmp authorization list command SR-424
crypto map local-address command SR-329
crypto transform configuration mode, enabling SR-320
ctype command SR-121
D
deadtime (server-group configuration) command SR-123
dialer aaa command SR-124
Diffie-Hellman
See IKE DH
disconnect ssh command SR-500
dnis (AAA preauthentication) command SR-41
dnis (AAA preauthentication configuration) command SR-126
dnis bypass (AAA preauthentication configuration) command SR-128
DNS idle timeout, specifying SR-242
DNSIX (Department of Defense Intelligence Information System Network Security for Information Exchange)
collection center, specifying SR-467
enabling SR-470
hosts that receive messages
alternate SR-469
primary SR-468
number of records in a packet, specifying SR-471
retransmit count SR-466
dnsix-dmdp retries command SR-466
dnsix-nat authorized-redirection command SR-467
dnsix-nat primary command SR-468
dnsix-nat secondary command SR-469
dnsix-nat source command SR-470
dnsix-nat transmit-count command SR-471
documentation
conventions ix
feedback, providing xi
online, accessing x
ordering xi
Documentation CD-ROM x
documents and resources, supporting viii
dynamic ACL, extending SR-204
E
enable password command SR-446
using encryption-type (caution) SR-447
enable secret command SR-448
using encryption-type (caution) SR-449
encryption algorithm
See IKE, algorithms
encryption (IKE policy) command SR-426
enrollment mode ra command SR-383
enrollment retry-count command SR-384
enrollment retry-period command SR-386
enrollment url command SR-388
evaluate command SR-210
F
Feature Navigator
See platforms, supported
filtering output, show and more commands xviii
FIN-exchange timeout, specifying SR-259
G
gatekeeper, security, enabling SR-107
global configuration mode, summary of xiv
group (AAA preauthentication configuration) command SR-129
group (IKE policy) command SR-427
group tacacs+ (AAA preauthentication configuration) command SR-43
H
H.323 gatekeeper, enabling SR-107
hardware platforms
See platforms, supported
hash (IKE policy) command SR-428
hash algorithm
See IKE, algorithms
help command xiv
I
IKE (Internet Key Exchange) security protocol
AAA, querying SR-424
algorithms
encryption SR-426
hash SR-428
authentication methods, specifying SR-404
commands SR-399
connections, clearing SR-406
DH group identifier, specifying SR-427
disabling SR-408
enabling SR-408
extended authentication SR-421
group identifier, specifying SR-427
keys
See keys, preshared using AAA server
negotiations
states SR-437
policies
multiple SR-414
parameters, specifying SR-414
parameters, viewing SR-435
viewing SR-435
requirements
IPSec peers SR-408
See also IPSec; SAs
indexes, master viii
interface configuration mode, summary of xiv
IP
See IPSO
ip audit attack command SR-275
ip audit command SR-274
ip audit info command SR-276
ip audit name command SR-277
ip audit notify command SR-278
ip audit po local command SR-279
ip audit po max-events command SR-280
ip audit po protected command SR-281
ip audit po remote command SR-282
ip audit signature command SR-284
ip audit smtp command SR-285
ip auth-proxy (global) command SR-291
ip auth-proxy (interface) command SR-292
ip auth-proxy auth-proxy-banner command SR-293
ip auth-proxy name command SR-295
ip inspect (interface configuration) command SR-243
ip inspect alert-off command SR-240
ip inspect audit trail command SR-241
ip inspect dns-timeout command SR-242
ip inspect max-incomplete high command SR-244
ip inspect max-incomplete low command SR-246
ip inspect name command SR-248
ip inspect one-minute high command SR-255
ip inspect one-minute low command SR-257
ip inspect tcp finwait-time command SR-259
ip inspect tcp idle-time command SR-260
ip inspect tcp max-incomplete host command SR-261
ip inspect tcp synwait-time command SR-263
ip inspect udp idle-time command SR-264
ip port-map command SR-300
ip radius source-interface command SR-131
ip reflexive-list timeout command SR-212
IPSec (IPSec network security protocol)
commands SR-309
crypto access lists, specifying SR-331
crypto map entries
creating SR-322
lifetime values, overriding SR-341
specifying a peer SR-335
crypto maps
applying SR-327
creating SR-312
dynamic, viewing SR-349
interfaces, identifying SR-329
priorities SR-324
purpose SR-323
lifetimes, viewing SR-356
