CHAPTER 1 aaa accounting through aaa local authentication attempts max-fail 1

aaa accounting 3
aaa accounting-list 11
aaa accounting (IKEv2 profile) 12
aaa accounting connection h323 13
aaa accounting delay-start 15
aaa accounting gigawords 18
aaa accounting include auth-profile 19
aaa accounting-list 20
aaa accounting jitter maximum 21
aaa accounting nested 22
aaa accounting redundancy 23
aaa accounting resource start-stop group 25
aaa accounting resource stop-failure group 27
aaa accounting send counters ipv6 29
aaa accounting send stop-record always 30
aaa accounting send stop-record authentication 31
aaa accounting session-duration ntp-adjusted 38
aaa accounting suppress null-username 39
aaa accounting update 40
aaa attribute 42
aaa attribute list 43
aaa authentication (IKEv2 profile) 45
aaa authentication (WebVPN) 47
aaa authentication arap 49
aaa authentication attempts login 51
Cisco IOS Security Command Reference: Commands A to C
iii
aaa authentication auto (WebVPN) 52
aaa authentication banner 53
aaa authentication dot1x 55
aaa authentication enable default 57
aaa authentication eou default enable group radius 59
aaa authentication fail-message 60
aaa authentication login 62
aaa authentication nasi 66
aaa authentication password-prompt 69
aaa authentication ppp 71
aaa authentication sgbp 74
aaa authentication suppress null-username 76
aaa authentication token key 77
aaa authentication username-prompt 78
aaa authorization 80
aaa authorization (IKEv2 profile) 85
aaa authorization cache filterserver 88
aaa authorization config-commands 90
aaa authorization console 92
aaa authorization list 93
aaa authorization reverse-access 94
aaa authorization template 97
aaa cache filter 98
aaa cache filterserver 100
aaa cache profile 101
aaa common-criteria policy 103
aaa configuration 105
aaa dnis map accounting network 107
aaa dnis map authentication group 109
aaa dnis map authorization network group 111
aaa group server diameter 113
aaa group server ldap 114
aaa group server radius 115
aaa group server tacacs+ 117
aaa intercept 119
aaa local authentication attempts max-fail 121
CHAPTER 2 aaa max-sessions through algorithm 123
aaa max-sessions 125
aaa memory threshold 126
aaa nas cisco-nas-port use-async-info 128
aaa nas port extended 129
aaa nas port option82 130
aaa nas redirected-station 131
aaa new-model 133
aaa password 135
aaa pod server 137
aaa preauth 139
aaa processes 141
aaa route download 143
aaa server radius dynamic-author 145
aaa service-profile 147
aaa session-id 148
aaa session-mib 150
aaa traceback recording 152
aaa user profile 153
access (firewall farm) 154
access (server farm) 156
access (virtual server) 158
access session passthru-access-group 160
access-class 161
access-enable 163
access-group (identity policy) 165
access-group mode 166
access-list (IP extended) 168
access-list (IP standard) 181
access-list (NLSP) 185
access-list compiled 188
access-list compiled data-link limit memory 189
access-list compiled ipv4 limit memory 191
access-list dynamic-extend 193
access-list remark 194
access-profile 195
access-restrict 198
access-session accounting 200
access-template 201
accounting 203
accounting (gatekeeper) 205
accounting (line) 207
accounting (server-group) 209
accounting acknowledge broadcast 213
accounting dhcp source-ip aaa list 214
acl (ISAKMP) 215
acl (WebVPN) 216
acl drop 217
action-type 219
activate 220
add (WebVPN) 221
address 222
address (IKEv2 keyring) 224
address ipv4 226
address ipv4 (config-radius-server) 227
address ipv6 (config-radius-server) 229
address ipv4 (GDOI) 231
address ipv6 (TACACS+) 232
addressed-key 233
administrator authentication list 235
administrator authorization list 237
alert 239
alert (zone-based policy) 240
alert-severity 242
alg sip blacklist 243
alg sip processor 245
alg sip timer 246
algorithm 247
CHAPTER 3 all profile map configuration through browser-proxy 249
all (profile map configuration) 252
