- tacacs+ abort
- tacacs+ commit
- tacacs+ distribute
- tacacs-server deadtime
- tacacs-server directed-request
- tacacs-server host
- tacacs-server key
- tacacs-server test
- tacacs-server timeout
- telnet
- telnet server enable
- telnet6
- terminal verify-only
- test aaa authorization command-type
- time-range
- trustedCert
- use-vrf
- user-certdn-match
- user-pubkey-match
- user-switch-bind
- username
- userprofile
- vlan access-map
- vlan filter
- vlan policy deny
- vrf policy deny
T to V Commands
This chapter describes the Cisco NX-OS Security commands that begin with T to V.
tacacs+ abort
To discard a TACACS+ Cisco Fabric Services (CFS) distribution session in progress, use the tacacs+ abort command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
Examples
This example shows how to discard a TACACS+ CFS distribution session in progress:
Related Commands
tacacs+ commit
To apply the pending configuration pertaining to the TACACS+ Cisco Fabric Services (CFS) distribution session in progress in the fabric, use the tacacs+ commit command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
Before committing the TACACS+ configuration to the fabric, all switches in the fabric must have distribution enabled using the tacacs+ distribute command.
CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Examples
This example shows how to apply a TACACS+ configuration to the switches in the fabric.
Related Commands
tacacs+ distribute
To enable Cisco Fabric Services (CFS) distribution for TACACS+, use the tacacs+ distribute command. To disable this feature, use the no form of the command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Examples
This example shows how to enable TACACS+ fabric distribution:
Related Commands
tacacs-server deadtime
To set a periodic time interval where a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.
When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the dead-time interval and enable periodic monitoring:
This example shows how to revert to the default dead-time interval and disable periodic monitoring:
Related Commands
Sets a dead-time interval for monitoring a nonresponsive TACACS+ server.
tacacs-server directed-request
To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed-request command. To revert to the default, use the no form of this command.
tacacs-server directed-request
no tacacs-server directed-request
Syntax Description
Defaults
Sends the authentication request to the configured TACACS+ server groups.
Command Modes
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
The user can specify username@vrfname:hostname during login, where vrfname is the virtual routing and forwarding (VRF) name to use and hostname is the name of a configured TACACS+ server. The username is sent to the server name for authentication.
Note: If you enable the directed-request option, the Cisco NX-OS device uses only the RADIUS method for authentication and not the default local method.
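The directed-request login form described above decides where an authentication request is routed. The following model is an added example written for this chapter, not NX-OS code; the regular expression, the `route_login` function and its dictionary result are assumptions of the example, and the behaviour for an unknown hostname (rejection) is an assumption because the page only states that the hostname must be a configured server.

```python
import re

# Constructed model of the username@vrfname:hostname login form. The regex,
# the function name and the result shape are this example's assumptions.
_DIRECTED_LOGIN = re.compile(r"^(?P<user>[^@\s]+)@(?P<vrf>[^:\s]+):(?P<host>\S+)$")


def route_login(login: str, configured_servers: set, directed_request: bool) -> dict:
    """Decide where the authentication request for a typed login string goes.

    Returns the username that is actually sent plus either the named server
    and VRF (directed request) or the default TACACS+ server groups.
    """
    m = _DIRECTED_LOGIN.match(login)
    if not directed_request or m is None:
        # Default behaviour: the whole string is the username and the request
        # goes to the configured TACACS+ server groups. Treating an @vrf:host
        # suffix as part of the username when the option is off is an
        # assumption of this model; the page does not describe that case.
        return {"username": login, "target": "server-groups", "vrf": None, "server": None}

    host = m.group("host")
    if host not in configured_servers:
        # Assumption: the page requires hostname to be a configured server,
        # so an unknown name is rejected instead of being silently rerouted.
        raise ValueError(f"{host!r} is not a configured TACACS+ server")

    return {
        "username": m.group("user"),
        "target": "directed",
        "vrf": m.group("vrf"),
        "server": host,
    }


if __name__ == "__main__":
    servers = {"tac1", "tac2"}  # constructed server names
    print(route_login("alice@management:tac1", servers, directed_request=True))
    print(route_login("alice", servers, directed_request=True))
```

The useful check for an operator is the third branch: with directed-request enabled, a login naming a server that is not configured should fail visibly rather than fall back to some other server, since the option bypasses the default method list.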
Examples
This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:
This example shows how to disallow users to send authentication requests to a specific TACACS+ server when logging in:
Related Commands
tacacs-server host
To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the default setting, use the no form of this command.
tacacs-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret ] [ port port-number ]
[ test { idle-time time | password password | username name }]
[ timeout seconds ] [single-connection]
no tacacs-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret ] [ port port-number ]
[ test { idle-time time | password password | username name }]
[ timeout seconds ] [single-connection]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
Examples
This example shows how to configure TACACS+ server host parameters:
Related Commands
tacacs-server key
To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.
tacacs-server key [ 0 | 6 | 7 ] shared-secret
no tacacs-server key [ 0 | 6 | 7 ] shared-secret
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must configure the TACACS+ preshared key to authenticate the device to the TACACS+ server. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the device. You can override this global key assignment by using the key keyword in the tacacs-server host command.
You must use the feature tacacs+ command before you configure TACACS+.
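The key rules in the usage guidelines (at most 63 characters, printable ASCII, no white space) and the global-versus-per-host precedence are easy to get wrong when keys are generated by a script. The following is an added example, not NX-OS code: `validate_tacacs_key` and `effective_key` are names chosen here, and the host-keys dictionary stands in for the per-host key set with the tacacs-server host command.

```python
import string
from typing import Optional

# Printable ASCII with all whitespace removed: the character set the page
# allows for a TACACS+ shared secret.
MAX_KEY_LEN = 63
_ALLOWED = set(string.printable) - set(string.whitespace)


def validate_tacacs_key(key: str) -> list:
    """Return the rule violations for a shared secret; an empty list means acceptable."""
    problems = []
    if not key:
        problems.append("key is empty")
    if len(key) > MAX_KEY_LEN:
        problems.append(f"longer than {MAX_KEY_LEN} characters")
    bad = sorted({c for c in key if c not in _ALLOWED})
    if bad:
        problems.append(
            "contains whitespace or non-printable/non-ASCII characters: " + repr("".join(bad))
        )
    return problems


def effective_key(host: str, host_keys: dict, global_key: Optional[str]) -> Optional[str]:
    """The key given on 'tacacs-server host ... key' overrides the global tacacs-server key.

    host_keys maps server host -> per-host key (constructed shape for this example).
    Returns None when neither a per-host nor a global key exists, which means the
    device has nothing to authenticate itself to that server with.
    """
    return host_keys.get(host, global_key)


if __name__ == "__main__":
    # Constructed sample values
    print(validate_tacacs_key("S3cret!Key"))      # []
    print(validate_tacacs_key("bad key"))         # whitespace violation
    print(effective_key("10.0.0.1", {"10.0.0.1": "hostkey"}, "globalkey"))
```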
Examples
The following example shows how to configure TACACS+ server shared keys:
Related Commands
tacacs-server test
To monitor the availability of all TACACS+ servers without having to configure the test parameters for each server individually, use the tacacs-server test command. To disable this configuration, use the no form of this command.
tacacs-server test { idle-time time | password password | username name }
no tacacs-server test { idle-time time | password password | username name }
Syntax Description
Defaults
Server monitoring: Disabled
Idle time: 0 minutes
Test username: test
Test password: test
Command Modes
Command History
Usage Guidelines
To use this command, you must enable TACACS+ authentication.
Any servers for which test parameters are not configured are monitored using the global level parameters.
Test parameters that are configured for individual servers take precedence over global test parameters.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
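Two precedence rules on this page interact: a per-server dead-time greater than 0 overrides the server group's dead-time (tacacs-server deadtime guidelines), and per-server test parameters override the global tacacs-server test parameters, with an idle time of 0 disabling periodic monitoring. The model below is an added example written for this chapter, not NX-OS code; the dataclasses, `monitoring_report` and the field names are assumptions of the example, and the rules are taken only from the usage guidelines.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of how per-server, server-group and global TACACS+
# monitoring parameters combine. Illustrative only; not NX-OS source.


@dataclass
class TestParams:
    idle_time: int = 0        # minutes between test logins; 0 = no periodic monitoring
    username: str = "test"    # page defaults for the test username and password
    password: str = "test"


@dataclass
class TacacsServer:
    host: str
    deadtime: int = 0                  # per-server dead-time in minutes; 0 = not set
    test: Optional[TestParams] = None  # per-server test parameters; None = not configured


@dataclass
class ServerGroup:
    name: str
    servers: list
    deadtime: int = 0                  # group-level dead-time in minutes


@dataclass
class GlobalConfig:
    test: TestParams = field(default_factory=TestParams)  # tacacs-server test ...


def effective_deadtime(server: TacacsServer, group: Optional[ServerGroup]) -> int:
    """A per-server dead-time greater than 0 wins; otherwise the group's value applies."""
    if server.deadtime > 0:
        return server.deadtime
    return group.deadtime if group is not None else 0


def effective_test(server: TacacsServer, cfg: GlobalConfig) -> TestParams:
    """Per-server test parameters take precedence over the global ones."""
    return server.test if server.test is not None else cfg.test


def monitoring_report(group: ServerGroup, cfg: GlobalConfig) -> dict:
    """Map each host to its effective values and whether any monitoring runs."""
    report = {}
    for srv in group.servers:
        dt = effective_deadtime(srv, group)
        tp = effective_test(srv, cfg)
        report[srv.host] = {
            "deadtime": dt,
            "idle_time": tp.idle_time,
            "test_user": tp.username,
            # Dead-time monitoring needs an effective dead-time > 0; periodic
            # test logins need an effective idle-time > 0 (page guidelines).
            "deadtime_monitoring": dt > 0,
            "periodic_test": tp.idle_time > 0,
        }
    return report


if __name__ == "__main__":
    # Constructed sample configuration
    group = ServerGroup(
        "tac-grp",
        [
            TacacsServer("10.0.0.1", deadtime=5),
            TacacsServer("10.0.0.2", test=TestParams(idle_time=3, username="probe")),
            TacacsServer("10.0.0.3"),
        ],
        deadtime=2,
    )
    for host, row in monitoring_report(group, GlobalConfig()).items():
        print(host, row)
```

The last server in the sample is the case worth noticing: with no per-server test parameters and the global idle time left at its default of 0, it inherits the group dead-time but is never actively tested, so a silently failing server is only noticed when a real authentication times out.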
Examples
This example shows how to configure the parameters for global TACACS+ server monitoring:
Related Commands
tacacs-server timeout
To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
Seconds between retransmissions to the TACACS+ server. The range is from 1 to 60 seconds.
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the TACACS+ server timeout value:
This example shows how to revert to the default TACACS+ server timeout value:
Related Commands
telnet
To create a Telnet session using IPv4 on the Cisco NX-OS device, use the telnet command.
telnet { ipv4-address | hostname } [ port-number ] [ vrf vrf-name ]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the Telnet server using the feature telnet command.
To create a Telnet session with IPv6 addressing, use the telnet6 command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
Examples
This example shows how to start a Telnet session using an IPv4 address:
Related Commands
telnet server enable
To enable the Telnet server for a virtual device context (VDC), use the telnet server enable command. To disable the Telnet server, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
This command was deprecated and replaced with the feature telnet command.
Usage Guidelines
Examples
This example shows how to enable the Telnet server:
This example shows how to disable the Telnet server:
Related Commands
telnet6
To create a Telnet session using IPv6 on the Cisco NX-OS device, use the telnet6 command.
telnet6 { ipv6-address | hostname } [ port-number ] [ vrf vrf-name ]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the Telnet server using the feature telnet command.
To create a Telnet session with IPv4 addressing, use the telnet command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
Examples
This example shows how to start a Telnet session using an IPv6 address:
Related Commands
terminal verify-only
To enable command authorization verification on the command-line interface (CLI), use the terminal verify-only command. To disable this feature, use the no form of this command.
terminal verify-only [ username username ]
terminal no verify-only [ username username ]
Syntax Description
(Optional) Specifies the username for which to verify command authorization.
Defaults
The default for the username keyword is the current user session.
Command Modes
Command History
Usage Guidelines
When you enable command authorization verification, the CLI indicates if the command is successfully authorized for the user but does not execute the command.
The command authorization verification uses the methods configured in the aaa authorization commands default command and the aaa authorization config-commands default command.
Examples
This example shows how to enable command authorization verification:
This example shows how to disable command authorization verification:
Related Commands
test aaa authorization command-type
To test the TACACS+ command authorization for a username, use the test aaa authorization command-type command.
test aaa authorization command-type { commands | config-commands } user username command command-string
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use the test aaa authorization command-type command, you must enable the TACACS+ feature using the feature tacacs+ command.
You must configure a TACACS+ group on the Cisco NX-OS device using the aaa server group command before you can test the command authorization.
Examples
This example shows how to test the TACACS+ command authorization for a username:
Related Commands
time-range
To configure a time range, use the time-range command. To remove a time range, use the no form of this command.
Syntax Description
Name of the time range, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
Command Modes
Command History
Usage Guidelines
This command does not require a license.
You can use a time range in permit and deny commands for IPv4 and IPv6 ACLs.
Examples
This example shows how to use the time-range command and enter time range configuration mode:
Related Commands
Specifies a time range that has a specific start date and time.
Specifies a time range that is active one or more times per week.
trustedCert
To configure the attribute name, search filter, and base-DN for the trusted certificate search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the trustedCert command. To disable this configuration, use the no form of this command.
trustedCert attribute-name attribute-name search-filter filter base-DN base-DN-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the trusted certificate search operation in order to send a search query to the LDAP server:
Related Commands
use-vrf
To specify a virtual routing and forwarding instance (VRF) name for a RADIUS, TACACS+, or LDAP server group, use the use-vrf command. To remove the VRF name, use the no form of this command.
Syntax Description
Defaults
Command Modes
RADIUS server group configuration
TACACS+ server group configuration
LDAP server group configuration
Command History
Usage Guidelines
You can configure only one VRF instance for a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode, the aaa group server tacacs+ command to enter TACACS+ server group configuration mode, or the aaa group server ldap command to enter LDAP server group configuration mode.
If the server is not found, use the radius-server host command, the tacacs-server host command, or the ldap-server host command to configure the server.
Note: You must use the feature tacacs+ command before you configure TACACS+ or the feature ldap command before you configure LDAP.
Examples
This example shows how to specify a VRF name for a RADIUS server group:
This example shows how to specify a VRF name for a TACACS+ server group:
This example shows how to remove the VRF name from a TACACS+ server group:
This example shows how to specify a VRF name for an LDAP server group:
This example shows how to remove the VRF name from an LDAP server group:
Related Commands
user-certdn-match
To configure the attribute name, search filter, and base-DN for the certificate DN match search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-certdn-match command. To disable this configuration, use the no form of this command.
user-certdn-match attribute-name attribute-name search-filter filter base-DN base-DN-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the certificate DN match search operation in order to send a search query to the LDAP server:
Related Commands
user-pubkey-match
To configure the attribute name, search filter, and base-DN for the public key match search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-pubkey-match command. To disable this configuration, use the no form of this command.
user-pubkey-match attribute-name attribute-name search-filter filter base-DN base-DN-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the public key match search operation in order to send a search query to the LDAP server:
Related Commands
user-switch-bind
To configure the attribute name, search filter, and base-DN for the user-switchgroup search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the user-switch-bind command. To disable this configuration, use the no form of this command.
user-switch-bind attribute-name attribute-name search-filter filter base-DN base-DN-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the user-switchgroup search operation in order to send a search query to the LDAP server:
Related Commands
username
To create and configure a user account in a virtual device context (VDC), use the username command. To remove a user account, use the no form of this command.
username user-id [ expire date ] [ password [ 0 | 5 ] password ] [ role role-name ]
username user-id [ sshkey { key | file filename }]
username user-id [ keypair generate { rsa [ bits [force]] | dsa [force]}]
username user-id [ keypair {export | import} {bootflash: filename | volatile: filename } {rsa | dsa} [force]]
username user-id [ priv-lvl n] [ expire date ] [ password [ 0 | 5 ] password ]
Syntax Description
Defaults
Unless specified, usernames have no expire date, password, or SSH key.
In the default VDC, the default role is network-operator if the creating user has the network-admin role, or the default role is vdc-operator if the creating user has the vdc-admin role.
In nondefault VDCs, the default user role is vdc-operator.
You cannot delete the default admin user role. Also, you cannot change the expire date or remove the network-admin role for the default admin user role.
To specify privilege levels, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. There is no default privilege level.
Command Modes
Command History
Usage Guidelines
The Cisco NX-OS software creates two default user accounts in the VDC: admin and adminbackup. The nondefault VDCs have one default user account: admin. You cannot remove a default user account.
User accounts are local to the VDCs. You can create user accounts with the same user identifiers in different VDCs.
The Cisco NX-OS software accepts only strong passwords when you have password-strength checking enabled using the password strength-check command. The characteristics of a strong password include the following:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
To use this command, you must enable the cumulative privilege of roles using the feature privilege command.
A passphrase is required when you export or import the key-pair. The passphrase encrypts the exported private key for the user and decrypts it during import.
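The strong-password characteristics listed in the usage guidelines can be turned into a pre-check that a provisioning script runs before it issues a username command, so that a weak password is caught before the device rejects it. The following is an added example, not the NX-OS password strength-check implementation: the function names, the small dictionary and proper-name lists, and the thresholds of four consecutive and three repeating characters (the page says only "many", giving "abcd" and "aaabbb" as examples) are assumptions of this example.

```python
import re

# Constructed word lists; a real check would load a full dictionary and name list.
DICTIONARY_WORDS = {"password", "welcome", "cisco", "admin", "secret", "switch"}
PROPER_NAMES = {"alice", "bob", "carol", "dave"}

# Assumed thresholds for "many" consecutive / repeating characters.
CONSECUTIVE_RUN = 4   # e.g. "abcd" or "1234"
REPEAT_RUN = 3        # e.g. "aaa" (so "aaabbb" fails)


def _has_consecutive_run(pw: str, length: int = CONSECUTIVE_RUN) -> bool:
    """True if `length` characters in a row each increase by one code point."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(length - 1)):
            return True
    return False


def _has_repeating_run(pw: str, length: int = REPEAT_RUN) -> bool:
    """True if the same character appears `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password_strength(pw: str) -> list:
    """Return the list of violated characteristics; an empty list means strong."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if _has_consecutive_run(pw):
        problems.append("contains consecutive characters")
    if _has_repeating_run(pw):
        problems.append("contains repeating characters")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        problems.append("contains a proper name")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("does not contain both uppercase and lowercase characters")
    if not any(c.isdigit() for c in pw):
        problems.append("does not contain a number")
    return problems


def is_strong(pw: str) -> bool:
    return not check_password_strength(pw)


if __name__ == "__main__":
    # Constructed sample passwords
    for candidate in ("Xk7#pQ2v", "Welcome1", "abcd1234", "aaabbbCc1"):
        print(candidate, check_password_strength(candidate) or "strong")
```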
Examples
This example shows how to create a user account with a password and a user role:
This example shows how to configure the SSH key for a user account:
This example shows how to generate the SSH public and private keys and store them in the home directory of the Cisco NX-OS device for the user:
This example shows how to export the public and private keys from the home directory of the Cisco NX-OS device to the bootflash directory:
The private key is exported as the file that you specify, and the public key is exported with the same filename followed by a .pub extension.
This example shows how to import the exported public and private keys from the bootflash directory to the home directory of the Cisco NX-OS device:
The private key is imported as the file that you specify, and the public key is imported with the same filename followed by a .pub extension.
This example shows how to assign privilege level 15 to the user:
Related Commands
Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
Displays the current privilege level, username, and status of cumulative privilege support.
userprofile
To configure the attribute name, search filter, and base-DN for the user profile search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the userprofile command. To disable this configuration, use the no form of this command.
userprofile attribute-name attribute-name search-filter filter base-DN base-DN-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the user profile search operation in order to send a search query to the LDAP server:
Related Commands
vlan access-map
Note: The specification defines sequence numbers for access maps, where each sequence number can carry an action command and match commands; the CLI does not expose sequence numbers.
To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.
vlan access-map map-name [ sequence-number ]
no vlan access-map map-name [ sequence-number ]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Each VLAN access-map entry can include one action command and one or more match commands.
Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.
Examples
This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:
Related Commands
vlan filter
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name vlan-list VLAN-list
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
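The partial unapply semantics described above (remove the map from a subset of VLANs, or from all of them when the VLAN-list is omitted) are the kind of thing an automation script must reproduce exactly to avoid leaving a VLAN unfiltered. The following model is an added example written for this chapter, not NX-OS code: the VLAN-list parser, the `state` dictionary (VLAN ID to applied map name) and the function names are assumptions of the example, and rejecting a second map on a VLAN that already has one is an assumption, since the page states only that a VLAN can carry one access map.

```python
from typing import Iterable, Optional


def parse_vlan_list(spec: str) -> set:
    """Expand a VLAN-list such as '20-45,50' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Collapse VLAN IDs back into 'a-b,c' notation (empty string for no VLANs)."""
    ids = sorted(vlans)
    ranges, start = [], None
    for i, v in enumerate(ids):
        if start is None:
            start = v
        if i + 1 == len(ids) or ids[i + 1] != v + 1:
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(ranges)


def apply_vlan_filter(state: dict, map_name: str, vlan_list: str) -> dict:
    """'vlan filter map-name vlan-list VLAN-list': bind the map to every listed VLAN."""
    targets = parse_vlan_list(vlan_list)
    # Only one access map per VLAN. This model rejects a conflicting apply rather
    # than guessing replacement semantics (assumption; the page states only the limit).
    conflicts = {v: state[v] for v in targets if state.get(v, map_name) != map_name}
    if conflicts:
        raise ValueError(f"VLANs already carry another access map: {conflicts}")
    for v in targets:
        state[v] = map_name
    return state


def unapply_vlan_filter(state: dict, map_name: str, vlan_list: Optional[str] = None) -> dict:
    """'no vlan filter map-name [vlan-list VLAN-list]': omit the list to remove it everywhere."""
    targets = parse_vlan_list(vlan_list) if vlan_list else set(state)
    for v in targets:
        if state.get(v) == map_name:
            del state[v]
    return state


def vlans_for_map(state: dict, map_name: str) -> str:
    """The VLAN-list on which `map_name` is currently applied, in CLI notation."""
    return format_vlan_list(v for v, m in state.items() if m == map_name)


if __name__ == "__main__":
    # Reproduces the page's example: apply to 20-45, then unapply 30-32.
    s = apply_vlan_filter({}, "vlan-map-01", "20-45")
    unapply_vlan_filter(s, "vlan-map-01", "30-32")
    print(vlans_for_map(s, "vlan-map-01"))   # 20-29,33-45
```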
Examples
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
This example shows how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:
Related Commands
vlan policy deny
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.
Examples
This example shows how to enter user role VLAN policy configuration mode for a user role:
This example shows how to revert to the default VLAN policy for a user role:
Related Commands
Creates or specifies a user role and enters user role configuration mode.
vrf policy deny
To enter virtual routing and forwarding instance (VRF) policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.
Examples
This example shows how to enter VRF policy configuration mode for a user role:
This example shows how to revert to the default VRF policy for a user role:
Related Commands
Creates or specifies a user role and enters user role configuration mode.