Cisco CRS User Manual

IOS XR System Security Command Reference
Cisco IOS XR System Security Command Reference for the Cisco CRS
Router, Release 4.1
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-24740-01

  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    deadtime (server-group configuration), description (AAA), group (AAA), inherit taskgroup, inherit usergroup, key (RADIUS), key (TACACS+), login authentication, password (AAA), radius-server dead-criteria time, radius-server dead-criteria tries
  • Page 4 timeout (RADIUS), timeout (TACACS+), timeout login response, usergroup, username, users group, vrf (RADIUS)
  • Page 5 Chapter 5, Management Plane Protection Commands: address ipv4 (MPP), allow, control-plane, inband, interface (MPP), management-plane, out-of-band, show mgmt-plane
  • Page 6 Chapter 7, Software Authentication Manager Commands: sam add certificate
  • Page 7 Chapter 9, Secure Socket Layer Protocol Commands: show ssl
  • Page 9: Obtaining Documentation And Submitting A Service Request

    Preface This guide describes the commands used to display and configure system security on Cisco IOS XR software. For System Security configuration information and examples, refer to the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 11 • inherit taskgroup, page 34 • inherit usergroup, page 36 • key (RADIUS), page 38 • key (TACACS+), page 40 • login authentication, page 42
  • Page 12 • tacacs source-interface, page 105 • task, page 107 • taskgroup, page 109 • timeout (RADIUS), page 111 • timeout (TACACS+), page 113
  • Page 13 • usergroup, page 117 • username, page 119 • users group, page 123 • vrf (RADIUS), page 125 • vrf (TACACS+), page 127
  • Page 14: Aaa Accounting

    • group named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting, as defined by the aaa group server tacacs+ or aaa group server radius command. Command Default AAA accounting is disabled.
  • Page 15 The list name can be applied to a line (console, aux, or vty template) to enable accounting on that particular line. The Cisco IOS XR software supports both TACACS+ and RADIUS methods for accounting. The router reports user activity to the security server in the form of accounting records, which are stored on the security server.
  • Page 16 Related Commands: aaa authorization, on page 16 Creates a method list for authorization.
  • Page 17: Aaa Accounting System Default

    The default method list is automatically applied to all interfaces or lines. If no default method list is defined, then no accounting takes place.
  • Page 18 Related Commands: aaa authentication, on page 13 Creates a method list for authentication. aaa authorization, on page 16 Creates a method list for authorization.
  • Page 19: Aaa Accounting System Rp-Failover

    Examples This is an example of configuring the aaa accounting system rp-failover command for the default accounting list: RP/0/RP0/CPU0:router(config)# aaa accounting system rp-failover default start-stop none
  • Page 20 Related Commands: aaa attribute format Creates an AAA attribute format name.
  • Page 21: Aaa Accounting Update

  • Page 22 Related Commands: aaa accounting, on page 4 Creates a method list for accounting. aaa authorization, on page 16 Creates a method list for authorization.
  • Page 23: Aaa Authentication

    • line—Specifies a method list that uses the line password for authentication. Command Default Default behavior applies local authentication on all ports. Command Modes Global configuration or Administration configuration
  • Page 24 The following example shows how to specify the remote method list for authentication, and also enable authentication for the console in administration configuration mode: RP/0/RP0/CPU0:router# admin RP/0/RP0/CPU0:router(admin)# configure RP/0/RP0/CPU0:router(admin-config)# aaa authentication login remote local group tacacs+
  • Page 25 aaa group server tacacs+, on page 22 Groups different TACACS+ server hosts into distinct lists and distinct methods. login authentication, on page 42 Enables AAA authentication for logins. tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 26: Aaa Authorization

    Command Default Authorization is disabled for all actions (equivalent to the none method keyword). Command Modes Global configuration
  • Page 27 TACACS+), in sequence. Method lists enable you to designate one or more security protocols for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, Cisco IOS XR software selects the next method listed in the method list. Fallback occurs only when a method does not respond (for example, every server in the group times out); a method that responds with a denial ends the request, and later methods in the list are not consulted.
  • Page 28 TACACS+ authorization is used: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa authorization commands listname1 group tacacs+ Related Commands: aaa accounting, on page 4 Creates a method list for accounting.
  • Page 29: Aaa Default-Taskgroup

    Examples The following example shows how to specify taskgroup1 as the default task group for remote TACACS+ authentication: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa default-taskgroup taskgroup1
  • Page 30: Aaa Group Server Radius

    The server group cannot be named radius or tacacs. This command enters server group configuration mode. You can use the server command to associate a particular RADIUS server with the defined server group.
  • Page 31 timeout (RADIUS), on page 111 Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting. vrf (RADIUS), on page 125 Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
  • Page 32: Aaa Group Server Tacacs

    Group name methods refer to a set of previously defined TACACS+ servers. Note: Use the tacacs-server host command to configure the host servers. Task ID: Operations read, write
  • Page 33 server (TACACS+), on page 63 Specifies the host name or IP address of an external TACACS+ server. tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 34: Accounting (Line)

    If a method list is not specified this way, no accounting is applied to the selected line or group of lines. Task ID: Operations read, write
  • Page 35 RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# accounting commands listname2 Related Commands: aaa accounting, on page 4 Creates a method list for accounting.
  • Page 36: Authorization (Line)

    Use the authorization command to apply the specified method lists (or, if none is specified, the default method list) to the selected line or group of lines. Task ID: Operations read, write
  • Page 37 RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template configure RP/0/RP0/CPU0:router(config-line)# authorization commands listname4 Related Commands: aaa authorization, on page 16 Creates a method list for authorization.
  • Page 38: Deadtime (Server-Group Configuration)

    RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server 1.1.1.1 auth-port 1645 acct-port 1646 RP/0/RP0/CPU0:router(config-sg-radius)# server 2.2.2.2 auth-port 2000 acct-port 2001 RP/0/RP0/CPU0:router(config-sg-radius)# deadtime 1
  • Page 39 RADIUS server as dead. radius-server deadtime, on page 50 Defines the length of time in minutes for a RADIUS server to remain marked dead.
  • Page 40: Description (Aaa)

    RP/0/RP0/CPU0:router(config-tg)# description this is a sample taskgroup The following example shows the creation of a user group description: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# usergroup alpha RP/0/RP0/CPU0:router(config-ug)# description this is a sample user group
  • Page 41 IDs. usergroup, on page 117 Accesses user group configuration mode and configures a user group by associating it with a set of task groups.
  • Page 42: Group (Aaa)

    The predefined group root-system may be specified only by root-system users while configuring administration. Use the group command in username configuration mode. To access username configuration mode, use the username command (on page 119) in global configuration mode.
  • Page 43 username, on page 119 Accesses username configuration mode, configures a new user with a username, and establishes a password and permissions for that user.
  • Page 44: Inherit Taskgroup

    Any changes made to the task group from which permissions are inherited are reflected immediately in the inheriting task group. Task ID: Operations read, write
  • Page 45 In the following example, the permissions of task group tg2 are inherited by task group tg1: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# taskgroup tg1 RP/0/RP0/CPU0:router(config-tg)# inherit taskgroup tg2 RP/0/RP0/CPU0:router(config-tg)# end
  • Page 46: Inherit Usergroup

    Operations read, write Examples The following example shows how to enable the purchasing user group to inherit properties from the sales user group: RP/0/RP0/CPU0:router# configure
  • Page 47 taskgroup, on page 109 Configures a task group to be associated with a set of task IDs. usergroup, on page 117 Configures a user group to be associated with a set of task groups.
  • Page 48: Key (Radius)

    The following example shows how to set the encrypted key to anykey: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server radius group1 RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300 RP/0/RP0/CPU0:router(config-sg-radius-private)# key anykey
  • Page 49 timeout (RADIUS), on page 111 Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.
  • Page 50: Key (Tacacs+)

    TACACS+ server so that the packets are decrypted properly. If the keys do not match, the exchange fails. Task ID: Operations read, write
  • Page 51 tacacs-server host, on page 99 Specifies a TACACS+ host. tacacs-server key, on page 102 Globally sets the authentication encryption key used for all TACACS+ communications between the router and the TACACS+ daemon.
  • Page 52: Login Authentication

    Before issuing this command, create a list of authentication processes by using the aaa authentication login command. Task ID: Operations read, write
  • Page 53 RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# line template template2 RP/0/RP0/CPU0:router(config-line)# login authentication list1 Related Commands: aaa authentication, on page 13 Creates a method list for authentication.
  • Page 54: Password (Aaa)

    Note: The show running-config command always displays the clear-text login password in encrypted form when the 0 option is used. That stored form is Cisco type 7, which is a reversible encoding rather than a hash: it protects against casual viewing of the configuration only. Where the clear text must not be recoverable from the configuration, use the secret command instead.
  • Page 55 line template Enters line template configuration mode for the specified line template. For more information, see the Cisco IOS XR System Management Command Reference.
  • Page 56: Radius-Server Dead-Criteria Time

    If a packet has not been received since the router booted and there is a timeout, the time criterion is treated as though it were met. Task ID: Operations read, write
  • Page 57 radius-server deadtime, on page 50 Defines the length of time, in minutes, for a RADIUS server to remain marked dead. show radius dead-criteria, on page 84 Displays information for the dead-server detection criteria.
  • Page 58: Radius-Server Dead-Criteria Tries

    Note: If you configure the radius-server dead-criteria tries command before the radius-server deadtime command, the radius-server dead-criteria tries command may not be enforced. Task ID: Operations read, write
  • Page 59 radius-server deadtime, on page 50 Defines the length of time, in minutes, for a RADIUS server to remain marked dead. show radius dead-criteria, on page 84 Displays information for the dead-server detection criteria.
  • Page 60: Radius-Server Deadtime

    This example specifies five minutes of deadtime for RADIUS servers that fail to respond to authentication requests: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server deadtime 5
  • Page 61: Radius-Server Key

    RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 0 samplekey This example shows how to set the encrypted shared key to "anykey": RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server key 7 anykey Note that the 7 form expects a string that is already in Cisco type 7 form (for example, copied from another device's running configuration), not a clear-text key. Type 7 is a reversible encoding, not encryption: it hides the key from casual viewing but does not protect it from anyone who can read the configuration, so configuration backups containing it must be handled as secrets.
  • Page 62: Radius-Server Retransmit

    To specify the number of times the Cisco IOS XR software retransmits a packet to a server before giving up, use the radius-server retransmit command. The no form of this command sets it to the default value of 3.
  • Page 64: Radius-Server Timeout

    Task ID: Operations read, write Examples This example shows how to change the interval timer to 10 seconds: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius-server timeout 10
  • Page 65: Radius Source-Interface

    RADIUS packets from a particular router have the same IP address. Task ID: Operations read, write
  • Page 66 This example shows how to make RADIUS use the IP address of interface Loopback 10 in VRF vrf1 for all outgoing RADIUS packets: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# radius source-interface loopback 10 vrf vrf1
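    The RADIUS pages from deadtime (server-group configuration) through radius source-interface each document one knob of the same dead-server and timer machinery. As an added example, not taken from the Cisco reference, this configuration sets the global dead-criteria and deadtime, pins the source address, and defines a server group whose private servers carry their own keys and timers with a group-level deadtime that overrides the global one. Loopback0, VRF MGMT, the addresses 192.0.2.20 and 192.0.2.21, the group name RAD-MGMT and the placeholder keys are assumptions; the 0 clear-text keyword on the per-server key command is assumed by analogy with radius-server key and should be confirmed in the key (RADIUS) page for this release.

```cisco
! Added example, not from the Cisco reference. Names, addresses and keys
! are placeholders.
configure
 ! Global timers and dead-server detection (radius-server timeout,
 ! radius-server retransmit, radius-server dead-criteria, radius-server deadtime).
 ! A server is marked dead only after 20 s without any reply AND 4 consecutive
 ! timeouts, and then stays dead for 10 minutes unless the group says otherwise.
 radius-server timeout 5
 radius-server retransmit 3
 radius-server dead-criteria time 20 tries 4
 radius-server deadtime 10
 !
 ! One stable source address, so the RADIUS server's client entry can be
 ! restricted to it (radius source-interface).
 radius source-interface Loopback0 vrf MGMT
 !
 ! Server group with private servers. Per-server key/timeout/retransmit
 ! override the globals; the group-level deadtime (5 min) overrides the
 ! global 10 min for these two servers only.
 aaa group server radius RAD-MGMT
  vrf MGMT
  server-private 192.0.2.20 auth-port 1812 acct-port 1813
   key 0 replace-with-secret-for-server-20
   timeout 3
   retransmit 2
  !
  server-private 192.0.2.21 auth-port 1812 acct-port 1813
   key 0 replace-with-secret-for-server-21
   timeout 3
   retransmit 2
  !
  deadtime 5
 !
 aaa authentication login MGMT-AUTHEN group RAD-MGMT local
 commit
end
!
! Verification: the computed dead criteria per server, the group membership,
! and the per-server counters (timeouts, bad authenticators).
show radius dead-criteria host 192.0.2.20 auth-port 1812 acct-port 1813
show radius server-groups
show radius
```

    Ports 1812/1813 are used here because they are the IANA-assigned RADIUS ports; the reference's defaults of 1645/1646 are the historical Cisco values and must match whatever the server actually listens on. A non-zero "bad authenticators" counter in show radius is the first place to look when the shared secrets disagree.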
  • Page 67: Retransmit (Radius)

    RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300 RP/0/RP0/CPU0:router(config-sg-radius-private)# retransmit 100 Related Commands: aaa group server radius Groups different RADIUS server hosts into distinct lists.
  • Page 68 timeout (RADIUS), on page 111 Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting.
  • Page 69: Secret

    Usage Guidelines Cisco IOS XR software allows you to store user login secrets as Message Digest 5 (MD5) hashes rather than as clear text. MD5 is a one-way hash function: the stored digest cannot be reversed to recover the clear-text password, so the clear text cannot be retrieved from the configuration. Note that a one-way hash protects the password only against direct reading of the configuration; MD5 is fast to compute, so a weak password remains exposed to offline guessing by anyone who obtains the hash. Prefer secret over password, and use long passphrases for local accounts.
  • Page 70 username, on page 119 Accesses username configuration mode and configures a new user with a username, establishing a password and granting permissions for that user.
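    The taskgroup, usergroup, inherit taskgroup, inherit usergroup, description (AAA), group (AAA), username and secret pages describe a local role model one command at a time. As an added example, not Cisco's own, this builds a read-only and a read-write role end to end and shows how to verify the effective task map. The group and user names and the placeholder passphrases are assumptions; bgp, ospf, interface and logging are used only as representative task IDs that exist on IOS XR, and secret 0 (clear-text entry, hashed on commit) should be confirmed against the secret page for this release.

```cisco
! Added example, not from the Cisco reference. Group names, user names and
! passphrases are placeholders.
configure
 ! Task groups are the unit of authority: every task ID and operation is
 ! granted explicitly (taskgroup, task, description (AAA)).
 taskgroup TG-NETOPS-RO
  description read-only view of routing and interfaces
  task read bgp
  task read ospf
  task read interface
  task read logging
 !
 taskgroup TG-NETOPS-RW
  description netops engineers: read-only set plus write on routing
  inherit taskgroup TG-NETOPS-RO
  task write bgp
  task write ospf
  task execute bgp
 !
 ! User groups map task groups onto people (usergroup, inherit usergroup).
 usergroup UG-NETOPS-RO
  description first-line NOC
  taskgroup TG-NETOPS-RO
 !
 usergroup UG-NETOPS
  description network engineers
  inherit usergroup UG-NETOPS-RO
  taskgroup TG-NETOPS-RW
 !
 ! Local users (username, group (AAA), secret). secret stores a one-way hash;
 ! password stores a reversible type 7 string and is avoided here.
 username noc1
  group UG-NETOPS-RO
  secret 0 replace-with-strong-passphrase
 !
 username netops1
  group UG-NETOPS
  secret 0 replace-with-strong-passphrase
 !
 commit
end
!
! Verify the effective permissions rather than trusting the intent:
! inherited task IDs are flattened into these views.
show aaa usergroup UG-NETOPS
show aaa taskgroup TG-NETOPS-RW
show user tasks
```

    Because inheritance is live (a change to TG-NETOPS-RO shows up in TG-NETOPS-RW at once), review changes to a base task group as changes to every group that inherits from it. The show aaa output is the authoritative view; the predefined root-lr and root-system groups are reserved and should not be handed out through inheritance.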
  • Page 71: Server (Radius)

    IP address and UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS host entries providing a specific AAA service. If two different host entries
  • Page 72 deadtime (server-group configuration) Configures the deadtime value at the RADIUS server group level. server-private (RADIUS), on page 65 Configures the IP address of the private RADIUS server for the group server.
  • Page 73: Server (Tacacs+)

    The following example shows how to associate the TACACS+ server with the IP address 192.168.60.15 with the server group tac1: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ tac1 RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 192.168.60.15
  • Page 74 Related Commands: aaa group server tacacs+, on page 22 Groups different TACACS+ server hosts into distinct lists.
  • Page 75: Server-Private (Radius)

    Command Default If no port attributes are defined, the defaults are as follows: • Authentication port: 1645 • Accounting port: 1646. Note that 1645/1646 are the historical Cisco defaults; the IANA-assigned RADIUS ports are 1812 (authentication) and 1813 (accounting). Set auth-port and acct-port explicitly to whatever the server actually listens on, since a mismatch shows up only as timeouts.
  • Page 76 radius-server key, on page 51 Sets the authentication and encryption key for all RADIUS communication between the router and the RADIUS daemon.
  • Page 77 timeout (RADIUS), on page 111 Specifies the number of seconds the router waits for the RADIUS server to reply before retransmitting. vrf (RADIUS), on page 125 Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
  • Page 78: Server-Private (Tacacs+)

    (for example, default tacacs+ server group) can still be referred to by IP addresses and port
  • Page 79 (AAA) server waits to receive a response from the TACACS+ server. vrf (TACACS+), on page 127 Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA TACACS+ server group.
  • Page 80: Show Aaa

    Displays details for all task groups. Note: For the taskgroup keywords, see the optional usergroup name keyword list. taskgroup-name (Optional) Task group whose details are to be displayed.
  • Page 81 IDs (including all inherited groups): Task: basic-services : READ WRITE EXECUTE DEBUG Task: : READ Task: diag : READ Task: ext-access : READ EXECUTE Task: logging : READ
  • Page 82 Task: root-lr : READ (reserved) Task: route-map : READ WRITE EXECUTE DEBUG Task: route-policy : READ WRITE EXECUTE DEBUG Task: : READ WRITE EXECUTE DEBUG
  • Page 83 DEBUG Task: : READ WRITE EXECUTE DEBUG Task: : READ WRITE EXECUTE DEBUG Task: : READ WRITE EXECUTE DEBUG Task: : READ WRITE EXECUTE DEBUG
  • Page 85 Related Commands: show user, on page 93 Displays task IDs enabled for the currently logged-in user.
  • Page 86: Show Radius

    0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt Server: 2.2.2.2/1645/1646 is UP Timeout: 10 sec, Retransmit limit: 3 Authentication:
  • Page 87 RADIUS server hosts before giving up. radius-server timeout, on page 54 Sets the interval for which a router waits for a server host to reply.
  • Page 88: Show Radius Accounting

    0 requests, 0 pending, 0 retransmits 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt
  • Page 89 aaa authentication, on page 13 Creates a method list for authentication. show radius authentication, on page 80 Obtains information and detailed statistics for the RADIUS authentication server and port.
  • Page 90: Show Radius Authentication

    0 requests, 0 pending, 0 retransmits 0 accepts, 0 rejects, 0 challenges 0 timeouts, 0 bad responses, 0 bad authenticators 0 unknown types, 0 dropped, 0 ms latest rtt
  • Page 91 aaa authentication, on page 13 Creates a method list for authentication. show radius accounting, on page 78 Obtains information and detailed statistics for the RADIUS accounting server and port.
  • Page 92: Show Radius Client

    show radius client To obtain general information about the RADIUS client on Cisco IOS XR software, use the show radius client command. show radius client Syntax Description This command has no keywords or arguments.
  • Page 93 server (RADIUS) Associates a particular RADIUS server with a defined server group. show radius, on page 76 Displays information about the RADIUS servers that are configured in the system.
  • Page 94: Show Radius Dead-Criteria

    RP/0/RP0/CPU0:router# show radius dead-criteria host 12.26.49.12 auth-port 11000 acct-port 11001 Server: 12.26.49.12/11000/11001 Dead criteria time: 10 sec (computed) tries: 10 (computed) This table describes the significant fields shown in the display.
  • Page 95 RADIUS server as dead. radius-server deadtime, on page 50 Defines the length of time in minutes for a RADIUS server to remain marked dead.
  • Page 96: Show Radius Server-Groups

    The following sample output is for the show radius server-groups command: RP/0/RP0/CPU0:router# show radius server-groups Global list of servers Contains 2 server(s)
  • Page 97 0 responses, 0 timeouts, 0 bad responses 0 bad authenticators, 0 unknown types, 0 dropped 0 ms latest rtt This table describes the significant fields shown in the display.
  • Page 98 Related Commands: vrf (RADIUS), on page 125 Configures the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an AAA RADIUS server group.
  • Page 99: Show Tacacs

    This table describes the significant fields shown in the display. Table 8: show tacacs Field Descriptions Field Description Server Server IP address.
  • Page 100 packets in Number of TCP packets that have been received from the external server. packets out Number of TCP packets that have been sent to the external server.
  • Page 101: Show Tacacs Server-Groups

    Server 12.26.49.12/9000 Server 12.26.25.61/23432 Server 5.5.5.5/23456 Server 1.1.1.1/49 Server group 'tac100' has 1 servers Server 12.26.49.12 This table describes the significant fields shown in the display.
  • Page 102 Table 9: show tacacs server-groups Field Descriptions Field Description Server Server IP address. Related Commands: tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 103: Show User

    • The sample output to display whether or not a task is reserved for the tasks keyword was updated. Usage Guidelines Use the show user command to display all user groups and task IDs associated with the currently logged-in user. Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1 OL-24740-01...
  • Page 104 : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1 OL-24740-01...
  • Page 105 : READ WRITE EXECUTE DEBUG Task: mpls-static : READ WRITE EXECUTE DEBUG Task: mpls-te : READ WRITE EXECUTE DEBUG Task: multicast : READ WRITE EXECUTE DEBUG Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1 OL-24740-01...
  • Page 106 EXECUTE DEBUG Related Commands Command Description show aaa , on page 70 Displays the task maps for selected user groups, local users, or task groups.
  • Page 107: Single-Connection

    This works only if the TACACS+ server is also configured in single-connection mode. To configure the TACACS+ server in single-connection mode, refer to the respective server manual.
    RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
    RP/0/RP0/CPU0:router(config-tacacs-host)# single-connection
  • Page 108 Authentication, Authorization, and Accounting Commands single-connection Related Commands Command Description tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 109: Tacacs-Server Host

    The port-name argument, if not specified, defaults to the standard port 49. The seconds argument, if not specified, defaults to 5 seconds. Command Modes Global configuration mode
  • Page 110 Usage Guidelines You can use multiple tacacs-server host commands to specify additional hosts. Cisco IOS XR software searches for hosts in the order in which you specify them. Task ID...
  • Page 111 Specifies a timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server.
  • Page 112: Tacacs-Server Key

    • auth-key Command History Release Modification Release 2.0 This command was introduced. Release 3.6.0 The following keywords were added: • 0 • 7 • auth-key
  • Page 113 (TACACS+), on page 40 Specifies an authentication and encryption key shared between the AAA server and the TACACS+ server. tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 114: Tacacs-Server Timeout

    The following example shows the interval timer being changed to 10 seconds:
    RP/0/RP0/CPU0:router(config)# tacacs-server timeout 10
    Related Commands Command Description tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 115: Tacacs Source-Interface

    When the specified interface does not have an IP address or is in a down state, TACACS+ behaves as if no source interface configuration is used.
  • Page 116
    RP/0/RP0/CPU0:router(config)# tacacs source-interface GigabitEthernet 0/0/0/29 vrf abc
    Related Commands Command Description aaa group server tacacs+, on page 22 Groups different server hosts into distinct lists and distinct methods.
  • Page 117: Task

    The following example shows how to enable execute privileges for the config-services task ID and associate that task ID with the task group named taskgroup1:
    RP/0/RP0/CPU0:router# configure
  • Page 118
    RP/0/RP0/CPU0:router(config-tg)# task execute config-services
    Related Commands Command Description taskgroup, on page 109 Configures a task group to be associated with a set of task IDs.
  • Page 119: Taskgroup

    Global configuration mode Command History Release Modification Release 2.0 This command was introduced. Release 3.3.0 Support was added to display all task groups in global configuration mode.
  • Page 120 (AAA), on page 30 Creates a task group description in task configuration mode. task, on page 107 Adds a task ID to a task group.
  • Page 121: Timeout (Radius)

    RP/0/RP0/CPU0:router(config-sg-radius)# server-private 10.1.1.1 auth-port 300
    RP/0/RP0/CPU0:router(config-sg-radius-private)# timeout 500
    Related Commands Command Description aaa group server tacacs+, on page 22 Groups different RADIUS server hosts into distinct lists.
  • Page 122 (RADIUS), on page 65 Configures the IP address of the private RADIUS server for the group server.
  • Page 123: Timeout (Tacacs+)

    The following example shows how to set the number of seconds for the timeout value:
    RP/0/RP0/CPU0:router(config)# tacacs-server host 209.165.200.226
    RP/0/RP0/CPU0:router(config-tacacs-host)# timeout 500
    Related Commands Command Description tacacs-server host, on page 99 Specifies a TACACS+ host.
  • Page 124 Authentication, Authorization, and Accounting Commands timeout (TACACS+)
  • Page 125: Timeout Login Response

    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# line template alpha
    RP/0/RP0/CPU0:router(config-line)# timeout login response 20
    Related Commands Command Description login authentication, on page 42 Enables AAA authentication for logging in.
  • Page 126 Authentication, Authorization, and Accounting Commands timeout login response
  • Page 127: Usergroup

    From global configuration mode, you can display all the configured user groups. However, you cannot display all the configured user groups in usergroup configuration mode. Task ID Task ID Operations read, write
  • Page 128 Enables a user group to derive permissions from another user group. taskgroup, on page 109 Configures a task group to be associated with a set of task IDs.
  • Page 129: Username

    (Optional) Name of a user group as defined with the usergroup command. Command Default No usernames are defined in the system. Command Modes Global configuration mode Administration configuration
  • Page 130 (CHAP) challenges, one username command entry must be the same as the hostname entry that has already been assigned to the other networking device. Task ID Task ID Operations read, write
  • Page 131 Command Description aaa authentication , on page 13 Defines a method list for authentication. group (AAA), on page 32 Adds a user to a group.
  • Page 132 Description password (AAA), on page 44 Creates a login password for a user. secret, on page 59 Creates a secure login secret for a user.
  • Page 133: Users Group

    Command Default None Command Modes Line template configuration Command History Release Modification Release 2.0 This command was introduced. Release 3.3.0 The serviceadmin keyword was added.
  • Page 134 In the following example, if a vty-pool is created with line template vty, users logging in through vty are given operator privileges:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# aaa authen login vty-authen line
    RP/0/RP0/CPU0:router(config)# commit
    RP/0/RP0/CPU0:router(config)# line template vty
    RP/0/RP0/CPU0:router(config-line)# users group operator
    RP/0/RP0/CPU0:router(config-line)# login authentication
  • Page 135: Vrf (Radius)

    RP/0/RP0/CPU0:router(config-sg-radius)# vrf vrf1
    Related Commands Command Description aaa group server tacacs+, on page 22 Groups different RADIUS server hosts into distinct lists and distinct methods.
  • Page 136 RADIUS packets. server-private (RADIUS), on page 65 Configures the IP address of the private RADIUS server for the group server.
  • Page 137: Vrf (Tacacs+)

    Examples This example shows how to use the vrf command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# aaa group server tacacs+ myserver
    RP/0/RP0/CPU0:router(config-sg-tacacs+)# server 9.27.10.6
    RP/0/RP0/CPU0:router(config-sg-tacacs+)# vrf abc
  • Page 138 TACACS+ packets. server-private (TACACS+), on page 68 Configures the IP address of the private TACACS+ server for the group server.
  • Page 139: Ipsec Commands

    • tunnel mode (IP), page 141 • tunnel tos (IP), page 142 • tunnel ttl (IP), page 143 • tunnel dfbit disable (IP), page 144
  • Page 140: Clear Crypto Ipsec Sa

    IPSec sessions or force IPSec to reestablish new SAs. Usually, the establishment of SAs is negotiated between peers through Internet Key Exchange (IKE) on behalf of IPSec. Task ID Task ID Operations crypto execute
  • Page 141 The following example shows how to remove the SA with ID 100 from the SADB:
    RP/0/RP0/CPU0:router# clear crypto ipsec sa 100
    Related Commands Command Description show crypto ipsec sa, on page 134 Displays the settings used by current SAs.
  • Page 142: Description (Ipsec Profile)

    Examples The following example shows the creation of a profile description:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# crypto ipsec profile newprofile
    RP/0/RP0/CPU0:router(config-newprofile)# description this is a sample profile
  • Page 143: Interface Tunnel-Ip (Gre)

    Task ID Operations interface read, write Examples The following example shows how to use the interface tunnel-ip command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# interface tunnel-ip 50000
    RP/0/RP0/CPU0:router(config-if)#
  • Page 144: Show Crypto Ipsec Sa

    • fvrf • ivrf • location Release 3.6.0 The upper limit for the sa-id argument range was increased to 64,500 sessions.
  • Page 145
    DPD: disable, mode none, timeout 0s
    sa idle timeout: disable, 0s
    sa anti-replay (HW accel): enable, window 64
    This table describes the significant fields shown in the display.
  • Page 146 The following sample output is from the show crypto ipsec sa command for the peer keyword:
    RP/0/RP0/CPU0:router# show crypto ipsec sa peer 172.19.72.120
    SA id: 2
    interface: tunnel0
  • Page 147
    172.19.72.120, remote crypto endpt: 172.19.70.92
    inbound esp sas:
    spi: 0x2777997c (662149500)
    transform: esp-3des-sha
    in use settings = Tunnel
    sa lifetime: 3600s, 4194303kb
  • Page 148: Show Crypto Ipsec Summary

    This table describes the significant fields shown in the display. Table 11: show crypto ipsec summary Field Descriptions Field Description Identifier for the security association.
  • Page 149 Mode Profile mode type. Profile Crypto profile in use. Transform Transform in use. Lifetime Lifetime value, displayed in seconds followed by kilobytes.
  • Page 150: Show Crypto Ipsec Transform-Set

    Transform set combined-des-sha: {esp-des esp-sha-hmac}
    Transform set tsfm2: {esp-md5-hmac esp-3des } Mode: Transport
    Transform set tsfm1: {esp-md5-hmac esp-3des } Mode: Tunnel
    Transform set ts1: {esp-des Mode: Tunnel
  • Page 151: Tunnel Mode (Ip)

    The following example shows how to set the encapsulation mode of the tunnel interface:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# interface tunnel-ip 1
    RP/0/RP0/CPU0:router(config-if)# tunnel mode gre ipv4
  • Page 152: Tunnel Tos (Ip)

    Examples The following example shows how to set the encapsulation mode of the tunnel interface:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# interface tunnel-ip 1
    RP/0/RP0/CPU0:router(config-if)# tunnel tos 134
  • Page 153: Tunnel Ttl (Ip)

    Examples The following example shows how to set the encapsulation mode of the tunnel interface:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# interface tunnel-ip 1
    RP/0/RP0/CPU0:router(config-if)# tunnel ttl 100
  • Page 154: Tunnel Dfbit Disable (Ip)

    Examples The following example shows how to set the encapsulation mode of the tunnel interface:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# interface tunnel-ip 1
    RP/0/RP0/CPU0:router(config-if)# tunnel dfbit disable
  • Page 155: Keychain Management Commands

    (key chain), page 150 • key chain (key chain), page 152 • key-string (keychain), page 154 • send-lifetime, page 156 • show key chain, page 158
  • Page 156: Accept-Lifetime

    This command was introduced. Release 3.6.0 The range values were added for the start-time argument. Usage Guidelines Task ID Task ID Operations system read, write
  • Page 157 (keychain), on page 154 Specifies the text for the key string. send-lifetime, on page 156 Sends the valid key. show key chain, on page 158 Displays the keychain.
  • Page 158: Accept-Tolerance

    Task ID Operations system read, write Examples The following example shows how to use the accept-tolerance command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)# accept-tolerance infinite
  • Page 159 Accepts the valid key. key chain (key chain), on page 152 Creates or modifies a keychain. show key chain, on page 158 Displays the keychain.
  • Page 160: Key (Key Chain)

    RP/0/RP0/CPU0:router(config-isis-keys-0x8)#
    Related Commands Command Description accept-lifetime, on page 146 Accepts the valid key. key chain (key chain), on page 152 Creates or modifies a keychain.
  • Page 161 (keychain), on page 154 Specifies the text for the key string. send-lifetime, on page 156 Sends the valid key. show key chain, on page 158 Displays the keychain.
  • Page 162: Key Chain (Key Chain)

    Examples The following example shows that the name of the keychain isis-keys is for the key chain command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# key chain isis-keys
    RP/0/RP0/CPU0:router(config-isis-keys)#
  • Page 163 (keychain), on page 154 Specifies the text for the key string. send-lifetime, on page 156 Sends the valid key. show key chain, on page 158 Displays the keychain.
  • Page 164: Key-String (Keychain)

    • The first two characters in the password string must be decimal digits and the rest must be hexadecimal digits. • The first two digits must not be a number greater than 53.
  • Page 165 (key chain), on page 152 Creates or modifies a keychain. send-lifetime, on page 156 Sends the valid key. show key chain, on page 158 Displays the keychain.
  • Page 166: Send-Lifetime

    This command was introduced. Release 3.6.0 The range values were added for the start-time argument. Usage Guidelines Task ID Task ID Operations system read, write
  • Page 167 Creates or modifies a keychain key. key chain (key chain), on page 152 Creates or modifies a keychain. key-string (keychain), on page 154 Specifies the text for the key string.
  • Page 168: Show Key Chain

    [Valid now]
    Accept lifetime: 01:00:00, 29 Jun 2006 - Always valid [Valid now]
    Related Commands Command Description accept-lifetime, on page 146 Accepts the valid key.
  • Page 169 Creates or modifies a keychain. key-string (keychain), on page 154 Specifies the text for the key string. send-lifetime, on page 156 Sends the valid key.
  • Page 170 Keychain Management Commands show key chain
  • Page 171: Lawful Intercept Commands

    Lawful Intercept Commands This module describes the Cisco IOS XR software commands used to configure lawful intercept (LI). For detailed information about lawful intercept concepts, configuration tasks, and examples, see the Implementing Lawful Intercept in the Cisco IOS XR Software configuration module.
  • Page 172: Lawful-Intercept Disable

    If you disable lawful intercept, all Mediation Devices and associated TAPs are deleted. Task ID Task ID Operations read, write Examples This example shows how to configure the lawful-intercept disable command:
    RP/0/RP0/CPU0:router(config)# lawful-intercept disable
  • Page 173: Management Plane Protection Commands

    For detailed information about management plane protection concepts, configuration tasks, and examples, see the Implementing Management Plane Protection on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 174: Address Ipv4 (Mpp)

    The following example shows how to configure the peer IPv6 address 33::33 for management traffic:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inbandout-of-band
    RP/0/RP0/CPU0:router(config-mpp-inbandoutband)# interface GigabitEthernet POS 0/16/10/12
    RP/0/RP0/CPU0:router(config-mpp-inbandoutband-GigabitEthernet0_1_1_1POS0_6_0_2)# allow
  • Page 175 175 Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode. show mgmt-plane, on page 177 Displays the management plane.
  • Page 176: Allow

    • The peer keyword was added to support peer-filtering. • Management plane protection out-of-band interface configuration mode was added. Release 4.0.0 The XML keyword was added.
  • Page 177
    RP/0/RP0/CPU0:router(config-ctrl-mpp)# inband interface all allow xml peer address ipv4 172.10.10.1
    Related Commands Command Description control-plane, on page 169 Configures the control plane. inband, on page 170 Configures an inband interface or protocol.
  • Page 178 175 Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode. show mgmt-plane, on page 177 Displays the management plane.
  • Page 179: Control-Plane

    The following example shows how to enter control plane configuration mode using the control-plane command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)#
    Related Commands Command Description management-plane, on page 174 Configures management plane protection to allow and disallow protocols.
  • Page 180: Inband

    The following example shows how to enter management plane protection inband configuration mode using the inband command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# inband
    RP/0/RP0/CPU0:router(config-mpp-inband)#
    Related Commands Command Description control-plane, on page 169 Configures the control plane.
  • Page 181 175 Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode. show mgmt-plane, on page 177 Displays the management plane.
  • Page 182: Interface (Mpp)

    For the instance argument, you cannot configure Management Ethernet interfaces as inband interfaces. Task ID Task ID Operations system read, write
  • Page 183 175 Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode. show mgmt-plane, on page 177 Displays the management plane.
  • Page 184: Management-Plane

    Examples The following example shows how to enter management plane protection configuration mode using the management-plane command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)#
  • Page 185: Out-Of-Band

    The following example shows how to enter management plane protection out-of-band configuration mode using the out-of-band command:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# control-plane
    RP/0/RP0/CPU0:router(config-ctrl)# management-plane
    RP/0/RP0/CPU0:router(config-mpp)# out-of-band
    RP/0/RP0/CPU0:router(config-mpp-outband)#
  • Page 186 177 Displays the management plane. vrf (MPP), on page 179 Configures a Virtual Private Network (VPN) routing and forwarding (VRF) reference of an out-of-band interface.
  • Page 187: Show Mgmt-Plane

    • Both inband and out-of-band keywords were added. • The vrf keyword was added only for out-of-band VRF configurations. • Sample output was updated to display inband and out-of-band interface configurations.
  • Page 188 Management Plane Protection - out-of-band VRF - my_out_of_band Related Commands Command Description management-plane, on page 174 Configures management plane protection to allow and disallow protocols.
  • Page 189: Vrf (Mpp)

    The following example shows how to configure the VRF:
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# vrf my_out_of_band
    RP/0/RP0/CPU0:router(config-vrf)# address-family ipv4 unicast
    RP/0/RP0/CPU0:router(config-vrf-af)# exit
    RP/0/RP0/CPU0:router(config-vrf)# address-family ipv6 unicast
    RP/0/RP0/CPU0:router(config-vrf-af)# commit
    RP/0/RP0/CPU0:router(config-vrf-af)# end
    RP/0/RP0/CPU0:router#
  • Page 190 175 Configures out-of-band interfaces or protocols and enters management plane protection out-of-band configuration mode. show mgmt-plane, on page 177 Displays the management plane.
  • Page 191: Public Key Infrastructure Commands

    This module describes the commands used to configure Public Key Infrastructure (PKI). For detailed information about PKI concepts, configuration tasks, and examples, see the Implementing Certification Authority Interoperability on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 192 226 • show crypto ca crls, page 228 • show crypto key mypubkey dsa, page 229 • show crypto key mypubkey rsa, page 231
  • Page 193: Clear Crypto Ca Certificates

    The following example shows how to clear the certificates associated with trustpoints that no longer exist in the configuration file:
    RP/0/RP0/CPU0:router# clear crypto ca certificates tp_1
  • Page 194: Clear Crypto Ca Crl

    RP/0/RP0/CPU0:router# show crypto ca crls
    RP/0/RP0/CPU0:router#
    Related Commands Command Description show crypto ca crls, on page 228 Displays the information about CRLs on the router.
  • Page 195 Public Key Infrastructure Commands clear crypto ca crl
  • Page 196: Crl Optional (Trustpoint)

    CRL. This example also specifies a nonstandard retry period and retry count.
    RP/0/RP0/CPU0:router# configure
    RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca
    RP/0/RP0/CPU0:router(config-trustp)# enrollment url http://ca_server
    RP/0/RP0/CPU0:router(config-trustp)# enrollment retry period 20
    RP/0/RP0/CPU0:router(config-trustp)# enrollment retry count 100
    RP/0/RP0/CPU0:router(config-trustp)# crl optional
  • Page 197 208 Specifies the wait period between certificate request retries. enrollment url, on page 211 Specifies the URL of the CA.
  • Page 198: Crypto Ca Authenticate

    CA administrator sees to what the router displays on the screen. If the fingerprint on the display matches the fingerprint displayed by the CA administrator, you should accept the certificate as valid.
  • Page 199 Configures a trusted point with a selected name. show crypto ca certificates, on page 226 Displays information about your certificate and the certificate of the CA.
  • Page 200: Crypto Ca Cancel-Enroll

    191 Obtains a router certificate from the CA. rsakeypair, on page 217 Specifies a named RSA key pair for a trustpoint.
  • Page 201: Crypto Ca Enroll

    The crypto ca enroll command is not saved in the router configuration. Task ID Task ID Operations crypto execute
  • Page 202 194 Configures a trusted point with a selected name. rsakeypair, on page 217 Specifies a named RSA key pair for a trustpoint.
  • Page 203: Crypto Ca Import

    Configures a trusted point with a selected name. show crypto ca certificates, on page 226 Displays information about your certificate and the certification authority (CA) certificate.
  • Page 204: Crypto Ca Trustpoint

    URL of the CA. • ip-address (trustpoint), on page 213 command—A dotted IP address that is included as an unstructured address in the certificate request.
  • Page 205 Specifies a named RSA key pair for this trustpoint. sftp-password (trustpoint), on page 220 Secures the FTP password. sftp-username (trustpoint), on page 222 Secures the FTP username.
  • Page 206 Public Key Infrastructure Commands crypto ca trustpoint Cisco IOS XR System Security Command Reference for the Cisco CRS Router, Release 4.1 OL-24740-01...
  • Page 207: Crypto Key Generate Dsa

    Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus How many bits in the modulus [1024]: 512 Generating DSA keys... Done w/ crypto generate keypair [OK]...
  • Page 208 202 Deletes a DSA key pair from your router. show crypto key mypubkey dsa, on page 229 Displays the DSA public keys for your router...
  • Page 209: Crypto Key Generate Rsa

    To remove an RSA key, use the crypto key zeroize rsa command. Task ID Task ID Operations crypto execute Examples The following example shows how to generate an RSA key pair: RP/0/RP0/CPU0:router# crypto key generate rsa...
  • Page 210 203 Deletes the RSA key pair for your router. show crypto key mypubkey rsa, on page 231 Displays the RSA public keys for your router...
  • Page 211: Crypto Key Import Authentication Rsa

    Once the public key is generated, the key must be placed on the router where you wish to enable RSA-based authentication. Task ID Task ID Operations crypto execute Examples The following example shows how to import a public key: RP/0/RP0/CPU0:k2#crypto key import authentication rsa...
  • Page 212: Crypto Key Zeroize Dsa

    197 Generates DSA key pairs. show crypto key mypubkey dsa, on page 229 Displays the DSA public keys for your router...
  • Page 213: Crypto Key Zeroize Rsa

    The following example shows how to delete the general-purpose RSA key pair that was previously generated: RP/0/RP0/CPU0:router# crypto key zeroize rsa key1 % Keys to be removed are named key1 Do you really want to remove these keys? [yes/no]: yes...
  • Page 214 199 Generates RSA key pairs. show crypto key mypubkey rsa, on page 231 Displays the RSA public keys for your router...
  • Page 215: Description (Trustpoint)

    Examples The following example shows how to create a trustpoint description: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca RP/0/RP0/CPU0:router(config-trustp)# description this is the primary trustpoint...
  • Page 216: Enrollment Retry Count

    The following example shows how to declare a CA, change the retry period to 10 minutes, and change the retry count to 60 retries. The router resends the certificate request every 10 minutes until receipt of the certificate...
  • Page 217 208 Specifies the wait period between certificate request retries. enrollment url, on page 211 Specifies the certification authority (CA) location by naming the CA URL...
  • Page 218: Enrollment Retry Period

    The following example shows how to declare a CA and change the retry period to 5 minutes: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca RP/0/RP0/CPU0:router(config-trustp)# enrollment retry period 5...
  • Page 219 Configures a trusted point with a selected name. enrollment retry count, on page 206 Specifies the number of times a router resends a certificate request...
  • Page 220: Enrollment Terminal

    RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca RP/0/RP0/CPU0:router(config-trustp)# enrollment terminal Related Commands Command Description crypto ca trustpoint, on page 194 Configures a trusted point with a selected name...
  • Page 221: Enrollment Url

    This table lists the available enrollment methods. Table 12: Certificate Enrollment Methods Enrollment Method Description SFTP Enroll through SFTP: file system TFTP Enroll through TFTP: file system...
  • Page 222 Configures a trusted point with a selected name. ip-address (trustpoint), on page 213 Specifies a dotted IP address that is included as an unstructured address in the certificate request...
  • Page 223: Ip-Address (Trustpoint)

    RP/0/RP0/CPU0:router(config-trustp)# subject-name OU=Spiral Dept., O=tiedye.com RP/0/RP0/CPU0:router(config-trustp)# ip-address 172.19.72.120 The following example shows that an IP address is not to be included in the certificate request: RP/0/RP0/CPU0:router# configure...
  • Page 224 Specifies whether the router serial number should be included in the certificate request. subject-name (trustpoint), on page 224 Specifies the subject name in the certificate request...
  • Page 225: Query Url

    The following example shows the configuration required to declare a CA when the CA supports LDAP: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca RP/0/RP0/CPU0:router(config-trustp)# query url ldap://my-ldap.domain.com...
  • Page 226 Public Key Infrastructure Commands query url Related Commands Command Description crypto ca trustpoint, on page 194 Configures a trusted point with a selected name...
  • Page 227: Rsakeypair

    RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint myca RP/0/RP0/CPU0:router(config-trustp)# rsakeypair key1 Related Commands Command Description crypto key generate rsa, on page 199 Generates RSA key pairs...
  • Page 228: Serial-Number (Trustpoint)

    The following example shows how to omit a serial number from the root certificate request: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint root RP/0/RP0/CPU0:router(config-trustp)# enrollment url http://10.3.0.7:80 RP/0/RP0/CPU0:router(config-trustp)# ip-address none RP/0/RP0/CPU0:router(config-trustp)# serial-number none RP/0/RP0/CPU0:router(config-trustp)# subject-name ON=Jack, OU=PKI, O=Cisco Systems, C=US...
  • Page 229 Specifies a dotted IP address that is included as an unstructured address in the certificate request. subject-name (trustpoint), on page 224 Specifies the subject name in the certificate request...
  • Page 230: Sftp-Password (Trustpoint)

    The following example shows how to secure the FTP password in an encrypted form: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint msiox RP/0/RP0/CPU0:router(config-trustp)# sftp-password password xxxxxx...
  • Page 231 Command Description crypto ca trustpoint, on page 194 Configures a trusted point with a selected name. sftp-username (trustpoint), on page 222 Secures the FTP username...
  • Page 232: Sftp-Username (Trustpoint)

    Command Description crypto ca trustpoint, on page 194 Configures a trusted point with a selected name. sftp-password (trustpoint), on page 220 Secures the FTP password...
  • Page 233 Public Key Infrastructure Commands sftp-username (trustpoint)...
  • Page 234: Subject-Name (Trustpoint)

    The following example shows how to specify the subject name for the frog certificate: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# crypto ca trustpoint frog RP/0/RP0/CPU0:router(config-trustp)# enrollment url http://frog.phoobin.com RP/0/RP0/CPU0:router(config-trustp)# subject-name OU=Spiral Dept., O=tiedye.com RP/0/RP0/CPU0:router(config-trustp)# ip-address 172.19.72.120...
  • Page 235 Specifies a dotted IP address that is included as an unstructured address in the certificate request. serial-number (trustpoint), on page 218 Specifies whether the router serial number should be included in the certificate request...
  • Page 236: Show Crypto Ca Certificates

    CN= CA2 Issued By cn=CA2 Validity Start : 07:51:51 UTC Wed Jul 06 2005 Validity End : 08:00:43 UTC Tue Jul 06 2010 CRL Distribution Point...
  • Page 237 TFTP, SFTP, or cut and paste it at the terminal. crypto ca trustpoint, on page 194 Configures a trustpoint with a selected name...
  • Page 238: Show Crypto Ca Crls

    Next Update : [UTC] Thu Jan 17 13:21:14 2002 CRL Distribution Point : http://xyz-w2k.cisco.com/CertEnroll/xyz-w2k-root.crl Related Commands Command Description clear crypto ca crl, on page 184 Clears all the CRLs stored on the router...
  • Page 239: Show Crypto Key Mypubkey Dsa

    AA817460 87EFD503 C668AD8C D606050B 225CC277 7C0A0974 8072D7D7 2ADDDE42 329FE896 AB015ED1 3A414254 6935FDCA 0043BA4F 66 Related Commands Command Description crypto key generate dsa, on page 197 Generates DSA key pairs...
  • Page 240 Public Key Infrastructure Commands show crypto key mypubkey dsa Command Description crypto key zeroize dsa, on page 202 Deletes all DSA keys from the router...
  • Page 241: Show Crypto Key Mypubkey Rsa

    Data : 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C7DE73 7B3EA447 CCE8F3DF DD1327D8 C1C30C45 2EEB4981 B1B48D2B 1AF14665 178058FB 8F6BB6BB E08C6163 FA0EE356 395C8E5F 2AC59383 0706BDDF EC8E5822 9B020301 0001...
  • Page 242 199 Generates RSA key pairs. crypto key zeroize rsa, on page 203 Deletes all RSA keys from the router...
  • Page 243: Software Authentication Manager Commands

    For detailed information about SAM concepts, configuration tasks, and examples, see the Configuring Software Authentication Manager on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 244: Sam Add Certificate

    Use of the trust keyword assumes that you received the new certificate from a source that you trust, and therefore have enough confidence in its authenticity to bypass validation by the SAM. One example of acquiring...
  • Page 245 Software Authentication Manager Commands sam add certificate a certificate from a trusted source is downloading it from a CA server (such as Cisco.com) that requires user authentication. Another example is acquiring the certificate from a person or entity that you can verify, such as by checking the identification badge for a person.
  • Page 246: Sam Delete Certificate

    The following example shows how to delete the certificate identified by the index number 2 from the memory location: RP/0/RP0/CPU0:router# sam delete certificate mem 2...
  • Page 247 Adds a new certificate to the certificate table. show sam certificate, on page 242 Displays records in the certificate table, including the location of the certificates stored...
  • Page 248: Sam Prompt-Interval

    SAM detects CA certificate (Code Signing Server Certificate Authority) has expired. The validity period is Oct 17, 2000 01:46:24 UTC - Oct 17, 2015 01:51:47 UTC. Continue at risk? (Y/N) [Default:N w/in 10]:...
  • Page 249 RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# sam prompt-interval 30 terminate Related Commands Command Description show sam sysinfo, on page 253 Displays the current status information for the SAM...
  • Page 250: Sam Verify

    If the message digest matches the message digest generated by the sam verify command, the software component is valid...
  • Page 251 The following example shows how to use MD5 to generate a message digest and then use that message digest as input to perform the digest comparison: RP/0/RP0/CPU0:router# sam verify disk0:/crl_revoked.bin MD5 38243ffbbe6cdb7a12fa9fa6452956ac RP/0/RP0/CPU0:router# sam verify disk0:/crl_revoked.bin MD5 38243ffbbe6cdb7a12fa9fa6452956ac Same digest values...
  • Page 252: Show Sam Certificate

    When used with the brief keyword, the location argument displays selected attributes for only the certificates stored in a specific location. Use one of the following: root, mem, disk0, disk1, or other flash device on the router...
  • Page 253 Certificate Index Index number that the Software Authentication Manager automatically assigns to the certificate. Certificate Flag One of the following: TRUSTED, VALIDATED, EXPIRED, or REVOKED...
  • Page 254 18 ff 9f 5c e9 99 66 f0 d3 90 ae 49 3f c8 cc [..\..f..I?..] 32 6b db 64 da fd f5 42 ea bc f3 b0 8a 2f 17 d8 [2k.d...B../..]...
  • Page 255 Certificate signature Encrypted hash value (or signature) of the certificate. The hash value of the certificate is encrypted using the private key of the issuer...
  • Page 256: Show Sam Crl

    RP/0/RP0/CPU0:router# show sam crl summary ----------------------- SUMMARY OF CRLs -------------------------- CRL Index Issuer:CN = Code Sign Server Certificate Manager, OU = Cisco HFR mc , O = Cisco, L = San Jose, ST = CA, C = US, EA =<16> iosmx-css-cert@cisco.com...
  • Page 257 CRL Index -------------- CERTIFICATE REVOCATION LIST (CRL) ----------------- Issuer:CN = Code Sign Server Certificate Manager, OU = Cisco HFR mc , O = Cisco, L = San Jose, ST = CA, C = US, EA =<16> iosmx-css-cert@cisco.com Including updates of:...
  • Page 258: Show Sam Log

    06/16/02 12:39:30 UTC SAM server restarted through router reboot 06/16/02 12:39:30 UTC SAM server restarted through router reboot 06/16/02 12:40:57 UTC Added certificate in table mem/1 CN = Certificate Manage, 0x1e...
  • Page 259 Each line of output shows a particular logged event such as a table change, expired or revoked certificates, table digest mismatches, or SAM server restarts...
  • Page 260: Show Sam Package

    The following sample output is from the show sam package command: RP/0/RP0/CPU0:router# show sam package mem:12k-rp-1.0.0 ------------------------------------------------------------ Certificate Location :mem Certificate Index Certificate Flag :VALIDATED ----------------------- CERTIFICATE ------------------------ Serial Number :01:27:FE:79:00:00:00:00:00:05 Subject Name...
  • Page 261 Manager (SAM) automatically assigns to the certificate. Certificate Flag One of the following: TRUSTED, VALIDATED, EXPIRED, or REVOKED. Serial Number Unique serial number of the certificate, assigned by its issuer...
  • Page 262 Cisco IOS XR System Management Command Reference for the Cisco CRS Router. show sam certificate, on page 242 Displays records in the SAM certificate table...
  • Page 263: Show Sam Sysinfo

    Software Authentication Manager System Information ============================================== Status : running Prompt Interval : 10 sec Prompt Default Response : NO This table describes the significant fields shown in the display...
  • Page 264 SAM responds when it does not receive user input within the specified interval...
  • Page 265: Secure Shell Commands

    This module describes the Cisco IOS XR software commands used to configure Secure Shell (SSH). For detailed information about SSH concepts, configuration tasks, and examples, see the Implementing Secure Shell on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 266: Clear Ssh

    The clear ssh command is then used to terminate the incoming session with the ID number 0. RP/0/RP0/CPU0:router# show ssh SSH version: Cisco-2.0 session location state userid host -------------------------------------------------------------------- Incoming sessions vty0 0/33/1 SESSION_OPEN cisco 172.19.72.182...
  • Page 267 SESSION_OPEN cisco 3333::50 RP/0/RP0/CPU0:router# clear ssh 0 Related Commands Command Description show ssh, on page 265 Displays the incoming and outgoing connections to the router...
  • Page 268: Sftp

    The srcfile keyword was removed and was replaced by an argument for this same purpose. Support was added for the vrf and the source-interface keywords...
  • Page 269 308413 bytes copied in 0 sec (338172)bytes/sec RP/0/RP0/CPU0:router#dir disk0:/V6copy Directory of disk0: 70144 -rwx 308413 Sun Oct 16 23:06:52 2011 V6copy 2102657024 bytes total (1537638400 bytes free)...
  • Page 270 Specifies the source IP address of a selected interface for all outgoing SSH connections. ssh client vrf, on page 276 Configures a new VRF for use by the SSH client...
  • Page 271 Secure Shell Commands sftp...
  • Page 272: Sftp (Interactive Mode)

    'non-acknowledged' or outstanding requests to the server, the server might buffer or queue these requests for convenience. Therefore, there might be a logical sequence to the order of requests...
  • Page 273 In the following example, user admin is downloading and uploading a file from/to an external SFTP server using an IPv6 address: RP/0/RP0/CPU0:router#sftp admin@[2:2:2::2] Connecting to 2:2:2::2... Password:...
  • Page 274 Specifies the source IP address of a selected interface for all outgoing SSH connections. ssh client vrf, on page 276 Configures a new VRF for use by the SSH client...
  • Page 275: Show Ssh

    0/RP0/CPU0 SESSION_OPEN cisco 172.20.10.3 3 vty3 0/RP0/CPU0 SESSION_OPEN cisco 3333::50 Outgoing sessions 0/RP0/CPU0 SUSPENDED root 172.19.72.182 This table describes significant fields shown in the display...
  • Page 276 Reference for the Cisco CRS Router show ssh session details, on page 267 Displays the details for all the incoming and outgoing SSHv2 connections to the router...
  • Page 277: Show Ssh Session Details

    Incoming Session diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5 Outgoing connection diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5 This table describes the significant fields shown in the display...
  • Page 278 Displays information about open Telnet or rlogin connections. show ssh, on page 265 Displays all the incoming and outgoing connections to the router...
  • Page 279: Ssh

    (Optional) Specifies a remote command. Adding this keyword prompts the SSHv2 server to parse and execute the ssh command in non-interactive mode instead of initiating the interactive session...
  • Page 280 Use the command keyword to enable the SSHv2 server to parse and execute the ssh command in non-interactive mode instead of initiating an interactive session. Task ID Task ID Operations crypto execute basic-services execute...
  • Page 281 RP/0/RP0/CPU0:router# ssh vrf green username userabc Password: Remote-host> Related Commands Command Description show ssh, on page 265 Displays all the incoming and outgoing connections to the router...
  • Page 282: Ssh Client Knownhost

    Operations crypto read, write Examples The following sample output is from the ssh client knownhost command: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh client knownhost disk0:/ssh.knownhost RP/0/RP0/CPU0:router(config)# commit...
  • Page 283 Host key not found from the list of known hosts. Are you sure you want to continue connecting (yes/no)? yes Password: RP/0/RP0/CPU0:host1# exit RP/0/RP0/CPU0:router# ssh host1 username user1234...
  • Page 284: Ssh Client Source-Interface

    The system database (Sysdb) verifies that the interface specified in the command has a corresponding IP address (in the same family) configured. Task ID Task ID Operations crypto read, write...
  • Page 285 The following example shows how to set the IP address of the Management Ethernet interface for all outgoing SSH connections: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh client source-interface MgmtEth 0/RP0/CPU0/0...
  • Page 286: Ssh Client Vrf

    Examples The following example shows the SSH client being configured to start with the specified VRF: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh client vrf green...
  • Page 287 SSH Client supports setting the DSCP value in outgoing packets. If not configured, the default DSCP value set in packets is 16 (for both client and server)...
  • Page 288: Ssh Server

    To verify that the SSH server is up and running, use the show process sshd command. Task ID Task ID Operations crypto read, write...
  • Page 289 SSH server supports setting the DSCP value in outgoing packets. If not configured, the default DSCP value set in packets is 16 (for both client and server)...
  • Page 290: Ssh Server Logging

    Task ID Task ID Operations crypto read, write Examples The following example shows how to enable SSH server logging: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh server logging...
  • Page 291 Secure Shell Commands ssh server logging Related Commands Command Description ssh server, on page 278 Initiates the SSH server...
  • Page 292: Ssh Server Rate-Limit

    The following example shows how to set the limit of incoming SSH connection requests to 20 per minute: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh server rate-limit 20...
  • Page 293: Ssh Server Session-Limit

    Examples The following example shows how to set the limit of incoming SSH connections to 50: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh server session-limit 50...
  • Page 294 Description show processes Displays information about the SSH server. For more information, see Cisco IOS XR System Management Command Reference for the Cisco CRS Router...
  • Page 295: Ssh Server V2

    The following example shows how to restrict the SSH server to SSHv2 only: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh server v2 Related Commands Command Description ssh server, on page 278 Initiates the SSH server...
  • Page 296: Ssh Timeout

    Examples In the following example, the timeout value for AAA user authentication is set to 60 seconds: RP/0/RP0/CPU0:router# configure RP/0/RP0/CPU0:router(config)# ssh timeout 60...
  • Page 297: Secure Socket Layer Protocol Commands

    This module describes the commands used to configure the Secure Socket Layer (SSL) protocol. For detailed information about SSL concepts, configuration tasks, and examples, see the Implementing Secure Socket Layer on the Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.
  • Page 298: Show Ssl

    The following sample output is from the show ssl command: RP/0/RP0/CPU0:router# show ssl Method Type Peer Port Cipher-Suite ============================================================================ 1261711 sslv3 Server 172.16.0.5 1296 DES-CBC3-SHA This table describes the fields shown in the display...
  • Page 299 Triple DES and the Integrity (message digest algorithm) is SHA. Related Commands Command Description run pidin Displays the process ID for all processes that are running...
  • Page 300 Secure Socket Layer Protocol Commands show ssl...