-
Cisco IOS Security Command Reference: Commands S to Z
-
sa ipsec through sessions maximum
-
set aggressive-mode client-endpoint through show content-scan
-
show crypto ace redundancy through show cts sxp
-
show diameter peer through show object-group
-
show parameter-map type consent through show users
-
show vlan group through switchport port-security violation
-
tacacs-server administration through title-color
-
traffic-export through zone security
-
Index
-
Feedback
Contents
tacacs-server administration through title-color
- tacacs server
- tacacs-server administration
- tacacs-server directed-request
- tacacs-server dns-alias-lookup
- tacacs-server domain-stripping
- tacacs-server host
- tacacs-server key
- tacacs-server packet
- tacacs-server timeout
- tag cts sgt
- target-value
- tcp finwait-time
- tcp half-close reset
- tcp half-open reset
- tcp idle-time
- tcp idle reset
- tcp max-incomplete
- tcp reassembly
- tcp reassembly memory limit
- tcp syn-flood limit
- tcp syn-flood rate per-destination
- tcp synwait-time
- tcp window-scale-enforcement loose
- telnet
- template (identity policy)
- template (identity profile)
- template config
- template file
- template http admin-introduction
- template http completion
- template http error
- template http introduction
- template http start
- template http welcome
- template location
- template username
- template variable p
- test aaa group
- test content-scan
- test crypto self-test
- test urlf cache snapshot
- text-color
- threat-detection basic-threat
- threat-detection rate
- throttle
- timeout (application firewall application-configuration)
- timeout (config-radius-server)
- timeout (GTP)
- timeout (parameter-map)
- timeout (policy group)
- timeout (TACACS+)
- timeout file download
- timeout login response
- timeout retransmit
- timer (Diameter peer)
- timer reauthentication (config-if-cts-dot1x)
- timers delay
- timers hellotime
- title
- title-color
tacacs server
To configure the TACACS+ server for IPv6 or IPv4 and enter TACACS+ server configuration mode, use the tacacs servercommand in global configuration mode. To remove the configuration, use the no form of this command.
Usage Guidelines
The tacacs server command configures the TACACS server using the name argument and enters TACACS+ server configuration mode. The configuration is applied once you have finished configuration and exited TACACS+ server configuration mode.
Examples
The following example shows how to configure the TACACS server using the name server1 and enter TACACS+ server configuration mode to perform further configuration:
Router(config)# tacacs server server1 Router(config-server-tacacs)#Related Commands
Command
Description
address ipv6 (TACACS+)
Configures the IPv6 address of the TACACS+ server.
key (TACACS+)
Configures the per-server encryption key on the TACACS+ server.
port (TACACS+)
Specifies the TCP port to be used for TACACS+ connections.
send-nat-address (TACACS+)
Sends a client’s post-NAT address to the TACACS+ server.
single-connection (TACACS+)
Enables all TACACS packets to be sent to the same server using a single TCP connection.
timeout (TACACS+)
Configures the time to wait for a reply from the specified TACACS server.
tacacs-server administration
To enable the handling of administrative messages by the TACACS+ daemon, use the tacacs-server administration command in global configuration mode. To disable the handling of administrative messages by the TACACS+ daemon, use the no form of this command.
Command History
Release
Modification
Prior to 12.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
tacacs-server directed-request
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-requestcommand in global configuration mode. To send the entire string to the TACACS+ server, use the no form of this command.
Command History
Release
Modification
11.1
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.
With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.
Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
tacacs-server dns-alias-lookup
To enable IP Domain Name System (DNS) alias lookup for TACACS+ servers, use the command in global configuration mode. To disable IP DNS alias lookup, use the no form of this command.
Command History
Release
Modification
Prior to 12.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
tacacs-server domain-stripping
To configure a network access server (NAS) to strip suffixes, or to strip both suffixes and prefixes from the username before forwarding the username to the remote TACACS+ server, use the tacacs-server domain-stripping command in global configuration mode. To disable a stripping configuration, use the no form of this command.
tacacs-server domain-stripping [ [right-to-left] [ prefix-delimiter character [ character2 . .. character7 ] ] [ delimiter character [ character2 . .. character7 ] ] | strip-suffix suffix ] [ vrf vrf-name ]
no tacacs-server domain-stripping [ [right-to-left] [ prefix-delimiter character [ character2 . .. character7 ] ] [ delimiter character [ character2 . .. character7 ] ] | strip-suffix suffix ] [ vrf vrf-name ]
Syntax Description
right-to-left
(Optional) Specifies that the NAS will apply the stripping configuration at the first delimiter found when parsing the full username from right to left. The default is for the NAS to apply the stripping configuration at the first delimiter found when parsing the full username from left to right.
prefix-delimiter character [character2...character7]
(Optional) Enables prefix stripping and specifies the character or characters that will be recognized as a prefix delimiter. Valid values for the character argument are @, /, $, %, \, #, and -. Multiple characters can be entered without intervening spaces. Up to seven characters can be defined as prefix delimiters, which is the maximum number of valid characters. If a \ is entered as the final or only value for the character argument, it must be entered as \\. No prefix delimiter is defined by default.
delimiter character [character2...character7]
(Optional) Specifies the character or characters that will be recognized as a suffix delimiter. Valid values for the character argument are @, /, $, %, \, #, and -. Multiple characters can be entered without intervening spaces. Up to seven characters can be defined as suffix delimiters, which is the maximum number of valid characters. If a \ is entered as the final or only value for the character argument, it must be entered as \\. The default suffix delimiter is the @ character.
strip-suffix suffix
(Optional) Specifies a suffix to strip from the username.
vrf vrf-name
(Optional) Restricts the domain stripping configuration to a Virtual Private Network (VPN) routing and forwarding (VRF) instance. The vrf-nameargument specifies the name of a VRF.
Usage Guidelines
Use the tacacs-server domain-stripping command to configure the NAS to strip the domain from a username before forwarding the username to the TACACS+ server. If the full username is user1@cisco.com, enabling the tacacs-server domain-stripping command results in the username "user1" being forwarded to the TACACS+ server.
Use the right-to-leftkeyword to specify that the username should be parsed for a delimiter from right to left, rather than from left to right. This allows strings with two instances of a delimiter to strip the username at either delimiter. For example, if the username is user@cisco.com@cisco.net, the suffix could be stripped in two ways. The default direction (left to right) would result in the username "user" being forwarded to the TACACS+ server. Configuring the right-to-leftkeyword would result in the username "user@cisco.com" being forwarded to the TACACS+ server.
Use the prefix-delimiter keyword to enable prefix stripping and to specify the character or characters that will be recognized as a prefix delimiter. The first configured character that is parsed will be used as the prefix delimiter, and any characters before that delimiter will be stripped.
Use the delimiter keyword to specify the character or characters that will be recognized as a suffix delimiter. The first configured character that is parsed will be used as the suffix delimiter, and any characters after that delimiter will be stripped.
Use strip-suffix suffixto specify a particular suffix to strip from usernames. For example, configuring the tacacs-server domain-stripping strip-suffix cisco.netcommand would result in the username user@cisco.net being stripped, while the username user@cisco.com will not be stripped. You may configure multiple suffixes for stripping by issuing multiple instances of the tacacs-server domain-stripping command. The default suffix delimiter is the @ character.
NoteIssuing the tacacs-server domain-stripping strip-suffix suffix command disables the capacity to strip suffixes from all domains. Both the suffix delimiter and the suffix must match for the suffix to be stripped from the full username. The default suffix delimiter of @ will be used if you do not specify a different suffix delimiter or set of suffix delimiters using the delimiterkeyword.
NoteIssuing the no tacacs-server host command reconfigures the TACACS server host information. You can view the contents of the current running configuration file using the show running-config command.
To apply a domain-stripping configuration only to a specified VRF, use the vrf vrf-name option.
The interactions between the different types of domain stripping configurations are as follows:
- You may configure only one instance of the tacacs-server domain-stripping[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]]command.
- You may configure multiple instances of the tacacs-server domain-stripping[right-to-left] [prefix-delimiter character [character2...character7]] [delimiter character [character2...character7]] [vrf vrf-name]command with unique values for vrf vrf-name.
- You may configure multiple instances of the tacacs-server domain-stripping strip-suffix suffix[vrf per-vrf]command to specify multiple suffixes to be stripped as part of a global or per-VRF ruleset.
- Issuing any version of the tacacs-server domain-strippingcommand automatically enables suffix stripping using the default delimiter character @ for that ruleset, unless a different delimiter or set of delimiters is specified.
- Configuring a per-suffix stripping rule disables generic suffix stripping for that ruleset. Only suffixes that match the configured suffix or suffixes will be stripped from usernames.
Examples
The following example shows how to configure the router to parse the username from right to left and set the valid suffix delimiter characters as @, \, and $. If the full username is cisco/user@cisco.com$cisco.net, the username "cisco/user@cisco.com" will be forwarded to the TACACS+ server because the $ character is the first valid delimiter encountered by the NAS when parsing the username from right to left.
tacacs-server domain-stripping right-to-left delimiter @\$The following example shows how to configure the router to strip the domain name from usernames only for users associated with the VRF instance named abc. The default suffix delimiter @ will be used for generic suffix stripping.
tacacs-server domain-stripping vrf abcThe following example shows how to enable prefix stripping using the character / as the prefix delimiter. The default suffix delimiter character @ will be used for generic suffix stripping. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter /The following example shows how to enable prefix stripping, specify the character / as the prefix delimiter, and specify the character # as the suffix delimiter. If the full username is cisco/user@cisco.com#cisco.net, the username "user@cisco.com" will be forwarded to the TACACS+ server.
tacacs-server domain-stripping prefix-delimiter / delimiter #The following example shows how to enable prefix stripping, configure the character / as the prefix delimiter, configure the characters $, @, and # as suffix delimiters, and configure per-suffix stripping of the suffix cisco.com. If the full username is cisco/user@cisco.com, the username "user" will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com#cisco.com, the username "user@cisco.com" will be forwarded.
tacacs-server domain-stripping prefix-delimiter / delimiter $@# tacacs-server domain-stripping strip-suffix cisco.comThe following example shows how to configure the router to parse the username from right to left and enable suffix stripping for usernames with the suffix cisco.com. If the full username is cisco/user@cisco.net@cisco.com, the username "cisco/user@cisco.net" will be forwarded to the TACACS+ server. If the full username is cisco/user@cisco.com@cisco.net, the full username will be forwarded.
tacacs-server domain-stripping right-to-left tacacs-server domain-stripping strip-suffix cisco.comThe following example shows how to configure a set of global stripping rules that will strip the suffix cisco.com using the delimiter @, and a different set of stripping rules for usernames associated with the VRF named myvrf:
tacacs-server domain-stripping strip-suffix cisco.com ! tacacs-server domain-stripping prefix-delimiter # vrf myvrf tacacs-server domain-stripping strip-suffix cisco.net vrf myvrftacacs-server host
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. To delete the specified name or address, use the no form of this command.
tacacs-server host { hostname | host-ip-address } [ key string ] [ [nat] [ port [ integer ] ] [single-connection] [ timeout [ integer ] ] ]
no tacacs-server host { hostname | host-ip-address }
Syntax Description
hostname
Name of the host.
host-ip-address
IP address of the host.
key
(Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string
(Optional) Character string specifying authentication and encryption key.
