Cisco IOS Security

Date post: 03-Dec-2014
Cisco IOS Security Command Reference
April 2011

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco IOS Security Command Reference
© 2011 Cisco Systems, Inc. All rights reserved.

CONTENTS

Introduction

Security Commands

aaa accounting
aaa accounting (IKEv2 profile)
aaa accounting connection h323
aaa accounting delay-start
aaa accounting gigawords
aaa accounting-list
aaa accounting include auth-profile
aaa accounting jitter maximum
aaa accounting nested
aaa accounting redundancy
aaa accounting resource start-stop group
aaa accounting resource stop-failure group
aaa accounting send stop-record always
aaa accounting send stop-record authentication
aaa accounting session-duration ntp-adjusted
aaa accounting suppress null-username
aaa accounting update
aaa attribute
aaa attribute list
aaa authentication (IKEv2 profile)
aaa authentication (WebVPN)
aaa authentication arap
aaa authentication attempts login
aaa authentication auto (WebVPN)


aaa authentication banner
aaa authentication dot1x
aaa authentication enable default
aaa authentication eou default enable group radius
aaa authentication fail-message
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication sgbp
aaa authentication suppress null-username
aaa authentication username-prompt
aaa authorization
aaa authorization (IKEv2 profile)
aaa authorization cache filterserver
aaa authorization config-commands
aaa authorization console
aaa authorization list
aaa authorization reverse-access
aaa authorization template
aaa cache filter
aaa cache filterserver
aaa cache profile
aaa configuration
aaa dnis map accounting network
aaa dnis map authentication group
aaa dnis map authorization network group
aaa group server diameter
aaa group server ldap
aaa group server radius
aaa group server tacacs+
aaa intercept
aaa local authentication attempts max-fail
aaa max-sessions
aaa memory threshold


aaa nas cisco-nas-port use-async-info
aaa nas port extended
aaa nas port option82
aaa nas redirected-station
aaa new-model
aaa password
aaa pod server
aaa preauth
aaa processes
aaa route download
aaa server radius dynamic-author
aaa service-profile
aaa session-id
aaa session-mib
aaa traceback recording
aaa user profile
access (firewall farm)
access (server farm)
access (virtual server)
access-class
access-enable
access-group (identity policy)
access-group mode
access-list (IP extended)
access-list (IP standard)
access-list (NLSP)
access-list compiled
access-list compiled data-link limit memory
access-list compiled ipv4 limit memory
access-list dynamic-extend
access-list remark
access-profile
access-restrict
access-template
accounting


accounting (gatekeeper)
accounting (line)
accounting (server-group)
accounting acknowledge broadcast
accounting dhcp source-ip aaa list
acl (ISAKMP)
acl (WebVPN)
action-type
activate
add (WebVPN)
address
address (IKEv2 keyring)
address ipv4
address ipv4 (GDOI)
addressed-key
administrator authentication list
administrator authorization list
alert
alert (zone-based policy)
alert-severity
algorithm
all (profile map configuration)
allow-mode
appfw policy-name
appl (webvpn)
application (application firewall policy)
application redundancy
arap authentication
ase collector
ase enable
ase group
ase signature extraction
attribute (server-group)
attribute map
attribute nas-port format


attribute type
audit filesize
audit interval
audit-trail
audit-trail (zone)
authentication
authentication (IKE policy)
authentication (IKEv2 profile)
authentication bind-first
authentication command
authentication command bounce-port ignore
authentication command disable-port ignore
authentication compare
authentication control-direction
authentication critical recovery delay
authentication event fail
authentication event no-response action
authentication event server alive action reinitialize
authentication event server dead action authorize
authentication fallback
authentication host-mode
authentication list (tti-registrar)
authentication open
authentication order
authentication periodic
authentication port-control
authentication priority
authentication terminal
authentication timer inactivity
authentication timer reauthenticate
authentication timer restart
authentication trustpoint
authentication url
authentication violation
authorization


authorization (server-group)
authorization (tti-registrar)
authorization address ipv4
authorization identity
authorization list (global)
authorization list (tti-registrar)
authorization username
authorization username (tti-registrar)
authorize accept identity
auth-type
auth-type (ISG)
auto-enroll
auto-rollover
auto secure
auto-update client
backoff exponential
backup-gateway
banner
banner (WebVPN)
base-dn
bidirectional
binary file
bind authenticate
block count
browser-attribute import
browser-proxy
ca trust-point
cache authentication profile (server group configuration)
cache authorization profile (server group configuration)
cache clear age
cache disable
cache expiry (server group configuration)
cache max
cache refresh
call admission limit


call guard-timer
category (ips)
cdp-url
certificate
chain-validation
cifs-url-list
cipherkey
ciphervalue
cisco (ips-auto-update)
citrix enabled
class type inspect
class type urlfilter
class-map type inspect
class-map type urlfilter
clear aaa cache filterserver acl
clear aaa cache filterserver group
clear aaa cache group
clear aaa counters servers
clear aaa local user fail-attempts
clear aaa local user lockout
clear access-list counters
clear access-template
clear appfw dns cache
clear ase signatures
clear authentication sessions
clear crypto call admission statistics
clear crypto ctcp
clear crypto datapath
clear crypto engine accelerator counter
clear crypto gdoi
clear crypto gdoi ks cooperative role
clear crypto ikev2 sa
clear crypto ikev2 stat
clear crypto ipsec client ezvpn
clear crypto isakmp


clear crypto pki benchmarks
clear crypto pki crls
clear crypto sa
clear crypto session
clear dmvpn session
clear dmvpn statistics
clear dot1x
clear eap
clear eou
clear ip access-list counters
clear ip access-template
clear ip admission cache
clear ip audit configuration
clear ip audit statistics
clear ip auth-proxy cache
clear ip auth-proxy watch-list
clear ip inspect ha
clear ip inspect session
clear ip ips configuration
clear ip ips statistics
clear ip sdee
clear ip trigger-authentication
clear ip urlfilter cache
clear kerberos creds
clear ldap server
clear logging ip access-list cache
clear parameter-map type protocol-info
clear policy-firewall
clear policy-firewall stats vrf
clear policy-firewall stats vrf global
clear policy-firewall stats zone
clear port-security
clear radius
clear radius local-server
clear webvpn nbns


clear webvpn session
clear webvpn stats
clear zone-pair
clid
client
client authentication list
client configuration address
client configuration group
client pki authorization list
client rekey encryption
client rekey hash
client transform-sets
commands (view)
configuration url
configuration version
content-length
content-type-verification
control
copy (consent-parameter-map)
copy idconf
copy ips-sdf
crl
crl best-effort
crl optional
crl query
crl-cache delete-after
crl-cache none
crypto aaa attribute list
crypto ca authenticate
crypto ca cert validate
crypto ca certificate chain
crypto ca certificate map
crypto ca certificate query (ca-trustpoint)
crypto ca certificate query (global)
crypto ca crl request


crypto ca enroll
crypto ca export pem
crypto ca export pkcs12
crypto ca identity
crypto ca import
crypto ca import pem
crypto ca import pkcs12
crypto ca profile enrollment
crypto ca trusted-root
crypto ca trustpoint
crypto call admission limit
crypto connect vlan
crypto ctcp
crypto-engine
crypto dynamic-map
crypto engine accelerator
crypto engine aim
crypto engine em
crypto engine mode vrf
crypto engine nm
crypto engine onboard
crypto engine slot
crypto engine slot (interface)
crypto gdoi gm
crypto gdoi group
crypto identity
crypto ikev2 authorization policy
crypto ikev2 certificate-cache
crypto ikev2 cookie-challenge
crypto ikev2 diagnose
crypto ikev2 dpd
crypto ikev2 fragmentation
crypto ikev2 http-url
crypto ikev2 keyring
crypto ikev2 limit


crypto ikev2 name mangler
crypto ikev2 nat
crypto ikev2 policy
crypto ikev2 profile
crypto ikev2 proposal
crypto ikev2 window
crypto ipsec client ezvpn (global)
crypto ipsec client ezvpn (interface)
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
crypto ipsec default transform-set
crypto ipsec df-bit (global)
crypto ipsec df-bit (interface)
crypto ipsec fragmentation (global)
crypto ipsec fragmentation (interface)
crypto ipsec ipv4-deny
crypto ipsec nat-transparency
crypto ipsec optional
crypto ipsec optional retry
crypto ipsec profile
crypto ipsec security-association idle-time
crypto ipsec security-association lifetime
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size
crypto ipsec server send-update
crypto ipsec transform-set
crypto isakmp aggressive-mode disable
crypto isakmp client configuration address-pool local
crypto isakmp client configuration browser-proxy
crypto isakmp client configuration group
crypto isakmp client firewall
crypto isakmp default policy
crypto isakmp enable
crypto isakmp fragmentation
crypto isakmp identity


crypto isakmp invalid-spi-recovery
crypto isakmp keepalive
crypto isakmp key
crypto isakmp nat keepalive
crypto isakmp peer
crypto isakmp policy
crypto isakmp profile
crypto key decrypt rsa
crypto key encrypt rsa
crypto key export rsa pem
crypto key generate ec keysize
crypto key generate rsa
crypto key import rsa pem
crypto key lock rsa
crypto key move rsa
crypto key pubkey-chain rsa
crypto key storage
crypto key unlock rsa
crypto key zeroize pubkey-chain
crypto key zeroize rsa
crypto keyring
crypto logging ezvpn
crypto logging ikev2
crypto logging session
crypto map (global IPsec)
crypto map (interface IPsec)
crypto map (isakmp)
crypto map (Xauth)
crypto map client configuration address
crypto map gdoi fail-close
crypto map isakmp-profile
crypto map local-address
crypto map redundancy replay-interval
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size


crypto pki authenticate
crypto pki benchmark
crypto pki cert validate
crypto pki certificate chain
crypto pki certificate map
crypto pki certificate query (ca-trustpoint)
crypto pki certificate storage
crypto pki crl cache
crypto pki crl request
crypto pki enroll
crypto pki export pem
crypto pki export pkcs12
crypto pki import
crypto pki import pem
crypto pki import pkcs12
crypto pki profile enrollment
crypto pki server
crypto pki server grant
crypto pki server info crl
crypto pki server info requests
crypto pki server password generate
crypto pki server reject
crypto pki server remove
crypto pki server request pkcs10
crypto pki server revoke
crypto pki server start
crypto pki server stop
crypto pki server trim
crypto pki server trim generate expired-list
crypto pki server unrevoke
crypto pki token change-pin
crypto pki token encrypted-user-pin
crypto pki token label
crypto pki token lock
crypto pki token login


crypto pki token logout
crypto pki token max-retries
crypto pki token removal timeout
crypto pki token secondary config
crypto pki token secondary unconfig
crypto pki token unlock
crypto pki token user-pin
crypto pki trustpoint
crypto provisioning petitioner
crypto provisioning registrar
crypto wui tti petitioner
crypto wui tti registrar
crypto xauth
csd enable
ctcp port
ctype
data
database archive
database level
database url
database username
deadtime (server-group configuration)
default (ca-trustpoint)
default-group-policy
deny
deny (Catalyst 6500 series switches)
deny (IP)
deny (MAC ACL)
deny (WebVPN)
description (dot1x credentials)
description (identify zone)
description (identity policy)
description (identity profile)
description (IKEv2 keyring)
description (isakmp peer)


destination host
destination realm
device (identity profile)
dhcp (IKEv2)
dhcp server (isakmp)
dhcp timeout
dialer aaa
diameter origin host
diameter origin realm
diameter peer
diameter redundancy
diameter timer
diameter vendor supported
disable open-media-channel
disconnect ssh
dn
dn (IKEv2)
dnis (AAA preauthentication)
dnis (RADIUS)
dnis bypass (AAA preauthentication configuration)
dns
dnsix-dmdp retries
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
dns-timeout
domain (AAA)
domain (isakmp-group)
dot1x control-direction
dot1x credentials
dot1x critical (global configuration)
dot1x critical (interface configuration)
dot1x default


dot1x guest-vlan
dot1x guest-vlan supplicant
dot1x host-mode
dot1x initialize
dot1x mac-auth-bypass
dot1x max-reauth-req
dot1x max-req
dot1x max-start
dot1x multi-hosts
dot1x multiple-hosts
dot1x pae
dot1x port-control
dot1x re-authenticate (EtherSwitch)
dot1x re-authenticate (privileged EXEC)
dot1x re-authentication (EtherSwitch)
dot1x reauthentication
dot1x supplicant interface
dot1x system-auth-control
dot1x timeout
dot1x timeout (EtherSwitch)
dpd
drop (type access-control)
drop (zone-based policy)
dtls port
dynamic
eap
eap (IKEv2 profile)
eckeypair
email (IKEv2 profile)
enable
enable password
enable secret
enabled (IPS)
encryption (IKE policy)
encryption (IKEv2 proposal)


enforce-checksum
engine (IPS)
enrollment
enrollment command
enrollment credential
enrollment http-proxy
enrollment mode ra
enrollment profile
enrollment retry count
enrollment retry period
enrollment selfsigned
enrollment terminal (ca-profile-enroll)
enrollment terminal (ca-trustpoint)
enrollment url (ca-identity)
enrollment url (ca-profile-enroll)
enrollment url (ca-trustpoint)
eou allow
eou clientless
eou default
eou initialize
eou logging
eou max-retry
eou port
eou rate-limit
eou revalidate
eou timeout
error-msg
error-url
evaluate
event-action
exclusive-domain
filter-hash
filter-id
filter-version
firewall


fpm package-group
fpm package-info
fqdn (IKEv2 profile)
grant auto rollover
grant auto trustpoint
grant none
grant ra-auto
group (authentication)
group (firewall)
group (IKE policy)
group (IKEv2 proposal)
group (local RADIUS server)
group (RADIUS)
group-lock
hash (ca-trustpoint)
hash (cs-server)
hash (IKE policy)
heading
hide-url-bar
host (webvpn url rewrite)
hostname (IKEv2 keyring)
hostname (WebVPN)
http proxy-server
http-redirect
hw-module slot subslot only
icmp idle-timeout
ida-client server url
identity (IKEv2 keyring)
identity (IKEv2 profile)
identity address ipv4
identity local
identity number
identity policy
identity profile
identity profile eapoudp


idle-timeout (WebVPN)
if-state nhrp
import
include-local-lan
incoming
initiate mode
inservice (WebVPN)
inspect
integrity
interface (RITE)
interface (VASI)
interface virtual-template
ip (webvpn url rewrite)
ip access-group
ip access-list
ip access-list hardware permit fragments
ip access-list logging hash-generation
ip access-list logging interval
ip access-list log-update
ip access-list resequence
ip-address (ca-trustpoint)
ip address (WebVPN)
ip address dhcp
ip admission
ip admission consent banner
ip admission name
ip admission proxy http
ip audit
ip audit attack
ip audit info
ip audit name
ip audit notify
ip audit po local
ip audit po max-events
ip audit po protected


ip audit po remote
ip audit signature
ip audit smtp
ip auth-proxy (global configuration)
ip auth-proxy (interface configuration)
ip auth-proxy auth-proxy-banner
ip auth-proxy max-login-attempts
ip auth-proxy name
ip auth-proxy watch-list
ip dhcp client broadcast-flag (interface)
ip dhcp support tunnel unicast
ip-extension
ip http ezvpn
ip inspect
ip inspect alert-off
ip inspect audit trail
ip inspect dns-timeout
ip inspect hashtable
ip inspect L2-transparent dhcp-passthrough
ip inspect log drop-pkt
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect name
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp block-non-session
ip inspect tcp finwait-time
ip inspect tcp idle-time
ip inspect tcp max-incomplete host
ip inspect tcp reassembly
ip inspect tcp synwait-time
ip inspect tcp window-scale-enforcement loose
ip inspect udp idle-time
integrity
ip interface


ip ips
ip ips auto-update
ip ips config location
ip ips deny-action ips-interface
ip ips enable-clidelta
ip ips event-action-rules
ip ips fail closed
ip ips inherit-obsolete-tunings
ip ips memory regex chaining
ip ips memory threshold
ip ips name
ip ips notify
ip ips sdf location
ip ips signature
ip ips signature-category
ip ips signature-definition
ip ips signature disable
ip kerberos source-interface
ip msdp border
ip mtu
ip nhrp cache non-authoritative
ip nhrp nhs
ip port-map
ip radius source-interface
ip reflexive-list timeout
ip route (vasi)
ip scp server enable
ip sdee
ip sdee events
ip security add
ip security aeso
ip security dedicated
ip security eso-info
ip security eso-max
ip security eso-min


ip security extended-allowed
ip security first
ip security ignore-authorities
ip security ignore-cipso
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
ip source-track
ip source-track address-limit
ip source-track export-interval
ip source-track syslog-interval
ip ssh
ip ssh break-string
ip ssh dh min size
ip ssh dscp
ip ssh maxstartups
ip ssh port
ip ssh precedence
ip ssh pubkey-chain
ip ssh rsa keypair-name
ip ssh source-interface
ip ssh stricthostkeycheck
ip ssh version
ip tacacs source-interface
ip tcp intercept connection-timeout
ip tcp intercept drop-mode
ip tcp intercept finrst-timeout
ip tcp intercept list
ip tcp intercept max-incomplete
ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low
ip tcp intercept mode
ip tcp intercept one-minute
ip tcp intercept one-minute high


ip tcp intercept one-minute low
ip tcp intercept watch-timeout
ip traffic-export apply
ip traffic-export profile
ip trigger-authentication (global)
ip trigger-authentication (interface)
ip urlfilter alert
ip urlfilter allowmode
ip urlfilter audit-trail
ip urlfilter cache
ip urlfilter exclusive-domain
ip urlfilter max-request
ip urlfilter max-resp-pak
ip urlfilter server vendor
ip urlfilter source-interface
ip urlfilter truncate
ip urlfilter urlf-server-log
ip verify drop-rate compute interval
ip verify drop-rate compute window
ip verify drop-rate notify hold-down
ip verify unicast notification threshold
ip verify unicast reverse-path
ip verify unicast source reachable-via
ip virtual-reassembly
ip vrf
ip vrf forwarding
ip vrf forwarding (server-group)
ip wccp web-cache accelerated
ips signature update cisco
ipv4 (ldap)
ipv6 crypto map
isakmp authorization list
issuer-name
ivrf
keepalive (isakmp profile)


kerberos clients mandatory
kerberos credentials forward
kerberos instance map
kerberos local-realm
kerberos password
kerberos preauth
kerberos processes
kerberos realm
kerberos retry
kerberos server
kerberos srvtab entry
kerberos srvtab remote
kerberos timeout
key (isakmp-group)
key config-key
key config-key password-encryption
keyring
keyring (IKEv2 profile)
key-string (IKE)
language
ldap attribute-map
ldap search
ldap server
length (RITE)
lifetime (certificate server)
lifetime (IKE policy)
lifetime (IKEv2 profile)
lifetime crl
lifetime enrollment-request
list (LSP Attributes)
list (WebVPN)
li-view
load-balance (server-group)
load classification
local-address


local-port (WebVPN)
local priority
lockdown (LSP Attributes)
log (parameter-map type)
log (policy-map)
log (type access-control)
logging dmvpn
logging enabled
logging ip access-list cache (global configuration)
logging ip access-list cache (interface configuration)
login authentication
login block-for
login delay
login-message
login-photo
login quiet-mode access-class
logo
mab
mac access-group
mac-address (RITE)
map type
mask (policy-map)
mask-urls
match access-group
match address (GDOI local server)
match address (IPSec)
match authentication trustpoint
match body regex
match certificate
match certificate (ca-trustpoint)
match certificate (ISAKMP)
match certificate override cdp
match certificate override ocsp
match certificate override sia
match class-map


match class session
match cmd
match data-length
match encrypted
match file-transfer
match header count
match header length gt
match header regex
match identity
match (IKEv2 policy)
match (IKEv2 profile)
match invalid-command
match login clear-text
match message
match mime content-type regex
match mime encoding
match program-number
match protocol (zone)
match protocol h323-annexe
match protocol h323-nxg
match protocol-violation
match recipient address regex
match recipient count gt
match recipient invalid count gt
match reply ehlo
match req-resp
match req-resp body length
match req-resp header content-type
match req-resp header transfer-encoding
match req-resp protocol-violation
match request
match request length
match request method
match request not regex
match request port-misuse

April 2011

xxviii

match request regex match response

SEC-1611

SEC-1613 SEC-1615 SEC-1616

match response body java-applet match response status-line regex match search-file-nameSEC-1617

match sender address regex match server-domain urlf-glob match server-response any match service match text-chat match url match url category match url reputation match user-group max-destination max-header-length max-incomplete max-logins max-request max-resp-pak max-uri-length max-users mime-typeSEC-1624 SEC-1626

SEC-1619 SEC-1621

SEC-1623

SEC-1627 SEC-1629 SEC-1630

match url-keyword urlf-globSEC-1633 SEC-1635 SEC-1636 SEC-1638

SEC-1632

SEC-1640 SEC-1642 SEC-1643 SEC-1644

max-retry-attemptsSEC-1647

SEC-1645

max-users (WebVPN)SEC-1650

SEC-1649

mls acl tcam default-result mls acl tcam share-global mls acl vacl apply-self mls aclmerge algorithm mls ip acl port expand mls ip inspect mls rate-limit allSEC-1659 SEC-1660

SEC-1652 SEC-1653

mls acl tcam override dynamic dhcp-snoopingSEC-1654 SEC-1655 SEC-1656 SEC-1658

mls rate-limit layer2

SEC-1662

April 2011

xxix

mls rate-limit unicast l3-features mls rate-limit multicast ipv4 mls rate-limit multicast ipv6 mls rate-limit unicast acl mls rate-limit unicast cef mls rate-limit unicast ip mode (IPSec) mode ra mode secure mode sub-cs nameSEC-1680

SEC-1665

SEC-1666 SEC-1668

SEC-1671 SEC-1673 SEC-1675 SEC-1678

mls rate-limit unicast vacl-logSEC-1682 SEC-1684 SEC-1685

monitor event-trace dmvpnSEC-1689 SEC-1690 SEC-1691

SEC-1687

name (view) named-key nasSEC-1693

nasi authentication nat (IKEv2 profile) nbns-list nbns-server netmaskSEC-1698

SEC-1695 SEC-1697

nbns-list (policy group)SEC-1701 SEC-1703

SEC-1700

no crypto engine software ipsec no crypto xauth no ip inspectSEC-1705 SEC-1706 SEC-1707

SEC-1704

no ip ips sdf builtin object-group network object-group service ocsp url onSEC-1722

object-group (Catalyst 6500 series switches)SEC-1711 SEC-1714 SEC-1720

SEC-1708

occur-at (ips-auto-update)SEC-1723 SEC-1725 SEC-1727 SEC-1729

one-minute outgoing parameter

April 2011

xxx

parameter-map type

SEC-1731 SEC-1734 SEC-1737 SEC-1740 SEC-1741

parameter-map type inspect

parameter-map type protocol-info parameter-map type inspect-vrf parameter-map type inspect-zone parameter-map type regex parameter-map type urlfilter parameter-map type urlfpolicy parameter-map type urlf-glob parser view pass passiveSEC-1757 SEC-1759

SEC-1742 SEC-1746

parameter-map type trend-global

SEC-1748 SEC-1750 SEC-1755

parser view superviewSEC-1761 SEC-1762

password (ca-trustpoint)

SEC-1763 SEC-1764 SEC-1765

password (dot1x credentials) password (line configuration) password 5SEC-1766

password encryption aes password logging peer address ipv4 peer (IKEv2 keyring) permitSEC-1777

SEC-1768

SEC-1770 SEC-1771

pattern (parameter-map)

SEC-1773 SEC-1775

permit (Catalyst 6500 series switches) permit (IP)SEC-1794 SEC-1807 SEC-1810 SEC-1814

SEC-1786

permit (MAC ACL) permit (reflexive) permit (webvpn acl) pfsSEC-1817

pki-server

SEC-1818 SEC-1819 SEC-1820

pki trustpoint policy

police (zone policy)SEC-1822

policy group

SEC-1824

April 2011

xxxi

policy-map type inspect pool (isakmp-group) portSEC-1834 SEC-1835

SEC-1826 SEC-1829

policy-map type inspect urlfilterSEC-1832

port-forward port-misuse

port-forward (policy group)SEC-1839 SEC-1841

SEC-1837

ppp accounting

ppp authentication ppp authorization ppp chap hostname ppp chap password ppp chap refuse ppp chap wait ppp eap identity ppp eap local ppp eap refuse ppp eap wait ppp link ppp pap refuse preempt ppp eap password

SEC-1842 SEC-1845

ppp authentication ms-chap-v2SEC-1847 SEC-1848 SEC-1850

SEC-1852 SEC-1854 SEC-1856 SEC-1857 SEC-1859

SEC-1860 SEC-1861

SEC-1862 SEC-1864 SEC-1866

ppp pap sent-usernameSEC-1868 SEC-1869

pre-shared-key primary

pre-shared-key (IKEv2 keyring)SEC-1874 SEC-1875 SEC-1877 SEC-1878 SEC-1879 SEC-1881

SEC-1871

priority(firewall) private-hosts

private-hosts layer3 private-hosts mac-list private-hosts mode private-hosts vlan-list privilegeSEC-1887

private-hosts promiscuous

SEC-1883

SEC-1885

April 2011

xxxii

privilege level

SEC-1892 SEC-1894 SEC-1895

profile (GDOI local server) proposal protocol proxySEC-1896 SEC-1897

profile (profile map configuration) protection (zone)SEC-1898 SEC-1899

qos-group (PVS Bundle Member) query certificate query url quitSEC-1907 SEC-1903 SEC-1905

SEC-1901

radius attribute nas-port-type

SEC-1908 SEC-1910 SEC-1911 SEC-1912

radius-server accounting system host-config radius-server attribute 11 default direction radius-server attribute 25 radius-server attribute 31SEC-1913 SEC-1914

radius-server attribute 188 format non-standard

radius-server attribute 31 mac format radius-server attribute 4SEC-1918

SEC-1916 SEC-1917

radius-server attribute 32 include-in-access-req radius-server attribute 44 extend-with-addr radius-server attribute 44 sync-with-client radius-server attribute 55 include-in-acct-req radius-server attribute 6SEC-1926 SEC-1928

SEC-1920 SEC-1921

radius-server attribute 44 include-in-access-req

SEC-1923 SEC-1924

radius-server attribute 61 extended radius-server attribute 69 clear radius-server attribute 77SEC-1931

SEC-1930

radius-server attribute 8 include-in-access-req radius-server attribute 30 original-called-number radius-server attribute data-rate send 0 radius-server attribute listSEC-1937

SEC-1933 SEC-1935

SEC-1936

radius-server attribute nas-port extended radius-server attribute nas-port format radius-server authorizationSEC-1945

SEC-1939 SEC-1940

April 2011

xxxiii

radius-server authorization missing Service-Type radius-server backoff exponential radius-server challenge-noecho radius-server configure-nas radius-server dead-criteria radius-server deadtimeSEC-1947 SEC-1949

SEC-1946

SEC-1950 SEC-1952

SEC-1954 SEC-1956 SEC-1959 SEC-1963

radius-server directed-request radius-server domain-stripping radius-server host radius-server key radius-server localSEC-1964

radius-server extended-portnames radius-server host non-standardSEC-1971

SEC-1969

radius-server load-balance

SEC-1973

SEC-1977 SEC-1979

radius local-server pac-generate expiry radius-server optional-passwords radius-server retransmitSEC-1981

SEC-1980

radius-server retry method reorder radius-server source-ports extended radius-server throttle radius-server timeoutSEC-1986 SEC-1988

SEC-1983 SEC-1985

radius-server transaction max-tries radius-server unique-ident radius-server vsa send rate-limit (firewall) rdSEC-1997 SEC-1999 SEC-2001 SEC-1990

SEC-1989

radius-server vsa disallow unknownSEC-1993 SEC-1995

SEC-1992

reauthentication time redirect (identity policy) redundancy (GDOI) redundancy group redundancy rii regenerate

SEC-2002 SEC-2003 SEC-2005

redundancy inter-deviceSEC-2007

redundancy statefulSEC-2011

SEC-2009

April 2011

xxxiv

regexp (profile map configuration) registration interface rekey address ipv4 rekey algorithm rekey lifetime rekey retransmit remarkSEC-2026 SEC-2015 SEC-2017 SEC-2019 SEC-2021

SEC-2013

rekey authentication

SEC-2022 SEC-2023 SEC-2024

rekey transport unicast

replay counter window-size replay time window-size request-method request-timeout reset (policy-map) responder-only retired (IPS) reverse-route rootSEC-2044 SEC-2046 SEC-2047 SEC-2048 SEC-2049 SEC-2050 SEC-2051 SEC-2052 SEC-2053 SEC-2030 SEC-2032 SEC-2033

SEC-2027 SEC-2029

reset (zone-based policy)SEC-2035 SEC-2036 SEC-2038

SEC-2034

revocation-check root CEP root TFTP rsakeypair rsa-pubkey sa ipsec

SEC-2042

root PROXY

sa receive-only save-password scheme search-filter

SEC-2055 SEC-2057 SEC-2058 SEC-2059

secondary-color secretSEC-2060

secondary-text-color secret-keySEC-2062

secure boot-config

SEC-2064

April 2011

xxxv

secure boot-image secure cipher

SEC-2066

SEC-2068 SEC-2070 SEC-2071

security (Diameter peer) security ipsec self-identitySEC-2072

security authentication failure rate security passwords min-lengthSEC-2075

SEC-2074

serial-number (ca-trustpoint) serial-number (pubkey) serverSEC-2081 SEC-2082

SEC-2076

SEC-2077 SEC-2078

server (application firewall policy) server (ldap)

server (parameter-map) server (RADIUS) server (TACACS+) server address ipv4 server local server vendor

SEC-2083

SEC-2086 SEC-2088 SEC-2090

SEC-2091 SEC-2092 SEC-2094 SEC-2096

server-private (RADIUS) server-private (TACACS+) server-keySEC-2098 SEC-2099

service action

service password-encryption service password-recovery service-module ids bootmode service-policy (policy-map) service-policy (zones) service-policy inspect sessions maximum sessions rate

SEC-2101 SEC-2103 SEC-2111 SEC-2112

service-module ids heartbeat-resetSEC-2114 SEC-2116 SEC-2117 SEC-2118

service-policy type inspectSEC-2121

SEC-2119

set aggressive-mode client-endpoint set aggressive-mode password set groupSEC-2127

SEC-2123

SEC-2125

April 2011

xxxvi

set identity

SEC-2128 SEC-2130 SEC-2131

set ip access-group set isakmp-profile set nat demux set peer (IPsec) set pfsSEC-2137

SEC-2132 SEC-2134

set reverse-route

SEC-2140 SEC-2142 SEC-2144

set security-association idle-time set security-association lifetime

set security-association level per-host set security-association replay disable set security-policy limit set session-key set transform-set show aaa attributes show aaa cache group show aaa dead-criteria show aaa memorySEC-2152

SEC-2146 SEC-2150 SEC-2151

set security-association replay window-sizeSEC-2153 SEC-2156 SEC-2158

sgbp aaa authentication

SEC-2159 SEC-2162

show aaa cache filterserver

SEC-2164 SEC-2166 SEC-2168

show aaa local user lockoutSEC-2169

show aaa method-lists show aaa service-profiles show aaa servers show aaa user

SEC-2173 SEC-2177

SEC-2178 SEC-2182

show aaa subscriber profileSEC-2184

show access-group mode interface show access-lists compiled show access-lists show accounting show appfw show ase show auditSEC-2192 SEC-2195

SEC-2188

SEC-2189

SEC-2196 SEC-2198 SEC-2201 SEC-2203

show authentication interface

April 2011

xxxvii

show authentication registrations show authentication sessions show auto secure config show call admission statistics show class-map type inspect show class-map type urlfilter show crypto ace redundancy show crypto ca certificates show crypto ca crls show crypto ca roots show crypto ca timersSEC-2223 SEC-2224 SEC-2225 SEC-2210

SEC-2205

SEC-2206

SEC-2213 SEC-2215 SEC-2217 SEC-2219 SEC-2221

show crypto ca trustpoints show crypto ctcpSEC-2229

SEC-2226 SEC-2227

show crypto call admission statistics show crypto datapathSEC-2231

show crypto debug-condition show crypto dynamic-map show crypto eliSEC-2237

SEC-2234 SEC-2236

show crypto eng qos show crypto engine

SEC-2239 SEC-2240 SEC-2243 SEC-2245 SEC-2247

show crypto engine accelerator logs show crypto engine accelerator ring

show crypto engine accelerator sa-database show crypto engine accelerator statistic show crypto gdoi show crypto haSEC-2263 SEC-2266 SEC-2267 SEC-2268

SEC-2248

show crypto identity

show crypto ikev2 diagnose error show crypto ikev2 policy show crypto ikev2 profile show crypto ikev2 proposal show crypto ikev2 sa show crypto ikev2 stats show crypto ikev2 sessionSEC-2269

SEC-2271 SEC-2273

SEC-2275 SEC-2278 SEC-2281 SEC-2282

show crypto ipsec client ezvpn

April 2011

xxxviii

show crypto ipsec default transform-set show crypto ipsec saSEC-2287

SEC-2285

show crypto ipsec security-association idle-time show crypto ipsec security-association lifetime show crypto ipsec transform-set show crypto isakmp default policy show crypto isakmp key show crypto isakmp peers show crypto isakmp policy show crypto isakmp profile show crypto isakmp saSEC-2303 SEC-2304 SEC-2306 SEC-2309 SEC-2298 SEC-2300

SEC-2296 SEC-2297

SEC-2311 SEC-2314 SEC-2317

show crypto key mypubkey rsa show crypto map (IPsec)

show crypto key pubkey-chain rsaSEC-2320

show crypto mib ipsec flowmib endpoint show crypto mib ipsec flowmib failure show crypto mib ipsec flowmib global show crypto mib ipsec flowmib history

SEC-2324 SEC-2326 SEC-2328 SEC-2330 SEC-2333 SEC-2334

show crypto mib ipsec flowmib history failure size show crypto mib ipsec flowmib history tunnel size show crypto mib ipsec flowmib spiSEC-2335 SEC-2337 SEC-2340 SEC-2341 SEC-2344 SEC-2347 SEC-2351 SEC-2353

show crypto mib ipsec flowmib tunnel show crypto mib ipsec flowmib version show crypto mib isakmp flowmib failure show crypto mib isakmp flowmib global show crypto mib isakmp flowmib history show crypto mib isakmp flowmib peer show crypto mib isakmp flowmib tunnel show crypto pki benchmarks show crypto pki certificates show crypto pki counters show crypto pki crls show crypto pki serverSEC-2357 SEC-2360

show crypto pki certificates storageSEC-2366 SEC-2368 SEC-2370

SEC-2365

show crypto pki server certificates

SEC-2374

April 2011

xxxix

show crypto pki server crl show crypto pki timers show crypto pki token show crypto route show crypto ruleset show crypto session

SEC-2376 SEC-2377

show crypto pki server requestsSEC-2380 SEC-2381

show crypto pki trustpointsSEC-2388

SEC-2383

SEC-2389 SEC-2391 SEC-2396 SEC-2397

show crypto session group show crypto socket show crypto vlan show diameter peer show dmvpn show dnsix show dot1x show dss logSEC-2410 SEC-2411

show crypto session summarySEC-2398

show crypto tech-supportSEC-2402

SEC-2400

SEC-2403

SEC-2405

show dot1x (EtherSwitch)SEC-2420

SEC-2415

show eap registrations show eap sessions show eouSEC-2425

SEC-2421

SEC-2423

show epm session

SEC-2429 SEC-2431 SEC-2433 SEC-2436 SEC-2438

show firewall vlan-group show fm private-hosts show fpm package-group show fpm package-info show idmgrSEC-2440

show interface virtual-access show ip access-lists show ip admissionSEC-2446 SEC-2449

SEC-2443

show ip audit configuration show ip audit interface show ip audit statistics show ip auth-proxy

SEC-2451

SEC-2452 SEC-2453

SEC-2454

April 2011

xl

show ip auth-proxy watch-list show ip bgp labels show ip inspect show ip interface show ip ipsSEC-2458

SEC-2456

show ip device tracking show ip inspect ha

SEC-2460

SEC-2462 SEC-2473 SEC-2476

SEC-2484 SEC-2488

show ip ips auto-update show ip ips category

SEC-2490 SEC-2496 SEC-2498

show ip ips event-action-rules show ip ips signature-category show ip nhrp nhs show ip port-map show ip sdeeSEC-2500 SEC-2503

SEC-2505 SEC-2508 SEC-2510 SEC-2512

show ip ips sig-clidelta show ip source-track show ip sshSEC-2513

show ip source-track export flows show ip traffic-export show ip trm config show ip urlfilterSEC-2514

show ip trigger-authenticationSEC-2518

SEC-2516

show ip trm subscription statusSEC-2522 SEC-2525 SEC-2527

SEC-2520

show ip urlfilter cache show ip urlfilter config show kerberos creds show ldap attributes show ldap server show login show mab

show ip virtual-reassembly

SEC-2529

SEC-2531 SEC-2532

SEC-2534 SEC-2536

show logging ip access-listSEC-2538 SEC-2541

show mac access-group interface show mac-address-tableSEC-2544

SEC-2543

show management-interface

SEC-2553

April 2011

xli

show mls rate-limit show object-group

SEC-2555 SEC-2558

show monitor event-trace dmvpnSEC-2560

show parameter-map type consent show parameter-map type inspect

SEC-2562 SEC-2563 SEC-2565 SEC-2567 SEC-2569

show parameter-map type protocol-info show parameter-map type inspect-vrf show parameter-map type inspect-zone show parameter-map type regex show parameter-map type urlf-glob show parameter-map type urlfilter show parameter-map type urlfpolicy show parser viewSEC-2575

SEC-2570 SEC-2571

show parameter-map type trend-global

SEC-2572 SEC-2573 SEC-2574

show platform hardware qfp feature

SEC-2577 SEC-2581 SEC-2582

show platform hardware qfp act feature ipsec datapath memory show platform software ipsec f0 encryption-processor registers show policy-firewall config show policy-firewall mib show policy-firewall stats show policy-firewall session show policy-firewall stats vrf show policy-firewall stats zone show policy-firewall summary-log show policy-map type inspectSEC-2583 SEC-2586 SEC-2590 SEC-2593 SEC-2595 SEC-2597

show policy-firewall stats vrf global

SEC-2599 SEC-2601

SEC-2602 SEC-2604 SEC-2605 SEC-2610

show policy-map type inspect urlfilter show policy-map type inspect zone-pair show port-security show ppp queues show pppoe sessionSEC-2613 SEC-2615 SEC-2617

show policy-map type inspect zone-pair urlfilter

show private-hosts access-lists show private-hosts configuration

SEC-2620 SEC-2622 SEC-2624

show private-hosts interface configuration

April 2011

xlii

show private-hosts mac-list show privilegeSEC-2626

SEC-2625

show radius local-server statistics show radius server-group show radius statistics show radius table attributesSEC-2629 SEC-2631

SEC-2627

SEC-2634 SEC-2655

show redundancy application control-interface group show redundancy application data-interface show redundancy application faults group show redundancy application group show redundancy application if-mgr show redundancy application protocol show redundancy application transport show redundancy linecard-group show running-config show sasl show smm show ssh show tacacsSEC-2679 SEC-2681 SEC-2669 SEC-2676 SEC-2659 SEC-2663 SEC-2665 SEC-2667 SEC-2656 SEC-2657

SEC-2668

show running-config vrf show secure bootsetSEC-2682

show snmp mib nhrp statusSEC-2685

SEC-2684

show ssl-proxy module stateSEC-2689

SEC-2687

show tcp intercept connections show tcp intercept statistics show tech-supportSEC-2694

SEC-2691 SEC-2693

show tech-support ipsec show tunnel endpoints show usb controllers show usb device show usb driver show usb port show usb tree show usbtoken show user-group

SEC-2701 SEC-2704

SEC-2706

SEC-2708 SEC-2711 SEC-2713 SEC-2714 SEC-2715 SEC-2717

April 2011

xliii

show users show vasi pair

SEC-2719 SEC-2722 SEC-2724 SEC-2725 SEC-2728 SEC-2731 SEC-2733 SEC-2736 SEC-2737 SEC-2739 SEC-2742 SEC-2747 SEC-2749

show vlan group show vtemplate

show webvpn context show webvpn gateway show webvpn install show webvpn license show webvpn nbns show webvpn policy show webvpn session show webvpn sessions show webvpn statistics show webvpn stats show wlccp wds show zone security shutdown (firewall) signatureSEC-2771

SEC-2750 SEC-2764 SEC-2766 SEC-2767

show zone-pair security

SEC-2768 SEC-2769

shutdown (certificate server) smart-tunnel listSEC-2772

snmp-server enable traps ipsec snmp-server enable traps isakmp snmp-server enable traps nhrp snmp trap ip verify drop-rate source interfaceSEC-2781

SEC-2774 SEC-2776 SEC-2778 SEC-2780

source interface (Diameter peer) split-dns sshSEC-2785

SEC-2783 SEC-2784

source-interface (URL parameter-map)SEC-2787

ssid (local RADIUS server group) ssl encryption ssl truspoint sso-serverSEC-2794

SEC-2792

ssl-proxy module allowed-vlanSEC-2796 SEC-2797

SEC-2795

April 2011

xliv

status

SEC-2798 SEC-2799 SEC-2801

strict-http

subject-alt-name subject-name subnet-acl (IKEv2) subscriber service svc address-pool svc default-domain svc dns-server svc dpd-interval svc dtls svc homepage svc keepalive svc module

SEC-2803 SEC-2804 SEC-2806

subscriber access pppoe unique-key circuit-idSEC-2807 SEC-2809 SEC-2811

SEC-2812 SEC-2813

SEC-2814 SEC-2815 SEC-2816 SEC-2817

svc keep-client-installedSEC-2818 SEC-2819

svc msie-proxy svc mtu svc rekey svc split svc split dns

svc msie-proxy serverSEC-2822 SEC-2823 SEC-2824 SEC-2826

SEC-2821

svc wins-server

SEC-2827 SEC-2828 SEC-2830 SEC-2832 SEC-2834 SEC-2836

switchport port-security

switchport port-security aging

switchport port-security mac-address switchport port-security maximum switchport port-security violation tacacs-server administration tacacs-server directed-request tacacs-server dns-alias-lookup tacacs-server domain-stripping tacacs-server host tacacs-server key tacacs-server packetSEC-2846 SEC-2848 SEC-2850

SEC-2838 SEC-2839 SEC-2841 SEC-2842

April 2011

xlv

tacacs-server timeout target-value tcp idle-timeSEC-2852

SEC-2851

tcp finwait-time

SEC-2853

SEC-2855 SEC-2857 SEC-2859

tcp max-incomplete tcp syn-flood limit tcp synwait-time

tcp reassembly memory limitSEC-2860

tcp syn-flood rate per-destinationSEC-2863

SEC-2862

tcp window-scale-enforcement loose template (identity policy) template (identity profile) template config template fileSEC-2868 SEC-2872 SEC-2866 SEC-2867

SEC-2864

template http admin-introduction template http completion template http error template http start template location template username template variable p test aaa group test crypto self-test text-color throttleSEC-2890 SEC-2891 SEC-2876

SEC-2874

SEC-2875

template http introduction template http welcome

SEC-2877

SEC-2878 SEC-2879

SEC-2880 SEC-2882 SEC-2883

SEC-2885 SEC-2888 SEC-2889

test urlf cache snapshot

timeout (application firewall application-configuration) timeout (policy group) timeout file download timeout login response timeout retransmit timer (Diameter peer) timers delaySEC-2902 SEC-2895 SEC-2897 SEC-2898

SEC-2893

SEC-2899 SEC-2900

April 2011

xlvi

timers hellotime titleSEC-2906

SEC-2904

title-color

SEC-2907 SEC-2908 SEC-2910 SEC-2912

track (firewall) traffic-export transport port trm register

transfer-encoding typeSEC-2914

transport port (ldap)

SEC-2915

SEC-2916 SEC-2917

trustpoint (tti-petitioner) trustpoint signing tunnel mode tunnel protection udp idle-timeSEC-2920

SEC-2918

SEC-2924 SEC-2928

type echo protocol ipIcmpEchoSEC-2930 SEC-2932 SEC-2933

unmatched-action url (ips-auto-update) url rewrite urlfilter url-list url-text usage user url-profile

SEC-2934

SEC-2935 SEC-2936 SEC-2938 SEC-2940 SEC-2941 SEC-2942 SEC-2944 SEC-2945

user-group username

user-group loggingSEC-2946

username (dot1x credentials) username (ips-autoupdate) username secret viewSEC-2959 SEC-2955 SEC-2957

SEC-2952 SEC-2953

user-profile location

virtual-template (IKEv2 profile) vlan (local RADIUS server group)

SEC-2961 SEC-2962 SEC-2963

virtual-template (webvpn context)

April 2011

xlvii

vlan group

SEC-2965 SEC-2967 SEC-2969

vpdn aaa attribute vrf (isakmp profile) vrfname vrf-name webvpnSEC-2971 SEC-2972

web-agent-url

SEC-2973

SEC-2975 SEC-2976

webvpn-homepage webvpn cef webvpn context webvpn enable webvpn gateway webvpn install winsSEC-2989

SEC-2977 SEC-2978 SEC-2980

webvpn create templateSEC-2982

SEC-2983 SEC-2985

webvpn import svc profileSEC-2986

webvpn sslvpn-vif nat

SEC-2988

wlccp authentication-server client wlccp wds priority interface xauth userid mode zone pair security zone securitySEC-2996 SEC-2998

SEC-2991 SEC-2993

wlccp authentication-server infrastructureSEC-2994

zone-member securitySEC-3001

SEC-2999

April 2011

xlviii

Introduction

The Cisco IOS Security Command Reference contains commands that are used to configure Cisco IOS security features for your Cisco networking devices; specifically, it contains commands used to perform the following functions:

• Configure authentication, authorization, and accounting (AAA).
• Configure security server protocols such as RADIUS, TACACS+, and Kerberos.

Note: TACACS and Extended TACACS commands are included in Cisco IOS Release 12.2 software for backward compatibility with earlier Cisco IOS releases; however, these commands are no longer supported and are not documented for this release. Cisco recommends using only the TACACS+ security protocol with Release 12.1 and later of Cisco IOS software. Table 1 identifies Cisco IOS software commands available to the different versions of TACACS. Although TACACS+ is enabled through AAA and uses commands specific to AAA, there are some commands that are common to TACACS, Extended TACACS, and TACACS+. TACACS and Extended TACACS commands that are not common to TACACS+ are not documented in this release.

Table 1 TACACS Command Comparison

Cisco IOS Command | TACACS | Extended TACACS | TACACS+
aaa accounting | | | yes
aaa authentication arap | | | yes
aaa authentication enable default | | | yes
aaa authentication login | | | yes
aaa authentication ppp | | | yes
aaa authorization | | | yes
aaa group server tacacs+ | | | yes
aaa new-model | | | yes
arap authentication | | | yes
arap use-tacacs | yes | yes |
enable last-resort | yes | yes |

Table 1 TACACS Command Comparison (continued)

The continued rows cover these commands: enable use-tacacs, ip tacacs source-interface, login authentication, login tacacs, ppp authentication, ppp use-tacacs, server, tacacs-server administration, tacacs-server directed-request, tacacs-server dns-alias-lookup, tacacs-server domain-stripping, tacacs-server host, tacacs-server key, tacacs-server packet, tacacs-server timeout. The per-row cell values for these commands did not survive extraction; the column contents are:
TACACS: yes yes yes yes yes yes yes yes
Extended TACACS: yes yes yes yes yes yes yes yes
TACACS+: yes yes yes no yes yes yes yes yes yes yes yes

• Configure the following traffic filtering and firewall features:
  • Context-Based Access Control (CBAC)
  • Intrusion Detection System (IDS)
  • Port to application mapping (PAM)
  • Reflexive access lists
  • TCP Intercept
• Configure IP Security (IPSec) and encryption features such as public key infrastructure (PKI) and Internet Key Exchange (IKE).
• Configure additional security features such as passwords and privileges, IP Security Options (IPSO), Unicast Reverse Path Forwarding (uRPF), secure shell (SSH), and AutoSecure.

For information on how to configure Cisco IOS security features and configuration examples using the commands in this book, refer to the Cisco IOS Security Configuration Guide.

Security Commands

aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode or template configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}
no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

Template Configuration Mode

aaa accounting {delay-start | send stop-record authentication} {failure | success remote-server}
no aaa accounting {delay-start | send stop-record authentication} {failure | success remote-server}

Syntax Description

auth-proxy: Provides information about all authenticated-proxy user events.
system: Performs accounting for all system-level events not associated with users, such as reloads.
    Note: When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.
network: Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
exec: Runs accounting for the EXEC shell session.
connection: Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.
commands level: Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.
dot1x: Provides information about all IEEE 802.1x-related user events.
default: Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.
list-name: Character string used to name the list of at least one of the following accounting methods:
    group radius: Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
    group tacacs+: Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
    group group-name: Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.
guarantee-first: Guarantees system accounting as the first record.
vrf vrf-name: (Optional) Specifies a virtual routing and forwarding (VRF) configuration.
    Note: VRF is used only with system accounting.
start-stop: Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
stop-only: Sends a stop accounting record for all cases including authentication failures regardless of whether the aaa accounting send stop-record authentication failure command is configured.
none: Disables accounting services on this line or interface.
broadcast: (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
radius: Runs the accounting service for RADIUS.
group group-name: Specifies the accounting method list. Enter at least one of the following keywords:
    auth-proxy: Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.
    commands: Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.
    connection: Creates a method list to provide accounting information about all outbound connections made from the network access server.
    exec: Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.
    network: Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.
    resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.
    tunnel: Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.
    tunnel-link: Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.
delay-start: Delays PPP network start records until peer IP address is known.
send: Sends records to the accounting server.
stop-record: Generates stop records for a specified event.
authentication: Generates stop records for authentication.
failure: Generates stop records for authentication failures.
success: Generates stop records for authenticated users.
remote-server: Specifies that the users are successfully authenticated through access-accept, by a remote AAA server.

Defaults

AAA accounting is disabled.

Command Modes

Global configuration (config)
Template configuration (config-template)

Command History

Release | Modification
12.0(5)T | This command was modified. The Group server support was added.
12.1(1)T | This command was modified. The broadcast keyword was added on the Cisco AS5300 and Cisco AS5800 universal access servers.
12.1(5)T | This command was modified. The auth-proxy keyword was added.
12.2(1)DX | This command was modified. The vrf keyword and vrf-name argument were added on the Cisco 7200 series and Cisco 7401ASR series routers.
12.2(2)DD | This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B | This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T | This command was modified. The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
12.2(15)B | This command was modified. The tunnel and tunnel-link accounting methods were introduced.
12.3(4)T | This command was modified. The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.
12.2(28)SB | This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T | The dot1x keyword was integrated into Cisco IOS Release 12.4(11)T.
12.2(33)SXH | This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SXI | This command was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.6 | This command was integrated into Cisco IOS XE Release 2.6. The radius keyword was added.

Usage Guidelines

General Information

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis. You must enable AAA services using the aaa new-model global configuration command. Table 1 contains descriptions of keywords for AAA accounting methods.

Table 1 aaa accounting Methods

Keyword: Description
group radius: Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
group tacacs+: Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
group group-name: Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers. Cisco IOS software supports the following two methods of accounting:

RADIUS: The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.


TACACS+: The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.

Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering values for the list-name argument where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list keywords to identify the methods to be tried in sequence as given. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.

Note

System accounting does not use named accounting lists; you can define the default list only for system accounting.

For minimal accounting, include the stop-only keyword to send a stop accounting record for all cases including authentication failures. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.

To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.

When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see the appendix RADIUS Attributes in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, see the appendix TACACS+ Attribute-Value Pairs in the Cisco IOS Security Configuration Guide.

Note

The aaa accounting command cannot be used with TACACS or extended TACACS.

Cisco Service Selection Gateway Broadcast Accounting

To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the list-name argument. For more information about configuring SSG, see the chapter Configuring Accounting for SSG in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.

Layer 2 LAN Switch Port

You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of Update/Watchdog packets from this AAA client in your RADIUS server Network Configuration tab. Next, enable CVS RADIUS Accounting in your RADIUS server System Configuration tab. You must enable AAA before you can enter the aaa accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:


aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control

Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message. Use the aaa accounting system default start-stop group radius command to send start and stop accounting records after the router reboots. The start record is generated while the router is booted and the stop record is generated while the router is reloaded. The router generates a start record to reach the AAA server. If the AAA server is not reachable, the router retries sending the packet four times. The retry mechanism is based on the exponential backoff algorithm. If there is no response from the AAA server, the request will be dropped.

Establishing a Session with a Router if the AAA Server is Unreachable

The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than three minutes. To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.

Note

Entering the no aaa accounting system guarantee-first command is not the only condition by which the console or telnet session can be started. For example, if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable, then the session cannot start.

Examples

The following example shows how to define a default command accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.

aaa accounting commands 15 default stop-only group tacacs+

The following example shows how to define a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.

aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+

The following example shows how to define a default system accounting method list, where accounting services are provided by RADIUS security server server1 with a start-stop restriction. The aaa accounting command specifies accounting for VRF vrf1.

aaa accounting system default vrf vrf1 start-stop group server1

The following example shows how to define a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.

aaa new-model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius


The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)

aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius

The following example shows how to delay the PPP network start record until the peer IP address is known:

Router# configure terminal
Router(config)# aaa new-model
Router(config)# template name
Router(config-template)# aaa accounting delay-start

Related Commands

Command: Description
aaa authentication dot1x: Specifies one or more AAA methods for use on interfaces running IEEE 802.1X.
aaa authentication ppp: Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization: Sets parameters that restrict user access to a network.
aaa group server radius: Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+: Groups different server hosts into distinct lists and distinct methods.
aaa new-model: Enables the AAA access control model.
auto command: Configures the system to automatically execute a specific EXEC command when it connects to a port.
dot1x system-auth-control: Enables port-based authentication.
radius-server host: Specifies a RADIUS server host.
show radius statistics: Displays the RADIUS statistics for accounting and authentication packets.
tacacs-server host: Specifies a TACACS+ server host.


aaa accounting (IKEv2 profile)

To enable AAA accounting for IPsec sessions, use the aaa accounting command in IKEv2 profile configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting [psk | cert | eap] list-name
no aaa accounting [psk | cert | eap] list-name

Syntax Description

psk: (Optional) Specifies a method list if the authentication method is preshared key.
cert: (Optional) Specifies a method list if the authentication method is certificate based.
eap: (Optional) Specifies a method list if the authentication method is Extensible Authentication Protocol (EAP).
list-name: Name of the AAA list.

Command Default

AAA accounting is disabled.

Command Modes

IKEv2 profile configuration (config-ikev2-profile)

Command History

Release: Modification
15.1(1)T: This command was introduced.
Cisco IOS XE Release 3.3S: This command was integrated into Cisco IOS XE Release 3.3S.

Usage Guidelines

Use the aaa accounting command to enable and specify the method list for AAA accounting for IPsec sessions. The aaa accounting command can be specific to an authentication method or common to all authentication methods, but not both at the same time. If the method list is entered without the psk, cert, or eap keyword, the list is common across authentication methods.

Examples

The following example defines an AAA accounting configuration common to all authentication methods:

Router(config-ikev2-profile)# aaa accounting common-list1

The following example configures an AAA accounting list for each authentication method:

Router(config-ikev2-profile)# aaa accounting psk psk-list1
Router(config-ikev2-profile)# aaa accounting cert cert-list1
Router(config-ikev2-profile)# aaa accounting eap eap-list1


Related Commands

Command: Description
crypto ikev2 profile: Defines an IKEv2 profile.


aaa accounting connection h323

To define the accounting method list H.323 using RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.

aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname
no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname

Syntax Description

stop-only: Sends a stop accounting notice at the end of the requested user process.
start-stop: Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
none: Disables accounting services on this line or interface.
broadcast: (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname: Specifies the server group to be used for accounting services. The following are valid server group names:
  string: Character string used to name a server group.
  radius: Uses list of all RADIUS hosts.
  tacacs+: Uses list of all TACACS+ hosts.

Defaults

No accounting method list is defined.

Command Modes

Global configuration

Command History

Release: Modification
11.3(6)NA2: This command was introduced.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.
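The aaa accounting usage guidelines above describe method lists as methods tried in sequence, with a named list on a line overriding the default and no default meaning no accounting; the broadcast keyword of this command adds a second delivery mode. The following Python model is an added example written for this page (it is not Cisco code and not how IOS is implemented) that makes those rules executable so the failure modes are visible: which server receives a record, and when a record is silently dropped. The server group names (RAD, TAC), addresses, list names and reachability state are constructed assumptions.

```python
# Constructed topology: two server groups as they would be created with
# "aaa group server radius RAD" and "aaa group server tacacs+ TAC"
# (group names and addresses are assumptions for this example).
SERVER_GROUPS = {
    "RAD": ["10.0.0.11", "10.0.0.12"],   # tried in order: failover stays within the group
    "TAC": ["10.0.0.21"],
}


def resolve_method_list(acct_type, line_list, named_lists, default_lists):
    """Return the method list that governs a line/interface for one accounting type.

    A named list applied to the line overrides the default list for that
    accounting type; with no default list defined, no accounting takes place
    (returned as None)."""
    if line_list is not None:
        return named_lists[(acct_type, line_list)]
    return default_lists.get(acct_type)


def send_record(methods, reachable, broadcast=False):
    """Deliver one accounting record through a method list.

    Methods are tried in the sequence given. 'group NAME' sends to the first
    reachable server of that group (the remaining servers of the same group
    are the failover targets). 'none' switches accounting off for this line.
    With broadcast, the record goes to the first reachable server of every
    group instead of stopping after the first group that accepts it.
    Returns the servers that received the record; an empty list means the
    record was dropped, the case to alert on from the collector side."""
    delivered = []
    for method in methods:
        if method == "none":
            break                      # accounting explicitly disabled
        _, group_name = method.split()
        for server in SERVER_GROUPS[group_name]:
            if reachable.get(server, False):
                delivered.append(server)
                break
        if delivered and not broadcast:
            break
    return delivered


def demo():
    """Constructed scenario: first RADIUS server down, its backup and TACACS+ up."""
    named = {("commands", "ADMIN-ACCT"): ["group TAC", "group RAD"]}
    default = {"commands": ["group RAD"]}
    up = {"10.0.0.11": False, "10.0.0.12": True, "10.0.0.21": True}
    return {
        "line_with_named_list": send_record(
            resolve_method_list("commands", "ADMIN-ACCT", named, default), up),
        "line_using_default": send_record(
            resolve_method_list("commands", None, named, default), up),
        "broadcast": send_record(["group RAD", "group TAC"], up, broadcast=True),
        "all_servers_down": send_record(["group RAD", "group TAC"], {}),
        "no_default_list": resolve_method_list("network", None, named, default),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "all_servers_down" and "no_default_list" cases are the ones worth a monitoring rule: in the first the router eventually drops the record after its retries, in the second nothing is ever generated, and neither produces an error on the collector.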


Examples

The following example enables authentication, authorization, and accounting (AAA) services and gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.

aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius

Related Commands

Command: Description
gw-accounting: Enables the accounting method for collecting call detail records.


aaa accounting delay-start

To delay generation of accounting start records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.

aaa accounting delay-start [all] [vrf vrf-name]
no aaa accounting delay-start [all] [vrf vrf-name]

Syntax Description

all: (Optional) Extends the delay of accounting start records to all Virtual Route Forwarding (VRF) and non-VRF users.
vrf vrf-name: (Optional) Extends the delay of accounting start records to individual VRF users.

Defaults

Accounting records are not delayed.

Command Modes

Global configuration

Command History

Release: Modification
12.1: This command was introduced.
12.2(1)DX: The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(2)DD: This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B: This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T: The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
12.3(1): The all keyword was added.
12.2(28)SB: This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA: This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.2(33)SXH: This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SXI: This command was integrated into Cisco IOS Release 12.2(33)SXI.

Usage Guidelines

Use the aaa accounting delay-start command to delay generation of accounting start records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting start records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.


Note

The aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure either aaa accounting delay-start (for non-VRF users) or aaa accounting delay-start vrf {vrf-name} (for VRF users) or aaa accounting delay-start all (for all VRF and non-VRF users).

Examples

The following example shows how to delay accounting start records until the IP address of the user is established:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 172.16.0.0 non-standard
radius-server key rad123

The following example shows that accounting start records are to be delayed for all VRF and non-VRF users:

aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 172.16.0.0 non-standard
radius-server key rad123

Related Commands

Command: Description
aaa accounting: Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
aaa authentication ppp: Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authorization: Sets parameters that restrict user access to a network.
aaa new-model: Enables the AAA access control model.
radius-server host: Specifies a RADIUS server host.
tacacs-server host: Specifies a TACACS+ server host.


aaa accounting gigawords

To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)

aaa accounting gigawords
no aaa accounting gigawords

Syntax Description

This command has no arguments or keywords.

Defaults

If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.

Command Modes

Global configuration

Command History

Release: Modification
12.2(13.7)T: This command was introduced.

Usage Guidelines

The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state. If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.
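The aaa accounting usage guidelines earlier on this page say that each RADIUS accounting record is a set of AV pairs stored on the security server, and this command controls whether the router fills in RADIUS attributes 52 and 53 (Acct-Input-Gigawords and Acct-Output-Gigawords) so that sessions moving more than 4 GB are counted correctly. The Python below is an added example for this page, not Cisco code, showing what a collector on the accounting-server side does with such a record: it checks the Request Authenticator against the shared key (RFC 2866: MD5 over the header, 16 zero octets, the attributes and the secret), rejects records that were not produced with that key or were altered in transit, and combines the gigaword attributes with the 32-bit octet counters into 64-bit totals. The user name, session ID, counter values and the shared key rad123 (the same value the delay-start examples use) are constructed sample data.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types from RFC 2866 / RFC 2869
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_INPUT_OCTETS = 42
ATTR_ACCT_OUTPUT_OCTETS = 43
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_INPUT_GIGAWORDS = 52
ATTR_ACCT_OUTPUT_GIGAWORDS = 53
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(atype, value):
    """Encode one AV pair as type, length, value; length includes the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _int_attr(atype, n):
    return _attr(atype, struct.pack("!I", n))


def build_accounting_request(identifier, secret, attrs):
    """Build an Accounting-Request as a NAS would. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_accounting_request(packet, secret):
    """Verify the authenticator and decode the AV pairs a collector cares about.
    Returns None for a malformed packet or one not produced with `secret`."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet) or length < 20:
        return None
    authenticator, body = packet[4:20], packet[20:length]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(authenticator, expected):
        return None                      # forged, replayed under another key, or altered
    attrs = {}
    pos = 0
    while pos + 2 <= len(body):
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                  # malformed attribute length
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen

    def u32(atype):
        return struct.unpack("!I", attrs[atype])[0] if atype in attrs else 0

    return {
        "user": attrs.get(ATTR_USER_NAME, b"").decode(),
        "session_id": attrs.get(ATTR_ACCT_SESSION_ID, b"").decode(),
        "status": STATUS_NAMES.get(u32(ATTR_ACCT_STATUS_TYPE), "unknown"),
        # Gigawords counts how many times the 32-bit octet counter wrapped,
        # so the 64-bit total is gigawords * 2^32 + octets.
        "input_bytes": (u32(ATTR_ACCT_INPUT_GIGAWORDS) << 32) | u32(ATTR_ACCT_INPUT_OCTETS),
        "output_bytes": (u32(ATTR_ACCT_OUTPUT_GIGAWORDS) << 32) | u32(ATTR_ACCT_OUTPUT_OCTETS),
    }


# Constructed sample: a Stop record for a session that received just over 8 GB.
SECRET = b"rad123"
SAMPLE_STOP = build_accounting_request(7, SECRET, [
    _attr(ATTR_USER_NAME, b"alice"),
    _attr(ATTR_ACCT_SESSION_ID, b"00000007"),
    _int_attr(ATTR_ACCT_STATUS_TYPE, 2),
    _int_attr(ATTR_ACCT_INPUT_OCTETS, 1000),
    _int_attr(ATTR_ACCT_INPUT_GIGAWORDS, 2),
    _int_attr(ATTR_ACCT_OUTPUT_OCTETS, 5),
])


def decode_sample():
    return parse_accounting_request(SAMPLE_STOP, SECRET)


def forged_sample_rejected():
    """The same bytes checked under a different key must not be accepted."""
    return parse_accounting_request(SAMPLE_STOP, b"wrong-key") is None


def tampered_sample_rejected():
    """Flipping one bit of the last attribute invalidates the authenticator."""
    tampered = bytearray(SAMPLE_STOP)
    tampered[-1] ^= 0x01
    return parse_accounting_request(bytes(tampered), SECRET) is None


if __name__ == "__main__":
    print(decode_sample())
```

Without the gigaword attributes the same record would decode to 1000 input bytes, which is the under-reporting this command exists to prevent; a collector that ignores attributes 52 and 53 has the same blind spot even when the router sends them.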

Note

The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the c

