Index


A

AAA (authentication, authorization, and accounting)

accounting services, enabling SC-52

authentication SC-9

authorization, enabling SC-50

configuring

AAA service restrictions SC-3

accounting method lists SC-45

authentication method lists SC-39

authorization method lists SC-41

individual users SC-22

login parameters SC-54

prerequisites for AAA services SC-3

RADIUS server groups SC-35

remote AAA SC-8

router to RADIUS server communication SC-24

services (examples) SC-55

TACACS+ server SC-32

TACACS+ server groups SC-37

task groups for task-based authorization SC-18

user groups SC-20

database SC-7

interim accounting records, generating SC-48

per VRF (VPN routing and forwarding) definition SC-30

task-based authorization

task groups, definition SC-6

task IDs SC-12

user and group attributes SC-4

user groups

definition SC-5

inheritance SC-5

predefined SC-5

privilege level mapping as an alternative to task IDs SC-15

XML schema SC-15

aaa accounting command SC-48

aaa accounting update command SC-48

accept-lifetime command SC-221

accept-tolerance command SC-216

address ipv4 (MPP) command SC-243

address ipv6 (MPP) command SC-246

allow command SC-243, SC-246

antireplay window (IPSec)

checking a crypto profile SC-170

description SC-145

expanding and disabling globally procedure SC-169

auto-update definition SC-91

B

banner

definition SC-91

banner command SC-102

browser-proxy definition SC-91

C

certification authority interoperability

See also certificates; CRLs; IPSec; RAs

authenticating the CA SC-68

CA description SC-61

configuring

domain names (example) SC-64

host names (examples) SC-64

trusted points SC-66

description SC-268

generating RSA (Rivest, Shamir, and Adleman) key pairs SC-65

manual enrollment, cutting and pasting SC-70

requesting certificates from the CA SC-69

supported standards

Internet Key Exchange (IKE) Security protocol SC-61

IP Network Security (IPSec) protocol SC-61

Public-Key Cryptography Standard #10 (PKCS#10) SC-61

Public-Key Cryptography Standard #7 (PKCS#7) SC-61

RSA (Rivest, Shamir, and Adleman) keys SC-61

Secure Socket Layer (SSL) protocol SC-61

X.509v3 certificate SC-61

Cisco Systems-supported security standards SC-79

clear crypto session command SC-90

clock set command SC-253

configuring

outbound traffic (key chain) SC-222

control-plane command SC-243

control plane protection, MPP

CoPP (Control Plane Policing) SC-241

definition SC-241

cryptographic-algorithm command SC-223

crypto ipsec df-bit command SC-167

crypto ipsec pmtu command SC-192

crypto ipsec pre-fragmentation command SC-177

crypto ipsec profile command SC-170

crypto ipsec security-association idle-time command SC-174

crypto ipsec security-association replay disable command SC-169

crypto ipsec security-association replay window-size command SC-169

crypto ipsec server send-update command SC-91

crypto ipsec transform-set command SC-160

crypto isakmp client configuration group command SC-102

crypto keyrings

configuring SC-116

guidelines and restrictions SC-116

crypto mib ipsec flowmib history failure size command SC-182

crypto nat-transparency command SC-172

D

deadtime command SC-36

DES (Data Encryption Standard)

IKE policy parameter SC-82

description (ISAKMP peer) command SC-90

DF (Don't Fragment) bit override

configuring SC-167

description SC-144

DPD (Dead Peer Detection) message, configuring SC-126

E

Easy VPN (Virtual Private Network) features

auto-update SC-91

banner SC-91

URL configuration description SC-92

encryption algorithm

See also IKE algorithms

end-time, key chain management SC-214

H

hash algorithm

See IKE, algorithms

high availability overview SC-149

hitless key rollover

accept-tolerance command SC-216

hitless key rollover, configuring SC-216

I

IKE (Internet Key Exchange Security Protocol)