allow-mode 253
appfw policy-name 254
appl (webvpn) 256
application (application firewall policy) 257
application-inspect 260
application redundancy 262
arap authentication 263
ase collector 265
ase enable 266
ase group 267
ase signature extraction 268
asymmetric-routing 269
attribute (server-group) 271
attribute map 273
attribute nas-port format 274
attribute type 277
audit filesize 279
audit interval 281
audit-trail 283
audit-trail (zone) 285
authentication 286
authentication (IKE policy) 288
authentication (IKEv2 profile) 290
authentication bind-first 294
authentication command 296
authentication command bounce-port ignore 298
authentication command disable-port ignore 299
authentication compare 300
authentication control-direction 301
authentication critical recovery delay 302
authentication event fail 303
authentication event no-response action 305
authentication event server alive action reinitialize 306
authentication event server dead action authorize 307
authentication fallback 308
authentication host-mode 309
authentication list (tti-registrar) 311
authentication open 313
authentication order 314
authentication periodic 315
authentication port-control 317
authentication priority 319
authentication terminal 320
authentication timer inactivity 321
authentication timer reauthenticate 322
authentication timer restart 324
authentication trustpoint 325
authentication violation 327
authentication url 328
authorization 330
authorization (server-group) 332
authorization (tti-registrar) 334
authorization address ipv4 336
authorization identity 337
authorization list (global) 338
authorization list (tti-registrar) 339
authorization username 341
authorization username (tti-registrar) 343
authorize accept identity 345
auth-type 346
auth-type (ISG) 347
auto-enroll 348
auto-rollover 350
auto-update client 353
automate-tester (config-ldap-server) 355
automate-tester (config-radius-server) 356
auto secure 358
backoff exponential 360
backup-gateway 362
backup group 364
banner 365
banner (parameter-map webauth) 366
banner (WebVPN) 368
base-dn 370
bidirectional 371
binary file 373
bind authenticate 375
block count 377
browser-attribute import 379
browser-proxy 380
CHAPTER 4 ca trust-point through clear eou 381
ca trust-point 383
cabundle url 385
cache authentication profile (server group configuration) 387
cache authorization profile (server group configuration) 388
cache clear age 389
cache disable 390
cache expiry (server group configuration) 391
cache max 392
cache refresh 393
call admission limit 394
call guard-timer 395
category (ips) 396
cdp-url 397
certificate 401
chain-validation (ca-trustpool) 403
chain-validation 405
cifs-url-list 407
cipherkey 409
ciphervalue 410
cisco (ips-auto-update) 412
cisp enable 413
citrix enabled 414
class type inspect 415
class type urlfilter 418
class-map type inspect 420
class-map type urlfilter 424
clear aaa cache filterserver acl 427
clear aaa cache filterserver group 428
clear aaa cache group 429
clear aaa counters servers 430
clear aaa local user fail-attempts 431
clear aaa local user lockout 432
clear access-list counters 433
clear access-template 434
clear appfw dns cache 436
clear ase signatures 437
clear authentication sessions 439
clear content-scan 441
clear crypto call admission statistics 442
clear crypto ctcp 443
clear crypto datapath 444
clear crypto engine accelerator counter 445
clear crypto gdoi 448
clear crypto gdoi ks cooperative role 450
clear crypto ikev2 sa 451
clear crypto ikev2 stats 452
clear crypto ipsec client ezvpn 453
clear crypto isakmp 455
clear crypto sa 457
clear crypto session 460
clear crypto pki benchmarks 462
clear crypto pki crls 463
clear cws 464
clear dmvpn session 465
clear dmvpn statistics 467
clear dot1x 468
clear eap 469
clear eou 470
CHAPTER 5 clear ip access-list counters through crl-cache none 473
clear ip access-list counters 475
clear ip access-template 476
clear ip admission cache 478
