- Securing User Services Overview
- Autosecure
-
-
-
- Configuring RADIUS
- AAA Dead-Server Detection
- ACL Default Direction
- Attribute Screening for Access Requests
- Enable Multilink PPP via RADIUS for Preauthentication User
- Enhanced Test Command
- Framed-Route in RADIUS Accounting
- Offload Server Accounting Enhancement
- Per VRF AAA
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Attribute Screening
- RADIUS Centralized Filter Management
- RADIUS Debug Enhancements
- RADIUS Logical Line ID
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Route Download
- RADIUS Support of 56-Bit Acct Session-Id
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Server Reorder on Failure
- Tunnel Authentication via RADIUS on Tunnel Terminator
-
-
-
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor Specific Attributes
- Local AAA Server
- Per-User QoS via AAA Policy Name
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
- RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
- RADIUS Attribute 82: Tunnel Assignment ID
- RADIUS Attribute 104
- RADIUS Progress Codes
- RADIUS Timeout Set During Pre-Authentication
- RADIUS Tunnel Attribute Extensions
- V.92 Reporting Using RADIUS Attribute v.92-info
-
- Cisco IOS Login Enhancements (Login Block)
- Cisco IOS Resilient Configuration
- Image Verification
- IP Source Tracker
- Role-Based CLI Access
Image Verification
The Image Verification feature allows users to automatically verify the integrity of Cisco IOS images. Thus, users can be sure that the image is protected from accidental corruption, which can occur at any time during transit, starting from the moment the files are generated by Cisco until they reach the user. The efficiency of Cisco IOS routers is also improved because the routers can now automatically detect when the integrity of an image is accidentally corrupted as a result of transmission errors or disk corruption.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Image Verification" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
•Restrictions for Image Verification
•Information About Image Verification
•How to Use Image Verification
•Configuration Examples for Image Verification
•Feature Information for Image Verification
Restrictions for Image Verification
Cisco IOS Release 12.2(18)S and 12.0(26)S Only
Image Verification is applied to and attempted on any file; however, if the file is not an image file, image verification will not occur and you will see the following error, "SIGNATURE-NOT-FOUND."
Cisco IOS Release 12.3(4)T Only
Image Verification is applied only to image files. If any other file type is copied or verified, you will not receive a warning that image verification did occur, and the command (copy or verify) will silently succeed.
Note The Image Verification feature can only be used to check the integrity of a Cisco IOS software image that is stored on a Cisco IOS device. It cannot be used to check the integrity of an image on a remote file system or an image running in memory.
Information About Image Verification
How Image Verification Works
Because a production image undergoes a sequence of transfers before it is copied into the memory of a router, the integrity of the image is at risk of accidental corruption every time a transfer occurs. When downloading an image from Cisco.com, a user can run a message-digest5 (MD5) hash on the downloaded image and verify that the MD5 digest posted on Cisco.com is the same as the MD5 digest that is computed on the user's server. However, many users choose not to run an MD5 digest because it is 128-bits long and the verification is manual. Image verification allows the user to automatically validate the integrity of all downloaded images, thereby, significantly reducing user interaction.
How to Use Image Verification
This section contains the following procedures:
•Globally Verifying the Integrity of an Image
•Verifying the Integrity of an Image That Is About to Be Copied
•Verifying the Integrity of an Image That Is About to Be Reloaded
Globally Verifying the Integrity of an Image
The file verify auto command enables image verification globally; that is, all images that are to be copied (via the copy command) or reloaded (via the reload command) are automatically verified. Although both the copy and reload commands have a /verify keyword that enables image verification, you must issue the keyword each time you want to copy or reload an image. The file verify auto command enables image verification by default, so you no longer have to specify image verification multiple times.
If you have enabled image verification by default but prefer to disable verification for a specific image copy or reload, the /noverify keyword, along with either the copy or the reload command, will override the file verify auto command.
Use this task to enable automatic image verification.
SUMMARY STEPS
1. enable
2. configure terminal
3. file verify auto
4. exit
DETAILED STEPS
What to Do Next
After issuing the file verify auto command, you do not have to issue the /verify keyword with the copy or the reload command because each image that is copied or reloaded will be automatically verified.
Verifying the Integrity of an Image That Is About to Be Copied
When issuing the copy command, you can verify the integrity of the copied file by entering the /verify keyword. If the integrity check fails, the copied file will be deleted. If the file that is about to be copied does not have an embedded hash (an old image), you will be prompted whether or not to continue with the copying process. If you choose to continue, the file will be successfully copied; if you choose not to continue, the copied file will be deleted.