The string can be 0 (specifies that an unencrypted key follows), 6 (specifies that an advanced encryption scheme [AES] encrypted key follows), 7 (specifies that a hidden key follows), or a line specifying the unencrypted (clear-text) server key.
nat
(Optional) Port Network Address Translation (NAT) address of the client is sent to the TACACS+ server.
port
(Optional) Specifies a TACACS+ server port number. This option overrides the default, which is port 49.
integer
(Optional) Port number of the server. Valid port numbers range from 1 through 65535.
single-connection
(Optional) Maintains a single open connection between the router and the TACACS+ server.
timeout
(Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer
(Optional) Integer value, in seconds, of the timeout interval. The value is from 1 through 1000.
Command History
Release
Modification
10.0
This command was introduced.
12.1(11), 12.2(6)
This command was modified. The nat keyword was added.
12.2(8)T
This command was modified. The nat keyword was added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.4(1)T
This command was modified. The 6 keyword was added.
Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the port, timeout, key, single-connection, and nat keywords only when running a AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.
The single-connection keyword specifies a single connection (only valid with CiscoSecure Release 1.0.1 or later). Rather than have the router open and close a TCP connection to the server each time it must communicate, the single-connection option maintains a single open connection between the router and the server. The single connection is more efficient because it allows the server to handle a higher number of TACACS operations.
Use the password encryption aes command to configure type 6 AES encrypted keys.
Examples
The following example shows how to specify a TACACS+ host named Sea_Change:
Device> enable Device# configure terminal Device(config)# aaa new-model Device(config)# tacacs-server host Sea_ChangeThe following example shows how to specify that, for authentication, authorization, and accounting (AAA) confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
Device> enable Device# configure terminal Device(config)# aaa new-model Device(config)# tacacs-server host Sea_Cure port 51 timeout 3 key a_secretRelated Commands
Command
Description
aaa accounting
Enables AAA accounting of requested services for billing or security.
aaa authentication
Specifies or enables AAA authentication.
aaa authorization
Sets parameters that restrict user access to a network.
password encryption aes
Enables a type 6 encrypted preshared key.
ppp
Starts an asynchronous connection using PPP.
slip
Starts a serial connection to a remote host using SLIP.
tacacs-server key
Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.
tacacs-server key { 0 string | 6 string | 7 string | string }
no tacacs-server key { 0 string | 6 string | 7 string | string }
Syntax Description
Command History
Release
Modification
11.1
This command was introduced.
12.3(2)T
This command was modified. The 0 string and 7 string keywords and argument pairs were added.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2(33)SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.4(1)T
This command was modified. The 6 keyword was added.
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Use the password encryption aes command to configure type 6 AES encrypted keys.
tacacs-server packet
To specify the maximum size of TACACS+ packets, use the tacacs-server packetcommand in global configuration mode. To disable, use the no form of this command.
Command History
Release
Modification
12.0
This command was introduced in a release earlier than Cisco IOS Release 12.0
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
tacacs-server timeout
To set the interval for which the TACACS server waits for a server host to reply, use the tacacs-server timeout command in global configuration mode. To restore the default timeout interval, use the no form of this command.
Command Default
The default timeout interval for which the server waits for the server host to reply is 5 seconds.
Command History
Release
Modification
10.0
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use the tacacs-server timeoutcommand to set the interval for which the server waits for a server host to reply. A TCP connection between the server and the host times out during higher loads. Therefore, to delay TCP timeouts, change the timeout interval to 30 seconds. You can also configure the tacacs-server host command with the single-connection keyword to delay TCP timeouts.
tag cts sgt
To enable Cisco TrustSec (CTS) SGT inline tagging in a GDOI group IPsec SA, use the tag cts sgt command in GDOI SA IPsec configuration mode.
Usage Guidelines
CTS maintains classification of each packet by tagging packets on ingress to the CTS network, so that they can be properly identified for applying security and other policy criteria along the data path.
You use this command on a key server (KS) or primary KS.
Because GET VPN is a technology that is based on groups, all devices in the same group (including the KS, cooperative KSs, and GMs) must support CTS SGT inline tagging before the group’s KS can enable the feature. If you want to enable the feature for a group, you must ensure that all devices in the group are running compatible versions of the GET VPN software by using the show crypto gdoi feature cts-sgt command on the KS or primary KS.
If incompatible devices exist in the group when you use this command, the following message appears:
WARNING for group GET-SGT: some devices cannot support SGT inline tagging. Rekey can cause traffic disruption and GM registration failures. Please check 'show crypto gdoi feature sgt'. Are you sure you want to proceed ? [yes/no]:After you use this command, you must use the crypto gdoi ks rekey command on the KS or primary KS to trigger a rekey.
Examples
The following example shows how to configure CTS SGT inline tagging in an IPsec SA for a KS serving a single GDOI group:
Device> enable Device# configure terminal Device(config)# ip access-list extended ACL-SGT Device(config-ext-nacl)# permit ip any any Device(config-ext-nacl)# exit Device(config)# crypto gdoi group GET-SGT Device(config-gdoi-group)# identity number 1 Device(config-gdoi-group)# server local Device(gdoi-local-server)# sa ipsec 1 Device(gdoi-sa-ipsec)# tag cts sgt Device(gdoi-sa-ipsec)# profile gdoi-p2 Device(gdoi-sa-ipsec)# match address ipv4 ACL-SGT Device(gdoi-sa-ipsec)# replay time window-size 100 Device(gdoi-sa-ipsec)# endtarget-value
To define the target value rating for a host, use the target-valuecommand in configuration rule configuration mode. To change the target value rating or revert to the default value, use the no form of this command.
target-value { mission-critical | high | medium | low } target-address ip-address [ /nn | toip-address ]
notarget-value { mission-critical | high | medium | low } target-address ip-address [ /nn | toip-address ]
Usage Guidelines
Use the target-valuecommand to set the target value rating, which allows users to develop security policies that can be more strict for some resources than others. The security policy is applied to a table of hosts that are protected by Cisco IOS Intrusion Prevention System (IPS). A host can be a single IP address or a range of IP addresses with an associated target value rating.
NoteChanges to the target value rating is not shown in the run time config because the changes are recorded in the seap-delta.xml file, which can be located via the ip ips config locationcommand.
tcp finwait-time
To specify how long a TCP session will be managed after the Cisco IOS firewall detects a FIN-exchange, use the tcp finwait-time command in parameter-map type inspect configuration mode. To disable this function, use the no form of this command.
Usage Guidelines
In a TCP connection, the client and the server terminate their end of the connection by sending a finish (FIN) message. The time the client and the server wait for their FIN message to be acknowledged by the other side before closing the sequence during a TCP connection is called the finwait-time. The timeout that you set for the finwait-time is referred to as the finwait timeout.
When the software detects a valid TCP packet that is the first in a session, it establishes state information for the new session.
Use the tcp finwait-time command to define how long TCP session state information will be maintained after the firewall detects a FIN-exchange for the session. The FIN-exchange occurs when the TCP session is ready to close. The global value specified for the timeout applies to all TCP sessions.
When you configure an inspect parameter map, you can enter the tcp finwait-time command only after you enter the parameter-map type inspect command.
For detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example show how to change the finwait timeout to 20 seconds:
parameter-map type inspect eng_network_profile tcp finwait-time 20The following example show how to change the finwait idle timeout to 40 seconds:
parameter-map type inspect eng_network_profile tcp finwait-time 20 ageout-time 40Related Commands
Command
Description
ip inspect tcp finwait-time
Defines how long a TCP session will still be managed after the firewall detects a FIN-exchange.
max-incomplete aggressive-aging
Configures aggressive aging of half-opened firewall sessions.
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp half-close reset
To specify whether the TCP reset (RST) segment should be sent when a half-close session is cleared, use the tcp half-close reset command in parameter-map type inspect configuration mode. To specify that the TCP RST segment should not be sent when a half-close session is cleared, use the no form of this command.
Usage Guidelines
TCP provides the ability for one end of a connection to terminate its output while still receiving data from the other end of the connection. This TCP state is called the half-close state. A session enters the half-close state when it receives the first TCP finish (FIN) segment and starts a timer. If another segment is received before the session timeout occurs, then the timer is restarted.
You can set the timeout value for a half-close session by using the tcp synwait-time command. The default timeout value is 30 seconds.
When you configure an inspect type parameter map, you can enter the tcp half-close reset command after you enter the parameter-map type inspect command.
If you configure the tcp half-close reset on command, the TCP RST segment is sent to both ends of the half-close session when half-close session is cleared. If you configure the tcp half-close reset off command, the TCP RST segment is not transmitted when the session is cleared.