Advanced Encryption Standard (AES)

definition SC-80

algorithms

encryption SC-95

hash SC-96

MD5 (Message Digest 5) SC-80

options SC-83

SHA (Secure Hash Algorithm), definition SC-80

authentication methods SC-83, SC-96

Call Admission Control (CAC)

limiting CPU resources consumed SC-89

Call Admission Control (CAC) definition SC-89

configuring

a banner as a client group attribute for Cisco Easy VPN Server SC-102

auto-update as a group attribute for the Cisco Easy VPN Server SC-103

browser-proxy as a client group attribute for the Cisco Easy VPN Server SC-105

client group attributes for Cisco Easy VPN Server SC-102

IKE security association (SA) limit for call admission control SC-112

ISAKMP group policy attributes SC-97

ISAKMP identity SC-85

policies SC-95

definition SC-79

DES (Data Encryption Standard)

definition SC-80

DH (Diffie-Hellman)

IKE policy parameter SC-82

specifying the group identifier SC-96

DPD (Dead Peer Detection)

periodic message SC-93

Easy VPN (Virtual Private Network) features

browser-proxy SC-91

enabling and disabling SC-93

enabling config-isakmp command mode SC-95

extended authentication SC-88

Internet Security Association and Key Management Protocol (ISAKMP)

definition SC-80

ISAKMP peer description SC-90

keyring configuration mode enablement SC-109

keys

mask preshared SC-86

preshared

configuring (example)     1

See keys, preshared; keys, preshared using AAA server; RSA keys

negotiations SC-82

Oakley Key Exchange Protocol definition SC-80

policies

configuring (example) SC-128

identifying SC-95

multiple SC-84

parameters SC-83

purpose SC-81

viewing SC-96

Public Key Cryptographic Protocol

Diffie-Hellman SC-80

public key cryptographic system

RSA (Rivest, Shamir, and Adleman)

signatures     1

requirements

RSA encrypted nonces method SC-85

RSA signatures method SC-85

RFC 2408, ISAKMP SC-80

RSA (Rivest, Shamir, and Adleman)

encrypted nonces SC-80, SC-82

signatures

authentication method     1

Skeme Key Exchange Protocol

definition SC-80

VPN monitoring

adding an IKE peer description SC-118

clearing a crypto session SC-90, SC-120

X.509v3 certificates standard SC-81

See also IPSec; RSA encrypted nonces; SAs

inband management interface, MPP

allow command SC-243

definition SC-240

inband command SC-243

interface command SC-243

interface service-gre command SC-149

interface service-ipsec command SC-148

IP Network Security Protocol (IPSec)

definition SC-80

IPSec (IP Network Security Protocol)

CAs

implementing with SC-63

implementing without SC-63

checkpointing SC-144

configuring

default path MTU (maximum transmission unit) SC-192

IPSec failure history table size SC-182

NAT transparency SC-172

crypto access lists SC-142

cautions, creating SC-183

creating SC-158

purpose SC-142

crypto profiles SC-140

applying to transport SC-184

applying to tunnel-ipsec interfaces SC-183

configuring static or dynamic SC-161

dynamic crypto profile description SC-141

IPSec-protected GRE virtual interfaces, configuring SC-189

IPSec VPN SPA

antireplay window SC-145

DF bit override description SC-144

NAT transparency SC-145

prefragmentation SC-145

restrictions SC-139

load balancing SC-149

PFS (perfect forward secrecy) description SC-144

prerequisites for implementation SC-139

restrictions for implementation SC-139

setting global lifetimes SC-156

transform sets

defining SC-160

description SC-142

virtual interfaces

configuring IPSec-protected GRE SC-189

virtual interfaces (IPSec)

description SC-148

IPSec support for SNMP (Simple Network Management Protocol) SC-147

IPSec VPN SPA

description SC-147

displaying the SPA hardware type SC-147, SC-196

DPD message SC-93

load balancing and high availability SC-149

SA idle timers SC-145

ISAKMP

See also IKE

ISAKMP profile

description SC-86

locally sourced and destined traffic procedure SC-121

K

key (key chain) command SC-218

key chain command SC-215

key chain management

configuring SC-215, SC-225

key identifiers SC-217

key string text SC-219

outbound traffic SC-222

description SC-214

end-time SC-214

key lifetime SC-214

key validation SC-220

start-time SC-214

keyring command SC-121

key-string command SC-220

L

lawful intercept, implementing SC-229

M

MAC (message authentication code) SC-223

authentication option SC-214

cryptographic algorithm procedure SC-223

management plane

MPP feature SC-242

management-plane command SC-243

match identity command SC-121

MD5 (Message Digest 5)

