This chapter describes the function and displays the syntax of the commands used to manage security on the network. For more information about defaults and usage guidelines, see the corresponding chapter of the Configuration Fundamentals Command Reference.
To enable an Authentication, Authorization, and Accounting (AAA) authentication method for AppleTalk Remote Access (ARA) users using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.

aaa authentication arap {default | list-name} method1 [...[method4]]

| Keyword or argument | Description |
| --- | --- |
| default | Uses the listed methods that follow this argument as the default list of methods when a user logs in. |
| list-name | Character string used to name the following list of authentication methods tried when a user logs in. |
| method | A method keyword; at least one and up to four may be listed. |
To enable AAA authentication to determine if a user can access the privileged command level, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.

aaa authentication enable default method1 [...[method4]]

| Keyword or argument | Description |
| --- | --- |
| method | At least one and up to four keywords. |
To have the router check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.

aaa authentication local-override

To set AAA authentication at login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [...[method4]]

| Keyword or argument | Description |
| --- | --- |
| default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
| list-name | Character string used to name the following list of authentication methods activated when a user logs in. |
| method | At least one and up to four keywords. |
To specify AAA authentication for NetWare Asynchronous Services Interface (NASI) clients connecting through the access server, use the aaa authentication nasi global configuration command. Use the no form of this command to disable authentication for NASI clients.

aaa authentication nasi {list-name | default} {methods list}

| Keyword or argument | Description |
| --- | --- |
| list-name | Character string used to name the following list of authentication methods activated when a user logs in. |
| default | Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in. |
| methods | At least one and up to four methods. |
To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP) when using TACACS+, use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.

aaa authentication ppp {default | list-name} method1 [...[method4]]

| Keyword or argument | Description |
| --- | --- |
| default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
| list-name | Character string used to name the following list of authentication methods tried when a user logs in. |
| method | At least one and up to four keywords. |
Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.

aaa authorization {network | exec | command level} method

| Keyword or argument | Description |
| --- | --- |
| network | Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol. |
| exec | Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information. |
| command | Runs authorization for all commands at the specified privilege level. |
| level | Specific command level that should be authorized. Valid entries are 0 through 15. |
| method | Keyword specifying how authorization is performed. |
To enable the AAA access control model, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.

aaa new-model

To enable AAA authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}

| Keyword or argument | Description |
| --- | --- |
| default | Default list created with the aaa authentication arap command. |
| list-name | Indicated list created with the aaa authentication arap command. |
Use the clear kerberos creds EXEC command to delete the contents of your credentials cache.

clear kerberos creds

To specify what happens if the TACACS and extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.

enable last-resort {password | succeed}

| Keyword or argument | Description |
| --- | --- |
| password | Allows you to enable by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters. |
| succeed | Allows you to enable without further question. |
To enable use of TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.

enable use-tacacs

Use the ip radius source-interface global configuration command to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. This address is used as long as the interface is in the up/up state. Use the no form of this command to disable use of a specified interface IP address.

ip radius source-interface subinterface-name

| Keyword or argument | Description |
| --- | --- |
| subinterface-name | Name of the interface that RADIUS uses for all of its outgoing packets. |
Use the ip tacacs source-interface global configuration command to force TACACS to use the IP address of a specified interface for all outgoing TACACS packets. Use the no form of this command to disable use of a specified interface IP address.

ip tacacs source-interface subinterface-name

| Keyword or argument | Description |
| --- | --- |
| subinterface-name | Name of the interface that TACACS uses for all of its outgoing packets. |
Use the kerberos clients mandatory global configuration command to cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server. Use the no form of this command to unconfigure this option (see the Usage Guidelines for this command).

kerberos clients mandatory

Use the kerberos credentials forward global configuration command to force all network application clients on the router to forward the user's credentials on successful Kerberos authentication. Use the no form of this command to turn off Kerberos credentials forwarding.

kerberos credentials forward

The kerberos instance map global configuration command maps Kerberos instances to Cisco IOS privilege levels. Use the no form of this command to remove a Kerberos instance map.

kerberos instance map {Kerberos instance} {IOS privilege level}

| Keyword or argument | Description |
| --- | --- |
| Kerberos instance | Name of a Kerberos instance. |
| IOS privilege level | The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. |
Use the kerberos local-realm global configuration command to define the name of the Kerberos realm in which the router is located. Use the no form of this command to unconfigure the default Kerberos realm for this router.

kerberos local-realm {kerberos-realm}

| Keyword or argument | Description |
| --- | --- |
| kerberos-realm | The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters. |
Use the kerberos preauth global configuration command to specify the preauthentication method used when communicating with the key distribution center (KDC). It is more secure to use preauthentication when communicating with the KDC. The no form of this command is equivalent to kerberos preauth none.

kerberos preauth [encrypted-unix-timestamp | none]

| Keyword or argument | Description |
| --- | --- |
| encrypted-unix-timestamp | Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC. |
| none | Do not use Kerberos preauthentication. |
Use the kerberos realm global configuration command to map a host name or Domain Name System (DNS) domain to a Kerberos realm. The router can be located in more than one realm at a time. Use the no form of this command to remove a Kerberos realm map.

kerberos realm {dns-domain | host} {kerberos-realm}

| Keyword or argument | Description |
| --- | --- |
| dns-domain | Name of a DNS domain. A domain name begins with a full stop. |
| host | Name of a DNS host. A host name does not begin with a full stop. |
| kerberos-realm | Name of the Kerberos realm the specified domain or host belongs to. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters. |
Use the kerberos server global configuration command to specify the location of the Kerberos server for a given Kerberos realm. Use the no form of this command to unconfigure the location of a Kerberos server for the specified Kerberos realm.

kerberos server {kerberos-realm} {hostname | ip-address} [port-number]

| Keyword or argument | Description |
| --- | --- |
| kerberos-realm | Name of the Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters. |
| hostname | Name of the host functioning as a Kerberos server for the specified Kerberos realm. |
| ip-address | IP address of the host functioning as a Kerberos server for the specified Kerberos realm. |
| port-number | (Optional) Port on which the KDC/TGS listens. |
A kerberos srvtab entry line in the configuration is one of the router's locally stored SRVTAB (service key) entries. Use the no form of this command to remove a SRVTAB entry from the router's configuration.

kerberos srvtab entry {Kerberos Principal} {Principal Type} {Timestamp} {Key Version Number} {Key Type} {key length} {encrypted keytab}

| Keyword or argument | Description |
| --- | --- |
| Kerberos Principal | A service on the router. |
| Principal Type | Version of the Kerberos SRVTAB. |
| Timestamp | Large number representing the date and time the SRVTAB entry was created. |
| Key Version Number | Version of the encryption key format. |
| Key Type | Type of encryption used. |
| key length | Length, in bytes, of the encryption key. |
| encrypted keytab | The encrypted key. |
Use the kerberos srvtab remote global configuration command to retrieve a krb5 SRVTAB file from the specified host.

kerberos srvtab remote {hostname | ip-address} {filename}

| Keyword or argument | Description |
| --- | --- |
| hostname | Machine with the Kerberos SRVTAB file. |
| ip-address | IP address of the machine with the Kerberos SRVTAB file. |
| filename | Name of the SRVTAB file. |
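The Kerberos commands above are meant to be used together; the following configuration is an added example, not text from the original reference. The realm EXAMPLE.COM, the KDC address 10.0.0.7, the instance names admin and ops, and the SRVTAB path are constructed placeholders.

```cisco
! Added example (constructed values): the router joins realm EXAMPLE.COM
! and authenticates EXEC users against that realm's KDC.
aaa new-model
!
! The router's own realm, plus a DNS domain (leading full stop) and one
! explicit host name mapped to it.
kerberos local-realm EXAMPLE.COM
kerberos realm .example.com EXAMPLE.COM
kerberos realm kdc1.example.com EXAMPLE.COM
!
! Location of the KDC/TGS; the port is given explicitly here.
kerberos server EXAMPLE.COM 10.0.0.7 88
!
! Preauthentication with an encrypted UNIX timestamp (the more secure
! choice; "kerberos preauth none" would disable it).
kerberos preauth encrypted-unix-timestamp
!
! rsh, rcp, rlogin and telnet must fail rather than fall back to
! cleartext when Kerberos cannot be negotiated; forward the user's
! credentials to the remote host after a successful authentication.
kerberos clients mandatory
kerberos credentials forward
!
! Principals carrying the "admin" instance (user/admin@EXAMPLE.COM) get
! privilege 15; those with the "ops" instance get privilege 7.
kerberos instance map admin 15
kerberos instance map ops 7
!
! Fetch the router's service key table; IOS then stores it as
! "kerberos srvtab entry ..." lines in the configuration.
kerberos srvtab remote 10.0.0.7 /krb5/router1-srvtab
!
! Login via Kerberos with the local database as fallback, and EXEC
! privilege taken from the instance maps above.
aaa authentication login default krb5 local
aaa authorization exec krb5-instance
!
! Check from EXEC mode: "show kerberos creds" lists the credentials
! cache (like UNIX klist) and "clear kerberos creds" empties it.
```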
Use the key config-key global configuration command to define a private Data Encryption Standard (DES) key for the router. Use the no form of this command to delete the private DES key for the router.

key config-key 1 string

| Keyword or argument | Description |
| --- | --- |
| string | Private DES key (can be up to 8 alphanumeric characters). |
To configure your router to use TACACS user authentication, use the login tacacs line configuration command. Use the no form of this command to disable TACACS user authentication for a line.

login tacacs

To enable TACACS+ authentication for NetWare Asynchronous Services Interface (NASI) clients connecting to a router, use the nasi authentication line configuration command. Use the no form of the command to return to the default, as specified by the aaa authentication nasi command.

nasi authentication {default | list-name}

| Keyword or argument | Description |
| --- | --- |
| default | Uses the default list created with the aaa authentication nasi command. |
| list-name | Uses the list created with the aaa authentication nasi command. |
To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) and to enable an Authentication, Authorization, and Accounting (AAA) authentication method on an interface, use the ppp authentication interface configuration command. Use the no form of this command to disable this authentication.

ppp authentication {chap | chap pap | pap chap | pap} [if-needed] [list-name | default] [callin]

| Keyword or argument | Description |
| --- | --- |
| chap | Enables CHAP on a serial interface. |
| pap | Enables PAP on a serial interface. |
| chap pap | Enables both CHAP and PAP, and performs CHAP authentication before PAP. |
| pap chap | Enables both CHAP and PAP, and performs PAP authentication before CHAP. |
| if-needed | (Optional) Used with TACACS and extended TACACS. Does not perform CHAP or PAP authentication if the user has already provided authentication. This option is available only on asynchronous interfaces. |
| list-name | (Optional) Used with AAA/TACACS+. Specifies the name of a list of TACACS+ methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command. |
| default | (Optional) Uses the default method list created with the aaa authentication ppp command. |
| callin | (Optional) Specifies authentication on incoming (received) calls only. |
Use the ppp chap hostname interface configuration command to create a pool of dialup routers that all appear to be the same host when authenticating with CHAP. To disable this function, use the no form of the command.

ppp chap hostname hostname

| Keyword or argument | Description |
| --- | --- |
| hostname | The name sent in the CHAP challenge. |
Use the ppp chap password interface configuration command to enable a router calling a collection of routers that do not support this command (such as routers running older Cisco IOS software images) to configure a common CHAP secret password to use in response to challenges from an unknown peer. To disable this function, use the no form of this command.

ppp chap password secret

| Keyword or argument | Description |
| --- | --- |
| secret | The secret password used to compute the response value for any CHAP challenge from an unknown peer. |
To reenable remote PAP support for an interface and use the sent-username and password in the PAP authentication request packet to the peer, use the ppp pap sent-username interface configuration command. Use the no form of this command to disable remote PAP support.

ppp pap sent-username username password password

no ppp pap sent-username

| Keyword or argument | Description |
| --- | --- |
| username | Username sent in the PAP authentication request. |
| password | Password sent in the PAP authentication request. Must contain from 1 to 25 uppercase and lowercase alphanumeric characters. |
To enable TACACS for PPP authentication, use the ppp use-tacacs interface configuration command. Use the no form of the command to disable TACACS for PPP authentication.

ppp use-tacacs [single-line]

| Keyword or argument | Description |
| --- | --- |
| single-line | (Optional) Accept the username and password in the username field. This option applies only when using CHAP authentication. |
To specify a RADIUS server host, use the radius-server host global configuration command. You can use multiple radius-server host commands to specify multiple hosts. The software searches for the hosts in the order that you specify. Use the no form of this command to delete the specified name or address.

radius-server host {hostname | ip-address}

| Keyword or argument | Description |
| --- | --- |
| hostname | DNS name of the RADIUS server host. |
| ip-address | IP address of the RADIUS server host. |
Use the radius-server key global configuration command to set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon. Use the no form of the command to disable the key.

radius-server key {string}

| Keyword or argument | Description |
| --- | --- |
| string | The key used for authentication and encryption. This key must match the key configured on the RADIUS daemon. |
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit global configuration command. Use the no form of this command to disable retransmission.

radius-server retransmit retries

| Keyword or argument | Description |
| --- | --- |
| retries | Maximum number of retransmission attempts. |
To set the interval a router waits for a server host to reply, use the radius-server timeout global configuration command. Use the no form of this command to restore the default.

radius-server timeout seconds

| Keyword or argument | Description |
| --- | --- |
| seconds | Integer that specifies the timeout interval in seconds. |
Use the show kerberos creds EXEC command to display the contents of your credentials cache. The show kerberos creds command is equivalent to the UNIX klist command.

show kerberos creds

To display your current level of privilege, use the show privilege EXEC command.

show privilege

To control the number of login attempts that can be made on a line set up for TACACS verification, use the tacacs-server attempts global configuration command. Use the no form of this command to remove this feature and restore the default.

tacacs-server attempts count

| Keyword or argument | Description |
| --- | --- |
| count | Integer that sets the number of attempts. |
To have the Cisco IOS software indicate whether a user can perform an attempted action under TACACS and extended TACACS, use the tacacs-server authenticate global configuration command.

tacacs-server authenticate {enable | slip [always] [access-lists]}

| Keyword or argument | Description |
| --- | --- |
| enable | Configures a required response when a user enters the enable command. |
| slip | Configures a required response when a user starts a SLIP or PPP session. |
| always | (Optional) Performs authentication even when a user is not logged in. This option only applies to the slip keyword. |
| access-lists | (Optional) Requests and installs access lists. This option only applies to the slip keyword. |
To send only a username to a specified server when a directed request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to disable the directed-request feature.

tacacs-server directed-request

To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.

tacacs-server extended

To specify a TACACS+ server host, use the tacacs-server host global configuration command. The per-server timeout and key options override the global values for that server only.

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

| Keyword or argument | Description |
| --- | --- |
| hostname | Name or IP address of the host. |
| single-connection | Specify that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure only). This command contains no auto-detect and fails if the specified host is not running a CiscoSecure daemon. |
| port | Specify a server port number. |
| integer | Port number of the server (in the range 1 to 10,000). |
| timeout | Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only. |
| integer | Integer value, in seconds, of the timeout interval. |
| key | Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only. |
| string | Character string specifying the authentication and encryption key. |
Use the tacacs-server key global configuration command to set the authentication and encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon. Use the no form of the command to disable the key.

tacacs-server key key

| Keyword or argument | Description |
| --- | --- |
| key | Key used for authentication and encryption. This key must match the key used on the TACACS+ daemon. |
To cause the network server to request the privileged password as verification, or to force successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no tacacs-server last-resort command to restore the system to the default behavior.

tacacs-server last-resort {password | succeed}

| Keyword or argument | Description |
| --- | --- |
| password | Allows the user to access the EXEC command mode by entering the password set by the enable command. |
| succeed | Allows the user to access the EXEC command mode without further question. |
Use the tacacs-server notify global configuration command to cause a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to 5 minutes. Use the no form of this command to disable notification.

tacacs-server notify {enable | logout [always] | slip [always]}

| Keyword or argument | Description |
| --- | --- |
| always | (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords. |
| enable | Specifies that a message be transmitted when a user enters the enable command. |
| logout | Specifies that a message be transmitted when a user logs out. |
| slip | Specifies that a message be transmitted when a user starts a SLIP or PPP session. |
To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.

tacacs-server optional-passwords

To specify the number of times the Cisco IOS software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.

tacacs-server retransmit retries

| Keyword or argument | Description |
| --- | --- |
| retries | Integer that specifies the retransmit count. |

To set the interval that the server waits for a server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.

tacacs-server timeout seconds

| Keyword or argument | Description |
| --- | --- |
| seconds | Integer that specifies the timeout interval in seconds. |
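The AAA method-list, tacacs-server and radius-server commands in this chapter are normally configured as one unit; the following is an added example of that combination, not text from the original reference. The server addresses 10.0.0.5 and 10.0.0.6, Loopback0, the list name CONSOLE, the username admin and the placeholder keys are assumptions.

```cisco
! Added example (constructed values): TACACS+ for login, enable and
! command authorization, RADIUS for PPP dial-in, local fallback when
! no server answers.
aaa new-model
!
! Local user checked before any server (local-override), and used as
! the last method in every list so a dead server cannot lock us out.
username admin password <LOCAL-PASSWORD-PLACEHOLDER>
aaa authentication local-override
aaa authentication login default tacacs+ local
! Console gets its own named list that never depends on the network.
aaa authentication login CONSOLE local
! Privileged mode: ask the TACACS+ server, else the enable password.
aaa authentication enable default tacacs+ enable
! PPP users: RADIUS, skipping CHAP/PAP when already authenticated.
aaa authentication ppp default if-needed radius local
! Authorization for EXEC shells, network services and level-15 commands.
aaa authorization exec tacacs+ local
aaa authorization network radius
aaa authorization command 15 tacacs+ local
!
! TACACS+ server; the per-host timeout and key override the global
! values for this server only. The key must match the daemon's.
tacacs-server host 10.0.0.5 timeout 5 key <TACACS-KEY-PLACEHOLDER>
tacacs-server key <TACACS-KEY-PLACEHOLDER>
tacacs-server timeout 10
tacacs-server retransmit 2
ip tacacs source-interface Loopback0
!
! RADIUS server for dial-in; shared secret must match the RADIUS daemon.
radius-server host 10.0.0.6
radius-server key <RADIUS-KEY-PLACEHOLDER>
radius-server timeout 5
radius-server retransmit 3
ip radius source-interface Loopback0
!
! Apply the method lists to lines and to the dial-in interface.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
interface Async1
 encapsulation ppp
 ppp authentication chap pap default
```

Both source-interface commands pin the source address to Loopback0 so the TACACS+ and RADIUS daemons can be configured with one client address regardless of which physical interface the packet leaves on.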