Without the /verify keyword, the copy command could copy a file that is not valid. Thus, after the copy command has been successfully executed, you can issue the verify command at any time to check the integrity of the files that are in the storage of the router.
Use this task to verify the integrity of an image before it is copied onto a router.
SUMMARY STEPS
1. enable
2. copy [/erase] [/verify | /noverify] source-url destination-url
3. verify [/md5 [md5-value]] filesystem:[file-url]
DETAILED STEPS
Verifying the Integrity of an Image That Is About to Be Reloaded
By issuing the reload command with the /verify keyword, the image that is about to be loaded onto your system will be checked for integrity. If the /verify keyword is specified, image verification will occur before the system initiates the reboot. Thus, if verification fails, the image will not be loaded.
Note Because different platforms obtain the file that is to be loaded in various ways, the file specified in BOOTVAR will be verified. If a file is not specified, the first file on each subsystem will be verified.
On certain platforms, because of variables such as the configuration register, the file that is verified may not be the file that is loaded.
Use this task to verify the integrity of an image before it is reloaded onto a router.
SUMMARY STEPS
1. enable
2. reload [
[warm] [/verify | /noverify] text |
[warm] [/verify | /noverify] in [hh:]mm [text] |
[warm] [/verify | /noverify] at hh:mm [month day | day month] [text] |
[warm] [/verify | /noverify] cancel]
DETAILED STEPS
Configuration Examples for Image Verification
•Global Image Verification: Example
•Image Verification via the copy Command: Example
•Image Verification via the reload Command: Example
•Verify Command Sample Output: Example
Global Image Verification: Example
The following example shows how to enable automatic image verification. After enabling this command, image verification will automatically occur for all images that are either copied (via the copy command) or reloaded (via the reload command).
Router(config)# file verify auto
Image Verification via the copy Command: Example
The following example shows how to specify image verification before copying an image:
Router# copy /verify tftp://10.1.1.1/jdoe/c7200-js-mz disk0:
Destination filename [c7200-js-mz]?
Accessing tftp://10.1.1.1/jdoe/c7200-js-mz...
Loading jdoe/c7200-js-mz from 10.1.1.1 (via FastEthernet0/0):!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 19879944 bytes]
19879944 bytes copied in 108.632 secs (183003 bytes/sec)
Verifying file integrity of disk0:/c7200-js-mz ..................................................................................
..................................................................................
..................................................................................
.........................Done!
Embedded Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
Computed Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
CCO Hash MD5 :44A7B9BDDD9638128C35528466318183
Signature Verified
Image Verification via the reload Command: Example
The following example shows how to specify image verification before reloading an image onto the router:
Router# reload /verify
Verifying file integrity of bootflash:c7200-kboot-mz.121-8a.E
%ERROR:Signature not found in file bootflash:c7200-kboot-mz.121-8a.E.
Signature not present. Proceed with verify? [confirm]
Verifying file disk0:c7200-js-mz ..........................................................................
............................................................Done!
Embedded Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
Computed Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
CCO Hash MD5 :44A7B9BDDD9638128C35528466318183
Signature Verified
Proceed with reload? [confirm]n
Verify Command Sample Output: Example
The following example shows how to specify image verification via the verify command:
Router# verify disk0:c7200-js-mz
%Filesystem does not support verify operations
Verifying file integrity of disk0:c7200-js-mz.......................................
...............................................................................Done!
Embedded Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
Computed Hash MD5 :CFA258948C4ECE52085DCF428A426DCD
CCO Hash MD5 :44A7B9BDDD9638128C35528466318183
Signature Verified
Additional References
Related Documents
|
|
---|---|
Configuration tasks and information for loading, maintaining, and rebooting system images |
"Using the Cisco IOS Integrated File System" feature module in the Cisco IOS Configuration Fundamentals and Network Management Configuration Guide, Release 12.4T. |
Additional commands for loading, maintaining, and rebooting system images |
Cisco IOS Configuration Fundamentals Command Reference, Release 12.4T |
Standards
|
|
---|---|
None |
— |
MIBs
|
|
---|---|
•None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
|
|
---|---|
None |
— |
Technical Assistance
Feature Information for Image Verification
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS, Catalyst OS, and Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.