Examples
The following example shows how to configure TCP half-close RST segment transmission:
Device(config)# parameter-map type inspect pmap Device(config-profile)# tcp half-close reset onRelated Commands
Command
Description
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp synwait-time
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
tcp half-open reset
To specify whether the TCP reset (RST) segment should be sent when a half-open session is cleared, use the tcp half-open reset command in parameter-map type inspect configuration mode. To specify that the TCP RST segment should not be sent when a half-open session is cleared, use the no form of this command.
Usage Guidelines
A half-open session is an unestablished session that is initiated by a TCP synchronization (SYN) segment but has an incomplete three-way handshake. A timer is started as soon as the incomplete three-way handshake occurs.
NoteYou can set the timeout value for a half-open session by using the tcp synwait-time command. The default timeout value is 30 seconds.
When you configure an inspect type parameter map, you can enter the tcp half-open reset command after you enter the parameter-map type inspect command.
If you configure the tcp half-open reset on command, the TCP RST segment is sent to both ends of the half-open session when the half-open session is cleared. If you configure the tcp half-open reset off command, the TCP RST segment is not transmitted when the session is cleared.
Examples
The following example shows how to configure TCP half-open RST segment transmission:
Device(config)# parameter-map type inspect pmap Device(config-profile)# tcp half-open reset onRelated Commands
Command
Description
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp synwait-time
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
tcp idle-time
To configure the amount of time a TCP session will still be managed while there is no activity, use the tcp idle-time command in parameter-map type inspect configuration mode. To disable this function, use the no form of this command.
Syntax Description
seconds
Amount of time, in seconds, during which a TCP session will still be managed while there is no activity. The default is 3600 seconds (1 hour). Valid values are from 1 to 2147483.
ageout-time seconds
(Optional) Specifies the aggressive aging time for TCP packets. Valid values are from 1 to 2147483.
Usage Guidelines
When you configure an inspect parameter map, you can enter the tcp idle-time command after you enter the parameter-map type inspect command.
When the software detects a valid TCP packet that is the first in a session, the software establishes state information for the new session.
If the software detects no packets for the session for a time period defined by the TCP idle timeout, the software will not manage state information for the session.
The value specified for this timeout applies to all TCP sessions.
For detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example shows how to set the TCP timeout to 90 seconds:
parameter-map type inspect eng-network-profile tcp idle-time 90The following example shows how to set the TCP ageout time to 70 seconds:
parameter-map type inspect eng-network-profile tcp idle-time 90 ageout-time 70Related Commands
Command
Description
ip inspect tcp idle-time
Specifies the TCP idle timeout (the length of time during which a TCP session will still be managed while there is no activity).
max-incomplete aggressive-aging
Configures aggressive aging of half-opened firewall sessions.
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp idle reset
To specify whether the TCP reset (RST) segment should be sent when an idle session is cleared, use the tcp idle reset command in parameter-map type inspect configuration mode. To specify that the TCP RST segment should not be sent when an idle session is cleared, use the no form of this command.
Usage Guidelines
An idle session is a TCP session that is active between two devices even when no data is transmitted by either device for a prolonged period of time.
NoteYou can set the timeout value for an idle session by using the tcp idle-time command . The default timeout value for idle sessions is 3600 seconds.
When an idle TCP session is cleared, the TCP RST segment is sent and the session is reset if the TCP reset segment control is configured on the session.
When you configure an inspect type parameter map, you can enter the tcp idle reset command after you enter the parameter-map type inspect command.
If you configure the tcp idle reset on command, the TCP RST segment is sent to both ends of the idle session when the session is cleared. If you configure the tcp idle reset off command, the TCP RST segment is not transmitted when the session is cleared.
tcp max-incomplete
To specify threshold and blocking time values for TCP host-specific denial-of-service (DoS) detection and prevention, use the tcp max-incomplete command in parameter-map type inspect configuration mode. To reset the threshold and blocking time to the default values, use the no form of this command.
Syntax Description
host threshold
Number of half-open TCP sessions with the same host destination address that can simultaneously exist before the software starts deleting half-open sessions to the host. The range is from 1 to 2147483647. The default is unlimited.
block-time minutes
(Optional) Amount of time, in minutes, the software prevents connections to the host. The default is 0.
Usage Guidelines
When you are configuring an inspect type parameter map, you can enter the tcp max-incomplete command after you enter the parameter-map type inspect command.
After the specified threshold is exceeded, the router drops packets.
Half-open means that the session has not reached the established state.An unusually high number of half-open sessions with the same destination host address could indicate that a DoS attack is being launched against the host.
When the number of half-open sessions with the same destination host address rises above a threshold (the host threshold number), the software deletes half-open sessions according to one of the following methods.
The software deletes the oldest existing half-open session for the host for every new connection request to the host. This ensures that the number of half-open sessions to a given host never exceeds the threshold.
The software deletes all existing half-open sessions for the host and then blocks all new connection requests to the host. The software continues to block all new connection requests until the block-time expires.
The software also sends syslog messages whenever the specified threshold is exceeded and when blocking of connection initiations to a host starts or ends.
The global values specified for the threshold and blocking time apply to all TCP connections that Cisco IOS stateful packet inspection inspects.
For more detailed information about creating a parameter map, see the parameter-map type inspect command.
Examples
The following example shows how to specifiy a maximum of 100 half-open sessions and a block time of 10 minutes. If a single host receives 400 half-open sessions, subsequent connections after 100 will be dropped. If a host receives 50 connections and another host receives 50 connections, no packets are dropped.
parameter-map type inspect eng-network-profile tcp max-incomplete host 100 block-time 10Related Commands
Command
Description
ip inspect tcp max-incomplete host
Specifies threshold and blocking time values for TCP host-specific DoS detection and prevention.
max-incomplete aggressive-aging
Configures aggressive aging of half-open firewall sessions.
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp reassembly
To change the default parameters for Out-of-Order (OoO) queue processing of TCP sessions, use the tcp reassembly command in parameter-map type configuration mode. To revert to the default parameters, use the no form of this command.
tcp reassembly { alarm { on | off } | queue length queue-length | timeout seconds }
no tcp reassembly { alarm { on | off } | queue length queue-length | timeout seconds }
Syntax Description
alarm {on | off} Enables or disables the alert message configuration for OoO packets. The default is off.
queue length queue-length Specifies the length of OoO queues. The range is from 0 to 1024. The default is 16.
timeout seconds Specifies the timeout for OoO queues in seconds. The range is from 1 to 3600. The default is 5.
Command Default
Alert messages are disabled, the default OoO queue length is 16, and the default timeout for OoO queues is 5 seconds.
Command History
Usage Guidelines
If the TCP queue length is set to 0, the TCP OoO packet buffering and reassembly is disabled.
If the TCP alarm is enabled, a syslog message is generated when an OoO packet is dropped.
tcp reassembly memory limit
To specify the limit of the out-of-order (OOO) queue size for TCP sessions, use the tcp reassembly memory limit command in parameter map type OOO global configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
You must use the tcp reassembly memory limit command to specify the limit of the OOO queue size for TCP sessions when the deep packet inspection feature is configured on the router.
tcp syn-flood limit
To configure a limit to the number of TCP half-open sessions before triggering synchronization (SYN) cookie processing for new SYN packets, use the tcp syn-flood limitcommand in profile configuration mode. To disable the configuration, use the no form of this command.
Usage Guidelines
A TCP half-open session is a session that has not reached the established state.
In a VRF-aware firewall, you can configure a limit to the number of TCP half-open sessions for each VRF. At both the global level and at the VPN Routing and Forwarding (VRF) level, when the configured TCP SYN flood limit is reached, the TCP SYN cookie verifies the source of the half-open sessions before creating more sessions.
You must configure the parameter-map type inspect-vrf or the parameter-map type inspect globalcommand before you can configure the tcp syn-flood limit command.
Examples
The following example shows how to limit the number of TCP half-open sessions to 500 at an inspect-VRF parameter map level:
Router(config)# parameter-map type inspect-vrf Router(config-profile)# tcp syn-flood limit 500 Router(config-profile)# endThe following example shows how to limit the number of TCP half-open sessions to 300 at a global parameter map level:
Router(config)# parameter-map type global Router(config-profile)# tcp syn-flood limit 300 Router(config-profile)# endtcp syn-flood rate per-destination
To configure a TCP synchronization (SYN) flood rate limit for each destination address, use the tcp syn-flood rate per-destination command in profile configuration mode. To disable TCP SYN flood packets, use the no form of this command.
tcp syn-flood rate per-destination maximum-packet-rate
no tcp syn-flood rate per-destination maximum-packet-rate
Usage Guidelines
When the configured maximum packet rate is reached, the TCP SYN cookie protection is triggered.
You must configure the parameter-map type inspect-zone or the parameter-map type globalcommand before you can configure the tcp syn-flood rate per-destination command.
Examples
The following example shows how to configure the TCP SYN-flood packet rate of 500 at an inspect-zone parameter map level:
Router(config)# parameter-map type inspect-zone Router(config-profile)# tcp syn-flood rate per-destination 500 Router(config-profile)# endThe following example shows how to configure the TCP SYN-flood packet rate of 300 at a global parameter map level:
Router(config)# parameter-map type global Router(config-profile)# tcp syn-flood rate per-destination 300 Router(config-profile)# endtcp synwait-time
To specify how long the software will wait for a TCP session to reach the established state before dropping the session, use the tcp synwait-time command in parameter-map type inspect configuration mode. To disable this function, use the no form of this command.
Syntax Description
seconds
Time, in seconds, that the system will wait for a TCP session to reach the established state before dropping the session. The default is 30. Valid values are from 1 to 2147483.
ageout-time seconds
(Optional) Specifies the aggressive aging time for TCP packets. Valid values are from 1 to 2147483.
Usage Guidelines
You must configure the parameter-map type inspect command before you can configure the tcp synwait-time command.
Examples
The following example shows how to specify that the TCP session will be dropped if the TCP session does not reach the established state in 3 seconds:
parameter-map type inspect eng-network-profile tcp synwait-time 3The following example shows how to specify the aging out time after which the TCP session will be dropped:
parameter-map type inspect eng-network-profile tcp synwait-time 3 ageout-time 20tcp window-scale-enforcement loose
To disable the checking of the TCP window-scale option in a Zone-Based Policy Firewall, use the tcp window-scale-enforcement loose command in parameter-map type inspect configuration mode. To return to the command default, use the no form of this command.