requirements, IKE SR-408
SAs
clearing SR-310
lifetimes, changing SR-316
requesting SR-339
viewing SR-354
session keys, specifying manually SR-344
transforms
allowed combinations SR-319
changing SR-320
selecting SR-320
transform sets
defining SR-318
mode, changing SR-333
specifying SR-347
viewing SR-357
ip security add command SR-472
ip security aeso command SR-474
ip security dedicated command SR-475
ip security eso-info command SR-477
ip security eso-max command SR-478
ip security eso-min command SR-480
ip security extended-allowed command SR-482
ip security first command SR-483
ip security ignore-authorities command SR-484
ip security implicit-labelling command SR-485
ip security multilevel command SR-487
ip security reserved-allowed command SR-489
ip security strip command SR-491
IPSO (IP Security Option)
authorities and bit patterns
(table) SR-476
definition SR-476
basic configuring SR-472
extended
configuring SR-474
defaults SR-477
maximum sensitivity levels SR-478
minimum sensitivity levels SR-480
labels, definition of SR-476
levels and bit patterns SR-475
ip ssh command SR-501
ip tacacs source-interface command SR-171
ip tcp intercept connection-timeout command SR-220
ip tcp intercept drop-mode command SR-221
ip tcp intercept finrst-timeout command SR-223
ip tcp intercept list command SR-224
ip tcp intercept max-incomplete high command SR-225
ip tcp intercept max-incomplete low command SR-227
ip tcp intercept mode command SR-229
ip tcp intercept one-minute high command SR-230
ip tcp intercept one-minute low command SR-232
ip tcp intercept watch-timeout command SR-234
ip trigger-authentication (global) command SR-44
ip trigger-authentication (interface) command SR-46
ip verify unicast reverse path command SR-494
ISAKMP
See IKE
K
kerberos clients mandatory command SR-187
kerberos credentials forward command SR-188
kerberos instance map command SR-189
kerberos local-realm command SR-190
kerberos preauth command SR-191
kerberos realm command SR-192
kerberos server command SR-193
kerberos srvtab entry command SR-194
kerberos srvtab remote command SR-196
key config-key command SR-197
unrecoverable DES key (caution) SR-197
keys
preshared
AAA server, configuring SR-424
deleting SR-412
masks SR-412
specifying (example) SR-412
key-string (IKE) command SR-429
L
lifetime (IKE policy) command SR-431
lock-and-key
idle timeouts SR-202
temporary entries
clearing manually SR-202, SR-207
creating manually SR-205
enabling SR-202
login authentication command SR-47
using list-names (caution) SR-47
M
match address (IPSec) command SR-331
memory usage, and Certification Authority Interoperability SR-372
MIB, descriptions online viii
mode (IPSec) command SR-333
modes
ca-identity, enabling SR-377
certificate chain configuration, enabling SR-370
query, enabling SR-372
RA, enabling SR-383
See command modes
trusted root, enabling SR-379
N
named-key command SR-433
nasi authentication command SR-49
using list-names (caution) SR-49
new information in this release ix
no ip inspect command SR-266
notes, usage in text x
O
Oakley key exchange protocol
See IKE
P
PAM (port to application mapping)
commands SR-299
password command SR-451
password encryption SR-457
permit (reflexive) command SR-214
PFS (perfect forward secrecy), specifying SR-337
platforms, supported
Feature Navigator, identify using xix
release notes, identify using xix
ppp accounting command SR-108
ppp authentication command SR-51
using list-names (caution) SR-52
ppp authorization command SR-84
ppp chap hostname command SR-54
ppp chap password command SR-56
ppp chap refuse command SR-58
ppp chap wait command SR-60
ppp pap refuse command SR-62
ppp pap sent-username command SR-63
preauthentication
clid SR-119
ctype SR-121
dnis SR-126
privilege command SR-452
privileged EXEC mode, summary of xiv
privilege level (line) command SR-455
privilege level, displaying SR-459
privilege level command SR-455
prompts, system xiv
PROXY, specifying SR-392
public key configuration mode, enabling SR-419, SR-433
Q
query mode, enabling SR-372
query url command SR-389
question mark (?) command xiv
R
radius-server attribute 188 format non-standard command SR-138
radius-server attribute 32 include-in-access-req command SR-133
radius-server attribute 44 include-in-access-req command SR-134
