-
Cisco Security Appliance Command Reference, Version 7.1
-
About this Guide
-
Using the Command Line Interface
-
aaa accounting through accounting-server-group
-
acl-netmask-convert through auto-update timeout Commands
-
backup-servers through browse networks Commands
-
cache through clear compression Commands
-
clear configure through clear configure vpn-load-balancing Commands
-
clear console-output through clear xlate Commands
-
client-access-rule through crl-configure Commands
-
crypto ca authenticate through customization Commands
-
debug aaa through debug xdmcp Commands
-
default through duplex Commands
-
email through functions Commands
-
gateway through hw-module module shutdown Commands
-
icmp through imap4s Commands
-
inspect ctiqbe through inspect xdmcp Commands
-
interface-dhcp through issuer-name Commands
-
join-failover-group through kill Commands
-
ldap-attribute-map through log-adj-changes Commands
-
logging asdm through logout message Commands
-
mac-address through multicast-routing Commands
-
name through override-account-disable Commands
-
page style through pwd Commands
-
queue-limit through routerospf Commands
-
same-security-traffic through show asdm sessions Commands
-
show asp drop through show curpriv Commands
-
show debug through show ipv6 traffic Commands
-
show isakmp sa through show route Commands
-
show running-config through show running-config isakmp Commands
-
show running-config ldap through show running-config webvpn auto-signon Commands
-
show service-policy through show webvpn svc Commands
-
shun through sysopt uauth allow-http-cache Commands
-
tcp-map through tx-ring-limit Commands
-
urgent-flag through write terminal Commands
-
Feedback
Table Of Contents
ldap-attribute-map through log-adj-changes Commands
ldap-attribute-map (aaa-server host mode)
ldap attribute-map (global configuration mode)
ldap-attribute-map through log-adj-changes Commands
ldap-attribute-map (aaa-server host mode)
To bind an existing mapping configuration to an LDAP host, use the ldap-attribute-map command in aaa-server host mode.
To remove the binding, use the no form of this command.
ldap-attribute-map map-name
no ldap-attribute-map map-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
If the Cisco-defined LDAP attribute names do not meet your ease-of-use or other requirements, you can create your own attribute names, map them to Cisco attributes, and then bind the resulting attribute configuration to an LDAP server. Your typical steps would include:
1.
2.
3.
Examples
The following example commands, entered in aaa-server host configuration mode, bind an existing attribute map named myldapmap to an LDAP server named ldapsvr1:
hostname(config)# aaa-server ldapsvr1 host 10.10.0.1hostname(config-aaa-server-host)# ldap-attribute-map myldapmaphostname(config-aaa-server-host)#Related Commands
ldap attribute-map (global configuration mode)
To create and name an LDAP attribute map for mapping user-defined attribute names to Cisco LDAP attribute names, use the ldap attribute-map command in global configuration mode.
To remove the map, use the no form of this command.
ldap attribute-map map-name
no ldap attribute-map map-name
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
global configuration
•
•
•
•
—
Command History
Usage Guidelines
With the ldap attribute-map command, you can map your own attribute names and values to Cisco attribute names. You can then bind the resulting attribute map to an LDAP server. Your typical steps would be as follows:
1.
2.
3.
Note
Examples
The following example command, entered in global configuration mode, creates an LDAP attribute map named myldapmap prior to populating it or binding it to an LDAP server:
hostname(config)# ldap attribute-map myldapmaphostname(config-ldap-attribute-map)#Related Commands
ldap-base-dn
To specify the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request, use the ldap-base-dn command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, thus resetting the search to start at the top of the list, use the no form of this command.
ldap-base-dn string
no ldap-base-dn
Syntax Description
Defaults
Start the search at the top of the list.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP base DN as starthere.
hostname(config)#aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry 7hostname(config-aaa-server-host)# ldap-base-dn startherehostname(config-aaa-server-host)#exitRelated Commands
ldap-defaults
To define LDAP default values, use the ldap-defaults command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These default values are used only when the LDAP server requires them. To specify no LDAP defaults, use the no form of this command.