IKE policy parameter SC-82

MPLS (Multiprotocol Label Switching), encapsulated packets SC-149

MPP (Management Plane Protection)

benefits SC-242

control plane protection SC-241

description SC-239, SC-242

device configuration SC-243

management interface

inband SC-240

out-of-band SC-241

management plane

description SC-241

peer-filtering option SC-241

N

NAT transparency (IPSec) description SC-145

O

Oakley key exchange protocol

See also IKE

out-of-band command SC-246

out-of-band management interface, MPP

definition SC-241

P

peer-filtering option

definition SC-241

peer keyword

inband interface SC-244

out-of-band interface SC-247

per VRF (VPN routing and forwarding) AAA

procedure SC-30

server-private command SC-31

supported VSAs SC-30

prefragmentation

dependencies SC-146

description SC-145

disabling

service-gre interfaces SC-178

service-ipsec interfaces SC-177

preshared keys

using the AAA Server SC-87

R

RADIUS

configuring

dead-server detection SC-28

UDP ports SC-25

operation SC-17

radius-server dead-criteria time command SC-29

radius-server dead-criteria tries command SC-29

radius-server deadtime command SC-28

RAs (registration authorities)

See CAs

reverse-route command SC-162, SC-180

RFC 2409, The Internet Key Exchange SC-79

RRI (reverse-route injection)

configuring in a crypto profile SC-180

description SC-150

RSA (Rivest, Shamir, and Adleman)

encrypted nonces

requirements SC-84, SC-85

keys

configuring manually SC-106

configuring peers SC-108

deleting SC-66

generating SC-106

signatures SC-85

requirements SC-84

S

SA (security association) for IPSec VPN SPA

idle timers

configuring for each crypto profile SC-175

configuring globally SC-174

description SC-145

lifetimes SC-174

SAM (Software Authentication Manager) description SC-253

SAs (security associations)

lifetimes

configuring SC-96

global values     1

IKE policy parameter SC-82

operation SC-143

resource limit configuration SC-114

self-identity command SC-121

send-lifetime command SC-223

server-private command SC-31, SC-35

service-location command SC-148

set interface tunnel-ipsec command SC-121

set pfs command SC-144

set security-association idle-time command SC-162

set security-association lifetime command SC-162

set security-association replay disable command SC-162

set session-key inbound ah command SC-162

set session-key inbound esp command SC-162

set session-key outbound ah command SC-162

set session-key outbound esp command SC-162

SHA (Secure Hash Algorithm)

IKE policy parameter SC-82

show crypto session command SC-90

show diags command SC-147

show key chain command SC-216

show mgmt-plane command SC-243

show radius dead-criteria host command SC-29

show route command SC-180, SC-186, SC-190

Skeme key exchange protocol

See also IKE

SSH (Secure Shell)

client

3DES support SC-258

configuring SC-262

description SC-258

server support SC-258

configuring SC-258

prerequisites SC-256

restrictions SC-256

server SC-257

SFTP (Standard File Transfer Protocol) description SC-258

supported versions SC-255

troubleshooting SC-263

SSL (Secure Socket Layer)

configuring SC-269

description SC-267

prerequisites SC-268

start-time, key chain management SC-214

static IPSec virtual interfaces, configuring SC-186

T

tunnel vrf (IPSec) command SC-149

U

URL configuration description SC-92

V

VPN monitoring

enhancements SC-89

per-IKE peer, function SC-90

summary status SC-90

vrf (AAA) command SC-31

vrf (IPSec) command SC-149

vrf (MPP) command SC-246

vrf-aware (IPSec) description SC-149

VSAs (vendor-specific attributes)

per VRF AAA SC-30

supported VSAs SC-30