- aaa authentication banner through aaa group server tacacs+
- aaa nas port extended through address ipv6 (TACACS+)
- authentication command bounce-port ignore through auth-type
- clear dot1x through clear eap
- client through crl
- crypto ca authenticate through crypto ca trustpoint
- crypto key generate rsa
- Index
aaa nas port extended through address ipv6 (TACACS+)
- aaa nas port extended
- aaa new-model
- aaa route download
- aaa server radius dynamic-author
- access-list (IP standard)
- address ipv6 (config-radius-server)
- address ipv6 (TACACS+)
aaa nas port extended
To replace the NAS-Port attribute with RADIUS IETF attribute 26 and to display extended field information, use the aaa nas port extendedcommand inglobal configuration mode. To display no extended field information, use the no form of this command.
aaa nas port extended
no aaa nas port extended
Syntax Description
This command has no arguments or keywords.
Command Default
Disabled
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
11.3 |
This command was introduced. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Usage Guidelines
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation will not provide a unique NAS-Port attribute that permits distinguishing between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 will appear as NAS-Port = 20101 due to the 16-bit field size limitation associated with RADIUS IETF NAS-Port attribute.
In this case, the solution is to replace the NAS-Port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). Cisco’s vendor ID is 9, and the Cisco-NAS-Port attribute is subtype 2. Vendor-specific attributes (VSAs) can be turned on by entering the radius-server vsa send command. The port information in this attribute is provided and configured using the aaa nas port extended command.
The standard NAS-Port attribute (RADIUS IETF attribute 5) will continue to be sent. If you do not want this information to be sent, you can suppress it by using the no radius-server attribute nas-port command. When this command is configured, the standard NAS-Port attribute will no longer be sent.
Examples
The following example specifies that RADIUS will display extended interface information:
radius-server vsa send aaa nas port extended
Related Commands
Command |
Description |
---|---|
radius-server extended-portnames |
Displays expanded interface information in the NAS-Port attribute. |
radius-server vsa send |
Configures the network access server to recognize and use vendor-specific attributes. |
aaa new-model
To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.
aaa new-model
no aaa new-model
Syntax Description
This command has no arguments or keywords.
Command Default
AAA is not enabled.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
10.0 |
This command was introduced. |
12.4(4)T |
Support for IPv6 was added. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA |
12.2(33)SXI |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
Cisco IOS XE Release 2.5 |
This command was integrated into Cisco IOS XE Release 2.5. |
15.1(2)SNG |
This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers. |
Usage Guidelines
This command enables the AAA access control system.
Examples
The following example initializes AAA:
aaa new-model
Related Commands
Command |
Description |
---|---|
aaa accounting |
Enables AAA accounting of requested services for billing or security purposes. |
aaa authentication arap |
Enables an AAA authentication method for ARAP using TACACS+. |
aaa authentication enable default |
Enables AAA authentication to determine if a user can access the privileged command level. |
aaa authentication login |
Sets AAA authentication at login. |
aaa authentication ppp |
Specifies one or more AAA authentication method for use on serial interfaces running PPP. |
aaa authorization |
Sets parameters that restrict user access to a network. |
aaa route download
To enable the static route download feature and set the amount of time between downloads, use the aaa route download command in global configuration mode. To disable this function, use the no form of this command.
aaa route download [time] [ authorization method-list ]
no aaa route download
Syntax Description
time |
(Optional) Time between downloads, in minutes. The range is from 1 to 1440 minutes. |
authorization method-list |
(Optional) Specify a named method list to which RADIUS authorization requests for static route downloads are sent. If these attributes are not set, all RADIUS authorization requests will be sent to the servers that are specified by the default method list. |
Command Default
The default period between downloads (updates) is 720 minutes.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.0(3)T |
This command was introduced. |
12.1 |
This command was integrated into Cisco IOS Release 12.1. |
12.2(8)T |
The authorization keyword was added; the method-list argument was added. |
12.2(28)SB |
This command was integrated into Cisco IOS Release 12.2(28)SB. |
12.2(33)SRC |
This command was integrated into Cisco IOS Release 12.2(33)SRC. |
Usage Guidelines
This command is used to download static route details from the authorization, authentication, and accounting (AAA) server if the name of the router is hostname. The name passed to the AAA server for static routes is hostname-1, hostname-2... hostname-n--the router downloads static routes until it fails an index and no more routes can be downloaded.
