Cisco IOS Security Command Reference
April 2011
Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco IOS Security Command Reference
2011 Cisco Systems, Inc. All rights reserved.
CONTENTS

Introduction SEC-1

Security Commands
aaa accounting
aaa accounting (IKEv2 profile)
aaa accounting connection h323
aaa accounting delay-start
aaa accounting gigawords
aaa accounting-list
aaa accounting include auth-profile
aaa accounting jitter maximum
aaa accounting nested
aaa accounting redundancy
aaa accounting resource start-stop group
aaa accounting resource stop-failure group
aaa accounting send stop-record always
aaa accounting send stop-record authentication
aaa accounting session-duration ntp-adjusted
aaa accounting suppress null-username
aaa accounting update
aaa attribute
aaa attribute list
aaa authentication (IKEv2 profile)
aaa authentication (WebVPN)
aaa authentication arap
aaa authentication attempts login
aaa authentication auto (WebVPN)
aaa authentication banner
aaa authentication dot1x
aaa authentication enable default
aaa authentication eou default enable group radius
aaa authentication fail-message
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication sgbp
aaa authentication suppress null-username
aaa authentication username-prompt
aaa authorization
aaa authorization (IKEv2 profile)
aaa authorization cache filterserver
aaa authorization config-commands
aaa authorization console
aaa authorization list
aaa authorization reverse-access
aaa authorization template
aaa cache filter
aaa cache filterserver
aaa cache profile
aaa configuration
aaa dnis map accounting network
aaa dnis map authentication group
aaa dnis map authorization network group
aaa group server diameter
aaa group server ldap
aaa group server radius
aaa group server tacacs+
aaa intercept
aaa local authentication attempts max-fail
aaa max-sessions
aaa memory threshold
April 2011
iv
aaa nas cisco-nas-port use-async-info
aaa nas port extended
aaa nas port option82
aaa nas redirected-station
aaa new-model
aaa password
aaa pod server
aaa preauth
aaa processes
aaa route download
aaa server radius dynamic-author
aaa service-profile
aaa session-id
aaa session-mib
aaa traceback recording
aaa user profile
access (firewall farm)
access (server farm)
access (virtual server)
access-class
access-enable
access-group (identity policy)
access-group mode
access-list (IP extended)
access-list (IP standard)
access-list (NLSP)
access-list compiled
access-list compiled data-link limit memory
access-list compiled ipv4 limit memory
access-list dynamic-extend
access-list remark
access-profile
access-restrict
access-template
accounting
accounting (gatekeeper)
accounting (line)
accounting (server-group)
accounting acknowledge broadcast
accounting dhcp source-ip aaa list
acl (ISAKMP)
acl (WebVPN)
action-type
activate
add (WebVPN)
address
address (IKEv2 keyring)
address ipv4
address ipv4 (GDOI)
addressed-key
administrator authentication list
administrator authorization list
alert
alert (zone-based policy)
alert-severity
algorithm
all (profile map configuration)
allow-mode
appfw policy-name
appl (webvpn)
application (application firewall policy)
application redundancy
arap authentication
ase collector
ase enable
ase group
ase signature extraction
attribute (server-group)
attribute map
attribute nas-port format
attribute type
audit filesize
audit interval
audit-trail
audit-trail (zone)
authentication
authentication (IKE policy)
authentication (IKEv2 profile)
authentication bind-first
authentication command
authentication command bounce-port ignore
authentication command disable-port ignore
authentication compare
authentication control-direction
authentication critical recovery delay
authentication event fail
authentication event no-response action
authentication event server alive action reinitialize
authentication event server dead action authorize
authentication fallback
authentication host-mode
authentication list (tti-registrar)
authentication open
authentication order
authentication periodic
authentication port-control
authentication priority
authentication terminal
authentication timer inactivity
authentication timer reauthenticate
authentication timer restart
authentication trustpoint
authentication url
authentication violation
authorization
authorization (server-group)
authorization (tti-registrar)
authorization address ipv4
authorization identity
authorization list (global)
authorization list (tti-registrar)
authorization username
authorization username (tti-registrar)
authorize accept identity
auth-type
auth-type (ISG)
auto-enroll
auto-rollover
auto secure
auto-update client
backoff exponential
backup-gateway
banner
banner (WebVPN)
base-dn
bidirectional
binary file
bind authenticate
block count
browser-attribute import
browser-proxy
ca trust-point
cache authentication profile (server group configuration)
cache authorization profile (server group configuration)
cache clear age
cache disable
cache expiry (server group configuration)
cache max
cache refresh
call admission limit
call guard-timer
category (ips)
cdp-url
certificate
chain-validation
cifs-url-list
cipherkey
ciphervalue
cisco (ips-auto-update)
citrix enabled
class type inspect
class type urlfilter
class-map type inspect
class-map type urlfilter
clear aaa cache filterserver acl
clear aaa cache filterserver group
clear aaa cache group
clear aaa counters servers
clear aaa local user fail-attempts
clear aaa local user lockout
clear access-list counters
clear access-template
clear appfw dns cache
clear ase signatures
clear authentication sessions
clear crypto call admission statistics
clear crypto ctcp
clear crypto datapath
clear crypto engine accelerator counter
clear crypto gdoi
clear crypto gdoi ks cooperative role
clear crypto ikev2 sa
clear crypto ikev2 stat
clear crypto ipsec client ezvpn
clear crypto isakmp
clear crypto sa
clear crypto session
clear crypto pki benchmarks
clear crypto pki crls
clear dmvpn session
clear dmvpn statistics
clear dot1x
clear eap
clear eou
clear ip access-list counters
clear ip access-template
clear ip admission cache
clear ip audit configuration
clear ip audit statistics
clear ip auth-proxy cache
clear ip auth-proxy watch-list
clear ip inspect ha
clear ip inspect session
clear ip ips configuration
clear ip ips statistics
clear ip sdee
clear ip trigger-authentication
clear ip urlfilter cache
clear kerberos creds
clear ldap server
clear logging ip access-list cache
clear parameter-map type protocol-info
clear policy-firewall
clear policy-firewall stats vrf
clear policy-firewall stats vrf global
clear policy-firewall stats zone
clear port-security
clear radius
clear radius local-server
clear webvpn nbns
clear webvpn session
clear webvpn stats
clear zone-pair
clid
client
client authentication list
client configuration address
client configuration group
client pki authorization list
client rekey encryption
client rekey hash
client transform-sets
commands (view)
configuration url
configuration version
content-length
content-type-verification
control
copy (consent-parameter-map)
copy idconf
copy ips-sdf
crl
crl best-effort
crl optional
crl query
crl-cache delete-after
crl-cache none
crypto aaa attribute list
crypto ca authenticate
crypto ca cert validate
crypto ca certificate chain
crypto ca certificate map
crypto ca certificate query (ca-trustpoint)
crypto ca certificate query (global)
crypto ca crl request
crypto ca enroll
crypto ca export pem
crypto ca export pkcs12
crypto ca identity
crypto ca import
crypto ca import pem
crypto ca import pkcs12
crypto ca profile enrollment
crypto ca trusted-root
crypto ca trustpoint
crypto call admission limit
crypto connect vlan
crypto ctcp
crypto dynamic-map
crypto-engine
crypto engine accelerator
crypto engine aim
crypto engine em
crypto engine mode vrf
crypto engine nm
crypto engine onboard
crypto engine slot
crypto engine slot (interface)
crypto gdoi gm
crypto gdoi group
crypto identity
crypto ikev2 authorization policy
crypto ikev2 certificate-cache
crypto ikev2 cookie-challenge
crypto ikev2 diagnose
crypto ikev2 dpd
crypto ikev2 fragmentation
crypto ikev2 http-url
crypto ikev2 keyring
crypto ikev2 limit
crypto ikev2 name mangler
crypto ikev2 nat
crypto ikev2 policy
crypto ikev2 profile
crypto ikev2 proposal
crypto ikev2 window
crypto ipsec client ezvpn (global)
crypto ipsec client ezvpn (interface)
crypto ipsec client ezvpn connect
crypto ipsec client ezvpn xauth
crypto ipsec df-bit (global)
crypto ipsec df-bit (interface)
crypto ipsec default transform-set
crypto ipsec fragmentation (global)
crypto ipsec fragmentation (interface)
crypto ipsec ipv4-deny
crypto ipsec nat-transparency
crypto ipsec optional
crypto ipsec optional retry
crypto ipsec profile
crypto ipsec security-association idle-time
crypto ipsec security-association lifetime
crypto ipsec security-association replay disable
crypto ipsec security-association replay window-size
crypto ipsec server send-update
crypto ipsec transform-set
crypto isakmp aggressive-mode disable
crypto isakmp client configuration address-pool local
crypto isakmp client configuration browser-proxy
crypto isakmp client configuration group
crypto isakmp client firewall
crypto isakmp default policy
crypto isakmp enable
crypto isakmp fragmentation
crypto isakmp identity
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive
crypto isakmp key
crypto isakmp nat keepalive
crypto isakmp peer
crypto isakmp policy
crypto isakmp profile
crypto key decrypt rsa
crypto key encrypt rsa
crypto key export rsa pem
crypto key generate ec keysize
crypto key generate rsa
crypto key import rsa pem
crypto key lock rsa
crypto key move rsa
crypto key pubkey-chain rsa
crypto key storage
crypto key unlock rsa
crypto key zeroize pubkey-chain
crypto key zeroize rsa
crypto keyring
crypto logging ezvpn
crypto logging ikev2
crypto logging session
crypto map (global IPsec)
crypto map (interface IPsec)
crypto map (Xauth)
crypto map client configuration address
crypto map gdoi fail-close
crypto map (isakmp)
crypto map isakmp-profile
crypto map local-address
crypto map redundancy replay-interval
crypto mib ipsec flowmib history failure size
crypto mib ipsec flowmib history tunnel size
crypto pki authenticate
crypto pki benchmark
crypto pki cert validate
crypto pki certificate chain
crypto pki certificate map
crypto pki certificate query (ca-trustpoint)
crypto pki certificate storage
crypto pki crl cache
crypto pki crl request
crypto pki enroll
crypto pki export pem
crypto pki export pkcs12
crypto pki import
crypto pki import pem
crypto pki import pkcs12
crypto pki profile enrollment
crypto pki server
crypto pki server grant
crypto pki server info crl
crypto pki server info requests
crypto pki server password generate
crypto pki server reject
crypto pki server remove
crypto pki server request pkcs10
crypto pki server revoke
crypto pki server start
crypto pki server stop
crypto pki server trim
crypto pki server trim generate expired-list
crypto pki server unrevoke
crypto pki token change-pin
crypto pki token encrypted-user-pin
crypto pki token label
crypto pki token lock
crypto pki token login
crypto pki token logout
crypto pki token max-retries
crypto pki token removal timeout
crypto pki token secondary config
crypto pki token secondary unconfig
crypto pki token unlock
crypto pki token user-pin
crypto pki trustpoint
crypto provisioning petitioner
crypto provisioning registrar
crypto wui tti petitioner
crypto wui tti registrar
crypto xauth
csd enable
ctcp port
ctype
data
database archive
database level
database url
database username
deadtime (server-group configuration)
default (ca-trustpoint)
default-group-policy
deny
deny (Catalyst 6500 series switches)
deny (IP)
deny (MAC ACL)
deny (WebVPN)
description (dot1x credentials)
description (identify zone)
description (identity policy)
description (identity profile)
description (IKEv2 keyring)
description (isakmp peer)
destination host
destination realm
device (identity profile)
dhcp (IKEv2)
dhcp server (isakmp)
dhcp timeout
dialer aaa
diameter origin host
diameter origin realm
diameter peer
diameter redundancy
diameter timer
diameter vendor supported
disable open-media-channel
disconnect ssh
dn
dn (IKEv2)
dnis (AAA preauthentication)
dnis (RADIUS)
dnis bypass (AAA preauthentication configuration)
dns
dnsix-dmdp retries
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
dns-timeout
domain (AAA)
domain (isakmp-group)
dot1x control-direction
dot1x credentials
dot1x critical (global configuration)
dot1x critical (interface configuration)
dot1x default
dot1x guest-vlan
dot1x guest-vlan supplicant
dot1x host-mode
dot1x initialize
dot1x mac-auth-bypass
dot1x max-reauth-req
dot1x max-req
dot1x max-start
dot1x multi-hosts
dot1x multiple-hosts
dot1x pae
dot1x port-control
dot1x re-authenticate (EtherSwitch)
dot1x re-authenticate (privileged EXEC)
dot1x reauthentication
dot1x re-authentication (EtherSwitch)
dot1x supplicant interface
dot1x system-auth-control
dot1x timeout
dot1x timeout (EtherSwitch)
dpd
drop (type access-control)
drop (zone-based policy)
dtls port
dynamic
eap
eap (IKEv2 profile)
eckeypair
email (IKEv2 profile)
enable
enable password
enable secret
enabled (IPS)
encryption (IKE policy)
encryption (IKEv2 proposal)
enforce-checksum
engine (IPS)
enrollment
enrollment command
enrollment credential
enrollment http-proxy
enrollment mode ra
enrollment profile
enrollment retry count
enrollment retry period
enrollment selfsigned
enrollment terminal (ca-profile-enroll)
enrollment terminal (ca-trustpoint)
enrollment url (ca-identity)
enrollment url (ca-profile-enroll)
enrollment url (ca-trustpoint)
eou allow
eou clientless
eou default
eou initialize
eou logging
eou max-retry
eou port
eou rate-limit
eou revalidate
eou timeout
error-msg
error-url
evaluate
event-action
exclusive-domain
filter-hash
filter-id
filter-version
firewall
fpm package-group
fpm package-info
fqdn (IKEv2 profile)
grant auto rollover
grant auto trustpoint
grant none
grant ra-auto
group (firewall)
group (IKE policy)
group (authentication)
group (IKEv2 proposal)
group (local RADIUS server)
group (RADIUS)
group-lock
hash (ca-trustpoint)
hash (cs-server)
hash (IKE policy)
heading
hide-url-bar
host (webvpn url rewrite)
hostname (IKEv2 keyring)
hostname (WebVPN)
http proxy-server
http-redirect
hw-module slot subslot only
icmp idle-timeout
ida-client server url
identity local
identity (IKEv2 keyring)
identity (IKEv2 profile)
identity address ipv4
identity number
identity policy
identity profile
identity profile eapoudp
idle-timeout (WebVPN)
if-state nhrp
import
incoming
include-local-lan
initiate mode
inservice (WebVPN)
inspect
integrity
interface (RITE)
interface (VASI)
interface virtual-template
ip (webvpn url rewrite)
ip access-group
ip access-list
ip access-list hardware permit fragments
ip access-list logging hash-generation
ip access-list logging interval
ip access-list log-update
ip access-list resequence
ip-address (ca-trustpoint)
ip address (WebVPN)
ip address dhcp
ip admission
ip admission consent banner
ip admission name
ip admission proxy http
ip audit
ip audit attack
ip audit info
ip audit name
ip audit notify
ip audit po local
ip audit po max-events
ip audit po protected
ip audit po remote
ip audit signature
ip audit smtp
ip auth-proxy (global configuration)
ip auth-proxy (interface configuration)
ip auth-proxy auth-proxy-banner
ip auth-proxy max-login-attempts
ip auth-proxy name
ip auth-proxy watch-list
ip dhcp client broadcast-flag (interface)
ip dhcp support tunnel unicast
ip-extension
ip http ezvpn
ip inspect
ip inspect alert-off
ip inspect audit trail
ip inspect dns-timeout
ip inspect hashtable
ip inspect L2-transparent dhcp-passthrough
ip inspect log drop-pkt
ip inspect max-incomplete high
ip inspect max-incomplete low
ip inspect name
ip inspect one-minute high
ip inspect one-minute low
ip inspect tcp block-non-session
ip inspect tcp finwait-time
ip inspect tcp idle-time
ip inspect tcp max-incomplete host
ip inspect tcp reassembly
ip inspect tcp synwait-time
ip inspect tcp window-scale-enforcement loose
ip inspect udp idle-time
ip interface
ip ips
ip ips auto-update
ip ips config location
ip ips deny-action ips-interface
ip ips enable-clidelta
ip ips event-action-rules
ip ips fail closed
ip ips inherit-obsolete-tunings
ip ips memory regex chaining
ip ips memory threshold
ip ips name
ip ips notify
ip ips sdf location
ip ips signature
ip ips signature-category
ip ips signature-definition
ip ips signature disable
ip kerberos source-interface
ip msdp border
ip mtu
ip nhrp cache non-authoritative
ip nhrp nhs
ip port-map
ip radius source-interface
ip reflexive-list timeout
ip route (vasi)
ip scp server enable
ip sdee
ip sdee events
ip security add
ip security aeso
ip security dedicated
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security ignore-cipso
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
ip source-track
ip source-track address-limit
ip source-track export-interval
ip source-track syslog-interval
ip ssh
ip ssh break-string
ip ssh dh min size
ip ssh dscp
ip ssh maxstartups
ip ssh port
ip ssh precedence
ip ssh pubkey-chain
ip ssh rsa keypair-name
ip ssh source-interface
ip ssh stricthostkeycheck
ip ssh version
ip tacacs source-interface
ip tcp intercept connection-timeout
ip tcp intercept drop-mode
ip tcp intercept finrst-timeout
ip tcp intercept list
ip tcp intercept max-incomplete
ip tcp intercept max-incomplete high
ip tcp intercept max-incomplete low
ip tcp intercept mode
ip tcp intercept one-minute
ip tcp intercept one-minute high
ip tcp intercept one-minute low
ip tcp intercept watch-timeout
ip traffic-export apply
ip traffic-export profile
ip trigger-authentication (global)
ip trigger-authentication (interface)
ip urlfilter alert
ip urlfilter allowmode
ip urlfilter audit-trail
ip urlfilter cache
ip urlfilter exclusive-domain
ip urlfilter max-request
ip urlfilter max-resp-pak
ip urlfilter server vendor
ip urlfilter source-interface
ip urlfilter truncate
ip urlfilter urlf-server-log
ip verify drop-rate compute interval
ip verify drop-rate compute window
ip verify drop-rate notify hold-down
ip verify unicast notification threshold
ip verify unicast reverse-path
ip verify unicast source reachable-via
ip virtual-reassembly
ip vrf
ip vrf forwarding
ip vrf forwarding (server-group)
ip wccp web-cache accelerated
ips signature update cisco
ipv4 (ldap)
ipv6 crypto map
isakmp authorization list
issuer-name
ivrf
keepalive (isakmp profile)
kerberos clients mandatory
kerberos credentials forward
kerberos instance map
kerberos local-realm
kerberos password
kerberos preauth
kerberos processes
kerberos realm
kerberos retry
kerberos server
kerberos srvtab entry
kerberos srvtab remote
kerberos timeout
key (isakmp-group)
key config-key
key config-key password-encryption
keyring
keyring (IKEv2 profile)
key-string (IKE)
language
ldap attribute-map
ldap search
ldap server
length (RITE)
lifetime (certificate server)
lifetime (IKE policy)
lifetime (IKEv2 profile)
lifetime crl
lifetime enrollment-request
list (LSP Attributes)
list (WebVPN)
li-view
load-balance (server-group)
load classification
local-address
local-port (WebVPN)
local priority
lockdown (LSP Attributes)
log (policy-map)
log (parameter-map type)
log (type access-control)
logging dmvpn
logging enabled
logging ip access-list cache (global configuration)
logging ip access-list cache (interface configuration)
login authentication
login block-for
login delay
login-message
login-photo
login quiet-mode access-class
logo
mab
mac access-group
mac-address (RITE)
map type
mask-urls
mask (policy-map)
match access-group
match address (GDOI local server)
match address (IPSec)
match authentication trustpoint
match body regex
match certificate
match certificate (ca-trustpoint)
match certificate (ISAKMP)
match certificate override cdp
match certificate override ocsp
match certificate override sia
match class-map
match class session
match cmd
match data-length
match encrypted
match file-transfer
match header count
match header length gt
match header regex
match identity
match (IKEv2 policy)
match (IKEv2 profile)
match invalid-command
match login clear-text
match message
match mime content-type regex
match mime encoding
match program-number
match protocol (zone)
match protocol h323-annexe
match protocol h323-nxg
match protocol-violation
match recipient address regex
match recipient count gt
match recipient invalid count gt
match reply ehlo
match req-resp
match req-resp body length
match req-resp header content-type
match req-resp header transfer-encoding
match req-resp protocol-violation
match request
match request length
match request method
match request not regex
match request port-misuse
match request regex
match response
match response body java-applet
match response status-line regex
match search-file-name
match sender address regex
match server-domain urlf-glob
match server-response any
match service
match text-chat
match url
match url category
match url reputation
match url-keyword urlf-glob
match user-group
max-destination
max-header-length
max-incomplete
max-logins
max-request
max-resp-pak
max-retry-attempts
max-uri-length
max-users
max-users (WebVPN)
mime-type
mls acl tcam default-result
mls acl tcam override dynamic dhcp-snooping
mls acl tcam share-global
mls acl vacl apply-self
mls aclmerge algorithm
mls ip acl port expand
mls ip inspect
mls rate-limit all
mls rate-limit layer2
April 2011
xxix
mls rate-limit unicast l3-features mls rate-limit multicast ipv4 mls rate-limit multicast ipv6 mls rate-limit unicast acl mls rate-limit unicast cef mls rate-limit unicast ip mode (IPSec) mode ra mode secure mode sub-cs nameSEC-1680
SEC-1665
SEC-1666 SEC-1668
SEC-1671 SEC-1673 SEC-1675 SEC-1678
mls rate-limit unicast vacl-logSEC-1682 SEC-1684 SEC-1685
monitor event-trace dmvpnSEC-1689 SEC-1690 SEC-1691
SEC-1687
name (view) named-key nasSEC-1693
nasi authentication nat (IKEv2 profile) nbns-list nbns-server netmaskSEC-1698
SEC-1695 SEC-1697
nbns-list (policy group)SEC-1701 SEC-1703
SEC-1700
no crypto engine software ipsec no crypto xauth no ip inspectSEC-1705 SEC-1706 SEC-1707
SEC-1704
no ip ips sdf builtin object-group network object-group service ocsp url onSEC-1722
object-group (Catalyst 6500 series switches)SEC-1711 SEC-1714 SEC-1720
SEC-1708
occur-at (ips-auto-update)SEC-1723 SEC-1725 SEC-1727 SEC-1729
one-minute outgoing parameter
April 2011
xxx
parameter-map type
SEC-1731 SEC-1734 SEC-1737 SEC-1740 SEC-1741
parameter-map type inspect
parameter-map type protocol-info parameter-map type inspect-vrf parameter-map type inspect-zone parameter-map type regex parameter-map type urlfilter parameter-map type urlfpolicy parameter-map type urlf-glob parser view pass passiveSEC-1757 SEC-1759
SEC-1742 SEC-1746
parameter-map type trend-global
SEC-1748 SEC-1750 SEC-1755
parser view superviewSEC-1761 SEC-1762
password (ca-trustpoint)
SEC-1763 SEC-1764 SEC-1765
password (dot1x credentials) password (line configuration) password 5SEC-1766
password encryption aes password logging peer address ipv4 peer (IKEv2 keyring) permitSEC-1777
SEC-1768
SEC-1770 SEC-1771
pattern (parameter-map)
SEC-1773 SEC-1775
permit (Catalyst 6500 series switches) permit (IP)SEC-1794 SEC-1807 SEC-1810 SEC-1814
SEC-1786
permit (MAC ACL) permit (reflexive) permit (webvpn acl) pfsSEC-1817
pki-server
SEC-1818 SEC-1819 SEC-1820
pki trustpoint policy
police (zone policy)SEC-1822
policy group
SEC-1824
April 2011
xxxi
policy-map type inspect pool (isakmp-group) portSEC-1834 SEC-1835
SEC-1826 SEC-1829
policy-map type inspect urlfilterSEC-1832
port-forward port-misuse
port-forward (policy group)SEC-1839 SEC-1841
SEC-1837
ppp accounting
ppp authentication ppp authorization ppp chap hostname ppp chap password ppp chap refuse ppp chap wait ppp eap identity ppp eap local ppp eap refuse ppp eap wait ppp link ppp pap refuse preempt ppp eap password
SEC-1842 SEC-1845
ppp authentication ms-chap-v2SEC-1847 SEC-1848 SEC-1850
SEC-1852 SEC-1854 SEC-1856 SEC-1857 SEC-1859
SEC-1860 SEC-1861
SEC-1862 SEC-1864 SEC-1866
ppp pap sent-usernameSEC-1868 SEC-1869
pre-shared-key primary
pre-shared-key (IKEv2 keyring)SEC-1874 SEC-1875 SEC-1877 SEC-1878 SEC-1879 SEC-1881
SEC-1871
priority(firewall) private-hosts
private-hosts layer3 private-hosts mac-list private-hosts mode private-hosts vlan-list privilegeSEC-1887
private-hosts promiscuous
SEC-1883
SEC-1885
April 2011
xxxii
privilege level
SEC-1892 SEC-1894 SEC-1895
profile (GDOI local server) proposal protocol proxySEC-1896 SEC-1897
profile (profile map configuration) protection (zone)SEC-1898 SEC-1899
qos-group (PVS Bundle Member) query certificate query url quitSEC-1907 SEC-1903 SEC-1905
SEC-1901
radius attribute nas-port-type
SEC-1908 SEC-1910 SEC-1911 SEC-1912
radius-server accounting system host-config radius-server attribute 11 default direction radius-server attribute 25 radius-server attribute 31SEC-1913 SEC-1914
radius-server attribute 188 format non-standard
radius-server attribute 31 mac format radius-server attribute 4SEC-1918
SEC-1916 SEC-1917
radius-server attribute 32 include-in-access-req radius-server attribute 44 extend-with-addr radius-server attribute 44 sync-with-client radius-server attribute 55 include-in-acct-req radius-server attribute 6SEC-1926 SEC-1928
SEC-1920 SEC-1921
radius-server attribute 44 include-in-access-req
SEC-1923 SEC-1924
radius-server attribute 61 extended radius-server attribute 69 clear radius-server attribute 77SEC-1931
SEC-1930
radius-server attribute 8 include-in-access-req radius-server attribute 30 original-called-number radius-server attribute data-rate send 0 radius-server attribute listSEC-1937
SEC-1933 SEC-1935
SEC-1936
radius-server attribute nas-port extended radius-server attribute nas-port format radius-server authorizationSEC-1945
SEC-1939 SEC-1940
April 2011
xxxiii
radius-server authorization missing Service-Type radius-server backoff exponential radius-server challenge-noecho radius-server configure-nas radius-server dead-criteria radius-server deadtimeSEC-1947 SEC-1949
SEC-1946
SEC-1950 SEC-1952
SEC-1954 SEC-1956 SEC-1959 SEC-1963
radius-server directed-request radius-server domain-stripping radius-server host radius-server key radius-server localSEC-1964
radius-server extended-portnames radius-server host non-standardSEC-1971
SEC-1969
radius-server load-balance
SEC-1973
SEC-1977 SEC-1979
radius local-server pac-generate expiry radius-server optional-passwords radius-server retransmitSEC-1981
SEC-1980
radius-server retry method reorder radius-server source-ports extended radius-server throttle radius-server timeoutSEC-1986 SEC-1988
SEC-1983 SEC-1985
radius-server transaction max-tries radius-server unique-ident radius-server vsa send rate-limit (firewall) rdSEC-1997 SEC-1999 SEC-2001 SEC-1990
SEC-1989
radius-server vsa disallow unknownSEC-1993 SEC-1995
SEC-1992
reauthentication time redirect (identity policy) redundancy (GDOI) redundancy group redundancy rii regenerate
SEC-2002 SEC-2003 SEC-2005
redundancy inter-deviceSEC-2007
redundancy statefulSEC-2011
SEC-2009
April 2011
xxxiv
regexp (profile map configuration) registration interface rekey address ipv4 rekey algorithm rekey lifetime rekey retransmit remarkSEC-2026 SEC-2015 SEC-2017 SEC-2019 SEC-2021
SEC-2013
rekey authentication
SEC-2022 SEC-2023 SEC-2024
rekey transport unicast
replay counter window-size replay time window-size request-method request-timeout reset (policy-map) responder-only retired (IPS) reverse-route rootSEC-2044 SEC-2046 SEC-2047 SEC-2048 SEC-2049 SEC-2050 SEC-2051 SEC-2052 SEC-2053 SEC-2030 SEC-2032 SEC-2033
SEC-2027 SEC-2029
reset (zone-based policy)SEC-2035 SEC-2036 SEC-2038
SEC-2034
revocation-check root CEP root TFTP rsakeypair rsa-pubkey sa ipsec
SEC-2042
root PROXY
sa receive-only save-password scheme search-filter
SEC-2055 SEC-2057 SEC-2058 SEC-2059
secondary-color secretSEC-2060
secondary-text-color secret-keySEC-2062
secure boot-config
SEC-2064
April 2011
xxxv
secure boot-image secure cipher
SEC-2066
SEC-2068 SEC-2070 SEC-2071
security (Diameter peer) security ipsec self-identitySEC-2072
security authentication failure rate security passwords min-lengthSEC-2075
SEC-2074
serial-number (ca-trustpoint) serial-number (pubkey) serverSEC-2081 SEC-2082
SEC-2076
SEC-2077 SEC-2078
server (application firewall policy) server (ldap)
server (parameter-map) server (RADIUS) server (TACACS+) server address ipv4 server local server vendor
SEC-2083
SEC-2086 SEC-2088 SEC-2090
SEC-2091 SEC-2092 SEC-2094 SEC-2096
server-private (RADIUS) server-private (TACACS+) server-keySEC-2098 SEC-2099
service action
service password-encryption service password-recovery service-module ids bootmode service-policy (policy-map) service-policy (zones) service-policy inspect sessions maximum sessions rate
SEC-2101 SEC-2103 SEC-2111 SEC-2112
service-module ids heartbeat-resetSEC-2114 SEC-2116 SEC-2117 SEC-2118
service-policy type inspectSEC-2121
SEC-2119
set aggressive-mode client-endpoint set aggressive-mode password set groupSEC-2127
SEC-2123
SEC-2125
April 2011
xxxvi
set identity
SEC-2128 SEC-2130 SEC-2131
set ip access-group set isakmp-profile set nat demux set peer (IPsec) set pfsSEC-2137
SEC-2132 SEC-2134
set reverse-route
SEC-2140 SEC-2142 SEC-2144
set security-association idle-time set security-association lifetime
set security-association level per-host set security-association replay disable set security-policy limit set session-key set transform-set show aaa attributes show aaa cache group show aaa dead-criteria show aaa memorySEC-2152
SEC-2146 SEC-2150 SEC-2151
set security-association replay window-sizeSEC-2153 SEC-2156 SEC-2158
sgbp aaa authentication
SEC-2159 SEC-2162
show aaa cache filterserver
SEC-2164 SEC-2166 SEC-2168
show aaa local user lockoutSEC-2169
show aaa method-lists show aaa service-profiles show aaa servers show aaa user
SEC-2173 SEC-2177
SEC-2178 SEC-2182
show aaa subscriber profileSEC-2184
show access-group mode interface show access-lists compiled show access-lists show accounting show appfw show ase show auditSEC-2192 SEC-2195
SEC-2188
SEC-2189
SEC-2196 SEC-2198 SEC-2201 SEC-2203
show authentication interface
April 2011
xxxvii
show authentication registrations show authentication sessions show auto secure config show call admission statistics show class-map type inspect show class-map type urlfilter show crypto ace redundancy show crypto ca certificates show crypto ca crls show crypto ca roots show crypto ca timersSEC-2223 SEC-2224 SEC-2225 SEC-2210
SEC-2205
SEC-2206
SEC-2213 SEC-2215 SEC-2217 SEC-2219 SEC-2221
show crypto ca trustpoints show crypto ctcpSEC-2229
SEC-2226 SEC-2227
show crypto call admission statistics show crypto datapathSEC-2231
show crypto debug-condition show crypto dynamic-map show crypto eliSEC-2237
SEC-2234 SEC-2236
show crypto eng qos show crypto engine
SEC-2239 SEC-2240 SEC-2243 SEC-2245 SEC-2247
show crypto engine accelerator logs show crypto engine accelerator ring
show crypto engine accelerator sa-database show crypto engine accelerator statistic show crypto gdoi show crypto haSEC-2263 SEC-2266 SEC-2267 SEC-2268
SEC-2248
show crypto identity
show crypto ikev2 diagnose error show crypto ikev2 policy show crypto ikev2 profile show crypto ikev2 proposal show crypto ikev2 sa show crypto ikev2 stats show crypto ikev2 sessionSEC-2269
SEC-2271 SEC-2273
SEC-2275 SEC-2278 SEC-2281 SEC-2282
show crypto ipsec client ezvpn
April 2011
xxxviii
show crypto ipsec default transform-set show crypto ipsec saSEC-2287
SEC-2285
show crypto ipsec security-association idle-time show crypto ipsec security-association lifetime show crypto ipsec transform-set show crypto isakmp default policy show crypto isakmp key show crypto isakmp peers show crypto isakmp policy show crypto isakmp profile show crypto isakmp saSEC-2303 SEC-2304 SEC-2306 SEC-2309 SEC-2298 SEC-2300
SEC-2296 SEC-2297
SEC-2311 SEC-2314 SEC-2317
show crypto key mypubkey rsa show crypto map (IPsec)
show crypto key pubkey-chain rsaSEC-2320
show crypto mib ipsec flowmib endpoint show crypto mib ipsec flowmib failure show crypto mib ipsec flowmib global show crypto mib ipsec flowmib history
SEC-2324 SEC-2326 SEC-2328 SEC-2330 SEC-2333 SEC-2334
show crypto mib ipsec flowmib history failure size show crypto mib ipsec flowmib history tunnel size show crypto mib ipsec flowmib spiSEC-2335 SEC-2337 SEC-2340 SEC-2341 SEC-2344 SEC-2347 SEC-2351 SEC-2353
show crypto mib ipsec flowmib tunnel show crypto mib ipsec flowmib version show crypto mib isakmp flowmib failure show crypto mib isakmp flowmib global show crypto mib isakmp flowmib history show crypto mib isakmp flowmib peer show crypto mib isakmp flowmib tunnel show crypto pki benchmarks show crypto pki certificates show crypto pki counters show crypto pki crls show crypto pki serverSEC-2357 SEC-2360
show crypto pki certificates storageSEC-2366 SEC-2368 SEC-2370
SEC-2365
show crypto pki server certificates
SEC-2374
April 2011
xxxix
show crypto pki server crl show crypto pki timers show crypto pki token show crypto route show crypto ruleset show crypto session
SEC-2376 SEC-2377
show crypto pki server requestsSEC-2380 SEC-2381
show crypto pki trustpointsSEC-2388
SEC-2383
SEC-2389 SEC-2391 SEC-2396 SEC-2397
show crypto session group show crypto socket show crypto vlan show diameter peer show dmvpn show dnsix show dot1x show dss logSEC-2410 SEC-2411
show crypto session summarySEC-2398
show crypto tech-supportSEC-2402
SEC-2400
SEC-2403
SEC-2405
show dot1x (EtherSwitch)SEC-2420
SEC-2415
show eap registrations show eap sessions show eouSEC-2425
SEC-2421
SEC-2423
show epm session
SEC-2429 SEC-2431 SEC-2433 SEC-2436 SEC-2438
show firewall vlan-group show fm private-hosts show fpm package-group show fpm package-info show idmgrSEC-2440
show interface virtual-access show ip access-lists show ip admissionSEC-2446 SEC-2449
SEC-2443
show ip audit configuration show ip audit interface show ip audit statistics show ip auth-proxy
SEC-2451
SEC-2452 SEC-2453
SEC-2454
April 2011
xl
show ip auth-proxy watch-list show ip bgp labels show ip inspect show ip interface show ip ipsSEC-2458
SEC-2456
show ip device tracking show ip inspect ha
SEC-2460
SEC-2462 SEC-2473 SEC-2476
SEC-2484 SEC-2488
show ip ips auto-update show ip ips category
SEC-2490 SEC-2496 SEC-2498
show ip ips event-action-rules show ip ips signature-category show ip nhrp nhs show ip port-map show ip sdeeSEC-2500 SEC-2503
SEC-2505 SEC-2508 SEC-2510 SEC-2512
show ip ips sig-clidelta show ip source-track show ip sshSEC-2513
show ip source-track export flows show ip traffic-export show ip trm config show ip urlfilterSEC-2514
show ip trigger-authenticationSEC-2518
SEC-2516
show ip trm subscription statusSEC-2522 SEC-2525 SEC-2527
SEC-2520
show ip urlfilter cache show ip urlfilter config show kerberos creds show ldap attributes show ldap server show login show mab
show ip virtual-reassembly
SEC-2529
SEC-2531 SEC-2532
SEC-2534 SEC-2536
show logging ip access-listSEC-2538 SEC-2541
show mac access-group interface show mac-address-tableSEC-2544
SEC-2543
show management-interface
SEC-2553
April 2011
xli
show mls rate-limit show object-group
SEC-2555 SEC-2558
show monitor event-trace dmvpnSEC-2560
show parameter-map type consent show parameter-map type inspect
SEC-2562 SEC-2563 SEC-2565 SEC-2567 SEC-2569
show parameter-map type protocol-info show parameter-map type inspect-vrf show parameter-map type inspect-zone show parameter-map type regex show parameter-map type urlf-glob show parameter-map type urlfilter show parameter-map type urlfpolicy show parser viewSEC-2575
SEC-2570 SEC-2571
show parameter-map type trend-global
SEC-2572 SEC-2573 SEC-2574
show platform hardware qfp feature
SEC-2577 SEC-2581 SEC-2582
show platform hardware qfp act feature ipsec datapath memory show platform software ipsec f0 encryption-processor registers show policy-firewall config show policy-firewall mib show policy-firewall stats show policy-firewall session show policy-firewall stats vrf show policy-firewall stats zone show policy-firewall summary-log show policy-map type inspectSEC-2583 SEC-2586 SEC-2590 SEC-2593 SEC-2595 SEC-2597
show policy-firewall stats vrf global
SEC-2599 SEC-2601
SEC-2602 SEC-2604 SEC-2605 SEC-2610
show policy-map type inspect urlfilter show policy-map type inspect zone-pair show port-security show ppp queues show pppoe sessionSEC-2613 SEC-2615 SEC-2617
show policy-map type inspect zone-pair urlfilter
show private-hosts access-lists show private-hosts configuration
SEC-2620 SEC-2622 SEC-2624
show private-hosts interface configuration
April 2011
xlii
show private-hosts mac-list show privilegeSEC-2626
SEC-2625
show radius local-server statistics show radius server-group show radius statistics show radius table attributesSEC-2629 SEC-2631
SEC-2627
SEC-2634 SEC-2655
show redundancy application control-interface group show redundancy application data-interface show redundancy application faults group show redundancy application group show redundancy application if-mgr show redundancy application protocol show redundancy application transport show redundancy linecard-group show running-config show sasl show smm show ssh show tacacsSEC-2679 SEC-2681 SEC-2669 SEC-2676 SEC-2659 SEC-2663 SEC-2665 SEC-2667 SEC-2656 SEC-2657
SEC-2668
show running-config vrf show secure bootsetSEC-2682
show snmp mib nhrp statusSEC-2685
SEC-2684
show ssl-proxy module stateSEC-2689
SEC-2687
show tcp intercept connections show tcp intercept statistics show tech-supportSEC-2694
SEC-2691 SEC-2693
show tech-support ipsec show tunnel endpoints show usb controllers show usb device show usb driver show usb port show usb tree show usbtoken show user-group
SEC-2701 SEC-2704
SEC-2706
SEC-2708 SEC-2711 SEC-2713 SEC-2714 SEC-2715 SEC-2717
April 2011
xliii
show users show vasi pair
SEC-2719 SEC-2722 SEC-2724 SEC-2725 SEC-2728 SEC-2731 SEC-2733 SEC-2736 SEC-2737 SEC-2739 SEC-2742 SEC-2747 SEC-2749
show vlan group show vtemplate
show webvpn context show webvpn gateway show webvpn install show webvpn license show webvpn nbns show webvpn policy show webvpn session show webvpn sessions show webvpn statistics show webvpn stats show wlccp wds show zone security shutdown (firewall) signatureSEC-2771
SEC-2750 SEC-2764 SEC-2766 SEC-2767
show zone-pair security
SEC-2768 SEC-2769
shutdown (certificate server) smart-tunnel listSEC-2772
snmp-server enable traps ipsec snmp-server enable traps isakmp snmp-server enable traps nhrp snmp trap ip verify drop-rate source interfaceSEC-2781
SEC-2774 SEC-2776 SEC-2778 SEC-2780
source interface (Diameter peer) split-dns sshSEC-2785
SEC-2783 SEC-2784
source-interface (URL parameter-map)SEC-2787
ssid (local RADIUS server group) ssl encryption ssl truspoint sso-serverSEC-2794
SEC-2792
ssl-proxy module allowed-vlanSEC-2796 SEC-2797
SEC-2795
April 2011
xliv
status
SEC-2798 SEC-2799 SEC-2801
strict-http
subject-alt-name subject-name subnet-acl (IKEv2) subscriber service svc address-pool svc default-domain svc dns-server svc dpd-interval svc dtls svc homepage svc keepalive svc module
SEC-2803 SEC-2804 SEC-2806
subscriber access pppoe unique-key circuit-idSEC-2807 SEC-2809 SEC-2811
SEC-2812 SEC-2813
SEC-2814 SEC-2815 SEC-2816 SEC-2817
svc keep-client-installedSEC-2818 SEC-2819
svc msie-proxy svc mtu svc rekey svc split svc split dns
svc msie-proxy serverSEC-2822 SEC-2823 SEC-2824 SEC-2826
SEC-2821
svc wins-server
SEC-2827 SEC-2828 SEC-2830 SEC-2832 SEC-2834 SEC-2836
switchport port-security
switchport port-security aging
switchport port-security mac-address switchport port-security maximum switchport port-security violation tacacs-server administration tacacs-server directed-request tacacs-server dns-alias-lookup tacacs-server domain-stripping tacacs-server host tacacs-server key tacacs-server packetSEC-2846 SEC-2848 SEC-2850
SEC-2838 SEC-2839 SEC-2841 SEC-2842
April 2011
xlv
tacacs-server timeout target-value tcp idle-timeSEC-2852
SEC-2851
tcp finwait-time
SEC-2853
SEC-2855 SEC-2857 SEC-2859
tcp max-incomplete tcp syn-flood limit tcp synwait-time
tcp reassembly memory limitSEC-2860
tcp syn-flood rate per-destinationSEC-2863
SEC-2862
tcp window-scale-enforcement loose template (identity policy) template (identity profile) template config template fileSEC-2868 SEC-2872 SEC-2866 SEC-2867
SEC-2864
template http admin-introduction template http completion template http error template http start template location template username template variable p test aaa group test crypto self-test text-color throttleSEC-2890 SEC-2891 SEC-2876
SEC-2874
SEC-2875
template http introduction template http welcome
SEC-2877
SEC-2878 SEC-2879
SEC-2880 SEC-2882 SEC-2883
SEC-2885 SEC-2888 SEC-2889
test urlf cache snapshot
timeout (application firewall application-configuration) timeout (policy group) timeout file download timeout login response timeout retransmit timer (Diameter peer) timers delaySEC-2902 SEC-2895 SEC-2897 SEC-2898
SEC-2893
SEC-2899 SEC-2900
April 2011
xlvi
timers hellotime titleSEC-2906
SEC-2904
title-color
SEC-2907 SEC-2908 SEC-2910 SEC-2912
track (firewall) traffic-export transport port trm register
transfer-encoding typeSEC-2914
transport port (ldap)
SEC-2915
SEC-2916 SEC-2917
trustpoint (tti-petitioner) trustpoint signing tunnel mode tunnel protection udp idle-timeSEC-2920
SEC-2918
SEC-2924 SEC-2928
type echo protocol ipIcmpEchoSEC-2930 SEC-2932 SEC-2933
unmatched-action url (ips-auto-update) url rewrite urlfilter url-list url-text usage user url-profile
SEC-2934
SEC-2935 SEC-2936 SEC-2938 SEC-2940 SEC-2941 SEC-2942 SEC-2944 SEC-2945
user-group username
user-group loggingSEC-2946
username (dot1x credentials) username (ips-autoupdate) username secret viewSEC-2959 SEC-2955 SEC-2957
SEC-2952 SEC-2953
user-profile location
virtual-template (IKEv2 profile) vlan (local RADIUS server group)
SEC-2961 SEC-2962 SEC-2963
virtual-template (webvpn context)
April 2011
xlvii
vlan group
SEC-2965 SEC-2967 SEC-2969
vpdn aaa attribute vrf (isakmp profile) vrfname vrf-name webvpnSEC-2971 SEC-2972
web-agent-url
SEC-2973
SEC-2975 SEC-2976
webvpn-homepage webvpn cef webvpn context webvpn enable webvpn gateway webvpn install winsSEC-2989
SEC-2977 SEC-2978 SEC-2980
webvpn create templateSEC-2982
SEC-2983 SEC-2985
webvpn import svc profileSEC-2986
webvpn sslvpn-vif nat
SEC-2988
wlccp authentication-server client wlccp wds priority interface xauth userid mode zone pair security zone securitySEC-2996 SEC-2998
SEC-2991 SEC-2993
wlccp authentication-server infrastructureSEC-2994
zone-member securitySEC-3001
SEC-2999
April 2011
xlviii
Introduction

The Cisco IOS Security Command Reference contains commands that are used to configure Cisco IOS security features for your Cisco networking devices; specifically, it contains commands used to perform the following functions:

- Configure authentication, authorization, and accounting (AAA).
- Configure security server protocols such as RADIUS, TACACS+, and Kerberos.

  Note: TACACS and Extended TACACS commands are included in Cisco IOS Release 12.2 software for backward compatibility with earlier Cisco IOS releases; however, these commands are no longer supported and are not documented for this release. Cisco recommends using only the TACACS+ security protocol with Release 12.1 and later of Cisco IOS software. Table 1 identifies Cisco IOS software commands available to the different versions of TACACS. Although TACACS+ is enabled through AAA and uses commands specific to AAA, there are some commands that are common to TACACS, Extended TACACS, and TACACS+. TACACS and Extended TACACS commands that are not common to TACACS+ are not documented in this release.

  Table 1 TACACS Command Comparison

  Cisco IOS Command                   TACACS   Extended TACACS   TACACS+
  aaa accounting                                                 yes
  aaa authentication arap                                        yes
  aaa authentication enable default                              yes
  aaa authentication login                                       yes
  aaa authentication ppp                                         yes
  aaa authorization                                              yes
  aaa group server tacacs+                                       yes
  aaa new-model                                                  yes
  arap authentication                                            yes
  arap use-tacacs                     yes      yes
  enable last-resort                  yes      yes
  enable use-tacacs                   yes      yes
  ip tacacs source-interface          yes      yes               yes
  login authentication                                           yes
  login tacacs                        yes      yes
  ppp authentication                  yes      yes               yes
  ppp use-tacacs                      yes      yes               no
  server                                                         yes
  tacacs-server administration                                   yes
  tacacs-server directed-request      yes      yes               yes
  tacacs-server dns-alias-lookup                                 yes
  tacacs-server host                  yes      yes               yes
  tacacs-server key                                              yes
  tacacs-server packet                                           yes
  tacacs-server timeout               yes      yes               yes

- Configure the following traffic filtering and firewall features: Context-Based Access Control (CBAC), Intrusion Detection System (IDS), Port to application mapping (PAM), Reflexive access lists, and TCP Intercept.
- Configure IP Security (IPSec) and encryption features such as public key infrastructure (PKI) and Internet Key Exchange (IKE).
- Configure additional security features such as passwords and privileges, IP Security Options (IPSO), Unicast Reverse Path Forwarding (uRPF), secure shell (SSH), and AutoSecure.

For information on how to configure Cisco IOS security features and configuration examples using the commands in this book, refer to the Cisco IOS Security Configuration Guide.
Security Commands
aaa accounting

To enable authentication, authorization, and accounting (AAA) accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode or template configuration mode. To disable AAA accounting, use the no form of this command.

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

no aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

Template Configuration Mode

aaa accounting {delay-start | send stop-record authentication} {failure | success remote-server}

no aaa accounting {delay-start | send stop-record authentication} {failure | success remote-server}
Syntax Description

auth-proxy
    Provides information about all authenticated-proxy user events.

system
    Performs accounting for all system-level events not associated with users, such as reloads.
    Note: When system accounting is used and the accounting server is unreachable at system startup time, the system will not be accessible for approximately two minutes.

network
    Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).

exec
    Runs accounting for the EXEC shell session.

connection
    Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler and disassembler (PAD), and rlogin.

commands level
    Runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 through 15.

dot1x
    Provides information about all IEEE 802.1x-related user events.

default
    Uses the listed accounting methods that follow this keyword as the default list of methods for accounting services.

list-name
    Character string used to name the list of at least one of the following accounting methods:
    group radius: Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command.
    group tacacs+: Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command.
    group group-name: Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.

guarantee-first
    Guarantees system accounting as the first record.

vrf vrf-name
    (Optional) Specifies a virtual routing and forwarding (VRF) configuration. VRF is used only with system accounting.

start-stop
    Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

stop-only
    Sends a stop accounting record for all cases including authentication failures regardless of whether the aaa accounting send stop-record authentication failure command is configured.

none
    Disables accounting services on this line or interface.

broadcast
    (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

radius
    Runs the accounting service for RADIUS.

group group-name
    Specifies the accounting method list. Enter at least one of the following keywords:
    auth-proxy: Creates a method list to provide accounting information about all authenticated hosts that use the authentication proxy service.
    commands: Creates a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level.
    connection: Creates a method list to provide accounting information about all outbound connections made from the network access server.
    exec: Creates a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times.
    network: Creates a method list to provide accounting information for SLIP, PPP, NCPs, and ARAP sessions.
    resource: Creates a method list to provide accounting records for calls that have passed user authentication or calls that failed to be authenticated.
    tunnel: Creates a method list to provide accounting records (Tunnel-Start, Tunnel-Stop, and Tunnel-Reject) for virtual private dialup network (VPDN) tunnel status changes.
    tunnel-link: Creates a method list to provide accounting records (Tunnel-Link-Start, Tunnel-Link-Stop, and Tunnel-Link-Reject) for VPDN tunnel-link status changes.

delay-start
    Delays PPP network start records until peer IP address is known.

send
    Sends records to the accounting server.

stop-record
    Generates stop records for a specified event.

authentication
    Generates stop records for authentication.

failure
    Generates stop records for authentication failures.

success
    Generates stop records for authenticated users.

remote-server
    Specifies that the users are successfully authenticated through access-accept, by a remote AAA server.
Defaults

AAA accounting is disabled.

Command Modes

Global configuration (config)
Template configuration (config-template)
Command History

Release                    Modification
12.0(5)T                   This command was modified. The Group server support was added.
12.1(1)T                   This command was modified. The broadcast keyword was added on the Cisco AS5300 and Cisco AS5800 universal access servers.
12.1(5)T                   This command was modified. The auth-proxy keyword was added.
12.2(1)DX                  This command was modified. The vrf keyword and vrf-name argument were added on the Cisco 7200 series and Cisco 7401ASR series routers.
12.2(2)DD                  This command was integrated into Cisco IOS Release 12.2(2)DD.
12.2(4)B                   This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T                  This command was modified. The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
12.2(15)B                  This command was modified. The tunnel and tunnel-link accounting methods were introduced.
12.3(4)T                   This command was modified. The tunnel and tunnel-link accounting methods were integrated into Cisco IOS Release 12.3(4)T.
12.2(28)SB                 This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA                This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.4(11)T                  The dot1x keyword was integrated into Cisco IOS Release 12.4(11)T.
12.2(33)SXH                This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SXI                This command was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 2.6   This command was integrated into Cisco IOS XE Release 2.6. The radius keyword was added.
Usage Guidelines
General Information
Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis. You must enable AAA services using the aaa new-model global configuration command. Table 1 contains descriptions of keywords for AAA accounting methods.Table 1 aaa accounting Methods
Keyword group radius group tacacs+ group group-name
Description Uses the list of all RADIUS servers for authentication as defined by the aaa group server radius command. Uses the list of all TACACS+ servers for authentication as defined by the aaa group server tacacs+ command. Uses a subset of RADIUS or TACACS+ servers for accounting as defined by the server group group-name argument.
In Table 1, the group radius and group tacacs+ methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers. Cisco IOS software supports the following two methods of accounting:
RADIUS: The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
April 2011
SEC-5
Security Commands aaa accounting
TACACS+: The network access server reports user activity to the TACACS+ security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering values for the list-name argument where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method list keywords to identify the methods to be tried in sequence as given. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Note
System accounting does not use named accounting lists; you can define the default list only for system accounting.
For minimal accounting, include the stop-only keyword to send a stop accounting record for all cases including authentication failures. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. Accounting is stored only on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
To specify an accounting configuration for a particular VRF, specify a default system accounting method list, and use the vrf keyword and vrf-name argument. System accounting does not have knowledge of VRF unless specified.
When AAA accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, see the appendix RADIUS Attributes in the Cisco IOS Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, see the appendix TACACS+ Attribute-Value Pairs in the Cisco IOS Security Configuration Guide.
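As an added example (not part of this reference and not Cisco code), the following Python script applies the method-list rules described above to a constructed running-config fragment: it parses each aaa accounting line, resolves which list governs a given line or interface, and flags accounting types that silently get no accounting. The function names (parse_accounting, effective_list, audit) and the sample configuration are the example's own.

```python
"""Audit aaa accounting method lists in an IOS running-config (added example, not Cisco's code).
Rules from the usage guidelines: a named list applies only where assigned, the default list covers
every other line/interface of that type, 'none' disables accounting, no default list = no accounting."""
from collections import namedtuple

MethodList = namedtuple("MethodList", "acct_type name mode methods level vrf")
NOT_LISTS = {"delay-start", "gigawords", "guarantee-first"}  # aaa accounting forms that are not lists

def parse_accounting(config):
    """Return (aaa_new_model_present, [MethodList]) from running-config text."""
    lists, new_model = [], False
    for raw in config.splitlines():
        tok = raw.split()
        if tok == ["aaa", "new-model"]:
            new_model = True
        if tok[:2] != ["aaa", "accounting"] or len(tok) < 4 or tok[2] in NOT_LISTS:
            continue
        level, i, vrf = "", 3, ""
        if tok[2] == "commands":                 # aaa accounting commands <level> <list> ...
            level, i = tok[3], 4
        name, i = tok[i], i + 1
        if name in NOT_LISTS or i >= len(tok):   # e.g. aaa accounting system guarantee-first
            continue
        if tok[i] == "vrf" and i + 2 < len(tok):  # optional vrf vrf-name before the record type
            vrf, i = tok[i + 1], i + 2
        mode = tok[i]                            # start-stop | stop-only | none
        methods = tuple(tok[j + 1] for j in range(i + 1, len(tok) - 1) if tok[j] == "group")
        lists.append(MethodList(tok[2], name, mode, methods, level, vrf))
    return new_model, lists

def effective_list(lists, acct_type, assigned=None):
    """List that governs one line or interface: its assigned list, else default, else None."""
    by_name = {m.name: m for m in lists if m.acct_type == acct_type}
    return by_name[assigned] if assigned in by_name else by_name.get("default")

def audit(config):
    """Coverage findings: missing aaa new-model, types without a default list, 'none' lists."""
    new_model, lists = parse_accounting(config)
    findings = []
    if not new_model:
        findings.append("aaa new-model missing: aaa accounting lists have no effect")
    for t in sorted({m.acct_type for m in lists}):
        if effective_list(lists, t) is None:
            findings.append(f"{t}: no default list, so lines without a named list get no accounting")
    for m in lists:
        if m.mode == "none":
            findings.append(f"{m.acct_type} list {m.name!r} disables accounting")
    return findings

# Constructed sample running-config fragment (not from the page)
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network vpn-users start-stop broadcast group radius group tacacs+
aaa accounting connection default none
aaa accounting system default vrf vrf1 start-stop group radius
aaa accounting delay-start
aaa accounting system guarantee-first
"""
```

Running audit(SAMPLE_CONFIG) reports that network accounting has no default list and that the connection default list is set to none; the other types resolve to a default list.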
Note
The aaa accounting command cannot be used with TACACS or extended TACACS.
Cisco Service Selection Gateway Broadcast Accounting
To configure Cisco Service Selection Gateway (SSG) broadcast accounting, use ssg_broadcast_accounting for the list-name argument. For more information about configuring SSG, see the chapter Configuring Accounting for SSG in the Cisco IOS Service Selection Gateway Configuration Guide, Release 12.4.
Layer 2 LAN Switch Port
You must configure the RADIUS server to perform accounting tasks, such as logging start, stop, and interim-update messages and time stamps. To turn on these functions, enable logging of Update/Watchdog packets from this AAA client in your RADIUS server Network Configuration tab. Next, enable CVS RADIUS Accounting in your RADIUS server System Configuration tab. You must enable AAA before you can enter the aaa accounting command. To enable AAA and 802.1X (port-based authentication), use the following global configuration mode commands:
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
Use the show radius statistics command to display the number of RADIUS messages that do not receive the accounting response message. Use the aaa accounting system default start-stop group radius command to send start and stop accounting records after the router reboots. The start record is generated while the router is booted and the stop record is generated while the router is reloaded. The router generates a start record to reach the AAA server. If the AAA server is not reachable, the router retries sending the packet four times. The retry mechanism is based on the exponential backoff algorithm. If there is no response from the AAA server, the request will be dropped.
Establishing a Session with a Router if the AAA Server is Unreachable
The aaa accounting system guarantee-first command guarantees system accounting as the first record, which is the default condition. In some situations, users may be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than three minutes. To establish a console or telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.
Note
Entering the no aaa accounting system guarantee-first command is not the only condition by which the console or telnet session can be started. For example, if the privileged EXEC session is being authenticated by TACACS and the TACACS server is not reachable, then the session cannot start.
Examples
The following example shows how to define a default command accounting method list, where accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only group tacacs+
The following example shows how to define a default auth-proxy accounting method list, where accounting services are provided by a TACACS+ security server with a start-stop restriction. The aaa accounting command activates authentication proxy accounting.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting auth-proxy default start-stop group tacacs+
The following example shows how to define a default system accounting method list, where accounting services are provided by RADIUS security server server1 with a start-stop restriction. The aaa accounting command specifies accounting for VRF vrf1.
aaa accounting system default vrf vrf1 start-stop group server1
The following example shows how to define a default IEEE 802.1x accounting method list, where accounting services are provided by a RADIUS server. The aaa accounting command activates IEEE 802.1x accounting.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization dot1x default group radius
aaa accounting dot1x default start-stop group radius
The following example shows how to enable network accounting and send tunnel and tunnel-link accounting records to the RADIUS server. (Tunnel-Reject and Tunnel-Link-Reject accounting records are automatically sent if either start or stop records are configured.)
aaa accounting network tunnel start-stop group radius
aaa accounting network session start-stop group radius
The following example shows how to delay the PPP network start record until the peer IP address is known:
Router# configure terminal
Router(config)# aaa new-model
Router(config)# template name
Router(config-template)# aaa accounting delay-start
Related Commands
Command: aaa authentication dot1x
Description: Specifies one or more AAA methods for use on interfaces running IEEE 802.1X.
Command: aaa authentication ppp
Description: Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
Command: aaa authorization
Description: Sets parameters that restrict user access to a network.
Command: aaa group server radius
Description: Groups different RADIUS server hosts into distinct lists and distinct methods.
Command: aaa group server tacacs+
Description: Groups different server hosts into distinct lists and distinct methods.
Command: aaa new-model
Description: Enables the AAA access control model.
Command: auto command
Description: Configures the system to automatically execute a specific EXEC command when it connects to a port.
Command: dot1x system-auth-control
Description: Enables port-based authentication.
Command: radius-server host
Description: Specifies a RADIUS server host.
Command: show radius statistics
Description: Displays the RADIUS statistics for accounting and authentication packets.
Command: tacacs-server host
Description: Specifies a TACACS+ server host.
aaa accounting (IKEv2 profile)
To enable AAA accounting for IPsec sessions, use the aaa accounting command in IKEv2 profile configuration mode. To disable AAA accounting, use the no form of this command.
aaa accounting [psk | cert | eap] list-name
no aaa accounting [psk | cert | eap] list-name
Syntax Description
psk: (Optional) Specifies a method list if the authentication method is preshared key.
cert: (Optional) Specifies a method list if the authentication method is certificate based.
eap: (Optional) Specifies a method list if the authentication method is Extensible Authentication Protocol (EAP).
list-name: Name of the AAA list.
Command Default
AAA accounting is disabled.
Command Modes
IKEv2 profile configuration (config-ikev2-profile)
Command History
Release: 15.1(1)T
Modification: This command was introduced.
Release: Cisco IOS XE Release 3.3S
Modification: This command was integrated into Cisco IOS XE Release 3.3S.
Usage Guidelines
Use the aaa accounting command to enable and specify the method list for AAA accounting for IPsec sessions. The aaa accounting command can be specific to an authentication method or common to all authentication methods, but not both at the same time. If no method list is specified, the list is common across authentication methods.
Examples
The following example defines an AAA accounting configuration common to all authentication methods:
Router(config-ikev2-profile)# aaa accounting common-list1
The following example configures an AAA accounting list for each authentication method:
Router(config-ikev2-profile)# aaa accounting psk psk-list1
Router(config-ikev2-profile)# aaa accounting cert cert-list1
Router(config-ikev2-profile)# aaa accounting eap eap-list1
Related Commands
Command: crypto ikev2 profile
Description: Defines an IKEv2 profile.
aaa accounting connection h323
To define the accounting method list H.323 using RADIUS as a method with either stop-only or start-stop accounting options, use the aaa accounting connection h323 command in global configuration mode. To disable the use of this accounting method list, use the no form of this command.
aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname
no aaa accounting connection h323 {stop-only | start-stop | none} [broadcast] group groupname
Syntax Description
stop-only: Sends a stop accounting notice at the end of the requested user process.
start-stop: Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.
none: Disables accounting services on this line or interface.
broadcast: (Optional) Enables sending accounting records to multiple AAA servers. Simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.
group groupname: Specifies the server group to be used for accounting services. The following are valid server group names:
string: Character string used to name a server group.
radius: Uses list of all RADIUS hosts.
tacacs+: Uses list of all TACACS+ hosts.
Defaults
No accounting method list is defined.
Command Modes
Global configuration
Command History
Release: 11.3(6)NA2
Modification: This command was introduced.
Release: 12.2SX
Modification: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command creates a method list called h323 and is applied by default to all voice interfaces if the gw-accounting h323 command is also activated.
Examples
The following example enables authentication, authorization, and accounting (AAA) services, gateway accounting services, and defines a connection accounting method list (h323). The h323 accounting method list specifies that RADIUS is the security protocol that will provide the accounting services, and that the RADIUS service will track start-stop records.
aaa new-model
gw-accounting h323
aaa accounting connection h323 start-stop group radius
Related Commands
Command: gw-accounting
Description: Enables the accounting method for collecting call detail records.
aaa accounting delay-start
To delay generation of accounting start records until the user IP address is established, use the aaa accounting delay-start command in global configuration mode. To disable this functionality, use the no form of this command.
aaa accounting delay-start [all] [vrf vrf-name]
no aaa accounting delay-start [all] [vrf vrf-name]
Syntax Description
all: (Optional) Extends the delay of accounting start records to all Virtual Route Forwarding (VRF) and non-VRF users.
vrf vrf-name: (Optional) Extends the delay of accounting start records to individual VRF users.
Defaults
Accounting records are not delayed.
Command Modes
Global configuration
Command History
Release: 12.1
Modification: This command was introduced.
Release: 12.2(1)DX
Modification: The vrf keyword and vrf-name argument were introduced on the Cisco 7200 series and Cisco 7401ASR.
Release: 12.2(2)DD
Modification: This command was integrated into Cisco IOS Release 12.2(2)DD.
Release: 12.2(4)B
Modification: This command was integrated into Cisco IOS Release 12.2(4)B.
Release: 12.2(13)T
Modification: The vrf keyword and vrf-name argument were integrated into Cisco IOS Release 12.2(13)T.
Release: 12.3(1)
Modification: The all keyword was added.
Release: 12.2(28)SB
Modification: This command was integrated into Cisco IOS Release 12.2(28)SB.
Release: 12.2(33)SRA
Modification: This command was integrated into Cisco IOS Release 12.2(33)SRA.
Release: 12.2SX
Modification: This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Release: 12.2(33)SXH
Modification: This command was integrated into Cisco IOS Release 12.2(33)SXH.
Release: 12.2(33)SXI
Modification: This command was integrated into Cisco IOS Release 12.2(33)SXI.
Usage Guidelines
Use the aaa accounting delay-start command to delay generation of accounting start records until the IP address of the user has been established. Use the vrf vrf-name keyword and argument to delay accounting start records for individual Virtual Private Network (VPN) routing and forwarding (VRF) users or use the all keyword for all VRF and non-VRF users.
Note
The aaa accounting delay-start command applies only to non-VRF users. If you have a mix of VRF and non-VRF users, configure either aaa accounting delay-start (for non-VRF users) or aaa accounting delay-start vrf {vrf-name} (for VRF users) or aaa accounting delay-start all (for all VRF and non-VRF users).
Examples
The following example shows how to delay accounting start records until the IP address of the user is established:
aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start
radius-server host 172.16.0.0 non-standard
radius-server key rad123
The following example shows that accounting start records are to be delayed for all VRF and non-VRF users:
aaa new-model
aaa authentication ppp default radius
aaa accounting network default start-stop group radius
aaa accounting delay-start all
radius-server host 172.16.0.0 non-standard
radius-server key rad123
Related Commands
Command: aaa accounting
Description: Enables AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+.
Command: aaa authentication ppp
Description: Specifies one or more AAA authentication methods for use on serial interfaces running PPP.
Command: aaa authorization
Description: Sets parameters that restrict user access to a network.
Command: aaa new-model
Description: Enables the AAA access control model.
Command: radius-server host
Description: Specifies a RADIUS server host.
Command: tacacs-server host
Description: Specifies a TACACS+ server host.
aaa accounting gigawords
To enable authentication, authorization, and accounting (AAA) 64-bit, high-capacity counters, use the aaa accounting gigawords command in global configuration mode. To disable the counters, use the no form of this command. (Note that gigaword support is automatically configured unless you unconfigure it using the no form of the command.)
aaa accounting gigawords
no aaa accounting gigawords
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not configured, the 64-bit, high-capacity counters that support RADIUS attributes 52 and 53 are automatically enabled.
Command Modes
Global configuration
Command History
Release: 12.2(13.7)T
Modification: This command was introduced.
Usage Guidelines
The AAA high-capacity counter process takes approximately 8 percent CPU memory for 24,000 (24 K) sessions running under steady state. If you have entered the no form of this command to turn off the 64-bit counters and you want to reenable them, you will need to enter the aaa accounting gigawords command. Also, once you have entered the no form of the command, it takes a reload of the router to actually disable the use of the 64-bit counters.
Note
The aaa accounting gigawords command does not show up in the running configuration unless the no form of the command is used in the c