clear ip audit configuration 479
clear ip audit statistics 480
clear ip auth-proxy cache 481
clear ip auth-proxy watch-list 482
clear ip inspect ha 484
clear ip inspect session 485
clear ip ips configuration 486
clear ip ips statistics 487
clear ip sdee 488
clear ip trigger-authentication 489
clear ip urlfilter cache 490
clear ipv6 access-list 491
clear ipv6 inspect 493
clear ipv6 snooping counters 494
clear kerberos creds 495
clear ldap server 496
clear logging ip access-list cache 497
clear parameter-map type protocol-info 498
clear policy-firewall 499
clear policy-firewall stats global 500
clear policy-firewall stats vrf 501
clear policy-firewall stats vrf global 502
clear policy-firewall stats zone 503
clear port-security 504
clear radius 506
clear radius local-server 507
clear webvpn nbns 509
clear webvpn session 510
clear webvpn stats 511
clear xsm 512
clear zone-pair 514
clid 515
client 517
client authentication list 519
client configuration address 521
client configuration group 522
client inside 523
client pki authorization list 524
client recovery-check interval 525
client connect 526
client rekey encryption 527
client rekey hash 529
client transform-sets 530
commands (view) 531
configuration url 535
configuration version 537
config-exchange 538
config-mode set 539
connect 540
content-length 541
content-scan out 543
content-scan whitelisting 544
content-type-verification 545
control 549
copy (consent-parameter-map) 551
copy idconf 553
copy ips-sdf 555
consent email 558
crl 559
crl (cs-server) 562
crl query 565
crl best-effort 567
crl optional 569
crl-cache delete-after 571
crl-cache none 573
CHAPTER 6 crypto aaa attribute list through crypto ipsec transform-set 575
crypto aaa attribute list 577
crypto ca authenticate 580
crypto ca cert validate 582
crypto ca certificate chain 583
crypto ca certificate map 585
crypto ca certificate query (ca-trustpoint) 588
crypto ca certificate query (global) 590
crypto ca crl request 591
crypto ca enroll 593
crypto ca export pem 596
crypto ca export pkcs12 599
crypto ca identity 601
crypto ca import 602
crypto ca import pem 603
crypto ca import pkcs12 605
crypto ca profile enrollment 607
crypto ca trusted-root 609
crypto ca trustpoint 610
crypto call admission limit 612
crypto connect vlan 614
crypto ctcp 616
crypto dynamic-map 618
crypto-engine 621
crypto engine accelerator 622
crypto engine aim 625
crypto engine em 626
crypto engine mode vrf 627
crypto engine nm 629
crypto engine onboard 630
crypto engine slot 631
crypto engine slot (interface) 632
crypto gdoi ks 635
crypto gdoi gm 637
crypto gdoi group 639
crypto identity 640
crypto ikev2 authorization policy 642
crypto ikev2 certificate-cache 644
crypto ikev2 cluster 645
crypto ikev2 cookie-challenge 647
crypto ikev2 cts 648
crypto ikev2 diagnose 653
crypto ikev2 dpd 654
crypto ikev2 fragmentation 656
crypto ikev2 http-url 657
crypto ikev2 keyring 658
crypto ikev2 limit 661
crypto ikev2 name mangler 663
crypto ikev2 nat 665
crypto ikev2 policy 666
crypto ikev2 profile 669
crypto ikev2 proposal 673
crypto ikev2 redirect 676
crypto ikev2 window 677
crypto ipsec client ezvpn (global) 678
crypto ipsec client ezvpn (interface) 683
crypto ipsec client ezvpn connect 686
crypto ipsec client ezvpn xauth 687
crypto ipsec transform-set default 689
crypto ipsec df-bit (global) 691
crypto ipsec df-bit (interface) 692
crypto ipsec fragmentation (global) 694
crypto ipsec fragmentation (interface) 695
crypto ipsec ipv4-deny 697
crypto ipsec nat-transparency 699
crypto ipsec optional 701
crypto ipsec optional retry 702
crypto ipsec profile 703
crypto ipsec security-association dummy 705
crypto ipsec security-association idle-time 706
crypto ipsec security-association lifetime 708
crypto ipsec security-association multi-sn 711
crypto ipsec security-association replay disable 712
crypto ipsec security-association replay window-size 713
crypto ipsec server send-update 714
crypto ipsec transform-set 715