Usage Guidelines
The window-scale extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit Window field of the TCP header. The firewall enforces the strict checking of the TCP window scale option. See RFC 1323 for more information on this function.
Sometimes server uses a non-RFC compliant TCP/IP protocol stack. In this case, the intiator does not offer the window-scale option, but the responder has the option enabled with a window-scale factor that is not zero.
Network administrators who experience issues with a noncompliant server may not have control over the server to which they need to connect. Disabling the firewall to connect to a noncompliant server is not desirable and may fail if each endpoint cannot agree on the window-scaling factor to use for its respective receive window.
Use the tcp window-scale-enforcement loose command in parameter-map type inspect configuration mode to allow noncompliant window scale negotiation and to ensure the window-scale option works without the firewall being disabled to access the noncompliant servers. This command is used by the firewall, which provides a unidirectional firewall policy between groups of interfaces known as zones.
Examples
The following example shows how to disable the window scale option check in the Zone-Based Firewall parameter map for a TCP packet that has an invalid window scale option:
Device> enable Device# configure terminal Device(config)# parameter-map type inspect pmap-fw Device(config-profile)# tcp window-scale-enforcement looseRelated Commands
Command
Description
parameter-map type inspect
Configures an inspect parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action.
tcp synwait-time
Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
telnet
To log in to a host that supports Telnet, use the telnet command in user EXEC or privileged EXEC mode.
Command History
Release
Modification
10.0
This command was introduced.
12.0(21)ST
The /ipv4 and /ipv6 keywords were added.
12.1
The /quiet keyword was added.
12.2(2)T
The /ipv4 and /ipv6 keywords were added.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
The table below lists the optional telnet command keywords.
Table 1 telnet Keyword Options Option
Description
/debug
Enables Telnet debugging mode.
/encrypt kerberos
Enables an encrypted Telnet session. This keyword is available only if you have the Kerberized Telnet subsystem.
If you authenticate using Kerberos Credentials, the use of this keyword initiates an encryption negotiation with the remote server. If the encryption negotiation fails, the Telnet connection will be reset. If the encryption negotiation is successful, the Telnet connection will be established, and the Telnet session will continue in encrypted mode (all Telnet traffic for the session will be encrypted).
/ipv4
Specifies version 4 of the IP protocol. If a version of the IP protocol is not specified in a network that supports both the IPv4 and IPv6 protocol stacks, IPv6 is attempted first and is followed by IPv4.
/ipv6
Specifies version 6 of the IP protocol. If a version of the IP protocol is not specified in a network that supports both the IPv4 and IPv6 protocol stacks, IPv6 is attempted first and is followed by IPv4.
/line
Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press the Enter key. You can edit the line using the standard Cisco IOS software command-editing characters. The /line keyword is a local switch; the remote router is not notified of the mode change.
/noecho
Disables local echo.
/quiet
Prevents onscreen display of all messages from the Cisco IOS software.
/route: path
Specifies loose source routing. The path argument is a list of hostnames or IP addresses that specify network nodes and ends with the final destination.
/source-interface
Specifies the source interface.
/stream
Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UNIX-to-UNIX Copy Program (UUCP) and other non-Telnet protocols.
port-number
Port number.
bgp
Border Gateway Protocol.
chargen
Character generator.
cmd rcmd
Remote commands.
daytime
Daytime.
discard
Discard.
domain
Domain Name Service.
echo
Echo.
exec
EXEC.
finger
Finger.
ftp
File Transfer Protocol.
ftp-data
FTP data connections (used infrequently).
gopher
Gopher.
hostname
Hostname server.
ident
Ident Protocol.
irc
Internet Relay Chat.
klogin
Kerberos login.
kshell
Kerberos shell.
login
Login (rlogin).
lpd
Printer service.
nntp
Network News Transport Protocol.
pim-auto-rp
Protocol Independent Multicast (PIM) auto-rendezvous point (RP).
node
Connect to a specific Local-Area Transport (LAT) node.
pop2
Post Office Protocol v2.
pop3
Post Office Protocol v3.
port
Destination local-area transport (LAT) port name.
smtp
Simple Mail Transfer Protocol.
sunrpc
Sun Remote Procedure Call.
syslog
Syslog.
tacacs
Specifies TACACS security.
talk
Talk (517).
telnet
Telnet (23).
time
Time (37).
uucp
UNIX-to-UNIX Copy Program (540).
whois
Nickname (43).
www
World Wide Web (HTTP, 80).
With the Cisco IOS implementation of TCP/IP, you are not required to enter the connect or telnet command to establish a terminal connection. You can enter only the learned hostname--as long as the following conditions are met:
- The hostname is different from a command word for the router.
- The preferred transport protocol is set to telnet.
To display a list of the available hosts, use the show hosts command. To display the status of all TCP connections, use the show tcp command.
The Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the hostname, unless that name is already in use, or you change the connection name with the name-connection EXEC command. If the name is already in use, the Cisco IOS software assigns a null name to the connection.
The Telnet software supports special Telnet commands in the form of Telnet sequences that map generic terminal control functions to operating system-specific functions. To issue a special Telnet command, enter the escape sequence and then a command character. The default escape sequence is Ctrl-^ (press and hold the Ctrl and Shift keys and the 6 key). You can enter the command character as you hold down Ctrl or with Ctrl released; you can use either uppercase or lowercase letters. The table below lists the special Telnet escape sequences.
Table 2 Special Telnet Escape Sequences Escape Sequence1
Purpose
Ctrl-^ b
Break
Ctrl-^ c
Interrupt Process (IP and IPv6)
Ctrl-^ h
Erase Character (EC)
Ctrl-^ o
Abort Output (AO)
Ctrl-^ t
Are You There? (AYT)
Ctrl-^ u
Erase Line (EL)
1 The caret (^) symbol refers to Shift-6 on your keyboard.At any time during an active Telnet session, you can list the Telnet commands by pressing the escape sequence keys followed by a question mark at the system prompt: Ctrl-^ ?
A sample of this list follows. In this sample output, the first caret (^) symbol represents the Ctrl key, and the second caret represents Shift-6 on your keyboard:
router> ^^? [Special telnet escape help] ^^B sends telnet BREAK ^^C sends telnet IP ^^H sends telnet EC ^^O sends telnet AO ^^T sends telnet AYT ^^U sends telnet ELYou can have several concurrent Telnet sessions open and switch among them. To open a subsequent session, first suspend the current connection by pressing the escape sequence (Ctrl-Shift-6 then x [Ctrl^x] by default) to return to the system command prompt. Then open a new connection with the telnet command.
To terminate an active Telnet session, enter any of the following commands at the prompt of the device to which you are connecting:
Examples
The following example establishes an encrypted Telnet session from a router to a remote host named host1:
router> telnet host1 /encrypt kerberosThe following example routes packets from the source system host1 to example.com, then to 10.1.0.11, and finally back to host1 :
router> telnet host1 /route:example.com 10.1.0.11 host1The following example connects to a host with the logical name host1:
router> host1The following example suppresses all onscreen messages from the Cisco IOS software during login and logout:
router> telnet host2 /quietThe following example shows the limited messages displayed when connection is made using the optional /quiet keyword:
login:User2 Password: Welcome to OpenVMS VAX version V6.1 on node CRAW Last interactive login on Tuesday, 15-DEC-1998 11:01 Last non-interactive login on Sunday, 3-JAN-1999 22:32 Server3)logout User2 logged out at 16-FEB-2000 09:38:27.85Related Commands
Command
Description
connect
Logs in to a host that supports Telnet, rlogin, or LAT.
kerberos clients mandatory
Causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos Protocol with the remote server.
name connection
Assigns a logical name to a connection.
rlogin
Logs in to a UNIX host using rlogin.
show hosts
Displays the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of hostnames and addresses.
show tcp
Displays the status of TCP connections.
template (identity policy)
To specify a virtual template from which commands may be cloned, use the template command in identity policy configuration mode. To disable the virtual template, use the no form of this command.
Usage Guidelines
The identity policycommand must be entered in global configuration mode before the template command can be used.
template (identity profile)
To specify a virtual template from which commands may be cloned, use the template command in identity profile configuration mode. To disable the virtual template, use the no form of this command.
Usage Guidelines
The identity profile command and defaultkeyword must be entered in global configuration mode before the template command can be used.
template config
To specify a remote URL for a Cisco IOS command-line interface (CLI) configuration template, use the template config command in tti-registrar configuration mode. To remove the template from the configuration and use the default configuration template, use the no form of this command.
Syntax Description
Usage Guidelines
Use the template config command to specify a URL in which to retrieve the template that will be sent from the Secure Device Provisioning (SDP) registrar to the SDP petitioner during the Trusted Transitive Introduction (TTI) exchange.
If neither a configuration template nor the post keyword is specified, the default configuration template is used. The default configuration template contains the following commands:
! $t ! $c ! ! end END_CONFIG ;The variable "$t" will be expanded to include a Cisco IOS public key infrastructure (PKI) trustpoint that is configured for autoenrollment with the certificate server of the registrar. The variable "$c" will be expanded into the correct certificate chain for the certificate server of the registrar.
If an external template is specified, it must include the "$t" and "$c" variables to enable the petitioner device to obtain a certificate. The end command must be specified. If you want to specify details about the trustpoint, you can specify a template as follows:
! crypto ca trustpoint $t enrollment url http://<registrar fqdn> rsakeypair $k $s auto-enroll 70 ! $c endWhere $t comes from "trustpoint" configured under the petitioner, $k comes from "rsakeypair" under the trustpoint:
! $l will be replaced by 'mytp.' crypto provisioning petitioner trustpoint mytp ! $k will be replaced by 'mykey.' crypto ca trustpoint mytp rsakeypair mykey !
NoteThe template configuration location may include a variable "$n", which is expanded to the name of the introducer.
The table below lists the available options for the url argument.