ldap-defaults server [port]
no ldap-defaults
Syntax Description
Defaults
The default setting is not set.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
•
•
•
•
Command History
Examples
The following example defines LDAP default values on the default port (389):
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# ldap-defaults ldapdomain4 8389Related Commands
crl configure
Enters ca-crl configuration mode.
crypto ca trustpoint
Enters trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs
ldap-dn
To pass a X.500 distinguished name and password to an LDAP server that requires authentication for CRL retrieval, use the ldap-dn command in crl configure configuration mode. Crl configure configuration mode is accessible from crypto ca trustpoint configuration mode. These parameters are used only when the LDAP server requires them.
To specify no LDAP DN, use the no form of this command.
ldap-dn x.500-name password
no ldap-dn
Syntax Description
Defaults
The default setting is not on.
Command Modes
The following table shows the modes in which you can enter the command:
Crl configure configuration
•
—
•
—
—
Command History
Examples
The following example specifies an X.500 name CN=admin,OU=devtest,O=engineering and a password xxzzyy for trustpoint central:
hostname(config)# crypto ca trustpoint centralhostname(ca-trustpoint)# crl configurehostname(ca-crl)# ldap-dn cn=admin,ou=devtest,o=engineering xxzzyyRelated Commands
crl configure
Enters crl configure configuration mode.
crypto ca trustpoint
Enters ca trustpoint configuration mode.
protocol ldap
Specifies LDAP as a retrieval method for CRLs.
ldap-login-dn
To specify the name of the directory object that the system should bind this as, use the ldap-login-dn command in aaa-server host mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command.
ldap-login-dn string
no ldap-login-dn
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers. The maximum supported string length is 128 characters.
Some LDAP servers, including the Microsoft Active Directory server, require that the security applianceestablish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The security appliance identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field describes the authentication characteristics of the security appliance. These characteristics should correspond to those of a user with administrator privileges.
For the string variable, enter the name of the directory object for VPN Concentrator authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.
Examples
The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login DN as myobjectname.
hostname(config)#aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry 7hostname(config-aaa-server-host)# ldap-login-dn myobjectnamehostname(config-aaa-server-host)#Related Commands
ldap-login-password
To specify the login password for the LDAP server, use the ldap-login-password command in aaa-server host mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this password specification, use the no form of this command:
ldap-login-password string
no ldap-login-password
Syntax Description
string
A case-sensitive, alphanumeric password, up to 64 characters long. The password cannot contain space characters.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for LDAP servers. The maximum password string length is 64 characters.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP login password as obscurepassword.
hostname(config)#aaa-server svrgrp1 protocol ldaphostname(config)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server)#timeout 9hostname(config-aaa-server)#retry 7hostname(config-aaa-server)# ldap-login-password obscurepasswordhostname(config-aaa-server)#Related Commands
ldap-naming-attribute
To specify the Relative Distinguished Name attribute, use the ldap-naming-attribute command in aaa-server host mode. Aaa-server host configuration mode is accessible from aaa-server protocol configuration mode. To remove this specification, use the no form of this command:
ldap-naming-attribute string
no ldap-naming-attribute
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
Enter the Relative Distinguished Name attribute that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
This command is valid only for LDAP servers. The maximum supported string length is 128 characters.
Examples
The following example configures an LDAP AAA server named srvgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP naming attribute as cn.
hostname(config)#aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry 7hostname(config-aaa-server-host)# ldap-naming-attribute cnhostname(config-aaa-server-host)#Related Commands
ldap-over-ssl
To establish a secure SSL connection between the security appliance and the LDAP server, use the ldap-over-ssl command in aaa-server host configuration mode.
To disable SSL for the connection, use the no form of this command.
ldap-over-ssl enable
no ldap-over-ssl enable
Syntax Description
Syntax DescriptionSyntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
Use this command to specify that SSL secures a connection between the security appliance and an LDAP server.