Examples
The following example sets the AAA route update period to 100 minutes:
aaa route download 100
The following example sets the AAA route update period to 10 minutes and sends static route download requests to the servers specified by the method list name “list1”:
aaa route download 10 authorization list1
Related Commands
Command |
Description |
---|---|
aaa authorization configuration default |
Downloads static route configuration information from the AAA server using TACACS+ or RADIUS. |
clear ip route download |
Clears static routes downloaded from a AAA server. |
show ip route |
Displays all static IP routes, or those installed using the AAA route download function. |
aaa server radius dynamic-author
To configure a device as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server, use the aaa server radius dynamic-authorcommand in global configuration mode. To remove this configuration, use the no form of this command.
aaa server radius dynamic-author
no aaa server radius dynamic-author
Syntax Description
This command has no arguments or keywords.
Command Default
The device will not function as a server when interacting with external policy servers.
Command Modes
Global configuration
Command History
Release |
Modification |
---|---|
12.2(28)SB |
This command was introduced. |
12.4 |
This command was integrated into Cisco IOS Release 12.4. |
Cisco IOS XE Release 2.6 |
This command was integrated into Cisco IOS XE Release 2.6. |
12.2(5)SXI |
This command was integrated into Cisco IOS Release 12.2(5)SXI. |
15.2(2)T |
This command was integrated into Cisco IOS Release 15.2(2)T. |
Usage Guidelines
Dynamic authorization allows an external policy server to dynamically send updates to a device. Once the aaa server radius dynamic-author command is configured, dynamic authorization local server configuration mode is entered. Once in this mode, the RADIUS application commands can be configured.
Dynamic Authorization for the Intelligent Services Gateway (ISG)
ISG works with external devices, referred to as policy servers, that store per-subscriber and per-service information. ISG supports two models of interaction between the ISG device and external policy servers: initial authorization and dynamic authorization.
The dynamic authorization model allows an external policy server to dynamically send policies to the ISG. These operations can be initiated in-band by subscribers (through service selection) or through the actions of an administrator, or applications can change policies on the basis of an algorithm (for example, change session quality of service (QoS) at a certain time of day). This model is facilitated by the Change of Authorization (CoA) RADIUS extension. CoA introduced peer-to-peer capability to RADIUS, enabling ISG and the external policy server each to act as a RADIUS client and server.
Examples
The following example configures the ISG to act as a AAA server when interacting with the client at IP address 10.12.12.12:
aaa server radius dynamic-author client 10.12.12.12 key cisco message-authenticator ignore
Related Commands
Command |
Description |
---|---|
auth-type (ISG) |
Specifies the server authorization type. |
client |
Specifies a RADIUS client from which a device will accept CoA and disconnect requests. |
default |
Sets a RADIUS application command to its default. |
domain |
Specifies username domain options. |
ignore |
Overrides a behavior to ignore certain paremeters. |
port |
Specifies a port on which local RADIUS server listens. |
server-key |
Specifies the encryption key shared with RADIUS clients. |
access-list (IP standard)
To define a standard IP access list, use the s tandard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command.
access-list access-list-number { deny | permit } source [source-wildcard] [ log [word] ]
no access-list access-list-number
Syntax Description
Command Default
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Modes
Global configuration (config)
Command History
Release |
Modification |
---|---|
10.3 |
This command was introduced. |
11.3(3)T |
The log keyword was added. |
12.2(33)SRA |
This command was integrated into Cisco IOS Release 12.2(33)SRA. |
12.2SX |
This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware. |
12.4(22)T |
The word argument was added to the log keyword. |
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Caution | Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting these images. |
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.168.34.0 0.0.0.255 access-list 1 permit 10.88.0.0 0.0.255.255 access-list 1 permit 10.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63 ! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 10.48.0.3 access-list 2 permit 10.48.0.3 0.0.0.0
The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63 ! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected. In addition, the logging mechanism is enabled and the word SampleUserValue is appended to each syslog entry.