Table 3 URL Keywords for the CLI Template Keyword
Description
cns:
Retrieves from the Cisco Networking Services (CNS) configuration engine.
flash:
Retrieves from flash memory.
ftp:
Retrieves from the FTP network server.
http:
Retrieves from a HTTP server (also called a web server).
https:
Retrieves from a Secure HTTP (HTTPS) server.
null:
Retrieves from the file system.
nvram:
Retrieves from the NVRAM of the router.
rcp:
Retrieves from a remote copy (rcp) protocol network server.
scp:
Retrieves from a network server that supports Secure Shell (SSH).
system:
Retrieves from system memory, which includes the running configuration.
tftp:
Retrieves from a TFTP network server.
webflash:
Retrieves from the file system.
xmodem:
Retrieves from a network machine that uses the Xmodem protocol.
Expanded SDP CGI Template Support
Expanded SDP CGI template support allows you to specify a bootstrap configuration based on the client type, model, Cisco IOS version, and current configuration. Specifying a boot strap configuration is accomplished by the TTI registrar forwarding the device information to the external management system when requesting a bootstrap configuration.
The template config command with the post keyword supports expanded SDP CGI templates by allowing the SDP registrar to send the additional information about the device configuration to an external management system by issuing an HTTP POST or an HTTPS POST. Without the use of the post keyword, the SDP registrar requests information only from the management system based on the device name.
NoteIn order to use the expanded SDP CGI support, the registrar must be running Cisco IOS Release 12.4(6)T or a later release, the template config command must be issued with the post keyword, and the url argument must include either the HTTP or HTTPS protocol. No other protocol (for example, FTP) is supported for the expanded CGI template functionality.
The additional information sent to the external management system with the issuance of an HTTP POST from the SDP registrar to the external management system is shown in the table below.
Table 4 AV Pairs Sent During HTTP Post to External Management System AV Pair
Description
TTIFixSubjectName
AAA_AT_TTI_SUBJECTNAME (sent only if the realm authentication user is not the root user on the registrar)
TTIIosRunningConfig
Output of show running-config brief
TTIKeyHash
Digest calculated over the device public key
TTIPrivilege
AAA_AT_TTI_PRIVILEGE--"admin" is sent if the user is an administrator; "user" is sent if the user is not an administrator (sent only if the realm authentication user is an administrator and the information is available from the authentication, authorization, and accounting [AAA] server)
TTISignature
Digest calculated over all attribute-value (AV) pairs except UserDeviceName and TTISignCert
TTISignCert
Device current certificate (sent only if the device currently has a certificate)
TTITemplateVar
AAA_AT_TTI_IOSCONFIG(1-9) (sent only if the realm authentication user is not the root user on the registrar)
TTIUserName
Device name as entered by the administrative introducer (sent only if the realm authentication user is an administrator)
TTIVersion
TTI version of the registrar
Examples
The following example shows how to specify the HTTP URL "http://pki1-36a.cisco.com:80" for the Cisco IOS CLI configuration template, which is sent from the SDP registrar to the external management system during the TTI exchange:
crypto provisioning registrar pki-server cs1 template config http://pki1-36a.cisco.com:80The following example shows how to specify that the SDP registrar will send additional device information to the external management system to retrieve a more specific bootstrap configuration file:
crypto provisioning registrar pki-server cs1 template config http://myserver/cgi-bin/mycgi postRelated Commands
Command
Description
authentication list (tti-registrar)
Authenticates the introducer in an SDP operation.
authorization list (tti-registrar)
Specifies the appropriate authorized fields for both the certificate subject name and the list of template variables to be expanded into the Cisco IOS CLI snippet that is sent back to the petitioner in an SDP operation.
template username
Establishes a template username and password to access the configuration template on the file system.
template file
To specify the source template file location on the registrar and the destination template file location on the petitioner, use the template file command in tti-registrar configuration mode.
Usage Guidelines
Use the template file command to specify the location where a template file will be retrieved from and copied to during the Trusted Transitive Introduction (TTI) exchange. There may be up to nine template files transferred, each with a different source and destination location. A destination URL could also be a token on the petitioner, such as usbtoken0:.
The file content is expanded on the registrar. The destination URL and file content are expanded on the petitioner.
Table 5 Source and Destination URL Keywords Keyword
Description
archive:
Retrieves from the archive location.
cns:
Retrieves from the Cisco Networking Services (CNS) configuration engine.
disk0:
Retrieves from disk0.
disk1:
Retrieves from disk1.
flash:
Retrieves from flash memory.
ftp:
Retrieves from the FTP network server.
http:
Retrieves from a HTTP server.
https:
Retrieves from a Secure HTTP (HTTPS) server.
null:
Retrieves from the file system.
nvram:
Retrieves from the NVRAM of the router.
rcp:
Retrieves from a remote copy (rcp) protocol network server.
scp:
Retrieves from a network server that supports Secure Shell (SSH).
system:
Retrieves from system memory, which includes the running configuration.
tar:
Retrieves from a compressed file in tar format.
tftp:
Retrieves from a TFTP network server.
tmpsys:
Retrieves from a temporary system location.
unix:
Retrieves from the UNIX system location.
usbtoken:
Retrieves from the USB token.
Examples
The following example shows how to specify where the source template file is located and where the template file will be copied to on the petitioner:
crypto provisioning registrar pki-server cs1 template file http://myserver/file1 usbtoken0://file1 template file http://myserver/file2 flash://file2template http admin-introduction
To use a custom administrator introduction template rather than the default template, issue the template http admin-introduction command in tti-registrar configuration mode.
Usage Guidelines
You may want to use a custom administrator introduction template rather than a default template because the device name can be prefilled on the web page for the user. Without this command, the welcome page must be the first page requested by the user.
Examples
The following example shows how to direct the registrar to use the administrator introduction page template located at tftp://walnut.cisco.com/admin-introducer.html:
template http admin-introduction tftp://walnut.cisco.com/admin-introducer.htmlRelated Commands
Command
Description
template http completion
Uses a custom completion template rather than the default template.
template http error
Uses a custom error template rather than the default template.
template http introduction
Uses a custom introduction template rather than the default template.
template http start
Directs the TTI registrar to use the custom start page template.
template http welcome
Uses a custom welcome template rather than the default template.
template http completion
To use a custom completion template rather than the default template, issue the template http completion command in tti-registrar configuration mode.
Usage Guidelines
Custom templates allow for additional information specific to the deployment to be displayed on the web pages. The easy way to define a custom template is to modify the default template.
Examples
The following example shows how to direct the registrar to use the completion page template located at specified location:
template http completion tftp://walnut.cisco.com/completion.htmlRelated Commands
Command
Description
template http admin-introduction
Uses a custom admin-introduction template rather than the default template.
template http error
Uses a custom error template rather than the default template.
template http introduction
Uses a custom introduction template rather than the default template.
template http start
Directs the TTI registrar to use the custom start page template.
template http welcome
Uses a custom welcome template rather than the default template.
template http error
To use a custom error template rather than the default template, issue the template http error command in tti-registrar configuration mode.
Usage Guidelines
Custom templates allow for additional information specific to the deployment to be displayed on the web pages. The easy way to define a custom template is to modify the default template.
Examples
The following example shows how to direct the registrar to use the error page template located at specified location:
template http error tftp://walnut.cisco.com/error.htmlRelated Commands
Command
Description
template http admin-introduction
Uses a custom admin-introduction template rather than the default template.
template http completion
Uses a custom completion template rather than the default template.
template http introduction
Uses a custom introduction template rather than the default template.
template http start
Directs the TTI registrar to use the custom start page template.
template http welcome
Uses a custom welcome template rather than the default template.
template http introduction
To use a custom introduction template rather than the default template, issue the template http introduction command in tti-registrar configuration mode.
Usage Guidelines
From a custom introduction page, the completion URL of the petitioner may be prefilled on the page for the user.
Examples
The following example shows how to direct the registrar to use the customer introduction template located at specified location:
template http introduction tftp://walnut.cisco.com/introduction.htmlRelated Commands
Command
Description
template http admin-introduction
Uses a custom admin-introduction template rather than the default template.
template http completion
Uses a custom completion template rather than the default template.
template http start
Directs the TTI registrar to use the custom start page template.
template http welcome
Uses a custom welcome template rather than the default template.
template http start
To direct the Trusted Transitive Introduction (TTI) registrar to use the custom start page template, issue the template http start command in tti-registrar configuration mode.
Command Default
If this command is not issued, the welcome page will be the initial communication between the introducer and the petitioner.
Usage Guidelines
Use the template http startcommand to display the start page on the registrar and make that page the starting point of the TTI transaction. From the start page, the registrar can direct the user to the welcome page on the petitioner.
Examples
The following example shows how to direct the registrar to use the start page template located at the specified location:
template http start tftp://walnut.cisco.com/start.htmlRelated Commands
Command
Description
template http admin-introduction
Uses a custom admin-introduction template rather than the default template.
template http completion
Uses a custom completion template rather than the default template.
template http introduction
Uses a custom introduction template rather than the default template.
template http welcome
Uses a custom welcome template rather than the default template.
template http welcome
To use a custom welcome template rather than the default template, issue the template http welcome command in tti-registrar configuration mode.
Usage Guidelines
From a custom welcome page, the introduction URL of the registrar may be prefilled on the page for the user.
Examples
The following example shows how to direct the registrar to use the welcome page template located at specified location:
template http welcome tftp://walnut.cisco.com/welcome.htmlRelated Commands
Command
Description
template http admin-introduction
Uses a custom admin-introduction template rather than the default template.
template http completion
Uses a custom completion template rather than the default template.
template http introduction
Uses a custom introduction template rather than the default template.
template http start
Directs the TTI registrar to use the custom start page template.
template location
To specify the location of the template that the SDP Registrar should use while responding to a request received through the URL profile, use the template locationcommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The template locationcommand is required in the SDP registrar configuration, which is used to deploy Apple iPhones on a corporate network.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match authentication trustpoint
Enters the trustpoint name that should be used to authenticate the peer’s certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
match url
Specifies the URL to be associated with the URL profile.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
template variable p
Specifies the value that goes into the OU field of the subject name in the certificate to be issued.
template username
To establish a template username in which to access the file system, use the template username command in tti-registrar configuration mode.