Note
Examples
The following commands, entered in aaa-server host configuration mode, enable SSL for a connection between the security appliance and the LDAP server named ldapsvr1 at IP address 10.10.0.1. They also configure the plain SASL authentication mechanism.
hostname(config)# aaa-server ldapsvr1 protocol ldaphostname(config-aaa-server-host)# aaa-server ldapsvr1 host 10.10.0.1hostname(config-aaa-server-host)# ldap-over-ssl enablehostname(config-aaa-server-host)#Related Commands
ldap-scope
To specify the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request, use the ldap-scope command in aaa-server host configuration mode. Aaa-server host configuration mode is accessibile from aaa-server protocol configuration mode. To remove this specification, use the no form of this command:
ldap-scope scope
no ldap-scope
Syntax Description
Defaults
The default value is onelevel.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host
•
•
•
•
—
Command History
Usage Guidelines
Specifying the scope as onelevel results in a faster search, because only one level beneath the Base DN is searched. Specifying subtree is slower, because all levels beneath the Base DN are searched.
This command is valid only for LDAP servers.
Examples
The following example configures an LDAP AAA server named svrgrp1 on host 1.2.3.4, sets a timeout of 9 seconds, sets a retry-interval of 7 seconds, and configures the LDAP scope to include the subtree levels.
hostname(config)#aaa-server svrgrp1 protocol ldaphostname(config-aaa-server-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#timeout 9hostname(config-aaa-server-host)#retry 7hostname(config-aaa-server-host)# ldap-scope subtreehostname(config-aaa-server-host)#Related Commands
leap-bypass
To enable LEAP Bypass, use the leap-bypass enable command in group-policy configuration mode. To disable LEAP Bypass, use the leap-bypass disable command. To remove the LEAP Bypass attribute from the running configuration, use the no form of this command. This option allows inheritance of a value for LEAP Bypass from another group policy.
LEAP Bypass lets LEAP packets from wireless devices behind a VPN hardware client travel across a VPN tunnel prior to user authentication, when enabled. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per user authentication.
leap-bypass {enable | disable}
no leap-bypass
Syntax Description
Defaults
LEAP Bypass is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
This feature does not work as intended if you enable interactive hardware client authentication.
For further information, see the Cisco Security Appliance Command Line Configuration Guide.
Note
Examples
The following example shows how to set LEAP Bypass for the group policy named "FirstGroup":
hostname(config)# group-policy FirstGroup attributeshostname(config-group-policy)# leap-bypass enableRelated Commands
lmfactor
To set a revalidation policy for caching objects that have only the last-modified timestamp, and no other server-set expiration values, use the lmfactor command in cache mode. To set a new policy for revalidating such objects, use the command again. To reset the attribute to the default value of 20, enter the no version of the command.
lmfactor value
no lmfactor
Syntax Description
Defaults
The default value is 20.
Command Modes
The following table shows the modes in which you enter the command:
Cache mode
•
—
•
—
—
Command History
Usage Guidelines
The security appliance uses the value of the lmfactor to estimate the length of time for which it considers a cached object to be unchanged. This is known as the expiration time. The security appliance estimates th expiration time by the time elapsed since the last modification multiplied by the lmfactor.
Setting the lmfactor to zero is equivalent to forcing an immediate revalidation, while setting it to 100 results in the longest allowable time until revalidation.
Examples
The following example shows how to set an lmfactor of 30:
hostname(config)#webvpnhostname(config-webvpn)#cachehostname(config-webvpn-cache)# lmfactor 30hostname(config-webvpn-cache)#Related Commands
log-adj-changes
To configure the router to send a syslog message when an OSPF neighbor goes up or down, use the log-adj-changes command in router configuration mode. To turn off this function, use the no form of this command.
log-adj-changes [detail]
no log-adj-changes [detail]
Syntax Description
detail
(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.
Defaults
This command is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The log-adj-changes command is enabled by default; it appears in the running configuration unless removed with the no form of the command.
Examples
The following example disables the sending of a syslog message when an OSPF neighbor goes up or down:
hostname(config)# router ospf 5hostname(config-router)# no log-adj-changesRelated Commands
router ospf
Enters router configuration mode.
show ospf
Displays general information about the OSPF routing processes.