CHAPTER 7 crypto isakmp aggressive-mode disable through crypto mib topn 721
crypto isakmp aggressive-mode disable 723
crypto isakmp client configuration address-pool local 724
crypto isakmp client configuration browser-proxy 725
crypto isakmp client configuration group 726
crypto isakmp client firewall 731
crypto isakmp default policy 733
crypto isakmp enable 736
crypto isakmp fragmentation 738
crypto isakmp identity 739
crypto isakmp invalid-spi-recovery 741
crypto isakmp keepalive 742
crypto isakmp key 745
crypto isakmp nat keepalive 748
crypto isakmp peer 750
crypto isakmp policy 752
crypto isakmp profile 755
crypto key decrypt rsa 758
crypto key encrypt rsa 759
crypto key export ec 761
crypto key export rsa pem 763
crypto key generate ec keysize 766
crypto key generate rsa 768
crypto key import ec 774
crypto key import rsa pem 776
crypto key lock rsa 780
crypto key move rsa 782
crypto key pubkey-chain rsa 784
crypto key storage 786
crypto key unlock rsa 788
crypto key zeroize ec 790
crypto key zeroize pubkey-chain 792
crypto key zeroize rsa 793
crypto keyring 795
crypto logging ezvpn 796
crypto logging ikev2 797
crypto logging session 798
crypto map (global IPsec) 799
crypto map (interface IPsec) 806
crypto map (Xauth) 809
crypto map client configuration address 811
crypto map gdoi fail-close 812
crypto map (isakmp) 814
crypto map isakmp-profile 816
crypto map local-address 817
crypto map redundancy replay-interval 819
crypto mib ipsec flowmib history failure size 821
crypto mib ipsec flowmib history tunnel size 822
crypto mib topn 823
CHAPTER 8 crypto pki authenticate through cws whitelisting 825
crypto pki authenticate 828
crypto pki benchmark 830
crypto pki cert validate 832
crypto pki certificate chain 833
crypto pki certificate map 835
crypto pki certificate query (ca-trustpoint) 838
crypto pki certificate storage 840
crypto pki crl cache 842
crypto pki crl request 844
crypto pki enroll 845
crypto pki export pem 848
crypto pki export pkcs12 password 852
crypto pki import 855
crypto pki import pem 856
crypto pki import pkcs12 password 859
crypto pki profile enrollment 862
crypto pki server 864
crypto pki server grant 868
crypto pki server info crl 869
crypto pki server info requests 870
crypto pki server password generate 872
crypto pki server reject 873
crypto pki server remove 874
crypto pki server request pkcs10 875
crypto pki server revoke 879
crypto pki server start 881
crypto pki server stop 882
crypto pki server trim 883
crypto pki server trim generate expired-list 886
crypto pki server unrevoke 888
crypto pki token change-pin 889
crypto pki token encrypted-user-pin 890
crypto pki token label 892
crypto pki token lock 894
crypto pki token login 896
crypto pki token logout 897
crypto pki token max-retries 898
crypto pki token removal timeout 899
crypto pki token secondary config 901
crypto pki token secondary unconfig 903
crypto pki token unlock 905
crypto pki token user-pin 907
crypto pki trustpoint 908
crypto pki trustpool import 911
crypto pki trustpool policy 915
crypto provisioning petitioner 917
crypto provisioning registrar 919
crypto vpn 922
crypto wui tti petitioner 924
crypto wui tti registrar 926
crypto xauth 929
csd enable 931
ctcp port 932
ctype 933
cts authorization list network 935
cts credentials 936
cts dot1x 938
cts manual 939
cts role-based enforcement 940
cts role-based sgt-cache 941
cts role-based sgt-caching 943
cts role-based sgt-map (config) 944
cts role-based sgt-map interface 947
cts role-based sgt-map sgt 949
cts sxp connection peer 950
cts sxp default password 953
cts sxp default source-ip 955
cts sxp enable 957
cts sxp filter-enable 959
cts sxp filter-group 960
cts sxp filter-list 962
cts sxp listener hold-time 964
cts sxp log binding-changes 966
cts sxp mapping network-map 967
cts sxp node-id 968
cts sxp reconciliation period 970
cts sxp retry period 972
cts sxp speaker hold-time 973
custom-page 975
cws out 977