Usage Guidelines
Use the template usernamecommand to create a username-based authentication system that allows you to access the configuration template, which is sent from the Secure Device Provisioning (SDP) registrar to the SDP petitioner during the Trusted Transitive Introduction (TTI) exchange.
template variable p
To specify the value that goes into the Organizational Unit (OU) field of the subject name in the trustpoint certificate to be issued by the SDP Registrar, use the template variablecommand in tti-registrar configuration mode. To remove this configuration, use the no form of this command.
Usage Guidelines
The template variable pcommand can be specified optionally in the SDP registrar configuration.
Examples
The following example configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network from global configuration mode:
Router(config)# crypto provisioning registrar Router(tti-registrar)# url-profile start START Router(tti-registrar)# url-profile intro INTRO Router(tti-registrar)# match url /sdp/intro Router(tti-registrar)# match authentication trustpoint apple-tp Router(tti-registrar)# match certificate cat 10 Router(tti-registrar)# mime-type application/x-apple-aspen-config Router(tti-registrar)# template location flash:intro.mobileconfig Router(tti-registrar)# template variable p iphone-vpnRelated Commands
Command
Description
crypto provisioning registrar
Configures a device to become a registrar for the SDP exchange and enters tti-registrar configuration mode.
url-profile
Specifies a URL profile that configures the SDP registrar to run HTTPS in order to deploy Apple iPhones on a corporate network.
match authentication trustpoint
Enters the trustpoint name that should be used to authenticate the peer’s certificate.
match certificate
Enters the name of the certificate map used to authorize the peer’s certificate.
match url
Specifies the URL to be associated with the URL profile.
mime-type
Specifies the MIME type that the SDP registrar should use to respond to a request received through the URL profile.
template location
Specifies the location of the template that the SDP Registrar should use while responding to a request received through the URL profile.
test aaa group
To associate a dialed number identification service (DNIS) or calling line identification (CLID) user profile with the record that is sent to the RADIUS server or to manually test load-balancing server status, use the test aaa group command in privileged EXEC mode.
DNIS and CLID User Profile
test aaa group { group-name | radius } username password new-code [ profile profile-name ]
RADIUS Server Load Balancing Manual Testing
test aaa group group-name [ server ip-address ] [ auth-port port-number ] [ acct-port port-number ] username password new-code [ count requests ] [ rate requests-per-second ] [ blocked { yes | no } ]
Syntax Description
group-name
Subset of RADIUS servers that are used, as defined by the server group group-name.
radius
Uses RADIUS servers for authentication.
username
Name for the test user.
Caution If you use this command to manually test RADIUS load-balancing server state, it is recommended that a test user, one that is not defined on the RADIUS server, be used to protect against security issues that may arise if the test user is not correctly configured.
password
Password.
new-code
Code path through the new code, which supports a CLID or DNIS user profile association with a RADIUS server.
profile profile-name
(Optional) Identifies the user profile specified in the aaa user profile command. To associate a user profile with the RADIUS server, you must identify the user profile name.
server ip-address
(Optional) For RADIUS server load balancing, specifies to which server in the server group the test packets will be sent.
auth-port
(Optional) User Datagram Protocol (UDP) destination port for authentication requests.
port-number
(Optional) Port number for authentication requests; the host is not used for authentication if set to 0. If unspecified, the port number defaults to 1646.
acct-port
(Optional) UDP destination port for accounting requests.
port-number
(Optional) Port number for accounting requests; the host is not used for accounting if set to 0. If unspecified, the port number defaults to 1646.
count requests
(Optional) Number of authentication and accounting requests that are to be sent to the server for each port. Range: 1 to 50000. Default: 1.
rate requests-per-second
(Optional) Number of requests per second that are to be sent to the server. Range: 1 to 1000. Default: 10.
blocked {yes | no}
(Optional) Specifies whether the request is sent in blocking or nonblocking mode.
If the blocked keyword is not used and one request is sent, the default is yes; if more than one request is sent, the default is no.
DNIS and CLID User Profile
DNIS or CLID attribute values are not sent to the RADIUS server.
RADIUS Server Load Balancing Manual Testing
RADIUS server load-balancing server status manual testing does not occur.
Command History
Release
Modification
12.2(4)T
This command was introduced.
12.2(28)SB
The following keywords and arguments were added for configuring RADIUS load balancing manual testing functionality: server ip-address, auth-port port-number, acct-port port-number, count request, rate requests-per-second, blocked.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
12.2(31)ZV1
This command was enhanced to show user attributes returned from RADIUS authentication when authentication is successful.
Cisco IOS XE Release 2.4
This command was integrated into Cisco IOS XE Release 2.4.
Usage Guidelines
The test aaa group command can be used to
- Associate a DNIS or CLID named user profile with the record that is sent to the RADIUS server, which can then access DNIS or CLID information when the server receives a RADIUS record.
- Verify RADIUS load-balancing server status.
NoteThe test aaa groupcommand does not work with TACACS+.
Examples
The following example shows how to configure a dnis = dnisvalue user profile named prfl1 and associate it with a test aaa groupcommand:
aaa user profile prfl1 aaa attribute dnis aaa attribute dnis dnisvalue no aaa attribute clid ! Attribute not found. aaa attribute clid clidvalue no aaa attribute clid exit ! ! Associate the dnis user profile with the test aaa group command. test aaa group radius user1 pass new-code profile prfl1The following example shows the response from a load-balanced RADIUS server that is alive when the username "test" does not match a user profile. The server is verified alive when it issues an Access-Reject response to a AAA packet generated by the test aaa group command.
Router# test aaa group SG1 test lab new-code 00:06:07: RADIUS/ENCODE(00000000):Orig. component type = INVALID 00:06:07: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off 00:06:07: RADIUS(00000000): Config NAS IP: 192.0.2.4 00:06:07: RADIUS(00000000): sending 00:06:07: RADIUS/ENCODE: Best Local IP-Address 192.0.2.141 for Radius-Server 192.0.2.176 00:06:07: RADIUS(00000000): Send Access-Request to 192.0.2.176:1645 id 1645/1, len 50 00:06:07: RADIUS: authenticator CA DB F4 9B 7B 66 C8 A9 - D1 99 4E 8E A4 46 99 B4 00:06:07: RADIUS: User-Password [2] 18 * 00:06:07: RADIUS: User-Name [1] 6 "test" 00:06:07: RADIUS: NAS-IP-Address [4] 6 192.0.2.141 00:06:07: RADIUS: Received from id 1645/1 192.0.2.176:1645, Access-Reject, len 44 00:06:07: RADIUS: authenticator 2F 69 84 3E F0 4E F1 62 - AB B8 75 5B 38 82 49 C3 00:06:07: RADIUS: Reply-Message [18] 24 00:06:07: RADIUS: 41 75 74 68 65 6E 74 69 63 61 74 69 6F 6E 20 66 [Authentication ] 00:06:07: RADIUS: 61 69 6C 75 72 65 [failure] 00:06:07: RADIUS(00000000): Received from id 1645/1 00:06:07: RADIUS/DECODE: Reply-Message fragments, 22, total 22 bytesExamples
The following example shows the user attribute list that the RADIUS server returns when you issue the test aaa command and authentication is successful:
Router# test aaa group radius viral viral new-code blocked no AAA/SG/TEST: Sending 1 Access-Requests @ 10/sec, 0 Accounting-Requests @ 10/sec CLI-1# AAA/SG/TEST: Testing Status AAA/SG/TEST: Authen Requests to Send : 1 AAA/SG/TEST: Authen Requests Processed : 1 AAA/SG/TEST: Authen Requests Sent : 1 AAA/SG/TEST: Authen Requests Replied : 1 AAA/SG/TEST: Authen Requests Successful : 1 AAA/SG/TEST: Authen Requests Failed : 0 AAA/SG/TEST: Authen Requests Error : 0 AAA/SG/TEST: Authen Response Received : 1 AAA/SG/TEST: Authen No Response Received: 0 AAA/SG/TEST: Testing Status AAA/SG/TEST: Account Requests to Send : 0 AAA/SG/TEST: Account Requests Processed : 0 AAA/SG/TEST: Account Requests Sent : 0 AAA/SG/TEST: Account Requests Replied : 0 AAA/SG/TEST: Account Requests Successful : 0 AAA/SG/TEST: Account Requests Failed : 0 AAA/SG/TEST: Account Requests Error : 0 AAA/SG/TEST: Account Response Received : 0 AAA/SG/TEST: Account No Response Received: 0 USER ATTRIBUTES username "Username:viral" nas-ip-address 3.1.1.1 interface "210" service-type 1 [Login] Framed-Protocol 3 [ARAP] ssg-account-info "S20.5.0.2" ssg-command-code 0B 4C 32 54 50 53 55 52 46 RouterRelated Commands
Command
Description
aaa attribute
Adds DNIS or CLID attribute values to a user profile.
aaa user profile
Creates a AAA user profile.
load-balance
Enables RADIUS server load-balancing for RADIUS-named server groups.
radius-server host
Enables RADIUS automated testing for load balancing.
radius-server load-balance
Enables RADIUS server load-balancing for the global RADIUS server group.
test content-scan
Syntax Description
off-tower-check Disables Cloud Web Security tower validation.
on-tower-check Enables Cloud Web Security tower validation.
telemetry now Immediately sends telemetry and exceptions data to the Cloud Web Security tower.
Command History
Usage Guidelines
NoteThis command is used by the Technical Assistance Center to troubleshoot issues.
Telemetry is an automated communications process in which measurements are made and data that is collected at remote sites is transmitted to receiving equipment for monitoring.
The device on which the Cloud Web Security is configured is monitored, and data is generated periodically. Because most of these devices do not have a lot memory or secondary storage, the generated data is exported and stored in the Cloud Web Security tower. The device connects to a URL hosted by the Cloud Web Security tower by using the HTTP POST method to periodically send telemetry data.
