-
Cisco IOS Security Command Reference: Commands A to C, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
-
aaa authentication banner through aaa group server tacacs+
-
aaa nas port extended through address ipv6 (TACACS+)
-
authentication command bounce-port ignore through auth-type
-
clear dot1x through clear eap
-
client through crl
-
crypto ca authenticate through crypto ca trustpoint
-
crypto key generate rsa
-
Index
-
Feedback
Contents
aaa nas port extended through address ipv6 (TACACS+)
- aaa nas port extended
- aaa new-model
- aaa route download
- aaa server radius dynamic-author
- access-list (IP standard)
- address ipv6 (config-radius-server)
- address ipv6 (TACACS+)
aaa nas port extended
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extendedcommand inglobal configuration mode. To display no extended field information, use the no form of this command.
Command History
Release
Modification
11.3
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute.
In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco’s vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
aaa new-model
To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.
Command History
Release
Modification
10.0
This command was introduced.
12.4(4)T
Support for IPv6 was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA
12.2(33)SXI
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Cisco IOS XE Release 2.5
This command was integrated into Cisco IOS XE Release 2.5.
15.1(2)SNG
This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers.
Related Commands
Command
Description
aaa accounting
Enables AAA accounting of requested services for billing or security purposes.
aaa authentication arap
Enables an AAA authentication method for ARAP using TACACS+.
aaa authentication enable default
Enables AAA authentication to determine if a user can access the privileged command level.
aaa authentication login
Sets AAA authentication at login.
aaa authentication ppp
Specifies one or more AAA authentication method for use on serial interfaces running PPP.
aaa authorization
Sets parameters that restrict user access to a network.
aaa route download
To enable the static route download feature and set the amount of time between downloads, use the aaa route download command in global configuration mode. To disable this function, use the no form of this command.
Syntax Description
time
(Optional) Time between downloads, in minutes. The range is from 1 to 1440 minutes.
authorization method-list
(Optional) Specify a named method list to which RADIUS authorization requests for static route downloads are sent. If these attributes are not set, all RADIUS authorization requests will be sent to the servers that are specified by the default method list.
Command History
Release
Modification
12.0(3)T
This command was introduced.
12.1
This command was integrated into Cisco IOS Release 12.1.
12.2(8)T
The authorization keyword was added; the method-list argument was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRC
This command was integrated into Cisco IOS Release 12.2(33)SRC.
Usage Guidelines
This command is used to download static route details from the authorization, authentication, and accounting (AAA) server if the name of the router is hostname. The name passed to the AAA server for static routes is hostname-1, hostname-2... hostname-n--the router downloads static routes until it fails an index and no more routes can be downloaded.
Examples
The following example sets the AAA route update period to 100 minutes:
aaa route download 100The following example sets the AAA route update period to 10 minutes and sends static route download requests to the servers specified by the method list name “list1”:
aaa route download 10 authorization list1Related Commands
Command
Description
aaa authorization configuration default
Downloads static route configuration information from the AAA server using TACACS+ or RADIUS.
clear ip route download
Clears static routes downloaded from a AAA server.
show ip route
Displays all static IP routes, or those installed using the AAA route download function.
aaa server radius dynamic-author
To configure a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-authorcommand in global configuration mode. To remove this configuration, use the no form of this command.
Command Default
The device will not function as a server when interacting with external policy servers.
Command History
Release
Modification
12.2(28)SB
This command was introduced.
12.4
This command was integrated into Cisco IOS Release 12.4.
Cisco IOS XE Release 2.6
This command was integrated into Cisco IOS XE Release 2.6.
12.2(5)SXI
This command was integrated into Cisco IOS Release 12.2(5)SXI.
15.2(2)T
This command was integrated into Cisco IOS Release 15.2(2)T.
Usage Guidelines
Dynamic authorization allows an external policy server to dynamically send updates to a device. Once the aaa server radius dynamic-author command is configured, dynamic authorization local server configuration mode is entered. Once in this mode, the RADIUS application commands can be configured.
Dynamic Authorization for the Intelligent Services Gateway (ISG)
ISG works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG device and external policy servers: initial authorization and dynamic authorization.
