8/20/2019 Ios Sec Comm Ref
1/537
Cisco Systems, Inc.
Corporate Headquarters
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 800 553-NETS (6387)
     408 526-4000
Fax: 408 526-4100

Cisco IOS Security Command Reference
Release 12.2

Customer Order Number: DOC-7811748=
Text Part Number: 78-11748-02
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

AccessPath, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, Fast Step, Follow Me Browsing, FormShare, FrameShare, GigaStack, IGX, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, the iQ Logo, iQ Net Readiness Scorecard, MGX, the Networkers logo, Packet, PIX, RateMUX, ScriptBuilder, ScriptShare, SlideCast, SMARTnet, TransPath, Unity, Voice LAN, Wavelength Router, and WebViewer are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Discover All That’s Possible, and Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastSwitch, IOS, IP/TV, LightStream, MICA, Network Registrar, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, and VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries.

All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0102R)

Cisco IOS Security Command Reference
© 2001–2006 Cisco Systems, Inc.
All rights reserved.
Contents
About Cisco IOS Software Documentation  v
Using Cisco IOS Software  xiii

Authentication, Authorization, and Accounting
    Authentication Commands  SR-3
    Authorization Commands  SR-69
    Accounting Commands  SR-85

Security Server Protocols
    RADIUS Commands  SR-113
    TACACS+ Commands  SR-167
    Kerberos Commands  SR-185

Traffic Filtering and Firewalls
    Lock-and-Key Commands  SR-201
    Reflexive Access List Commands  SR-209
    TCP Intercept Commands  SR-219
    Context-Based Access Control Commands  SR-239
    Cisco IOS Firewall Intrusion Detection System Commands  SR-271
    Authentication Proxy Commands  SR-289
    Port to Application Mapping Commands  SR-299

IP Security and Encryption
    IPSec Network Security Commands  SR-309
    Certification Authority Interoperability Commands  SR-361
    Internet Key Exchange Security Protocol Commands  SR-399

Other Security Features
    Passwords and Privileges Commands  SR-445
    IP Security Options Commands  SR-465
    Unicast Reverse Path Forwarding Commands  SR-493
    Secure Shell Commands  SR-499

Index
About Cisco IOS Software Documentation
This chapter discusses the objectives, audience, organization, and conventions of Cisco IOS software documentation. It also provides sources for obtaining documentation from Cisco Systems.

Documentation Objectives

Cisco IOS software documentation describes the tasks and commands necessary to configure and maintain Cisco networking devices.

Audience

The Cisco IOS software documentation set is intended primarily for users who configure and maintain Cisco networking devices (such as routers and switches) but who may not be familiar with the tasks, the relationship between tasks, or the Cisco IOS software commands necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for those users experienced with Cisco IOS software who need to know about new features, new configuration options, and new software characteristics in the current Cisco IOS software release.

Documentation Organization

The Cisco IOS software documentation set consists of documentation modules and master indexes. In addition to the main documentation set, there are supporting documents and resources.

Documentation Modules

The Cisco IOS documentation modules consist of configuration guides and corresponding command reference publications. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference publication provide complete Cisco IOS command syntax information. Use each configuration guide in conjunction with its corresponding command reference publication.
Figure 1 shows the Cisco IOS software documentation modules.

Note The abbreviations (for example, FC and FR) next to the book icons are page designators, which are defined in a key in the index of each document to help you with navigation. The bullets under each module list the major technology areas discussed in the corresponding books.

Figure 1 Cisco IOS Software Documentation Modules

(The figure itself is not reproduced here; its modules, books, page designators, and technology areas are listed below.)

Module FC/FR: Cisco IOS Configuration Fundamentals Configuration Guide (FC) and Cisco IOS Configuration Fundamentals Command Reference (FR)
• Cisco IOS User Interfaces
• File Management
• System Management

Module IPC/IP1R/IP2R/IP3R: Cisco IOS IP Configuration Guide (IPC); Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services (IP1R); Volume 2 of 3: Routing Protocols (IP2R); Volume 3 of 3: Multicast (IP3R)
• IP Addressing and Services
• IP Routing Protocols
• IP Multicast

Module P2C/P2R: Cisco IOS AppleTalk and Novell IPX Configuration Guide (P2C) and Command Reference (P2R)
• AppleTalk
• Novell IPX

Module P3C/P3R: Cisco IOS Apollo Domain, Banyan VINES, DECnet, ISO CLNS, and XNS Configuration Guide (P3C) and Command Reference (P3R)
• Apollo Domain
• Banyan VINES
• DECnet
• ISO CLNS
• XNS

Module WC/WR: Cisco IOS Wide-Area Networking Configuration Guide (WC) and Command Reference (WR)
• ATM
• Broadband Access
• Frame Relay
• SMDS
• X.25 and LAPB

Module SC/SR: Cisco IOS Security Configuration Guide (SC) and Cisco IOS Security Command Reference (SR)
• AAA Security Services
• Security Server Protocols
• Traffic Filtering and Firewalls
• IP Security and Encryption
• Passwords and Privileges
• Neighbor Router Authentication
• IP Security Options
• Supported AV Pairs

Module IC/IR: Cisco IOS Interface Configuration Guide (IC) and Command Reference (IR)
• LAN Interfaces
• Serial Interfaces
• Logical Interfaces

Module MWC/MWR: Cisco IOS Mobile Wireless Configuration Guide (MWC) and Command Reference (MWR)
• General Packet Radio Service

Module VC/VR: Cisco IOS Voice, Video, and Fax Configuration Guide (VC) and Command Reference (VR)
• Voice over IP
• Call Control Signalling
• Voice over Frame Relay
• Voice over ATM
• Telephony Applications
• Trunk Management
• Fax, Video, and Modem Support

Module QC/QR: Cisco IOS Quality of Service Solutions Configuration Guide (QC) and Command Reference (QR)
• Packet Classification
• Congestion Management
• Congestion Avoidance
• Policing and Shaping
• Signalling
• Link Efficiency Mechanisms

Module DC/DR: Cisco IOS Dial Technologies Configuration Guide (DC) and Command Reference (DR)
• Preparing for Dial Access
• Modem and Dial Shelf Configuration and Management
• ISDN Configuration
• Signalling Configuration
• Dial-on-Demand Routing Configuration
• Dial-Backup Configuration
• Dial-Related Addressing Services
• Virtual Templates, Profiles, and Networks
• PPP Configuration
• Callback and Bandwidth Allocation Configuration
• Dial Access Specialized Features
• Dial Access Scenarios

Module BC/B1R: Cisco IOS Bridging and IBM Networking Configuration Guide (BC) and Cisco IOS Bridging and IBM Networking Command Reference, Volume 1 of 2 (B1R)
• Transparent Bridging
• SRB
• Token Ring Inter-Switch Link
• Token Ring Route Switch Module
• RSRB
• DLSw+
• Serial Tunnel and Block Serial Tunnel
• LLC2 and SDLC
• IBM Network Media Translation
• SNA Frame Relay Access
• NCIA Client/Server
• Airline Product Set

Module BC/B2R: Cisco IOS Bridging and IBM Networking Configuration Guide (BC) and Cisco IOS Bridging and IBM Networking Command Reference, Volume 2 of 2 (B2R)
• DSPU and SNA Service Point
• SNA Switching Services
• Cisco Transaction Connection
• Cisco Mainframe Channel Connection
• CLAW and TCP/IP Offload
• CSNA, CMPC, and CMPC+
• TN3270 Server

Module XC/XR: Cisco IOS Switching Services Configuration Guide (XC) and Command Reference (XR)
• Cisco IOS Switching Paths
• NetFlow Switching
• Multiprotocol Label Switching
• Multilayer Switching
• Multicast Distributed Switching
• Virtual LANs
• LAN Emulation

Module TC/TR: Cisco IOS Terminal Services Configuration Guide (TC) and Command Reference (TR)
• ARA
• LAT
• NASI
• Telnet
• TN3270
• XRemote
• X.28 PAD
• Protocol Translation
Master Indexes
Two master indexes provide indexing information for the Cisco IOS software documentation set:
an index for the configuration guides and an index for the command references. Individual books also
contain a book-specific index.
The master indexes provide a quick way for you to find a command when you know the command name but not which module contains the command. When you use the online master indexes, you can click the page number for an index entry and go to that page in the online document.
Supporting Documents and Resources
The following documents and resources support the Cisco IOS software documentation set:
• Cisco IOS Command Summary (three volumes)—This publication explains the function and syntax of the Cisco IOS software commands. For more information about defaults and usage guidelines, refer to the Cisco IOS command reference publications.
• Cisco IOS System Error Messages—This publication lists and describes Cisco IOS system error
messages. Not all system error messages indicate problems with your system. Some are purely
informational, and others may help diagnose problems with communications lines, internal
hardware, or the system software.
• Cisco IOS Debug Command Reference—This publication contains an alphabetical listing of the
debug commands and their descriptions. Documentation for each command includes a brief
description of its use, command syntax, usage guidelines, and sample output.
• Dictionary of Internetworking Terms and Acronyms—This Cisco publication compiles and defines
the terms and acronyms used in the internetworking industry.
• New feature documentation—The Cisco IOS software documentation set documents the mainline
release of Cisco IOS software (for example, Cisco IOS Release 12.2). New software features are
introduced in early deployment releases (for example, the Cisco IOS “T” release train for 12.2,
12.2(x)T). Documentation for these new features can be found in standalone documents called“feature modules.” Feature module documentation describes new Cisco IOS software and hardware
networking functionality and is available on Cisco.com and the Documentation CD-ROM.
• Release notes—This documentation describes system requirements, provides information about
new and changed features, and includes other useful information about specific software releases.
See the section “Using Software Release Notes” in the chapter “Using Cisco IOS Software” for
more information.
• Caveats documentation—This documentation provides information about Cisco IOS software
defects in specific software releases.
• RFCs—RFCs are standards documents maintained by the Internet Engineering Task Force (IETF).
Cisco IOS software documentation references supported RFCs when applicable. The full text of
referenced RFCs may be obtained on the World Wide Web at http://www.rfc-editor.org/.
• MIBs—MIBs are used for network monitoring. For lists of supported MIBs by platform and release, and to download MIB files, see the Cisco MIB website on Cisco.com at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
New and Changed Information

The following is new information since the last release of the Cisco IOS Security Command Reference:
• A new chapter titled "Secure Shell Commands" has been added to the section "Other Security Features." This chapter describes the SSH commands.
• The chapter titled “Cisco Encryption Technology Commands” has been deleted from the section “IP Security and Encryption.” This functionality is no longer supported. For information regarding CET commands, refer to Cisco IOS Security Command Reference, Release 12.1 or earlier.

Document Conventions

Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco products (for example, routers, access servers, and switches). Routers, access servers, and other networking devices that support Cisco IOS software are shown interchangeably within examples. These products are used only for illustrative purposes; that is, an example that shows one product does not necessarily indicate that other products are not supported.

The Cisco IOS documentation set uses the following conventions:

Convention   Description
^ or Ctrl    The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string       A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.

Command syntax descriptions use the following conventions:

Convention   Description
boldface     Boldface text indicates commands and keywords that you enter literally as shown.
italics      Italic text indicates arguments for which you supply values.
[x]          Square brackets enclose an optional element (keyword or argument).
|            A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y]      Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y}      Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.

Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:

Convention   Description
[x {y | z}]  Braces and a vertical line within square brackets indicate a required choice within an optional element.
Examples use the following conventions:

Convention        Description
screen            Examples of information displayed on the screen are set in Courier font.
boldface screen   Examples of text that you must enter are set in Courier bold font.
< >               Angle brackets enclose text that is not printed to the screen, such as passwords.
!                 An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]               Square brackets enclose default responses to system prompts.

The following conventions are used to attract the attention of the reader:

Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Note Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

The most current Cisco documentation is available on the World Wide Web at the following website:
http://www.cisco.com

Translated documentation is available at the following website:
http://www.cisco.com/public/countries_languages.html

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual subscription.
Ordering Documentation
Cisco documentation can be ordered in the following ways:
• Registered Cisco Direct Customers can order Cisco product documentation from the Networking
Products MarketPlace:
http://www.cisco.com/cgi-bin/order/order_root.pl
• Registered Cisco.com users can order the Documentation CD-ROM through the online
Subscription Store:
http://www.cisco.com/go/subscription
• Nonregistered Cisco.com users can order documentation through a local account representative by
calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by
calling 800 553-NETS(6387).
Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco.
You can e-mail your comments to [email protected].
To submit your comments by mail, use the response card behind the front cover of your document, or
write to the following address:
Cisco Systems, Inc.
Document Resource Connection
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at anytime, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.
Cisco.com provides a broad range of features and services to help customers and partners streamline
business processes and improve productivity. Through Cisco.com, you can find information about Cisco
and our networking solutions, services, and programs. In addition, you can resolve technical issues with
online technical support, download and test software packages, and order Cisco learning materials and
merchandise. Valuable online skill assessment, training, and certification programs are also available.
Customers and partners can self-register on Cisco.com to obtain additional personalized information
and services. Registered users can order products, check on the status of an order, access technical
support, and view benefits specific to their relationships with Cisco.
To access Cisco.com, go to the following website:
http://www.cisco.com
Technical Assistance Center
The Cisco TAC website is available to all customers who need technical assistance with a Cisco product
or technology that is under warranty or covered by a maintenance contract.
Contacting TAC by Using the Cisco TAC Website
If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC
website:
http://www.cisco.com/tac
P3 and P4 level problems are defined as follows:
• P3—Your network performance is degraded. Network functionality is noticeably impaired, but
most business operations continue.
• P4—You need information or assistance on Cisco product capabilities, product installation, or basic
product configuration.
In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.
To register for Cisco.com, go to the following website:
http://www.cisco.com/register/
If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at the following website:
http://www.cisco.com/tac/caseopen
Contacting TAC by Telephone
If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and
immediately open a case. To obtain a directory of toll-free numbers for your country, go to the following
website:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
P1 and P2 level problems are defined as follows:
• P1—Your production network is down, causing a critical impact to business operations if service
is not restored quickly. No workaround is available.
• P2—Your production network is severely degraded, affecting significant aspects of your business
operations. No workaround is available.
Using Cisco IOS Software
This chapter provides helpful tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes
• Getting Help
• Using the no and default Forms of Commands
• Saving Configuration Changes
• Filtering Output from the show and more Commands
• Identifying Supported Platforms
For an overview of Cisco IOS software configuration, refer to the Cisco IOS Configuration
Fundamentals Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the chapter
“About Cisco IOS Software Documentation” located at the beginning of this book.
Understanding Command Modes

You use the CLI to access Cisco IOS software. Because the CLI is divided into many different modes, the commands available to you at any given time depend on the mode you are currently in. Entering a question mark (?) at the CLI prompt allows you to obtain a list of commands available for each command mode.
When you log in to the CLI, you are in user EXEC mode. User EXEC mode contains only a limited
subset of commands. To have access to all commands, you must enter privileged EXEC mode, normally
by using a password. From privileged EXEC mode you can issue any EXEC command—user or
privileged mode—or you can enter global configuration mode. Most EXEC commands are one-time
commands. For example, show commands show important status information, and clear commands
clear counters or interfaces. The EXEC commands are not saved when the software reboots.
Configuration modes allow you to make changes to the running configuration. If you later save the
running configuration to the startup configuration, these changed commands are stored when the
software is rebooted. To enter specific configuration modes, you must start at global configuration
mode. From global configuration mode, you can enter interface configuration mode and a variety of
other modes, such as protocol-specific modes.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a
valid software image is not found when the software boots or if the configuration file is corrupted at
startup, the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software. It also shows examples of the prompts displayed for each mode.

Table 1 Accessing and Exiting Command Modes

Command Mode: User EXEC
  Access Method: Log in.
  Prompt: Router>
  Exit Method: Use the logout command.

Command Mode: Privileged EXEC
  Access Method: From user EXEC mode, use the enable EXEC command.
  Prompt: Router#
  Exit Method: To return to user EXEC mode, use the disable command.

Command Mode: Global configuration
  Access Method: From privileged EXEC mode, use the configure terminal privileged EXEC command.
  Prompt: Router(config)#
  Exit Method: To return to privileged EXEC mode from global configuration mode, use the exit or end command, or press Ctrl-Z.

Command Mode: Interface configuration
  Access Method: From global configuration mode, specify an interface using an interface command.
  Prompt: Router(config-if)#
  Exit Method: To return to global configuration mode, use the exit command. To return to privileged EXEC mode, use the end command, or press Ctrl-Z.

Command Mode: ROM monitor
  Access Method: From privileged EXEC mode, use the reload EXEC command. Press the Break key during the first 60 seconds while the system is booting.
  Prompt: >
  Exit Method: To exit ROM monitor mode, use the continue command.

For more information on command modes, refer to the “Using the Command-Line Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.

Getting Help

Entering a question mark (?) at the CLI prompt displays a list of commands available for each command mode. You can also get a list of keywords and arguments associated with any command by using the context-sensitive help feature.

To get help specific to a command mode, a command, a keyword, or an argument, use one of the following commands:

Command                         Purpose
help                            Provides a brief description of the help system in any command mode.
abbreviated-command-entry?      Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab>  Completes a partial command name.
?                               Lists all commands available for a particular command mode.
command ?                       Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
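The two forms of the question-mark query in the table above, together with abbreviation expansion, are modeled here as an added Python example; it is not Cisco's code, and the command tree, keyword descriptions and error strings are a constructed subset of interface configuration mode chosen to match the listings later in this chapter:

```python
"""Added example (not Cisco's code): a small model of IOS context-sensitive
help run over a constructed command tree for interface configuration mode."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Keyword:
    """One keyword in a command mode: its help text and its sub-keywords."""
    desc: str
    children: Dict[str, "Keyword"] = field(default_factory=dict)


# Constructed subset of interface configuration mode (illustrative only).
INTERFACE_MODE: Dict[str, Keyword] = {
    "ip": Keyword("Interface Internet Protocol config commands", {
        "access-group": Keyword("Specify access control for packets"),
        "accounting": Keyword("Enable IP accounting on this interface"),
        "address": Keyword("Set the IP address of an interface", {
            "A.B.C.D": Keyword("IP address"),
            "negotiated": Keyword("IP Address negotiated over PPP"),
        }),
        "directed-broadcast": Keyword("Enable forwarding of directed broadcasts"),
        "helper-address": Keyword("Specify a destination address for UDP broadcasts"),
    }),
    "keepalive": Keyword("Enable keepalive"),
    "logging": Keyword("Configure logging for interface"),
    "loopback": Keyword("Configure internal loopback on an interface"),
    "mtu": Keyword("Set the interface Maximum Transmission Unit (MTU)"),
    "no": Keyword("Negate a command or set its defaults"),
    "ntp": Keyword("Configure NTP"),
}


def matching(level: Dict[str, Keyword], prefix: str) -> List[str]:
    """Keywords at this level that begin with prefix (the 'abbrev?' form)."""
    return sorted(k for k in level if k.startswith(prefix))


def expand(level: Dict[str, Keyword], abbrev: str) -> str:
    """Expand an abbreviation to the one keyword it names (what Tab does).
    The error texts mirror the CLI's ambiguous / invalid input messages."""
    if abbrev in level:
        return abbrev
    found = matching(level, abbrev)
    if len(found) == 1:
        return found[0]
    if not found:
        raise ValueError("% Invalid input: " + abbrev)
    raise ValueError("% Ambiguous command: " + abbrev)


def help_query(mode: Dict[str, Keyword], line: str) -> List[Tuple[str, str]]:
    """Answer a help line that ends in '?'.

    'command ?' (space before the ?): walk the keywords typed so far,
    expanding abbreviations, then list what may come next with its
    description; a lone '<cr>' entry means the command is complete as typed.
    'abbrev?' (no space): list the keywords at that level that begin with
    abbrev; as on the CLI, no descriptions are shown for this form.
    """
    if not line.endswith("?"):
        raise ValueError("help queries end in '?'")
    body = line[:-1]
    space_form = body == "" or body.endswith(" ")
    tokens = body.split()
    to_walk = tokens if space_form else tokens[:-1]
    level = mode
    for tok in to_walk:
        level = level[expand(level, tok)].children
    if not space_form:
        return [(k, "") for k in matching(level, tokens[-1])]
    if not level:
        return [("<cr>", "")]
    return [(k, level[k].desc) for k in sorted(level)]


if __name__ == "__main__":
    for query in ("?", "lo?", "ip ?", "ip add ?", "ip address negotiated ?"):
        print("Router(config-if)# " + query)
        for key, desc in help_query(INTERFACE_MODE, query):
            print(f"  {key:<20} {desc}")
```

The walk expands each typed token before descending, so "ip add ?" resolves "add" to "address" and lists its arguments, while "lo?" is answered with both "logging" and "loopback" and "lo" on its own is reported as ambiguous.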
Example: How to Find Command Options
This section provides an example of how to display syntax for a command. The syntax can consist of
optional or required keywords and arguments. To display keywords and arguments for a command, enter
a question mark (?) at the configuration prompt or after entering part of a command followed by a space.
The Cisco IOS software displays a list and brief description of available keywords and arguments. For example, if you were in global configuration mode and wanted to see all the keywords or arguments for the arap command, you would type arap ?.

The <cr> symbol in command help output stands for “carriage return.” On older keyboards, the carriage return key is the Return key. On most modern keyboards, the carriage return key is the Enter key. The <cr> symbol at the end of command help output indicates that you have the option to press Enter to complete the command and that the arguments and keywords in the list preceding the <cr> symbol are optional. The <cr> symbol by itself indicates that no more arguments or keywords are available and that you must press Enter to complete the command.
Table 2 shows examples of how you can use the question mark (?) to assist you in entering commands.
The table steps you through configuring an IP address on a serial interface on a Cisco 7206 router that
is running Cisco IOS Release 12.0(3).
Table 2 How to Find Command Options

Command:
Router> enable
Password:
Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#.

Command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.

Command:
Router(config)# interface serial ?
  Serial interface number
Router(config)# interface serial 4 ?
  /
Router(config)# interface serial 4/ ?
  Serial interface number
Router(config)# interface serial 4/0
Router(config-if)#
Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. You are in interface configuration mode when the prompt changes to Router(config-if)#.
Router(config-if)# ?
Interface configuration commands:
.
.
.
ip Interface Internet Protocol config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an
interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enablename-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Enter ? to display a list of all the
interface configuration commands
available for the serial interface. Thisexample shows only some of the
available interface configuration
commands.
Command
Router(config-if)# ip ?
Interface IP configuration subcommands:
access-group        Specify access control for packets
accounting          Enable IP accounting on this interface
address             Set the IP address of an interface
authentication      authentication subcommands
bandwidth-percent   Set EIGRP bandwidth limit
broadcast-address   Set the broadcast address of an interface
cgmp                Enable/disable CGMP
directed-broadcast  Enable forwarding of directed broadcasts
dvmrp               DVMRP interface commands
hello-interval      Configures IP-EIGRP hello interval
helper-address      Specify a destination address for UDP broadcasts
hold-time           Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip

Comment
Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.
Table 2 How to Find Command Options (continued)

Command
Router(config-if)# ip address ?
A.B.C.D     IP address
negotiated  IP Address negotiated over PPP
Router(config-if)# ip address

Comment
Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command
Router(config-if)# ip address 172.16.0.1 ?
A.B.C.D  IP subnet mask
Router(config-if)# ip address 172.16.0.1

Comment
Enter the keyword or argument you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
secondary  Make this IP address a secondary address
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0

Comment
Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.

Command
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)#

Comment
In this example, Enter is pressed to complete the command.

Using the no and default Forms of Commands

Almost every configuration command has a no form. In general, use the no form to disable a function. Use the command without the no keyword to reenable a disabled function or to enable a function that is disabled by default. For example, IP routing is enabled by default. To disable IP routing, use the no ip routing command; to reenable IP routing, use the ip routing command. The Cisco IOS software command reference publications provide the complete syntax for the configuration commands and describe what the no form of a command does.

Configuration commands also can have a default form, which returns the command settings to the default values. Most commands are disabled by default, so in such cases using the default form has the same result as using the no form of the command. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default form of the command enables the command and sets the variables to their default values. The Cisco IOS software command reference publications describe the effect of the default form of a command if the command functions differently than the no form.
Saving Configuration Changes

Use the copy system:running-config nvram:startup-config command to save your configuration changes to the startup configuration so that the changes will not be lost if the software reloads or a power outage occurs. For example:
Router# copy system:running-config nvram:startup-config
Building configuration...
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A Flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
Filtering Output from the show and more Commands

In Cisco IOS Release 12.0(1)T and later releases, you can search and filter the output of show and more commands. This functionality is useful if you need to sort through large amounts of output or if you want to exclude output that you need not see.

To use this functionality, enter a show or more command followed by the “pipe” character (|); one of the keywords begin, include, or exclude; and a regular expression on which you want to search or filter (the expression is case-sensitive):
command | {begin | include | exclude} regular-expression
The output matches certain lines of information in the configuration file. The following example
illustrates how to use output modifiers with the show interface command when you want the output to
include only lines in which the expression “protocol” appears:
Router# show interface | include protocol
FastEthernet0/0 is up, line protocol is up
Serial4/0 is up, line protocol is up
Serial4/1 is up, line protocol is up
Serial4/2 is administratively down, line protocol is down
Serial4/3 is administratively down, line protocol is down
For more information on the search and filter functionality, refer to the “Using the Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
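The begin, include and exclude modifiers described above, modelled in Python as an added example (not from the Cisco document). The show interface text it filters is a constructed sample built around the five lines shown above, not a real capture; the extra "Hardware" detail lines are invented to give begin and exclude something to work on.

```python
import re

# Constructed sample of abridged "show interface" output (not a real capture).
SAMPLE_SHOW_INTERFACE = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is AmdFE, address is 0000.0c00.0001 (bia 0000.0c00.0001)
  Internet address is 172.16.0.1/24
Serial4/0 is up, line protocol is up
  Hardware is M4T
Serial4/1 is up, line protocol is up
  Hardware is M4T
Serial4/2 is administratively down, line protocol is down
  Hardware is M4T
Serial4/3 is administratively down, line protocol is down
  Hardware is M4T
"""


def filter_output(text, keyword, pattern):
    """Apply the IOS output modifier  command | {begin|include|exclude} regex.

    begin   -> every line from the first line matching the pattern onward
    include -> only the lines that match the pattern
    exclude -> only the lines that do not match the pattern
    The match is a case-sensitive regular-expression search, as the
    reference states, so no re.IGNORECASE is used.
    """
    regex = re.compile(pattern)
    lines = text.splitlines()
    if keyword == "include":
        return [ln for ln in lines if regex.search(ln)]
    if keyword == "exclude":
        return [ln for ln in lines if not regex.search(ln)]
    if keyword == "begin":
        for index, ln in enumerate(lines):
            if regex.search(ln):
                return lines[index:]
        return []  # nothing matched: begin shows no output at all
    raise ValueError("keyword must be begin, include or exclude")


if __name__ == "__main__":
    # Reproduces the documented "show interface | include protocol" result.
    for line in filter_output(SAMPLE_SHOW_INTERFACE, "include", "protocol"):
        print(line)
```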
Identifying Supported Platforms

Cisco IOS software is packaged in feature sets consisting of software images that support specific platforms. The feature sets available for a specific platform depend on which Cisco IOS software images are included in a release. To identify the set of software images available in a specific release or to find out if a feature is available in a given Cisco IOS software image, see the following sections:
• Using Feature Navigator
• Using Software Release Notes
Using Feature Navigator
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software
images support a particular set of features and which features are supported in a particular Cisco IOS
image.
Feature Navigator is available 24 hours a day, 7 days a week. To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, e-mail the Contact Database Administration group at [email protected]. If you do not have an account on Cisco.com, go to http://www.cisco.com/register and follow the directions to establish an account.
To use Feature Navigator, you must have a JavaScript-enabled web browser such as Netscape 3.0 or
later, or Internet Explorer 4.0 or later. Internet Explorer 4.0 always has JavaScript enabled. To enable
JavaScript for Netscape 3.x or Netscape 4.x, follow the instructions provided with the web browser. For
JavaScript support and enabling instructions for other browsers, check with the browser vendor.
Feature Navigator is updated when major Cisco IOS software releases and technology releases occur.
You can access Feature Navigator at the following URL:
http://www.cisco.com/go/fn
Using Software Release Notes

Cisco IOS software releases include release notes that provide the following information:
• Platform support information
• Memory recommendations
• Microcode support information
• Feature set tables
• Feature descriptions
• Open and resolved severity 1 and 2 caveats for all platforms
Release notes are intended to be release-specific for the most current release, and the information provided in these documents may not be cumulative in providing information about features that first appeared in previous releases.
Authentication, Authorization, and Accounting
Authentication Commands
This chapter describes the commands used to configure both AAA and non-AAA authentication
methods. Authentication identifies users before they are allowed access to the network and network
services. Basically, the Cisco IOS software implementation of authentication is divided into two main
categories:
• AAA Authentication Methods
• Non-AAA Authentication Methods
Authentication, for the most part, is implemented through the AAA security services. We recommend
that, whenever possible, AAA be used to implement authentication.
For information on how to configure authentication using either AAA or non-AAA methods, refer to the
chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide. For configuration
examples using the commands in this chapter, refer to the section “Authentication Examples” located at
the end of the chapter “Configuring Authentication” in the Cisco IOS Security Configuration Guide.
aaa authentication arap

To enable an authentication, authorization, and accounting (AAA) authentication method for AppleTalk Remote Access (ARA), use the aaa authentication arap command in global configuration mode. To disable this authentication, use the no form of this command.

aaa authentication arap {default | list-name} method1 [method2...]
no aaa authentication arap {default | list-name} method1 [method2...]

Syntax Description
default               Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name             Character string used to name the following list of authentication methods tried when a user logs in.
method1 [method2...]  At least one of the keywords described in Table 3.

Defaults
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication arap default local

Command Modes
Global configuration

Command History
Release   Modification
10.3      This command was introduced.
12.0(5)T  Group server and local-case support were added as method keywords for this command.

Usage Guidelines
The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. Note that ARAP guest logins are disabled by default when you enable AAA. To allow guest logins, you must use either the guest or auth-guest method listed in Table 3. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. See Table 3 for descriptions of method keywords.

To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you want to be used in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails.

Use the more system:running-config command to view currently configured lists of authentication methods.

Table 3 aaa authentication arap Methods
Keyword           Description
guest             Allows guest logins. This method must be the first method listed, but it can be followed by other methods if it does not succeed.
auth-guest        Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods if it does not succeed.
line              Uses the line password for authentication.
local             Uses the local username database for authentication.
local-case        Uses case-sensitive local username authentication.
group radius      Uses the list of all RADIUS servers for authentication.
group tacacs+     Uses the list of all TACACS+ servers for authentication.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Note In Table 3, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples
The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
aaa authentication arap MIS-access group tacacs+ none

The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
aaa authentication arap default group tacacs+ none

Related Commands
Command        Description
aaa new-model  Enables the AAA access control model.
aaa authentication banner

To configure a personalized banner that will be displayed at user login, use the aaa authentication banner command in global configuration mode. To remove the banner, use the no form of this command.

aaa authentication banner dstringd
no aaa authentication banner

Syntax Description
d       Any delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string  Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Defaults
Not enabled

Command Modes
Global configuration

Command History
Release   Modification
11.3(4)T  This command was introduced.

Usage Guidelines
Use the aaa authentication banner command to create a personalized message that appears when a user logs in to the system. This message or banner will replace the default message for user login.

To create a login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Note The AAA authentication banner message is not displayed if TACACS+ is the first method in the method list.

Examples
The following example shows the default login message if aaa authentication banner is not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:
User Verification Access
Username:
Password:

The following example configures a login banner (in this case, the phrase “Unauthorized use is prohibited.”) that will be displayed when a user logs in to the system. In this case, the asterisk (*) symbol is used as the delimiter. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication login default group radius

This configuration produces the following login banner:
Unauthorized use is prohibited.
Username:

Related Commands
Command                          Description
aaa authentication fail-message  Configures a personalized banner that will be displayed when a user fails login.
aaa authentication enable default

To enable authentication, authorization, and accounting (AAA) authentication to determine if a user can access the privileged command level, use the aaa authentication enable default command in global configuration mode. To disable this authorization method, use the no form of this command.

aaa authentication enable default method1 [method2...]
no aaa authentication enable default method1 [method2...]

Syntax Description
method1 [method2...]  At least one of the keywords described in Table 4.

Defaults
If the default list is not set, only the enable password is checked. This has the same effect as the following command:
aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Modes
Global configuration

Command History
Release   Modification
10.3      This command was introduced.
12.0(5)T  Group server support was added as various method keywords for this command.

Usage Guidelines
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine whether a user can access the privileged command level. Method keywords are described in Table 4. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

All aaa authentication enable default requests sent by the router to a RADIUS or TACACS+ server include the username “$enab15$.”

If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the more system:running-config command to view currently configured lists of authentication methods.

Table 4 aaa authentication enable default Methods
Keyword           Description
enable            Uses the enable password for authentication.
line              Uses the line password for authentication.
none              Uses no authentication.
group radius      Uses the list of all RADIUS servers for authentication.
                  Note The RADIUS method does not work on a per-username basis.
group tacacs+     Uses the list of all TACACS+ servers for authentication.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Note In Table 4, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples
The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication enable default group tacacs+ enable none

Related Commands
Command            Description
aaa authorization  Sets parameters that restrict network access to a user.
aaa new-model      Enables the AAA access control model.
enable password    Sets a local password to control access to various privilege levels.
aaa authentication fail-message

To configure a personalized banner that will be displayed when a user fails login, use the aaa authentication fail-message command in global configuration mode. To remove the failed login message, use the no form of this command.

aaa authentication fail-message dstringd
no aaa authentication fail-message

Syntax Description
d       The delimiting character at the beginning and end of the string that notifies the system that the string is to be displayed as the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.
string  Any group of characters, excluding the one used as the delimiter. The maximum number of characters that you can display is 2996.

Defaults
Not enabled

Command Modes
Global configuration

Command History
Release   Modification
11.3(4)T  This command was introduced.

Usage Guidelines
Use the aaa authentication fail-message command to create a personalized message that appears when a user fails login. This message will replace the default message for failed login.

To create a failed-login banner, you need to configure a delimiting character, which notifies the system that the following text string is to be displayed as the banner, and then the text string itself. The delimiting character is repeated at the end of the text string to signify the end of the banner. The delimiting character can be any character in the extended ASCII character set, but once defined as the delimiter, that character cannot be used in the text string making up the banner.

Examples
The following example shows the default login message and failed login message that is displayed if aaa authentication banner and aaa authentication fail-message are not configured. (RADIUS is specified as the default login authentication method.)
aaa new-model
aaa authentication login default group radius

This configuration produces the following standard output:
User Verification Access
Username:
Password:
% Authentication failed.

The following example configures both a login banner (“Unauthorized use is prohibited.”) and a login-fail message (“Failed login. Try again.”). The login message will be displayed when a user logs in to the system. The failed-login message will display when a user tries to log in to the system and fails. (RADIUS is specified as the default login authentication method.) In this example, the asterisk (*) is used as the delimiting character.
aaa new-model
aaa authentication banner *Unauthorized use is prohibited.*
aaa authentication fail-message *Failed login. Try again.*
aaa authentication login default group radius

This configuration produces the following login and failed login banner:
Unauthorized use is prohibited.
Username:
Password:
Failed login. Try again.

Related Commands
Command                    Description
aaa authentication banner  Configures a personalized banner that will be displayed at user login.
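The dstringd argument shared by aaa authentication banner and aaa authentication fail-message follows the rule both entries give: the first character is the delimiter, the message ends at its next occurrence, and the delimiter may not appear inside the message. The Python parser below is an added example, not Cisco code; it enforces the 2996-character limit from the Syntax Description and reports the case where a stray delimiter cuts the message short, which is the mistake an operator is most likely to make.

```python
MAX_BANNER_CHARS = 2996  # limit stated in the Syntax Description of both commands

BANNER_COMMANDS = ("aaa authentication banner", "aaa authentication fail-message")


def parse_delimited_banner(arg):
    """Split a dstringd argument into (delimiter, text, leftover).

    The first character is the delimiter d; the banner text runs up to the
    next occurrence of d. leftover is whatever follows the closing delimiter:
    a non-empty leftover means d appeared inside the intended message and
    terminated it early.
    """
    if not arg:
        raise ValueError("banner argument is empty")
    delimiter = arg[0]
    end = arg.find(delimiter, 1)
    if end == -1:
        raise ValueError("closing delimiter %r not found" % delimiter)
    text = arg[1:end]
    if len(text) > MAX_BANNER_CHARS:
        raise ValueError("banner text exceeds %d characters" % MAX_BANNER_CHARS)
    return delimiter, text, arg[end + 1:]


def check_banner(arg):
    """Validate a dstringd argument.

    Returns (True, text) for a well-formed argument, or (False, reason) when
    the argument is malformed or the delimiter reappears inside the message.
    """
    try:
        delimiter, text, leftover = parse_delimited_banner(arg)
    except ValueError as exc:
        return False, str(exc)
    if leftover:
        return False, ("delimiter %r appears inside the message; the text after "
                       "it (%r) is not part of the banner" % (delimiter, leftover))
    return True, text


def parse_config_line(line):
    """Parse one configuration line of either banner command.

    Returns (command, delimiter, text, leftover). Hypothetical helper for
    reviewing a saved configuration offline; not an IOS facility.
    """
    for command in BANNER_COMMANDS:
        if line.startswith(command + " "):
            delimiter, text, leftover = parse_delimited_banner(line[len(command) + 1:])
            return command, delimiter, text, leftover
    raise ValueError("not an aaa authentication banner or fail-message command")


if __name__ == "__main__":
    # The two lines from the documented example above.
    print(parse_config_line("aaa authentication banner *Unauthorized use is prohibited.*"))
    print(parse_config_line("aaa authentication fail-message *Failed login. Try again.*"))
    # Constructed mistake: the delimiter reappears inside the message.
    print(check_banner("*Use of * is restricted*"))
```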
aaa authentication login

To set authentication, authorization, and accounting (AAA) authentication at login, use the aaa authentication login command in global configuration mode. To disable AAA authentication, use the no form of this command.

aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name} method1 [method2...]

Syntax Description
default               Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name             Character string used to name the list of authentication methods activated when a user logs in.
method1 [method2...]  At least one of the keywords described in Table 5.

Defaults
If the default list is not set, only the local user database is checked. This has the same effect as the following command:
aaa authentication login default local

Note On the console, login will succeed without any authentication checks if default is not set.

Command Modes
Global configuration

Command History
Release   Modification
10.3      This command was introduced.
12.0(5)T  Group server and local-case support were added as method keywords for this command.

Usage Guidelines
The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5.

To create a default list that is used if no list is assigned to a line, use the login authentication command with the default argument followed by the methods you want to use in default situations.

The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Table 5 aaa authentication login Methods
Keyword           Description
enable            Uses the enable password for authentication.
krb5              Uses Kerberos 5 for authentication.
krb5-telnet       Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.
line              Uses the line password for authentication.
local             Uses the local username database for authentication.
local-case        Uses case-sensitive local username authentication.
none              Uses no authentication.
group radius      Uses the list of all RADIUS servers for authentication.
group tacacs+     Uses the list of all TACACS+ servers for authentication.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Note In Table 5, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples
The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access group tacacs+ enable none

The following example creates the same list, but it sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default group tacacs+ enable none

The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router:
aaa authentication login default krb5

Related Commands
Command               Description
aaa new-model         Enables the AAA access control model.
login authentication  Enables AAA authentication for logins.
aaa authentication nasi

To specify authentication, authorization, and accounting (AAA) authentication for Netware Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi command in global configuration mode. To disable authentication for NASI clients, use the no form of this command.

aaa authentication nasi {default | list-name} method1 [method2...]
no aaa authentication nasi {default | list-name} method1 [method2...]

Syntax Description
default               Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.
list-name             Character string used to name the list of authentication methods activated when a user logs in.
method1 [method2...]  At least one of the methods described in Table 6.

Defaults
If the default list is not set, only the local user database is selected. This has the same effect as the following command:
aaa authentication nasi default local

Command Modes
Global configuration

Command History
Release   Modification
11.1      This command was introduced.
12.0(5)T  Group server support and local-case were added as method keywords for this command.

Usage Guidelines
The default and optional list names that you create with the aaa authentication nasi command are used with the nasi authentication command.

Create a list by entering the aaa authentication nasi command, where list-name is any character string that names the list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries in the given sequence. Method keywords are described in Table 6.

To create a default list that is used if no list is assigned to a line with the nasi authentication command, use the default argument followed by the methods that you want to use in default situations.

The remaining methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. Use the more system:running-config command to display currently configured lists of authentication methods.

Table 6 aaa authentication nasi Methods
Keyword           Description
enable            Uses the enable password for authentication.
line              Uses the line password for authentication.
local             Uses the local username database for authentication.
local-case        Uses case-sensitive local username authentication.
none              Uses no authentication.
group radius      Uses the list of all RADIUS servers for authentication.
group tacacs+     Uses the list of all TACACS+ servers for authentication.
group group-name  Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Note In Table 6, the group radius, group tacacs+, and group group-name methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server host commands to configure the host servers. Use the aaa group server radius and aaa group server tacacs+ commands to create a named group of servers.

Examples
The following example creates an AAA authentication list called list1. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication nasi list1 group tacacs+ enable none

The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication nasi default group tacacs+ enable none

Related Commands
Command                             Description
ip trigger-authentication (global)  Enables the automated part of double authentication at a device.
ipx nasi-server enable              Enables NASI clients to connect to asynchronous devices attached to a router.
nasi authentication                 Enables AAA authentication for NASI clients connecting to a router.
show ipx nasi connections           Displays the status of NASI connections.
show ipx spx-protocol               Displays the status of the SPX protocol stack and related counters.
aaa authentication password-prompt
To change the text displayed when users are prompted for a password, use the aaa authentication
password-prompt command in global configuration mode. To return to the default password prompt
text, use the no form of this command.
aaa authentication password-prompt text-string
no aaa authentication password-prompt text-string
Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, “Enter your password:”).
Defaults There is no user-defined text-string, and the password prompt appears as “Password.”
Command Modes Global configuration
Command History
Release Modification
11.0 This command was introduced.
Usage Guidelines Use the aaa authentication password-prompt command to change the default text that the Cisco IOS
software displays when prompting a user to enter a password. This command changes the password
prompt for the enable password as well as for login passwords that are not supplied by remote security
servers. The no form of this command returns the password prompt to the default value:
Password:
The aaa authentication password-prompt command does not change any dialog that is supplied by a
remote TACACS+ server.
The aaa authentication password-prompt command works when RADIUS is used as the login method.
The password prompt that is defined in the command will be shown even when the RADIUS server is
unreachable. The aaa authentication password-prompt command does not work with TACACS+.
TACACS+ supplies the network access server (NAS) with the password prompt to display to the users.
If the TACACS+ server is reachable, the NAS gets the password prompt from the server and uses that
prompt instead of the one defined in the aaa authentication password-prompt command. If the
TACACS+ server is not reachable, the password prompt that is defined in the aaa authentication
password-prompt command may be used.
Examples The following example changes the text for the password prompt:
aaa authentication password-prompt “Enter your password now:”
Related Commands
Command Description
aaa authentication username-prompt Changes the text displayed when users are prompted to enter a username.
aaa new-model Enables the AAA access control model.
enable password Sets a local password to control access to various privilege levels.
aaa authentication ppp
To specify one or more authentication, authorization, and accounting (AAA) authentication methods for
use on serial interfaces that are running PPP, use the aaa authentication ppp command in global
configuration mode. To disable authentication, use the no form of this command.
aaa authentication ppp {default | list-name} method1 [method2...]
no aaa authentication ppp {default | list-name} method1 [method2...]
Syntax Description
default Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name Character string used to name the list of authentication methods tried when a user logs in.
method1 [method2...] Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods. Method keywords are described in Table 7.
Defaults If the default list is not set, only the local user database is checked. This has the same effect as that
created by the following command:
aaa authentication ppp default local
Command Modes Global configuration
Command History
Release Modification
10.3 This command was introduced.
12.0(5)T Group server support and local-case were added as method keywords.
Usage Guidelines The lists that you create with the aaa authentication ppp command are used with the ppp
authentication command. These lists contain up to four authentication methods that are used when a
user tries to log in to the serial interface.
Create a list by entering the aaa authentication ppp list-name method command, where list-name is any
character string used to name this list (such as MIS-access). The method argument identifies the list of
methods that the authentication algorithm tries in the given sequence. You can enter up to four methods.
Method keywords are described in Table 7.
The additional methods of authentication are used only if the previous method returns an error, not if it
fails. Specify none as the final method in the command line to have authentication succeed even if all
methods return an error.
If authentication is not specifically set for a function, the default is none and no authentication is
performed. Use the more system:running-config command to display currently configured lists of
authentication methods.
Note In Table 7, the group radius, group tacacs+, and group group-name methods refer to a set of
previously defined RADIUS or TACACS+ servers. Use the radius-server host and tacacs+-server
host commands to configure the host servers. Use the aaa group server radius and aaa group
server tacacs+ commands to create a named group of servers.
Table 7 aaa authentication ppp Methods
Keyword Description
if-needed Does not authenticate if the user has already been authenticated on a tty line.
krb5 Uses Kerberos 5 for authentication (can be used only for Password Authentication Protocol [PAP] authentication).
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
none Uses no authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Examples The following example creates an AAA authentication list called MIS-access for serial lines that use PPP.
This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is
allowed access with no authentication.
aaa authentication ppp MIS-access group tacacs+ none
Related Commands
Command Description
aaa group server radius Groups different RADIUS server hosts into distinct lists and distinct methods.
aaa group server tacacs+ Groups different server hosts into distinct lists and distinct methods.
aaa new-model Enables the AAA access control model.
more system:running-config Displays the contents of the currently running configuration file, the configuration for a specific interface, or map class information.
ppp authentication Enables CHAP or PAP or both and specifies the order in which CHAP and PAP authentication are selected on the interface.
radius-server host Specifies a RADIUS server host.
tacacs+-server host Specifies a TACACS host.
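A Python model of the method-list fall-through that the aaa authentication nasi and aaa authentication ppp entries describe (a method's error falls through to the next method, a failure does not, and a trailing none makes the list succeed when every method errors), together with a check that flags such fail-open lists in a running-config. This is an added example, not Cisco code; the Result outcomes passed to evaluate and the SAMPLE_CONFIG text are constructed for the demonstration.

```python
# Model of the AAA method-list fall-through in this reference (added example, not Cisco code).
# A method yields PASS, FAIL or ERROR; the next method is tried only on ERROR, never on FAIL.
from enum import Enum

Result = Enum("Result", "PASS FAIL ERROR")  # outcome of one authentication method

def parse_method_list(line):
    """Split 'aaa authentication <service> <default|list-name> <methods>'; 'group X' is one method."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 5:
        raise ValueError("not an aaa authentication method-list line: %r" % line)
    service, name, rest, methods = tokens[2], tokens[3], tokens[4:], []
    while rest:
        take = 2 if rest[0] == "group" else 1  # 'group radius', 'group tacacs+', 'group <name>'
        methods.append(" ".join(rest[:take]))
        rest = rest[take:]
    if not 1 <= len(methods) <= 4:
        raise ValueError("a method list takes one to four methods")
    return service, name, methods

def evaluate(methods, outcomes):
    """First non-ERROR result wins; ERROR falls through to the next method. 'none' always
    passes; a method absent from outcomes (server unreachable, no enable password) is ERROR."""
    for m in methods:
        r = Result.PASS if m == "none" else outcomes.get(m, Result.ERROR)
        if r is not Result.ERROR:
            return r
    return Result.ERROR  # every method errored and no 'none' terminator: access denied

def fails_open(methods):
    """Defender check: does the list admit a user once every method has errored out?"""
    return evaluate(methods, {}) is Result.PASS

def audit(config_text):
    """Return the (service, list-name) pairs in a running-config whose lists fail open."""
    hits = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) > 4 and tokens[:2] == ["aaa", "authentication"] and tokens[2] in ("login", "ppp", "nasi"):
            service, name, methods = parse_method_list(line)
            if fails_open(methods):
                hits.append((service, name))
    return hits

SAMPLE_CONFIG = (  # constructed sample: this reference's two examples plus one list that fails closed
    "aaa authentication nasi list1 group tacacs+ enable none\n"
    "aaa authentication ppp MIS-access group tacacs+ none\n"
    "aaa authentication ppp default group radius local\n"
    'aaa authentication password-prompt "Enter your password now:"\n'
)
```

Running audit over the output of more system:running-config shows which lists grant access during a server outage; a list such as group tacacs+ local denies access instead when no method can answer.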
aaa authentication username-prompt
To change the text displayed when users are prompted to enter a username, use the aaa authentication
username-prompt command in global configuration mode. To return to the default username prompt
text, use the no form of this command.
aaa authentication username-prompt text-string
no aaa authentication username-prompt text-string
Syntax Description
text-string String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, “Enter your name:”).
Defaults There is no user-defined text-string, and the username prompt appears as “Username.”
Command Modes Global configuration
Command History
Release Modification
11.0 This command was introduced.
Usage Guidelines Use the aaa authentication username-prompt command to change the default text that the Cisco IOS
software displays when prompting a user to enter a username. The no form of this command returns the
username prompt to the default value:
Username:
Some protocols (for example, TACACS+) have the ability to override the use of local username prompt
information. Using the aaa authentication username-prompt command will not change the username
prompt text in these instances.
Note The aaa authentication username-prompt command does not change any dialog that is supplied by
a remote TACACS+ server.
Examples The following example changes the text for the username prompt:
aaa authentication username-prompt “Enter your name here:”
Related Commands
Command Description
aaa authentication password-prompt Changes the text that is displayed when users are prompted for a password.
aaa new-model Enables the AAA access control model.
enable password Sets a local password to control access to various privilege levels.
aaa dnis map authentication login group
To map a Dialed Number Information Service (DNIS) number to a particular authentication,
authorization, and accounting (AAA) server group for the login service (this server group will be used
for AAA authentication), use the aaa dnis map authentication login group command in global
configuration mode. To unmap this DNIS number from the defined server group, use the no form of this
command.
aaa dnis map dnis-number authentication login group server-group-name
no aaa dnis map dnis-number authentication login group server-group-name
Syntax Description
dnis-number Number of the DNIS.
server-group-name Character string used to name a group of security servers associated in a server group.
Defaults Disabled
Command Modes Global configuration
Command History
Release Modification
12.1 This command was introduced.
Usage Guidelines This command lets you assign a DNIS number to a particular AAA server group; thus, the server group
can process the AAA authentication requests for login service for users dialing into the network using
that particular DNIS.
To use this command, you must first enable AAA, define an AAA server group, and enable DNIS
mapping.
Examples The following example shows how to map DNIS number 7777 to the RADIUS server group called
group1. group1 will use RADIUS server 172.30.0.0 for AAA authentication requests for login service
for users dialing in with DNIS 7777.
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
server 172.30.0.0
exit
aaa dnis map enable
aaa dnis map 7777 authentication login group group1
Related Commands
Command Description
aaa dnis map accounting network group Maps a DNIS number to a particular accounting server group.
aaa dnis map enable Enables AAA server selection based on DNIS.
aaa group server Groups different server hosts into distinct lists and methods.
aaa new-model Enables the AAA access control model.
radius-server host Specifies a RADIUS server host.
aaa dnis map authentication ppp group
To map a Dialed Number Information Service (DNIS) number to a particular authentication server group
(this server group will be used for authentication, authorization, and accounting (AAA) authentication),
use the aaa dnis map authentication ppp group command in global configuration mode. To remove
the DNIS number from the defined server group, use the no form of this command.
aaa dnis map dnis-number authentication ppp group server-group-name
no aaa dnis map dnis-number authentication ppp group server-group-name
Syntax Description
dnis-number Number of the DNIS.
server-group-name Character string used to name a group of security servers associated in a server group.
Defaults Disabled
Command Modes Global configuration
Command History
Release Modification
12.0(7)T This command was introduced.
Usage Guidelines This command lets you assign a DNIS number to a particular AAA server group, so that the server group
can process authentication requests for users dialing in to the network using that particular DNIS. To use
this command, you must first enable AAA, define an AAA server group, and enable DNIS mapping.
Examples The following example maps DNIS number 7777 to the RADIUS server group called group1. Server
group group1 will use RADIUS server 172.30.0.0 for authentication requests for users dialing in with
DNIS 7777.
aaa new-model
radius-server host 172.30.0.0 auth-port 1645 key cisco1
aaa group server radius group1
server 172.30.0.0
aaa dnis map enable
aaa dnis map 7777 authentication ppp group group1
Related Commands
Command Description
aaa dnis map accounting network group Maps a DNIS number to a particul