Because the Cloud Web Security tower does not have information about all web traffic, a connector (a persistent, out-of-band secure channel between the device and the Cloud Web Security tower) periodically sends all exception rules to the tower. The connector makes a POST request and pushes all exception rules to a URL. This URL is separate from the telemetry URL.
test crypto self-test
To test the crypto configuration to see if it passes or fails, use the test crypto self-testcommand in privileged or user EXEC mode.
Usage Guidelines
As a result of the test, a new SELF_TEST_RESULT system log is generated. If the crypto test fails, a SELF_TEST_FAILURE system log is generated.
Examples
The following example displays the output of the test crypto self-testcommand:
Router# test crypto self-test *Apr 23 01:48:49.678: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Self test ac) *Apr 23 01:48:49.822: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DH self test) *Apr 23 01:48:49.954: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Software Cry) *Apr 23 01:48:50.054: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Software che) *Apr 23 01:48:50.154: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (DES encrypti) Router# *Apr 23 01:48:50.254: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (3DES encrypt) *Apr 23 01:48:50.354: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (SHA hashing ) *Apr 23 01:48:50.454: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (Random KAT t) *Apr 23 01:48:50.674: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (AES encrypti) *Apr 23 01:48:50.774: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (HMAC-SHA ) Router# *Apr 23 01:48:50.874: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (SHA256 hashi) *Apr 23 01:48:50.974: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (SHA512 hashi) *Apr 23 01:48:50.974: %CRYPTO-6-SELF_TEST_RESULT: Self test info: (ALL TESTS PA)test urlf cache snapshot
text-color
NoteEffective with Cisco IOS Release 12.4(6)T, the text-colorcommand is not available in Cisco IOS software.
To set the color of the text on the title bars of a Secure Sockets Layer Virtual Private Network (SSLVPN), use the text-color command in Web VPN configuration mode. To revert to the default color, use the no form of this command.
threat-detection basic-threat
To configure basic threat detection for a zone, use the threat-detection basic-threat command in parameter-map type inspect configuration mode. To disable basic threat detection, use the no form of this command.
Usage Guidelines
You must configure the parameter-map type inspect-zone command before you can configure threat detection.
Threat detection refers to the ability of a security device to detect and take action against possible threats, anomalies, or attacks. Basic threat detection monitors the rate of predefined events per zone. Once the rate of a certain type of event exceeds the event rate monitoring limit, an alert is sent if the alert on command is configured.
NoteYou cannot associate a default zone to a zone parameter map. As a result, the Event Rate Monitoring feature is not configured as part of the default zone.
After you enable logging for a zone, a log message is logged for each threat detected.
Examples
The following example shows how to configure basic threat detection:
Router(config)# parameter-map type inspect-zone pmap-zone Router(config-profile)# threat-detection basic-threat Router(config-profile)# endRelated Commands
Command
Description
alert on
Turns on or off console display of Cisco IOS stateful packet inspection alert messages.
parameter-map type inspect-zone
Configures an inspect zone-type parameter map and enters parameter-map type inspect configuration mode.
show policy-firewall stats zone
Displays policy firewall statistics at a zone level.
threat-detection rate
Configures the threat detection rate for a zone.
threat-detection rate
To configure the threat detection rate for an event type, use the threat-detection rate command in parameter-map type inspect configuration mode. To disable basic threat detection, use the no form of this command.
threat-detection rate { fw-drop | inspect-drop | syn-attack } average-time-frame seconds average-threshold packets-per-second burst-threshold packets-per-second
no threat-detection rate { fw-drop | inspect-drop | syn-attack }
Syntax Description
fw-drop
Configures the threat detection rate for firewall drop events.
inspect-drop
Configures the threat detection rate for firewall inspection-based drop events.
syn-attack
Configures the threat detection rate for SYN attack events.
average-time-frame seconds
Configures the average time frame for threat detection, in seconds. Valid values are from 600 to 3600.
average-threshold packet-per-second
Configures the average threat detection threshold, in packets per second. Valid values are from 1 to 4294967295.
burst-threshold packets-per-second
Configures the burst threshold for threat detection, in packets per second. Valid values are from 1 to 1000000000.
Usage Guidelines
You must configure the parameter-map type inspect-zone command before you can configure the threat detection rate.
You must configure the threat-detection basic-threat command before you can configure the threat-detection rate command that configures the event rate monitoring rate limit.
Threat detection refers to the ability of a security device to detect possible threats, anomalies, or attacks and to take action against them.
NoteBecause you cannot associate a default zone to a zone parameter map, the Event Rate Monitoring feature is not configured as part of the default zone.
When you enable logging for a zone, a log message is logged for each threat detected.
Examples
The following example shows how to configure the threat detection rate for inspection-based drop events for a zone:
Router(config)# parameter-map type inspect-zone pmap-zone Router(config-profile)# threat-detection rate inspect-drop average-time-frame 200 average-threshold 30 burst-threshold 40 Router(config-profile)# endRelated Commands
Command
Description
parameter-map type inspect-zone
Configures an inspect zone-type parameter map and enters parameter-map type inspect configuration mode.
show policy-firewall stats zone
Displays policy firewall statistics at a zone level.
threat-detection basic-threat
Configures basic threat detection for a zone.
throttle
To configure server group throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server, use the throttlecommand in server group configuration mode. To disable server group throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server, use the no form of this command.
throttle [ accounting threshold ] [ access threshold [ access-timeout number-of-timeouts ] ]
no throttle [ accounting threshold ] [ access threshold [ access-timeout number-of-timeouts ] ]
Syntax Description
accounting threshold
Configures the specified server group threshold value for accounting requests sent to a RADIUS server. The range is 0 through 65536. The default value is 0 (throttling disabled).
access threshold
Configures the specified server group threshold value for access requests sent to a RADIUS server. The range is 0 through 65536. The default value is 0 (throttling disabled).
access-timeout number-of-timeouts
(Optional) Specifies the number of consecutive access timeouts that are allowed before the access request from the specified server group is dropped. The range is 1 through 10. The default value is 3.
Usage Guidelines
Use this command to configure server group throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server. Server group configurations are used to enable or disable throttling for a particular server group and to specify the threshold value for that server group.
Examples
The following examples shows how to configure server group throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server.
The following example shows how to limit the number of accounting requests sent to server-group-A to 100:
Router> enable Router# configure terminal Router(config)# aaa group server radius server-group-A Router(config-sg-radius)# throttle accounting 100The following example shows how to limit the number of access requests packets sent to server-group-A to 200 and sets the number of timeouts allowed per transactions to 2:
Router> enable Router# configure terminal Router(config)# aaa group server radius server-group-A Router(config-sg-radius)# throttle access 200 access-timeout 2The following example shows how to throttle both accounting and access request packets for server-group-A:
Router> enable Router# configure terminal Router(config)# aaa group server radius server-group-A Router(config-sg-radius)# throttle accounting 100 access 200Related Commands
Command
Description
radius-server host
Specifies a RADIUS server host.
radius-server key
Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
radius-server retransmit
Specifies the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up.
radius-server throttle
Configures global throttling of access (authentication and authorization) and accounting records that are sent to the RADIUS server.
radius-server timeout
Specifies the number of seconds a router waits for a server host to reply before timing out.
show radius statistics
Displays the RADIUS statistics for accounting and authentication packets.
timeout (application firewall application-configuration)
To specify the elapsed length of time before an inactive connection is torn down, use the timeout command in the appropriate configuration mode. To return to the default value, use the no form of this command.
Command Default
If this command is not issued, the default value specified via the ip inspect tcp idle-timecommand will be used.
Command Modes
cfg-appfw-policy-http
configuration
cfg-appfw-policy-aim configuration
cfg-appfw-policy-ymsgr configuration
cfg-appfw-policy-msnmsgr configurationUsage Guidelines
The timeout command overrides the global TCP idle timeout value for HTTP traffic or for traffic of a specified instant messenger application (AOL, Yahoo, or MSN).
Before you can issue the timeout command, you must enable protocol inspection via the application command, which allows you to specify whether you want to inspect HTTP traffic or instant messenger application traffic. The application command puts the router in appfw-policy-protocolconfiguration mode, where "protocol" is dependent upon the specified protocol.
Examples
The following example shows how to define the HTTP application firewall policy "mypolicy." This policy includes all supported HTTP policy rules. After the policy is defined, it is applied to the inspection rule "firewall," which will inspect all HTTP traffic entering the FastEthernet0/0 interface.
! Define the HTTP policy. appfw policy-name mypolicy application http strict-http action allow alarm content-length maximum 1 action allow alarm content-type-verification match-req-rsp action allow alarm max-header-length request 1 response 1 action allow alarm max-uri-length 1 action allow alarm port-misuse default action allow alarm request-method rfc default action allow alarm request-method extension default action allow alarm transfer-encoding type default action allow alarm timeout 60 ! ! ! Apply the policy to an inspection rule. ip inspect name firewall appfw mypolicy ip inspect name firewall http ! ! ! Apply the inspection rule to all HTTP traffic entering the FastEthernet0/0 interface. interface FastEthernet0/0 ip inspect firewall in ! !timeout (config-radius-server)
To specify the time interval (in seconds) that the router waits for the RADIUS server to reply before retransmitting, use the timeout command in RADIUS server configuration mode. To restore the default value, use the no form of this command.
Usage Guidelines
Use the timeout command to set the number of seconds a router waits for a server host to reply before timing out.
If the RADIUS server is only a few hops from the router, it is recommended that you configure the RADIUS server timeout to 15 seconds.
Examples
The following example shows how to set the interval timer to 10 seconds:
Device(config)# aaa new-model Device(config)# radius server myserver Device(config-radius-server)# address ipv4 192.0.2.2 Device(config-radius-server)# timeout 10timeout (GTP)
To configure timeout values for General Packet Radio Service (GPRS) Tunneling Protocol (GTP), use the timeout command in parameter-map type inspect configuration mode. To remove the configured timeout values, use the no form of this command.