Router(config)# access-list 1 permit 10.29.2.64 0.0.0.63 log SampleUserValue
Related Commands
Command |
Description |
---|---|
access-class |
Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list. |
access-list (IP extended) |
Defines an extended IP access list. |
access-list remark |
Writes a helpful comment (remark) for an entry in a numbered IP access list. |
deny (IP) |
Sets conditions under which a packet does not pass a named access list. |
distribute-list in (IP) |
Filters networks received in updates. |
distribute-list out (IP) |
Suppresses networks from being advertised in updates. |
ip access-group |
Controls access to an interface. |
ip access-list logging hash-generation |
Enables hash value generation for ACE syslog entries. |
permit (IP) |
Sets conditions under which a packet passes a named access list. |
remark (IP) |
Writes a helpful comment (remark) for an entry in a named IP access list. |
show access-lists |
Displays the contents of current IP and rate-limit access lists. |
show ip access-list |
Displays the contents of all current IP access lists. |
address ipv6 (config-radius-server)
To configure the IPv6 address for the RADIUS server accounting and authentication parameters, use the address ipv6 command in RADIUS server configuration mode. To remove the specified RADIUS server accounting and authentication parameters, use the no form of this command.
address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]
no address ipv6 { hostname | ipv6address } [ acct-port port | alias { hostname | ipv6address } | auth-port port [ acct-port port ] ]
Syntax Description
hostname |
Domain Name System (DNS) name of the RADIUS server host. |
ipv6address |
RADIUS server IPv6 address. |
acct-port port |
(Optional) Specifies the User Datagram Protocol (UDP) port for the RADIUS accounting server for accounting requests. The default port is 1646. |
alias {hostname | ipv6address} |
(Optional) Specifies an alias for this server. The alias can be an IPv6 address or hostname. Up to eight aliases can be configured for this server. |
auth-port port |
(Optional) Specifies the UDP port for the RADIUS authentication server. The default port is 1645. |
Command Default
The RADIUS server accounting and authentication parameters are not configured.
Command Modes
RADIUS server configuration (config-radius-server)
Command History
Release |
Modification |
---|---|
15.2(2)T |
This command was introduced. |
Usage Guidelines
The aaa new-model command must be configured before accessing this command.
The Cisco TrustSec (CTS) feature uses Secure RADIUS to prescribe a process of authentication, authorization, session association, encryption, and traffic filtering.
Before an alias can be configured for the RADIUS server, the server’s IPv6 address or DNS name must be configured. This is accomplished by using the address ipv6 command and the hostname argument. An alias can then be configured by using the address ipv6 command, the alias keyword, and the hostname argument.
Examples
The following example shows how to configure the RADIUS server accounting and authentication parameters:
Device(config)# aaa new-model Device(config)# radius server myserver Device(config-radius-server)# address ipv6 2001:DB8:1::1 acct-port 1813 auth-port 1812
Related Commands
Command |
Description |
---|---|
aaa new-model |
Enables the AAA access control model. |
address ipv4 |
Configures the IPv4 address for the RADIUS server accounting and authentication parameters. |
radius server |
Specifies the name for the RADIUS server configuration and enters RADIUS server configuration mode. |
address ipv6 (TACACS+)
To configure the IPv6 address of the TACACS+ server, use the address ipv6 command in TACACS+ server configuration mode. To remove the IPv6 address, use the no form of this command.
address ipv6 ipv6-address
no address ipv6 ipv6-address
Syntax Description
ipv6-address |
The private TACACS+ server host. |
Command Default
No TACACS+ server is configured.
Command Modes
TACACS+ server configuration (config-server-tacacs)
Command History
Release |
Modification |
---|---|
Cisco IOS XE Release 3.2S |
This command was introduced. |
Usage Guidelines
Use the address ipv6 (TACACS+) command after you have enabled the TACACS+ server using the tacacs server command.
Examples
The following example shows how to specify the IPv6 address on a TACACS+ server named server1:
Router (config)# tacacs server server1 Router(config-server-tacacs)# address ipv6 2001:0DB8:3333:4::5
Related Commands
Command |
Description |
---|---|
tacacs server |
Configures the TACACS+ server for IPv6 or IPv4 and enters config server tacacs mode. |