The dynamic authorization model allows an external policy server to dynamically send policies to the ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.
Examples
The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.12.12.12:
aaa server radius dynamic-author client 10.12.12.12 key cisco message-authenticator ignoreRelated Commands
Command
Description
auth-type (ISG)
Specifies the server authorization type.
client
Specifies a RADIUS client from which a device will accept CoA and disconnect requests.
default
Sets a RADIUS application command to its default.
domain
Specifies username domain options.
ignore
Overrides a behavior to ignore certain paremeters.
port
Specifies a port on which local RADIUS server listens.
server-key
Specifies the encryption key shared with RADIUS clients.
access-list (IP standard)
To define a standard IP access list, use the s tandard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command.
access-list access-list-number { deny | permit } source [source-wildcard] [ log [word] ]
no access-list access-list-number
Syntax Description
Command Default
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command History
Release
Modification
10.3
This command was introduced.
11.3(3)T
The log keyword was added.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(22)T
The word argument was added to the log keyword.
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Caution
Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting these images.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.168.34.0 0.0.0.255 access-list 1 permit 10.88.0.0 0.0.255.255 access-list 1 permit 10.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63 ! (Note: all other access implicitly denied)To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 10.48.0.3 access-list 2 permit 10.48.0.3 0.0.0.0The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63 ! (Note: all other access implicitly denied)The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected. In addition, the logging mechanism is enabled and the word SampleUserValue is appended to each syslog entry.
Router(config)# access-list 1 permit 10.29.2.64 0.0.0.63 log SampleUserValueRelated Commands
Command
Description
access-class
Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
access-list (IP extended)
Defines an extended IP access list.
access-list remark
Writes a helpful comment (remark) for an entry in a numbered IP access list.
deny (IP)
Sets conditions under which a packet does not pass a named access list.
distribute-list in (IP)
Filters networks received in updates.
distribute-list out (IP)
Suppresses networks from being advertised in updates.
ip access-group
Controls access to an interface.
ip access-list logging hash-generation
Enables hash value generation for ACE syslog entries.
permit (IP)
Sets conditions under which a packet passes a named access list.
remark (IP)
Writes a helpful comment (remark) for an entry in a named IP access list.
show access-lists
Displays the contents of current IP and rate-limit access lists.
show ip access-list
Displays the contents of all current IP access lists.
address ipv6 (config-radius-server)
To configure the IPv6 address for the RADIUS server accounting and authentication parameters, use the address ipv6 command in RADIUS server configuration mode. To remove the specified RADIUS server accounting and authentication parameters, use the no form of this command.
address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]
no address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]
Syntax Description
hostname
Domain Name System (DNS) name of the RADIUS server host.
ipv6address
RADIUS server IPv6 address.
acct-port port
(Optional) Specifies the User Datagram Protocol (UDP) port for the RADIUS accounting server for accounting requests. The default port is 1646.
alias {hostname | ipv6address}
(Optional) Specifies an alias for this server. The alias can be an IPv6 address or hostname. Up to eight aliases can be configured for this server.
auth-port port
(Optional) Specifies the UDP port for the RADIUS authentication server. The default port is 1645.
Usage Guidelines
The aaa new-model command must be configured before accessing this command.
The Cisco TrustSec (CTS) feature uses Secure RADIUS to prescribe a process of authentication, authorization, session association, encryption, and traffic filtering.
Before an alias can be configured for the RADIUS server, the server’s IPv6 address or DNS name must be configured. This is accomplished by using the address ipv6 command and the hostname argument. An alias can then be configured by using the address ipv6 command, the alias keyword, and the hostname argument.
Examples
The following example shows how to configure the RADIUS server accounting and authentication parameters:
Device(config)# aaa new-model Device(config)# radius server myserver Device(config-radius-server)# address ipv6 2001:DB8:1::1 acct-port 1813 auth-port 1812address ipv6 (TACACS+)
To configure the IPv6 address of the TACACS+ server, use the address ipv6 command in TACACS+ server configuration mode. To remove the IPv6 address, use the no form of this command.
Usage Guidelines
Use the address ipv6 (TACACS+) command after you have enabled the TACACS+ server using the tacacs server command.