Usage Guidelines
When you configure the timeout pdp-context command, inactive PDP request queues are dropped based on the timeout value. Similarly, when you configure timeout request-queue command, GTP requests that are queued to wait for a response are dropped based on the timeout value.
timeout (parameter-map)
To configure the time interval for content scanning, use the timeout command in parameter-map type inspect configuration. To disable the time interval for content scanning, use the no form of this command.
timeout { server seconds | session-inactivity seconds }
no timeout { server seconds | session-inactivity seconds }
Usage Guidelines
The timeout command configures the timeout to check the availability of the ScanSafe servers and to determine the active tower. The primary tower is tried first and if it fails, the secondary tower is chosen as the active. The secondary tower falls back to the primary tower, if the primary is detected to be active for three consecutive timeouts. The session inactivity timer is used to remove the sessions that are inactive for the configured duration.
timeout (policy group)
To configure the length of time that an end user session can remain idle or the total length of time that the session can remain connected, use the timeout command in webvpn group policy configuration mode. To configure timeout timers to default values, use the no form of this command.
Command Default
The following default values are used if this command is not configured or if the no form is entered:
idle 2100 session 43200
Usage Guidelines
This command is used to configure the idle or session timer value. The idle timer sets the length of time that a session will remain connected when the end user generates no activity. The session timer sets the total length of time that a session will remain connected, with or without activity. Upon expiration of either timer, the end user connection is closed. The user must login or reauthenticate to access the Secure Sockets Layer Virtual Private Network (SSL VPN).
NoteThe idle timer is not the same as the dead peer timer. The dead peer timer is reset when any packet type is received over the Cisco AnyConnect VPN Client tunnel. The idle timer is reset only when the end user generates activity.
timeout (TACACS+)
To configure the time to wait for a reply from the specified TACACS server, use the timeoutcommand in TACACS+ server configuration mode. To return to the command default, use the no form of this command.
Usage Guidelines
Use the timeout command to set the time, in seconds, to wait for a reply from the TACACS server. If the timeout command is configured, the specified number of seconds overrides the default time of 5 seconds.
timeout file download
To specify how often the consent webpage should be downloaded from the file server, use the timeout file download command in parameter-map-type consent configuration mode. To remove the configured download time, use the no form of this command with the configured time.
Usage Guidelines
Using the timeout file downloadcommand ensures that the consent file has the most current parameter map defintions.
Examples
In the following example, the file "consent_page.html" will be downloaded from the file server every 35791 minutes:
parameter-map type consent consent_parameter_map copy tftp://192.168.104.136/consent_page.html flash:consent_page.html authorize accept identity consent_identity_policy timeout file download 35791 file flash:consent_page.html logging enabled exit ! parameter-map type consent default copy tftp://192.168.104.136/consent_page.html flash:consent_page.html authorize accept identity test_identity_policy timeout file download 35791 file flash:consent_page.html logging enabled exit !timeout login response
To specify how long the system will wait for login input (such as username and password) before timing out, use the timeout login responsecommand in line configuration mode. To set the timeout value to 30 seconds (which is the default timeout value), use the noform of this command.
Command History
Release
Modification
11.3
This command was introduced.
12.2(33)SRA
This command was integrated into Cisco IOS release 12.(33)SRA.
12.2SX
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
timeout retransmit
To set an interval for a router to wait for a reply from the Lightweight Directory Access Protocol (LDAP) server before it times out, use the timeout retransmitcommand in LDAP server configuration. To restore the default, use the no form of this command.
timer (Diameter peer)
To configure the Diameter Credit Control Application (DCCA) for peer-to-peer communication, use the timer command in Diameter peer configuration mode. To disable the configured protocol, use the no form of this command.
timer { connection | transaction | watchdog } value
no timer { connection | transaction | watchdog } value
Syntax Description
connection
Maximum interval, in seconds, for the Gateway General Packet RadioService (GPRS) Support Node (GGSN) to attempt reconnection to a Diameter peer after after being disconnected because of a transport failure. The range is from 1 to 1000. The default is 30.
A value of 0 configures the GGSN not to attempt reconnection.
transaction
Maximum interval, in seconds, the GGSN waits for a Diameter peer to respond before trying another peer. The range is from 1 to 1000. The default is 30.
watchdog
Maximum interval, in seconds, the GGSN waits for a Diameter peer response to a watchdog packet. The range is from 1 to 1000. The default is 30.
Note When the watchdog timer expires, a device watchdog request (DWR) is sent to the Diameter peer and the watchdog timer is reset. If a device watchdog answer (DWA) is not received before the next expiration of the watchdog timer, a transport failure to the Diameter peer has occurred.
value
The valid range, in seconds, from 1 to 1000. The default is 30.
Usage Guidelines
When configuring timers, the value for the transaction timer should be larger than the transmission-timeout value, and, on the Serving GPRS Support Node (SGSN), the values configured for the number of GPRS Tunneling Protocol (GTP) N3 requests and T3 retransmissions must be larger than the sum of all possible server timers (RADIUS, Diameter Credit Control Application (DCCA), and Cisco Content Services Gateway (CSG)). Specifically, the SGSN N3*T3 must be greater than 2 x RADIUS timeout + N x DCCA timeout + CSG timeout where:
- The factor 2 is for both authentication and accounting.
- The value N is for the number of Diameter servers configured in the server group.
timer reauthentication (config-if-cts-dot1x)
To set the reauthentication timer period to be used if the authentication server does not specify a period, use the timer reauthentication command in CTS dot1x interface configuration mode. Use the no form of the command to disable the timer.
Usage Guidelines
When the reauthentication timer expires, the device reauthenticates to the CTS network (NDAC).
Examples
The following example sets the reauthentication timer to 44 seconds:
Router(config-if-cts-dot1x)# timer reauthentication 44Related Commands
Command
Description
cts dot1x
Enables Network Device Admission Control (NDAC) and configure NDAC authentication parameters.
propagate sgt (config-if-cts-dot1x)
Enables Security Group Tag (SGT) propagation on a Cisco TrustSec (CTS) 802.1X interface.
sap mode-list (config-if-cts-dot1x)
Configures CTS Security Association Protocol (SAP) authentication.
show cts interface
Displays CTS interface status and configurations.
show dot1x interface
Displays IEEE 802.1x configurations and statistics.
timers delay
To configure the time that a redundancy group takes to delay role negotiations that start after a fault occurs or the system is reloaded, use the timers delaycommand in redundancy application group configuration mode. To disable the timer, use the no form of this command.
Examples
The following example shows how to set the timer delay value and reload value for a redundancy group named group 1:
Router# configure terminal Router(config)# redundancy Router(config-red)# application redundancy Router(config-red-app)# group 1 Router(config-red-app-grp)# timers delay 100 reload 400Related Commands
Command
Description
application redundancy
Enters redundancy application configuration mode.
authentication
Configures clear text authentication and MD5 authentication for a redundancy group.
control
Configures the control interface type and number for a redundancy group.
data
Configures the data interface type and number for a redundancy group.
group(firewall)
Enters redundancy application group configuration mode.
name
Configures the redundancy group with a name.
preempt
Enables preemption on the redundancy group.
protocol
Defines a protocol instance in a redundancy group.
redundancy rii
Configures the RII for the redundancy group.
timers hellotime
To configure timers for hellotime and holdtime messages for a redundancy group, use the timers hellotimecommand in redundancy application protocol configuration mode. To disable the timers in the redundancy group, use the no form of this command.
timers hellotime [msec] seconds holdtime [msec] seconds
no timers hellotime [msec] seconds holdtime [msec] seconds
Syntax Description
msec
(Optional) Specifies the interval, in milliseconds, for hello messages.
seconds
Interval time, in seconds, for hello messages. The range is from 1 to 254.
holdtime
Specifies the hold timer.
msec
Specifies the interval, in milliseconds, for hold time messages.
seconds
Interval time, in milliseconds, for hold time messages. The range is from 6 to 255.
Command Default
The default value for the hellotime interval is 3 seconds and for the holdtime interval is 10 seconds.
Usage Guidelines
The hello time is an interval in which hello messages are sent. The holdtime is the time before the active or the standby device is declared to be in down state. Use the msec keyword to configure the timers in milliseconds.
NoteIf you allocate a large amount of memory to the log buffer (e.g. 1 GB), then the CPU and memory utilization of the router increases. This issue is compounded if small intervals are set for the hellotime and the holdtime. If you want to allocate a large amount of memory to the log buffer, we recommend that you accept the default values for the hellotime and holdtime. For the same reason, we also recommend that you do not use the preempt command.
Examples
The following example shows how to configure the hellotime and holdtime messages:
Router# configure terminal Router(config)# redundancy Router(config-red)# application redundancy Router(config-red-app)# protocol 1 Router(config-red-app-prtcl)# timers hellotime 100 holdtime 100Related Commands
Command
Description
application redundancy
Enters redundancy application configuration mode.
authentication
Configures clear text authentication and MD5 authentication for a redundancy group.
group(firewall)
Enters redundancy application group configuration mode.
name
Configures the redundancy group with a name.
preempt
Enables preemption on the redundancy group.
protocol
Defines a protocol instance in a redundancy group.
title
To configure the HTML title string that is shown in the browser title and on the title bar of a Secure Sockets Layer Virtual Private Network (SSL VPN), use the title command in webvpn context configuration mode. To revert to the default text string, use the no form of this command.
Command Default
If this command is not configured or if the no form is entered, the following text is displayed:
"WebVPN Service"
Usage Guidelines
The optional form of the title command is entered to configure a custom text string. If this command is issued without entering a text string, a title will not be displayed in the browser window. If the no form of this command is used, the default title string "WebVPN Service" is displayed.
title-color
To specify the color of the title bars on the login and portal pages of a Secure Sockets Layer Virtual Private Network (SSL VPN), use the title-color command in webvpn context configuration mode. To remove the color, use the no form of this command.
Syntax Description
color
The value for the color argument is entered as a comma-separated red, green, blue (RGB) value, an HTML color value (beginning with a"#"), or the name of the color that is recognized in HTML (no spaces between words or characters). The value is limited to 32 characters. The value is parsed to ensure that it matches one of the following formats (using Perl regex notation):
- \#/x{6}
- \d{1,3},\d{1,3},\d{1,3} (and each number is from 1 to 255)
- \w+
The default is purple.
Command Default
The color purple is used if this command is not configured or if the no form is entered.
