Ios Sec Comm Ref

Date post: 07-Aug-2018
  • 8/20/2019 Ios Sec Comm Ref

    1/537

Cisco Systems, Inc.
Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 800 553-NETS (6387)
     408 526-4000
Fax: 408 526-4100

Cisco IOS Security Command Reference
Release 12.2

Customer Order Number: DOC-7811748=
Text Part Number: 78-11748-02


THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0102R)

Cisco IOS Security Command Reference
© 2001–2006 Cisco Systems, Inc.
All rights reserved.

Contents

About Cisco IOS Software Documentation  v
Using Cisco IOS Software  xiii

Authentication, Authorization, and Accounting
    Authentication Commands  SR-3
    Authorization Commands  SR-69
    Accounting Commands  SR-85

Security Server Protocols
    RADIUS Commands  SR-113
    TACACS+ Commands  SR-167
    Kerberos Commands  SR-185

Traffic Filtering and Firewalls
    Lock-and-Key Commands  SR-201
    Reflexive Access List Commands  SR-209
    TCP Intercept Commands  SR-219
    Context-Based Access Control Commands  SR-239
    Cisco IOS Firewall Intrusion Detection System Commands  SR-271
    Authentication Proxy Commands  SR-289
    Port to Application Mapping Commands  SR-299

IP Security and Encryption
    IPSec Network Security Commands  SR-309
    Certification Authority Interoperability Commands  SR-361
    Internet Key Exchange Security Protocol Commands  SR-399

Other Security Features
    Passwords and Privileges Commands  SR-445
    IP Security Options Commands  SR-465
    Unicast Reverse Path Forwarding Commands  SR-493
    Secure Shell Commands  SR-499

Index


About Cisco IOS Software Documentation

This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software documentation. It also provides sources for obtaining documentation from Cisco Systems.

Documentation Objectives

Cisco IOS software documentation describes the tasks and commands necessary to configure and maintain Cisco networking devices.

Audience

The Cisco IOS software documentation set is intended primarily for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the tasks, the relationship between tasks, or the Cisco IOS software commands necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for those users experienced with Cisco IOS software who need to know about new features, new configuration options, and new software characteristics in the current Cisco IOS software release.

Documentation Organization

The Cisco IOS software documentation set consists of documentation modules and master indexes. In addition to the main documentation set, there are supporting documents and resources.

Documentation Modules

The Cisco IOS documentation modules consist of configuration guides and corresponding command reference publications. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference publication provide complete Cisco IOS command syntax information. Use each configuration guide in conjunction with its corresponding command reference publication.


Figure 1 shows the Cisco IOS software documentation modules.

Note  The abbreviations (for example, FC and FR) next to the book icons are page designators, which are defined in a key in the index of each document to help you with navigation. The bullets under each module list the major technology areas discussed in the corresponding books.

Figure 1  Cisco IOS Software Documentation Modules

(The figure is a diagram of book icons. Its recoverable content, each module with its books and the technology areas listed under it, follows.)

Module FC/FR: Cisco IOS Configuration Fundamentals Configuration Guide; Cisco IOS Configuration Fundamentals Command Reference
  • Cisco IOS User Interfaces
  • File Management
  • System Management

Module IPC/IP1R/IP2R/IP3R: Cisco IOS IP Configuration Guide; Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services; Volume 2 of 3: Routing Protocols; Volume 3 of 3: Multicast
  • IP Addressing and Services
  • IP Routing Protocols
  • IP Multicast

Module P2C/P2R: Cisco IOS AppleTalk and Novell IPX Configuration Guide; Cisco IOS AppleTalk and Novell IPX Command Reference
  • AppleTalk
  • Novell IPX

Module P3C/P3R: Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide; Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Command Reference
  • Apollo Domain
  • Banyan VINES
  • DECnet
  • ISO CLNS
  • XNS

Module WC/WR: Cisco IOS Wide-Area Networking Configuration Guide; Cisco IOS Wide-Area Networking Command Reference
  • ATM
  • Broadband Access
  • Frame Relay
  • SMDS
  • X.25 and LAPB

Module SC/SR: Cisco IOS Security Configuration Guide; Cisco IOS Security Command Reference
  • AAA Security Services
  • Security Server Protocols
  • Traffic Filtering and Firewalls
  • IP Security and Encryption
  • Passwords and Privileges
  • Neighbor Router Authentication
  • IP Security Options
  • Supported AV Pairs

Module IC/IR: Cisco IOS Interface Configuration Guide; Cisco IOS Interface Command Reference
  • LAN Interfaces
  • Serial Interfaces
  • Logical Interfaces

Module MWC/MWR: Cisco IOS Mobile Wireless Configuration Guide; Cisco IOS Mobile Wireless Command Reference
  • General Packet Radio Service

Module VC/VR: Cisco IOS Voice, Video, and Fax Configuration Guide; Cisco IOS Voice, Video, and Fax Command Reference
  • Voice over IP
  • Call Control Signalling
  • Voice over Frame Relay
  • Voice over ATM
  • Telephony Applications
  • Trunk Management
  • Fax, Video, and Modem Support

Module QC/QR: Cisco IOS Quality of Service Solutions Configuration Guide; Cisco IOS Quality of Service Solutions Command Reference
  • Packet Classification
  • Congestion Management
  • Congestion Avoidance
  • Policing and Shaping
  • Signalling
  • Link Efficiency Mechanisms

Module DC/DR: Cisco IOS Dial Technologies Configuration Guide; Cisco IOS Dial Technologies Command Reference
  • Preparing for Dial Access
  • Modem and Dial Shelf Configuration and Management
  • ISDN Configuration
  • Signalling Configuration
  • Dial-on-Demand Routing Configuration
  • Dial-Backup Configuration
  • Dial-Related Addressing Services
  • Virtual Templates, Profiles, and Networks
  • PPP Configuration
  • Callback and Bandwidth Allocation Configuration
  • Dial Access Specialized Features
  • Dial Access Scenarios

Module BC/B1R: Cisco IOS Bridging and IBM Networking Configuration Guide; Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2
  • Transparent Bridging
  • SRB
  • Token Ring Inter-Switch Link
  • Token Ring Route Switch Module
  • RSRB
  • DLSw+
  • Serial Tunnel and Block Serial Tunnel
  • LLC2 and SDLC
  • IBM Network Media Translation
  • SNA Frame Relay Access
  • NCIA Client/Server
  • Airline Product Set

Module BC/B2R: Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2
  • DSPU and SNA Service Point
  • SNA Switching Services
  • Cisco Transaction Connection
  • Cisco Mainframe Channel Connection
  • CLAW and TCP/IP Offload
  • CSNA, CMPC, and CMPC+
  • TN3270 Server

Module XC/XR: Cisco IOS Switching Services Configuration Guide; Cisco IOS Switching Services Command Reference
  • Cisco IOS Switching Paths
  • NetFlow Switching
  • Multiprotocol Label Switching
  • Multilayer Switching
  • Multicast Distributed Switching
  • Virtual LANs
  • LAN Emulation

Module TC/TR: Cisco IOS Terminal Services Configuration Guide; Cisco IOS Terminal Services Command Reference
  • ARA
  • LAT
  • NASI
  • Telnet
  • TN3270
  • XRemote
  • X.28 PAD
  • Protocol Translation


Master Indexes

Two master indexes provide indexing information for the Cisco IOS software documentation set: an index for the configuration guides and an index for the command references. Individual books also contain a book-specific index.

The master indexes provide a quick way for you to find a command when you know the command name but not which module contains the command. When you use the online master indexes, you can click the page number for an index entry and go to that page in the online document.

Supporting Documents and Resources

The following documents and resources support the Cisco IOS software documentation set:

• Cisco IOS Command Summary (three volumes)—This publication explains the function and syntax of the Cisco IOS software commands. For more information about defaults and usage guidelines, refer to the Cisco IOS command reference publications.

• Cisco IOS System Error Messages—This publication lists and describes Cisco IOS system error messages. Not all system error messages indicate problems with your system. Some are purely informational, and others may help diagnose problems with communications lines, internal hardware, or the system software.

• Cisco IOS Debug Command Reference—This publication contains an alphabetical listing of the debug commands and their descriptions. Documentation for each command includes a brief description of its use, command syntax, usage guidelines, and sample output.

• Dictionary of Internetworking Terms and Acronyms—This Cisco publication compiles and defines the terms and acronyms used in the internetworking industry.

• New feature documentation—The Cisco IOS software documentation set documents the mainline release of Cisco IOS software (for example, Cisco IOS Release 12.2). New software features are introduced in early deployment releases (for example, the Cisco IOS “T” release train for 12.2, 12.2(x)T). Documentation for these new features can be found in standalone documents called “feature modules.” Feature module documentation describes new Cisco IOS software and hardware networking functionality and is available on Cisco.com and the Documentation CD-ROM.

• Release notes—This documentation describes system requirements, provides information about new and changed features, and includes other useful information about specific software releases. See the section “Using Software Release Notes” in the chapter “Using Cisco IOS Software” for more information.

• Caveats documentation—This documentation provides information about Cisco IOS software defects in specific software releases.

• RFCs—RFCs are standards documents maintained by the Internet Engineering Task Force (IETF). Cisco IOS software documentation references supported RFCs when applicable. The full text of referenced RFCs may be obtained on the World Wide Web at http://www.rfc-editor.org/.

• MIBs—MIBs are used for network monitoring. For lists of supported MIBs by platform and release, and to download MIB files, see the Cisco MIB website on Cisco.com at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.


New and Changed Information

The following is new information since the last release of the Cisco IOS Security Command Reference:

• A new chapter titled “Secure Shell Commands” has been added to the section “Other Security Features.” This chapter describes the SSH commands.

• The chapter titled “Cisco Encryption Technology Commands” has been deleted from the section “IP Security and Encryption.” This functionality is no longer supported. For information regarding CET commands, refer to Cisco IOS Security Command Reference, Release 12.1 or earlier.

Document Conventions

Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco products (for example, routers, access servers, and switches). Routers, access servers, and other networking devices that support Cisco IOS software are shown interchangeably within examples. These products are used only for illustrative purposes; that is, an example that shows one product does not necessarily indicate that other products are not supported.

The Cisco IOS documentation set uses the following conventions:

Convention   Description
^ or Ctrl    The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string       A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

Convention   Description
boldface     Boldface text indicates commands and keywords that you enter literally as shown.
italics      Italic text indicates arguments for which you supply values.
[x]          Square brackets enclose an optional element (keyword or argument).
|            A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]      Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}      Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:

Convention   Description
[x {y | z}]  Braces and a vertical line within square brackets indicate a required choice within an optional element.


Examples use the following conventions:

Convention        Description
screen            Examples of information displayed on the screen are set in Courier font.
boldface screen   Examples of text that you must enter are set in Courier bold font.
< >               Angle brackets enclose text that is not printed to the screen, such as passwords.
!                 An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]               Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Caution    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Note       Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Timesaver  Means the described action saves time. You can save time by performing the action described in the paragraph.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

The most current Cisco documentation is available on the World Wide Web at the following website:
http://www.cisco.com

Translated documentation is available at the following website:
http://www.cisco.com/public/countries_languages.html

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.


Ordering Documentation

Cisco documentation can be ordered in the following ways:

• Registered Cisco Direct Customers can order Cisco product documentation from the Networking Products MarketPlace:
  http://www.cisco.com/cgi-bin/order/order_root.pl

• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:
  http://www.cisco.com/go/subscription

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS (6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to [email protected].

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.


Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to the following website:
http://www.cisco.com

Technical Assistance Center

The Cisco TAC website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website:
http://www.cisco.com/tac

P3 and P4 level problems are defined as follows:

• P3—Your network performance is degraded. Network functionality is noticeably impaired, but most business operations continue.

• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to the following website:
http://www.cisco.com/register/

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

P1 and P2 level problems are defined as follows:

• P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

• P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.


Using Cisco IOS Software

This chapter provides helpful tips for understanding and configuring Cisco IOS software using the command-line interface (CLI). It contains the following sections:

• Understanding Command Modes
• Getting Help
• Using the no and default Forms of Commands
• Saving Configuration Changes
• Filtering Output from the show and more Commands
• Identifying Supported Platforms

For an overview of Cisco IOS software configuration, refer to the Cisco IOS Configuration Fundamentals Configuration Guide.

For information on the conventions used in the Cisco IOS software documentation set, see the chapter “About Cisco IOS Software Documentation” located at the beginning of this book.

Understanding Command Modes

You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes, the commands available to you at any given time depend on the mode you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each command mode.

When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally by using a password. From privileged EXEC mode you can issue any EXEC command—user or privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time commands. For example, show commands show important status information, and clear commands clear counters or interfaces. The EXEC commands are not saved when the software reboots.

Configuration modes allow you to make changes to the running configuration. If you later save the running configuration to the startup configuration, these changed commands are stored when the software is rebooted. To enter specific configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and a variety of other modes, such as protocol-specific modes.

ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid software image is not found when the software boots or if the configuration file is corrupted at startup, the software might enter ROM monitor mode.


Table 1 describes how to access and exit various common command modes of the Cisco IOS software. It also shows examples of the prompts displayed for each mode.

Table 1  Accessing and Exiting Command Modes

User EXEC
    Access method: Log in.
    Prompt: Router>
    Exit method: Use the logout command.

Privileged EXEC
    Access method: From user EXEC mode, use the enable EXEC command.
    Prompt: Router#
    Exit method: To return to user EXEC mode, use the disable command.

Global configuration
    Access method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
    Prompt: Router(config)#
    Exit method: To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z.

Interface configuration
    Access method: From global configuration mode, specify an interface using an interface command.
    Prompt: Router(config-if)#
    Exit method: To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z.

ROM monitor
    Access method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
    Prompt: >
    Exit method: To exit ROM monitor mode, use the continue command.

For more information on command modes, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.

Getting Help

Entering a question mark (?) at the CLI prompt displays a list of commands available for each command mode. You can also get a list of keywords and arguments associated with any command by using the context-sensitive help feature.

To get help specific to a command mode, a command, a keyword, or an argument, use one of the following commands:

Command                          Purpose
help                             Provides a brief description of the help system in any command mode.
abbreviated-command-entry?       Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab>   Completes a partial command name.
?                                Lists all commands available for a particular command mode.
command ?                        Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
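As an added example that is not part of the Cisco reference, the following Python script applies the prompt conventions of Table 1 to a captured CLI session and classifies each entered command by the mode it was issued in. This is the check an operator wants when reviewing a terminal log after a change window: which lines were run in a configuration mode (and so altered the running configuration) versus one-time EXEC commands. The session text, the hostname Router, and the IP address are constructed for illustration, not taken from a real device.

```python
"""Classify commands in a captured Cisco IOS CLI session by command mode.

Added example, not from the Cisco reference. The prompt suffixes come from
Table 1 of the "Using Cisco IOS Software" chapter; the hostname is matched
generically because it is configurable. The sample session is constructed.
"""
import re
from typing import List, Tuple

# A line on which a command was entered looks like <hostname><suffix> <command>.
# Suffixes per Table 1: ">" user EXEC, "#" privileged EXEC,
# "(config)#" global configuration, "(config-if)#" interface configuration.
PROMPT_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9_.-]+)(?P<tail>>|#|\(config(?:-[a-z0-9-]+)?\)#)\s?(?P<cmd>.*)$"
)
# The ROM monitor prompt in Table 1 is a bare ">" with no hostname.
ROMMON_RE = re.compile(r"^>\s?(?P<cmd>.*)$")

# Commands that only leave a mode (Table 1 exit methods); they change nothing.
MODE_EXITS = {"exit", "end"}


def mode_for_tail(tail: str) -> str:
    """Map a prompt suffix to the command-mode name used in Table 1."""
    if tail == ">":
        return "user EXEC"
    if tail == "#":
        return "privileged EXEC"
    if tail == "(config)#":
        return "global configuration"
    if tail == "(config-if)#":
        return "interface configuration"
    # Other protocol-specific submodes, e.g. "(config-router)#".
    return tail[len("(config-"):-len(")#")] + " configuration"


def parse_session(text: str) -> List[Tuple[str, str]]:
    """Return (mode, command) for every line on which a command was entered.

    Command output, the Password: prompt and bare prompts without a command
    are skipped, so only operator input is reported.
    """
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            mode, cmd = mode_for_tail(m.group("tail")), m.group("cmd").strip()
        else:
            m = ROMMON_RE.match(line)
            if not m:
                continue
            mode, cmd = "ROM monitor", m.group("cmd").strip()
        if cmd:
            entries.append((mode, cmd))
    return entries


def config_commands(text: str) -> List[str]:
    """Commands entered in any configuration mode, excluding mode exits.

    These are the lines that altered the running configuration; as the
    chapter notes, they are lost on reboot unless saved to startup-config.
    """
    return [
        cmd
        for mode, cmd in parse_session(text)
        if mode.endswith("configuration") and cmd not in MODE_EXITS
    ]


# Constructed sample session (not captured from a real device).
SAMPLE_SESSION = """\
Router> enable
Password:
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial 4/0
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Router(config-if)# end
Router# copy running-config startup-config
"""

if __name__ == "__main__":
    for mode, cmd in parse_session(SAMPLE_SESSION):
        print(f"{mode:24} {cmd}")
    print("configuration changes:", config_commands(SAMPLE_SESSION))
```

The parser keys on the prompt alone and does not track exit, end or Ctrl-Z itself, so a log that omits prompts (for example, a pasted configuration rather than an interactive capture) would yield nothing; that is deliberate, since only lines with a prompt are evidence that an operator typed them.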


Example: How to Find Command Options

This section provides an example of how to display syntax for a command. The syntax can consist of optional or required keywords and arguments. To display keywords and arguments for a command, enter a question mark (?) at the configuration prompt or after entering part of a command followed by a space. The Cisco IOS software displays a list and brief description of available keywords and arguments. For example, if you were in global configuration mode and wanted to see all the keywords or arguments for the arap command, you would type arap ?.

The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The <cr> symbol at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that you must press Enter to complete the command.

Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands. The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that is running Cisco IOS Release 12.0(3).

Table 2    How to Find Command Options

Command    Comment

    Router> enable
    Password:
    Router#

Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#.

    Router# configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)#

Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.

    Router(config)# interface serial ?
      Serial interface number
    Router(config)# interface serial 4 ?
      /
    Router(config)# interface serial 4/ ?
      Serial interface number
    Router(config)# interface serial 4/0
    Router(config-if)#

Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash.

You are in interface configuration mode when the prompt changes to Router(config-if)#.


    Router(config-if)# ?
    Interface configuration commands:
    .
    .
    .
      ip                 Interface Internet Protocol config commands
      keepalive          Enable keepalive
      lan-name           LAN Name command
      llc2               LLC2 Interface Subcommands
      load-interval      Specify interval for load calculation for an interface
      locaddr-priority   Assign a priority group
      logging            Configure logging for interface
      loopback           Configure internal loopback on an interface
      mac-address        Manually set interface MAC address
      mls                mls router sub/interface commands
      mpoa               MPOA interface configuration commands
      mtu                Set the interface Maximum Transmission Unit (MTU)
      netbios            Use a defined NETBIOS access list or enable name-caching
      no                 Negate a command or set its defaults
      nrzi-encoding      Enable use of NRZI encoding
      ntp                Configure NTP
    .
    .
    .
    Router(config-if)#

Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.

    Router(config-if)# ip ?
    Interface IP configuration subcommands:
      access-group        Specify access control for packets
      accounting          Enable IP accounting on this interface
      address             Set the IP address of an interface
      authentication      authentication subcommands
      bandwidth-percent   Set EIGRP bandwidth limit
      broadcast-address   Set the broadcast address of an interface
      cgmp                Enable/disable CGMP
      directed-broadcast  Enable forwarding of directed broadcasts
      dvmrp               DVMRP interface commands
      hello-interval      Configures IP-EIGRP hello interval
      helper-address      Specify a destination address for UDP broadcasts
      hold-time           Configures IP-EIGRP hold time
    .
    .
    .
    Router(config-if)# ip

Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.

    Router(config-if)# ip address ?
      A.B.C.D     IP address
      negotiated  IP Address negotiated over PPP
    Router(config-if)# ip address

Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword.

A carriage return is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

    Router(config-if)# ip address 172.16.0.1 ?
      A.B.C.D  IP subnet mask
    Router(config-if)# ip address 172.16.0.1

Enter the keyword or argument you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask.

A carriage return is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

    Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
      secondary  Make this IP address a secondary address
    Router(config-if)# ip address 172.16.0.1 255.255.255.0

Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter.

A carriage return is displayed; you can press Enter to complete the command, or you can enter another keyword.

    Router(config-if)# ip address 172.16.0.1 255.255.255.0
    Router(config-if)#

In this example, Enter is pressed to complete the command.

Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function. Use the command without the no keyword to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software command reference publications provide the complete syntax for the configuration commands and describe what the no form of a command does.

Configuration commands also can have a default form, which returns the command settings to the default values. Most commands are disabled by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values. The Cisco IOS software command reference publications describe the effect of the default form of a command if the command functions differently than the no form.

Saving Configuration Changes

Use the copy system:running-config nvram:startup-config command to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example:

    Router# copy system:running-config nvram:startup-config
    Building configuration...

It might take a minute or two to save the configuration. After the configuration has been saved, the following output appears:

    [OK]
    Router#

On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment variable. The CONFIG_FILE variable defaults to NVRAM.

Filtering Output from the show and more Commands

In Cisco IOS Release 12.0(1)T and later releases, you can search and filter the output of show and more commands. This functionality is useful if you need to sort through large amounts of output or if you want to exclude output that you need not see.

To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the expression is case-sensitive):

    command | {begin | include | exclude} regular-expression

The output matches certain lines of information in the configuration file. The following example illustrates how to use output modifiers with the show interface command when you want the output to include only lines in which the expression “protocol” appears:

    Router# show interface | include protocol
    FastEthernet0/0 is up, line protocol is up
    Serial4/0 is up, line protocol is up
    Serial4/1 is up, line protocol is up
    Serial4/2 is administratively down, line protocol is down
    Serial4/3 is administratively down, line protocol is down

For more information on the search and filter functionality, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
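The three output modifiers described above, re-implemented over constructed show interface output so that begin, include and exclude can be compared side by side. This is an added example, not Cisco's code; SAMPLE_OUTPUT, filter_output and run are names chosen here, and the interface addresses are made up.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the show interface lines quoted
# above; the Internet address lines are made up.
SAMPLE_OUTPUT: Dict[str, str] = {
    "show interface": (
        "FastEthernet0/0 is up, line protocol is up\n"
        "  Internet address is 10.0.0.1/24\n"
        "Serial4/0 is up, line protocol is up\n"
        "  Internet address is 10.0.1.1/30\n"
        "Serial4/1 is up, line protocol is up\n"
        "Serial4/2 is administratively down, line protocol is down\n"
        "Serial4/3 is administratively down, line protocol is down\n"
    ),
}


def filter_output(text: str, keyword: str, regex: str) -> List[str]:
    """Apply one output modifier to the lines of text.

    keyword is begin, include or exclude; regex is matched case-sensitively
    against each line, as the router's filter does.
    """
    pattern = re.compile(regex)  # no re.IGNORECASE: the expression is case-sensitive
    lines = text.splitlines()
    if keyword == "include":
        return [ln for ln in lines if pattern.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not pattern.search(ln)]
    if keyword == "begin":
        # everything from the first matching line to the end of the output
        for i, ln in enumerate(lines):
            if pattern.search(ln):
                return lines[i:]
        return []
    raise ValueError(f"unknown output modifier {keyword!r}")


def run(command_line: str, outputs: Dict[str, str] = SAMPLE_OUTPUT) -> List[str]:
    """Split 'show interface | include protocol' at the pipe, look the base
    command up in outputs (a stand-in for the router) and filter the result."""
    base, pipe, modifier = command_line.partition("|")
    text = outputs[base.strip()]
    if not pipe:
        return text.splitlines()
    keyword, _, regex = modifier.strip().partition(" ")
    if not regex:
        raise ValueError("a regular-expression must follow the keyword")
    return filter_output(text, keyword, regex)


if __name__ == "__main__":
    for line in run("show interface | include administratively down"):
        print(line)
```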


Identifying Supported Platforms

Cisco IOS software is packaged in feature sets consisting of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. To identify the set of software images available in a specific release or to find out if a feature is available in a given Cisco IOS software image, see the following sections:

• Using Feature Navigator
• Using Software Release Notes

Using Feature Navigator

Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a particular set of features and which features are supported in a particular Cisco IOS image.

Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at [email protected]. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.

To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For JavaScript support and enabling instructions for other browsers, check with the browser vendor.

Feature Navigator is updated when major Cisco IOS software releases and technology releases occur. You can access Feature Navigator at the following URL:

http://www.cisco.com/go/fn

Using Software Release Notes

Cisco IOS software releases include release notes that provide the following information:

• Platform support information
• Memory recommendations
• Microcode support information
• Feature set tables
• Feature descriptions
• Open and resolved severity 1 and 2 caveats for all platforms

Release notes are intended to be release-specific for the most current release, and the information provided in these documents may not be cumulative in providing information about features that first appeared in previous releases.


Authentication, Authorization, and Accounting


Authentication Commands

This chapter describes the commands used to configure both AAA and non-AAA authentication methods. Authentication identifies users before they are allowed access to the network and network services. Basically, the Cisco IOS software implementation of authentication is divided into two main categories:

• AAA Authentication Methods
• Non-AAA Authentication Methods

Authentication, for the most part, is implemented through the AAA security services. We recommend that, whenever possible, AAA be used to implement authentication.

For information on how to configure authentication using either AAA or non-AAA methods, refer to the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the section “Authentication Examples” located at the end of the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide.


aaa authentication arap

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.

    aaa authentication arap {default | list-name} method1 [method2...]
    no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description

    default               Uses the listed methods that follow this argument as the default list of methods when a user logs in.
    list-name             Character string used to name the following list of authentication methods tried when a user logs in.
    method1 [method2...]  At least one of the keywords described in Table 3.

Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

    aaa authentication arap default local

Command Modes

Global configuration

Command History

    Release   Modification
    10.3      This command was introduced.
    12.0(5)T  Group server and local-case support were added as method keywords for this command.

Usage Guidelines

The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 3. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 3 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the more system:running-config command to view currently configured lists of authentication methods.


Note    In Table 3, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 3    aaa authentication arap Methods

    Keyword           Description
    guest             Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
    auth-guest        Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
    line              Uses the line password for authentication.
    local             Uses the local username database for authentication.
    local-case        Uses case-sensitive local username authentication.
    group radius      Uses the list of all RADIUS servers for authentication.
    group tacacs+     Uses the list of all TACACS+ servers for authentication.
    group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

    aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:

    aaa authentication arap default group tacacs+ none

Related Commands

    Command        Description
    aaa new-model  Enables the AAA access control model.


aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.

    aaa authentication banner dstringd
    no aaa authentication banner

Syntax Description

    d       Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
    string  Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Defaults

Not enabled

Command Modes

Global configuration

Command History

    Release   Modification
    11.3(4)T  This command was introduced.

Usage Guidelines

Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Note    The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list.

Examples

The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)

    aaa new-model
    aaa authentication login default group radius


This configuration produces the following standard output:

    User Verification Access
    Username:
    Password:

The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)

    aaa new-model
    aaa authentication banner *Unauthorized use is prohibited.*
    aaa authentication login default group radius

This configuration produces the following login banner:

    Unauthorized use is prohibited.
    Username:

Related Commands

    Command                          Description
    aaa authentication fail-message  Configures a personalized banner that will be displayed when a user fails login.


aaa authentication enable default

To enable authentication, authorization, and accounting (AAA) authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode. To disable this authorization method, use the no form of this command.

    aaa authentication enable default method1 [method2...]
    no aaa authentication enable default method1 [method2...]

Syntax Description

    method1 [method2...]  At least one of the keywords described in Table 4.

Defaults

If the default list is not set, only the enable password is checked. This has the same effect as the following command:

    aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Modes

Global configuration

Command History

    Release   Modification
    10.3      This command was introduced.
    12.0(5)T  Group server support was added as various method keywords for this command.

Usage Guidelines

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in Table 4. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

All aaa authentication enable default requests sent by the router to a RADIUS or TACACS+ server include the username “$enab15$.”

If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the more system:running-config command to view currently configured lists of authentication methods.

Note    In Table 4, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.


Examples

The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

    aaa authentication enable default group tacacs+ enable none

Table 4    aaa authentication enable default Methods

    Keyword           Description
    enable            Uses the enable password for authentication.
    line              Uses the line password for authentication.
    none              Uses no authentication.
    group radius      Uses the list of all RADIUS servers for authentication.
                      Note    The RADIUS method does not work on a per-username basis.
    group tacacs+     Uses the list of all TACACS+ servers for authentication.
    group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Related Commands

    Command            Description
    aaa authorization  Sets parameters that restrict network access to a user.
    aaa new-model      Enables the AAA access control model.
    enable password    Sets a local password to control access to various privilege levels.


aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

    aaa authentication fail-message dstringd
    no aaa authentication fail-message

Syntax Description

    d       The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
    string  Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Defaults

Not enabled

Command Modes

Global configuration

Command History

    Release   Modification
    11.3(4)T  This command was introduced.

Usage Guidelines

Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Examples

The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)

    aaa new-model
    aaa authentication login default group radius

This configuration produces the following standard output:

    User Verification Access
    Username:
    Password:
    % Authentication failed.

The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.

    aaa new-model
    aaa authentication banner *Unauthorized use is prohibited.*
    aaa authentication fail-message *Failed login. Try again.*
    aaa authentication login default group radius

This configuration produces the following login and failed login banner:

    Unauthorized use is prohibited.
    Username:
    Password:
    Failed login. Try again.

Related Commands

    Command                    Description
    aaa authentication banner  Configures a personalized banner that will be displayed at user login.
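The d string d form shared by aaa authentication banner and aaa authentication fail-message, parsed and checked offline, with the login sequence from the Examples of both commands rebuilt from a parsed configuration and the TACACS+-first caveat from the banner Usage Guidelines turned into a configuration check. This is an added example, not Cisco's code; parse_delimited, parse_config, render_login and lint are names chosen here, and SAMPLE_CONFIG is a constructed copy of the configuration lines in the Examples.

```python
from typing import Dict, List

MAX_BANNER_CHARS = 2996  # limit given in the Syntax Description of both commands
DEFAULT_LOGIN_MESSAGE = "User Verification Access"
DEFAULT_FAIL_MESSAGE = "% Authentication failed."

# Constructed configuration, copied from the Examples for the two commands.
SAMPLE_CONFIG: List[str] = [
    "aaa new-model",
    "aaa authentication banner *Unauthorized use is prohibited.*",
    "aaa authentication fail-message *Failed login. Try again.*",
    "aaa authentication login default group radius",
]


def parse_delimited(rest: str) -> str:
    """Parse the d string d form: the first character is the delimiter, the
    text runs to the next occurrence of it, and it may not appear in the text."""
    if not rest:
        raise ValueError("banner string is empty")
    delimiter, body = rest[0], rest[1:]
    end = body.find(delimiter)
    if end == -1:
        raise ValueError(f"closing delimiter {delimiter!r} not found")
    text, trailing = body[:end], body[end + 1:].strip()
    if trailing:
        # A delimiter inside the intended text ends the banner early; the
        # leftover is rejected rather than silently dropped.
        raise ValueError(f"text after closing delimiter: {trailing!r}")
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError(f"{len(text)} characters; maximum is {MAX_BANNER_CHARS}")
    return text


def is_malformed(rest: str) -> bool:
    """True when parse_delimited rejects the string."""
    try:
        parse_delimited(rest)
    except ValueError:
        return True
    return False


def parse_config(lines: List[str]) -> Dict[str, object]:
    """Collect the banner, fail-message and default login method list."""
    cfg: Dict[str, object] = {"banner": None, "fail_message": None, "login_default": []}
    for line in lines:
        toks = line.split(None, 3)  # 'aaa', 'authentication', keyword, rest
        if len(toks) < 4 or toks[:2] != ["aaa", "authentication"]:
            continue
        keyword, rest = toks[2], toks[3]
        if keyword == "banner":
            cfg["banner"] = parse_delimited(rest)
        elif keyword == "fail-message":
            cfg["fail_message"] = parse_delimited(rest)
        elif keyword == "login" and rest.startswith("default "):
            cfg["login_default"] = rest.split()[1:]
    return cfg


def render_login(cfg: Dict[str, object], failed: bool) -> List[str]:
    """Reproduce the prompt sequence shown in the Examples of both commands."""
    out = [cfg["banner"] or DEFAULT_LOGIN_MESSAGE, "Username:", "Password:"]
    if failed:
        out.append(cfg["fail_message"] or DEFAULT_FAIL_MESSAGE)
    return out


def lint(cfg: Dict[str, object]) -> List[str]:
    """Flag the caveat from the banner Usage Guidelines: with TACACS+ first in
    the login method list, the configured banner is never shown."""
    warnings: List[str] = []
    if cfg["banner"] and cfg["login_default"][:2] == ["group", "tacacs+"]:
        warnings.append("aaa authentication banner is set but 'group tacacs+' is the "
                        "first login method, so the banner will not be displayed")
    return warnings


if __name__ == "__main__":
    for line in render_login(parse_config(SAMPLE_CONFIG), failed=True):
        print(line)
```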


aaa authentication login

To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.

    aaa authentication login {default | list-name} method1 [method2...]
    no aaa authentication login {default | list-name} method1 [method2...]

Syntax Description

    default               Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
    list-name             Character string used to name the list of authentication methods activated when a user logs in.
    method1 [method2...]  At least one of the keywords described in Table 5.

Defaults

If the default list is not set, only the local user database is checked. This has the same effect as the following command:

    aaa authentication login default local

Note    On the console, login will succeed without any authentication checks if default is not set.

Command Modes

Global configuration

Command History

    Release   Modification
    10.3      This command was introduced.
    12.0(5)T  Group server and local-case support were added as method keywords for this command.

Usage Guidelines

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5.

To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.


If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Note    In Table 5, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

    aaa authentication login MIS-access group tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:

    aaa authentication login default group tacacs+ enable none

The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:

    aaa authentication login default krb5

    Related Commands

    Table 5 aaa authentication login Methods 

    Keyword Description

    enable Uses the enable password for authentication.

    krb5 Uses Kerberos 5 for authentication.

    krb5-telnet Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to

    the router.

    line Uses the line password for authentication.

    local Uses the local username database for authentication.

    local-case Uses case-sensitive local username authentication.

    none Uses no authentication.

    group radius Uses the list of all RADIUS servers for authentication.

    group tacacs+ Uses the list of all TACACS+ servers for authentication.

    group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by

    the aaa group server radius or aaa group server tacacs+ command.

    Command Description

    aaa new-model Enables the AAA access control model.

    login authentication Enables AAA authentication for logins.
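The rule in the Usage Guidelines above, that a later method is consulted only when the previous one returns an error and never when it fails, decides whether the MIS-access list admits a user while the TACACS+ server is unreachable. The following Python model is an added example, not code from the Cisco IOS Security Command Reference or from Cisco. It replays the MIS-access list from the Examples above against a constructed environment (the server-group table, the enable password and the credentials are assumptions, not values from the document) and records which method produced the decision. The same walk applies to aaa authentication nasi and aaa authentication ppp lists.

```python
"""Walk a Cisco IOS AAA authentication method list.

Added example, not code from the Cisco IOS Security Command Reference.
It models the rule stated for aaa authentication login (and likewise for
aaa authentication nasi and aaa authentication ppp): a later method is
consulted only when the previous method returns an error, not when it
fails.  The server-group table, the enable password and the credentials
below are constructed fixtures, not values from the document.
"""
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method accepted the user: stop and allow
    FAIL = "fail"    # method rejected the credentials: stop and deny
    ERROR = "error"  # method could not answer: consult the next method


def parse_login_list(command):
    """Split 'aaa authentication login NAME method...' into (NAME, [methods]).

    'group radius', 'group tacacs+' and 'group NAME' each form one method."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected: aaa authentication login {default | list-name} method1 ...")
    name, rest, methods = tokens[3], tokens[4:], []
    i = 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def run_method(method, env, username, password):
    """Outcome of one Table 5 keyword against a constructed environment.

    env["groups"] maps a server-group name ('tacacs+', 'radius', or a name
    created with aaa group server) to {"reachable": bool, "users": {...}};
    env["enable_password"] is None when no enable password is configured.
    """
    if method.startswith("group "):
        group = env["groups"].get(method[len("group "):])
        if group is None or not group["reachable"]:
            return Outcome.ERROR        # no server found: error, fall through
        return Outcome.PASS if group["users"].get(username) == password else Outcome.FAIL
    if method == "enable":
        if env["enable_password"] is None:
            return Outcome.ERROR        # no enable password configured: error
        return Outcome.PASS if password == env["enable_password"] else Outcome.FAIL
    if method == "none":
        return Outcome.PASS             # no authentication: always succeeds
    raise ValueError("method %r is not modelled in this example" % method)


def authenticate(methods, env, username, password):
    """Return (allowed, trace); trace lists (method, outcome) in the order tried."""
    trace = []
    for method in methods:
        outcome = run_method(method, env, username, password)
        trace.append((method, outcome))
        if outcome is Outcome.PASS:
            return True, trace
        if outcome is Outcome.FAIL:
            return False, trace         # a failure is final: nothing falls through
    return False, trace                 # every method errored and the list has no 'none'


# The list from the Examples above; everything after it is a constructed fixture.
LIST_NAME, METHODS = parse_login_list(
    "aaa authentication login MIS-access group tacacs+ enable none")
SERVER_UP = {"groups": {"tacacs+": {"reachable": True, "users": {"alice": "s3cret"}}},
             "enable_password": None}
SERVER_DOWN = {"groups": {"tacacs+": {"reachable": False, "users": {}}},
               "enable_password": None}

if __name__ == "__main__":
    for label, env, user, pw in [
        ("server up, correct password", SERVER_UP, "alice", "s3cret"),
        ("server up, wrong password", SERVER_UP, "alice", "guess"),
        ("server down, no enable password", SERVER_DOWN, "alice", "anything"),
    ]:
        allowed, trace = authenticate(METHODS, env, user, pw)
        steps = ", ".join("%s=%s" % (m, o.value) for m, o in trace)
        print("%-32s %s  [%s]" % (label, "ALLOW" if allowed else "DENY", steps))
```

The third scenario is the one the Examples describe: with the server down and no enable password configured, both methods return an error and none admits the user. With the server up, a wrong password is a failure, so enable and none are never consulted. Dropping none from the end of the list changes the server-down case to a denial, which is the trade-off the Usage Guidelines leave to the administrator.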

aaa authentication nasi

To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. To disable authentication for NASI clients, use the no form of this command.

    aaa authentication nasi {default | list-name} method1 [method2...]
    no aaa authentication nasi {default | list-name} method1 [method2...]

Syntax Description

    default                 Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
    list-name               Character string used to name the list of authentication methods activated when a user logs in.
    method1 [method2...]    At least one of the methods described in Table 6.

Defaults

If the default list is not set, only the local user database is selected. This has the same effect as the following command:

    aaa authentication nasi default local

Command Modes

    Global configuration

Command History

    Release     Modification
    11.1        This command was introduced.
    12.0(5)T    Group server support and local-case were added as method keywords for this command.

Usage Guidelines

The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.

Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in Table 6.

To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Note    In Table 6, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 6    aaa authentication nasi Methods

    Keyword             Description
    enable              Uses the enable password for authentication.
    line                Uses the line password for authentication.
    local               Uses the local username database for authentication.
    local-case          Uses case-sensitive local username authentication.
    none                Uses no authentication.
    group radius        Uses the list of all RADIUS servers for authentication.
    group tacacs+       Uses the list of all TACACS+ servers for authentication.
    group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

    aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:

    aaa authentication nasi default group tacacs+ enable none

Related Commands

    Command                               Description
    ip trigger-authentication (global)    Enables the automated part of double authentication at a device.
    ipx nasi-server enable                Enables NASI clients to connect to asynchronous devices attached to a router.
    nasi authentication                   Enables AAA authentication for NASI clients connecting to a router.
    show ipx nasi connections             Displays the status of NASI connections.
    show ipx spx-protocol                 Displays the status of the SPX protocol stack and related counters.

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command in global configuration mode. To return to the default password prompt text, use the no form of this command.

    aaa authentication password-prompt text-string
    no aaa authentication password-prompt text-string

Syntax Description

    text-string    String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").

Defaults

There is no user-defined text-string, and the password prompt appears as "Password."

Command Modes

    Global configuration

Command History

    Release    Modification
    11.0       This command was introduced.

Usage Guidelines

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:

    Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ server.

The aaa authentication password-prompt command works when RADIUS is used as the login method. The password prompt that is defined in the command will be shown even when the RADIUS server is unreachable. The aaa authentication password-prompt command does not work with TACACS+. TACACS+ supplies the network access server (NAS) with the password prompt to display to the users. If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that prompt instead of the one defined in the aaa authentication password-prompt command. If the TACACS+ server is not reachable, the password prompt that is defined in the aaa authentication password-prompt command may be used.

Examples

The following example changes the text for the password prompt:

    aaa authentication password-prompt "Enter your password now:"

Related Commands

    Command                               Description
    aaa authentication username-prompt    Changes the text displayed when users are prompted to enter a username.
    aaa new-model                         Enables the AAA access control model.
    enable password                       Sets a local password to control access to various privilege levels.

aaa authentication ppp

To specify one or more authentication, authorization, and accounting (AAA) authentication methods for use on serial interfaces that are running PPP, use the aaa authentication ppp command in global configuration mode. To disable authentication, use the no form of this command.

    aaa authentication ppp {default | list-name} method1 [method2...]
    no aaa authentication ppp {default | list-name} method1 [method2...]

Syntax Description

    default                 Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
    list-name               Character string used to name the list of authentication methods tried when a user logs in.
    method1 [method2...]    Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in Table 7.

Defaults

If the default list is not set, only the local user database is checked. This has the same effect as that created by the following command:

    aaa authentication ppp default local

Command Modes

    Global configuration

Command History

    Release     Modification
    10.3        This command was introduced.
    12.0(5)T    Group server support and local-case were added as method keywords.

Usage Guidelines

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 7.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Note    In Table 7, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Table 7    aaa authentication ppp Methods

    Keyword             Description
    if-needed           Does not authenticate if the user has already been authenticated on a tty line.
    krb5                Uses Kerberos 5 for authentication (can be used only for Password Authentication Protocol [PAP] authentication).
    local               Uses the local username database for authentication.
    local-case          Uses case-sensitive local username authentication.
    none                Uses no authentication.
    group radius        Uses the list of all RADIUS servers for authentication.
    group tacacs+       Uses the list of all TACACS+ servers for authentication.
    group group-name    Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Examples

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

    aaa authentication ppp MIS-access group tacacs+ none

Related Commands

    Command                       Description
    aaa group server radius       Groups different RADIUS server hosts into distinct lists and distinct methods.
    aaa group server tacacs+      Groups different server hosts into distinct lists and distinct methods.
    aaa new-model                 Enables the AAA access control model.
    more system:running-config    Displays the contents of the currently running configuration file, the configuration for a specific interface, or map class information.
    ppp authentication            Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
    radius-server host            Specifies a RADIUS server host.
    tacacs+-server host           Specifies a TACACS host.
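The login, nasi and ppp pages each point to more system:running-config for reviewing the configured method lists, and each states a condition worth checking in that output: a list ending in none succeeds once every earlier method returns an error, a login configuration without a default list leaves console logins without authentication checks, and a ppp list holds at most four methods. The following Python audit is an added example, not code from the Cisco IOS Security Command Reference or from Cisco. It runs over a constructed configuration excerpt (SAMPLE_CONFIG; the list names MIS-access and list1 are taken from the examples above, while dialin, admins and the line placements are assumptions) and reports those conditions, plus login or nasi lines that name a list the configuration does not define.

```python
"""Audit the aaa authentication lists in an IOS running configuration.

Added example, not code from the Cisco IOS Security Command Reference.
It reads configuration text as shown by 'more system:running-config' and
reports the conditions the aaa authentication login, nasi and ppp pages
describe.  SAMPLE_CONFIG is a constructed excerpt: MIS-access and list1
come from the reference's examples, dialin and admins are made up.
"""

AUTH_SERVICES = ("login", "nasi", "ppp")
MAX_PPP_METHODS = 4            # aaa authentication ppp accepts up to four methods

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login MIS-access group tacacs+ enable none
aaa authentication nasi list1 group tacacs+ enable none
aaa authentication ppp dialin group tacacs+ group radius local local-case none
line con 0
line vty 0 4
 login authentication MIS-access
line vty 5 15
 login authentication admins
"""


def method_count(tokens):
    """Number of methods in a token list; 'group X' counts as one method."""
    return len(tokens) - tokens.count("group")


def audit(config_text):
    """Return a list of finding strings for the given configuration text."""
    lists = {svc: {} for svc in AUTH_SERVICES}   # service -> {list name: method tokens}
    references = []                               # (service, list name, config line number)
    aaa_new_model = False

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.split()
        if tokens == ["aaa", "new-model"]:
            aaa_new_model = True
        elif (len(tokens) >= 5 and tokens[:2] == ["aaa", "authentication"]
              and tokens[2] in AUTH_SERVICES):
            lists[tokens[2]][tokens[3]] = tokens[4:]
        elif (len(tokens) == 3 and tokens[0] in ("login", "nasi")
              and tokens[1] == "authentication"):
            references.append((tokens[0], tokens[2], lineno))

    findings = []
    for svc, named in lists.items():
        for name, methods in named.items():
            if methods[-1] == "none":
                findings.append(
                    "aaa authentication %s %s: ends in 'none'; authentication succeeds "
                    "whenever every earlier method returns an error" % (svc, name))
            if svc == "ppp" and method_count(methods) > MAX_PPP_METHODS:
                findings.append(
                    "aaa authentication ppp %s: %d methods, the command accepts up to %d"
                    % (name, method_count(methods), MAX_PPP_METHODS))

    if aaa_new_model and "default" not in lists["login"]:
        findings.append("aaa authentication login default is not set: console login "
                        "succeeds without any authentication checks")

    for svc, name, lineno in references:
        if name != "default" and name not in lists[svc]:
            findings.append("line %d: %s authentication %s refers to a list that is not "
                            "defined in this configuration" % (lineno, svc, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports six findings: the three lists ending in none, the five-method ppp list, the missing login default list, and the vty line that names the undefined list admins. Feed it the saved output of more system:running-config to audit a real device; the line numbers in the findings refer to that text.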

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt command in global configuration mode. To return to the default username prompt text, use the no form of this command.

    aaa authentication username-prompt text-string
    no aaa authentication username-prompt text-string

Syntax Description

    text-string    String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").

Defaults

There is no user-defined text-string, and the username prompt appears as "Username."

Command Modes

    Global configuration

Command History

    Release    Modification
    11.0       This command was introduced.

Usage Guidelines

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:

    Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.

Note    The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.

Examples

The following example changes the text for the username prompt:

    aaa authentication username-prompt "Enter your name here:"

Related Commands

    Command                               Description
    aaa authentication password-prompt    Changes the text that is displayed when users are prompted for a password.
    aaa new-model                         Enables the AAA access control model.
    enable password                       Sets a local password to control access to various privilege levels.

aaa dnis map authentication login group

To map a Dialed Number Information Service (DNIS) number to a particular authentication, authorization, and accounting (AAA) server group for the login service (this server group will be used for AAA authentication), use the aaa dnis map authentication login group command in global configuration mode. To unmap this DNIS number from the defined server group, use the no form of this command.

    aaa dnis map dnis-number authentication login group server-group-name
    no aaa dnis map dnis-number authentication login group server-group-name

Syntax Description

    dnis-number          Number of the DNIS.
    server-group-name    Character string used to name a group of security servers associated in a server group.

Defaults

    Disabled

Command Modes

    Global configuration

Command History

    Release    Modification
    12.1       This command was introduced.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group; thus, the server group can process the AAA authentication requests for login service for users dialing into the network using that particular DNIS.

To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Examples

The following example shows how to map DNIS number 7777 to the RADIUS server group called group1. group1 will use RADIUS server 172.30.0.0 for AAA authentication requests for login service for users dialing in with DNIS 7777.

    aaa new-model
    radius-server host 172.30.0.0 auth-port 1645 key cisco1
    aaa group server radius group1
     server 172.30.0.0
     exit
    aaa dnis map enable
    aaa dnis map 7777 authentication login group group1

Related Commands

    Command                                    Description
    aaa dnis map accounting network group      Maps a DNIS number to a particular accounting server group.
    aaa dnis map enable                        Enables AAA server selection based on DNIS.
    aaa group server                           Groups different server hosts into distinct lists and methods.
    aaa new-model                              Enables the AAA access control model.
    radius-server host                         Specifies a RADIUS server host.

aaa dnis map authentication ppp group

To map a Dialed Number Information Service (DNIS) number to a particular authentication server group (this server group will be used for authentication, authorization, and accounting (AAA) authentication), use the aaa dnis map authentication ppp group command in global configuration mode. To remove the DNIS number from the defined server group, use the no form of this command.

    aaa dnis map dnis-number authentication ppp group server-group-name
    no aaa dnis map dnis-number authentication ppp group server-group-name

Syntax Description

    dnis-number          Number of the DNIS.
    server-group-name    Character string used to name a group of security servers associated in a server group.

Defaults

    Disabled

Command Modes

    Global configuration

Command History

    Release     Modification
    12.0(7)T    This command was introduced.

Usage Guidelines

This command lets you assign a DNIS number to a particular AAA server group, so that the server group can process authentication requests for users dialing in to the network using that particular DNIS. To use this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.

Examples

The following example maps DNIS number 7777 to the RADIUS server group called group1. Server group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with DNIS 7777.

    aaa new-model
    radius-server host 172.30.0.0 auth-port 1645 key cisco1
    aaa group server radius group1
     server 172.30.0.0
    aaa dnis map enable
    aaa dnis map 7777 authentication ppp group group1

Related Commands

    Command                                    Description
    aaa dnis map accounting network group      Maps a DNIS number to a particul