radius-server attribute 55 include-in-acct-req command SR-135
radius-server attribute 69 clear command SR-137
radius-server attribute nas-port extended command SR-139
radius-server attribute nas-port format command SR-140
radius-server challenge-noecho command SR-142
radius-server configure-nas command SR-143
radius-server deadtime command SR-144
radius-server directed-request command SR-145
radius-server extended-portnames command SR-147
radius-server host command SR-148
radius-server host non-standard command SR-151
radius-server key command SR-152
radius-server optional passwords command SR-154
radius-server retransmit command SR-155
radius-server timeout command SR-156
radius-server unique-ident command SR-157
radius-server vsa send command SR-158
RA mode, enabling SR-383
RAs (registration authorities), enabling SR-383
Reflexive Access Lists
configuring (examples) SR-211, SR-216
temporary entries SR-216
timeouts, global (examples) SR-212
release notes
See platforms, supported
RFC
full text, obtaining viii
ROM monitor mode, summary of xiv
root CEP command SR-391
root PROXY command SR-392
root TFTP command SR-393
RPC inspection
See CBAC, RPC inspection
RSA, encrypted nonces SR-404
RSA keys
deleting SR-381
IP address, specifying SR-400
manually specifying SR-419
public key record SR-368
remote peer, specifying SR-429
RSA signatures SR-404
S
SAs (security associations)
lifetimes, configuring SR-431
parameters SR-414
viewing SR-437
SCEP (Simple Certificate Enrollment Protocol) SR-391
server (RADIUS) command SR-160
server (TACACS+) command SR-173
server hosts, RADIUS SR-114
server hosts, TACACS+ SR-169
service password-encryption command SR-457
security level (caution) SR-457
set peer (IPSec) command SR-335
set peer command SR-335
set pfs command SR-337
set security-association level per-host command SR-339
set security-association lifetime command SR-341
set session-key command SR-344
set transform-set command SR-347
show accounting command SR-109
show crypto ca certificates command SR-394
show crypto ca crls command SR-396
show crypto ca roots command SR-397
show crypto dynamic-map command SR-349
show crypto engine accelerator logs command SR-351
show crypto engine accelerator sa-database command SR-353
show crypto ipsec sa command SR-354, SR-356
show crypto ipsec security-association lifetime command SR-356
show crypto ipsec transform-set command SR-357
show crypto isakmp policy command SR-435
show crypto isakmp sa command SR-437
show crypto key mypubkey rsa command SR-439
show crypto key pubkey-chain rsa command SR-440
show crypto map (IPSec) command SR-358
show dnsix command SR-492
show ip audit configuration command SR-286
show ip audit interface command SR-287
show ip audit statistics command SR-288
show ip auth-proxy command SR-297
show ip inspect command SR-267
show ip port-map command SR-304
show ip ssh command SR-502
show ip trigger-authentication command SR-65
show kerberos creds command SR-198
show ppp queues command SR-66
show privilege command SR-459
show radius statistics command SR-162
show ssh command SR-503
show tacacs command SR-174
show tcp intercept connections command SR-235
show tcp intercept statistics command SR-237
Skeme key exchange protocol
See IKE
spam attack SR-285
SSH (Secure Shell), description SR-499
ssh command SR-504
T
Tab key, command completion xiv
TACACS+
command comparison (table) SR-167
server hosts SR-169
tacacs-server administration command SR-176
tacacs-server directed-request command SR-177
tacacs-server dns-alias-lookup command SR-178
tacacs-server extended command SR-178
tacacs-server host command SR-179
tacacs-server key command SR-181
tacacs-server packet command SR-182
tacacs-server timeout command SR-183
TCP idle timeout, specifying SR-260
TCP Intercept
enabling SR-224
modes
intercept mode SR-229
watch mode SR-229
timeouts SR-223
TFTP (Trivial File Transfer Protocol), specifying SR-393
timeout intervals
See CBAC, timeouts
timeout login response command SR-68
traffic filtering SR-219
transport mode SR-334
trusted root
configuring SR-379
PROXY SR-379
querying SR-379
SCEP SR-379
TFTP SR-379
viewing SR-397
tunnel mode SR-334
U
UDP idle timeout, specifying SR-264
user EXEC mode, summary of xiv
username command SR-460
V
vpdn aaa attribute command SR-164
X
Xauth SR-421
See also IKE, extended authentication