- Preface
- Configuring Authentication
- RADIUS Change of Authorization
- Message Banners for AAA Authentication
- AAA-Domain Stripping at Server Group Level
- AAA Double Authentication Secured by Absolute Timeout
- Throttling of AAA RADIUS Records
- RADIUS Packet of Disconnect
- AAA Authorization and Authentication Cache
- Configuring Authorization
- Configuring Accounting
- AAA-SERVER-MIB Set Operation
- Per VRF AAA
- AAA Support for IPv6
- TACACS+ over IPv6
- AAA Dead-Server Detection
- Login Password Retry Lockout
- MSCHAP Version 2
- AAA Broadcast Accounting-Mandatory Response Support
- Password Strength and Management for Common Criteria
- Secure Reversible Passwords for AAA
- IP Access List Overview
- Creating an IP Access List and Applying It to an Interface
- Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports
- Configuring an FQDN ACL
- Refining an IP Access List
- IP Named Access Control Lists
- Commented IP Access List Entries
- Standard IP Access List Logging
- IP Access List Entry Sequence Numbering
- Configuring Lock-and-Key Security (Dynamic Access Lists)
- ACL IP Options Selective Drop
- Displaying and Clearing IP Access List Data Using ACL Manageability
- ACL Syslog Correlation
- IPv6 Access Control Lists
- IPv6 ACL Undetermined-Transport Support
- Configuring Template ACLs
- IPv6 Template ACL
- IPv4 ACL Chaining Support
- IPv6 ACL Chaining with a Common ACL
- IPv6 ACL Extensions for Hop by Hop Filtering
- Security (ACL) Enhancements
- IPv6 Object Groups for ACLs
- Configuring RADIUS
- RADIUS for Multiple UDP Ports
- AAA DNIS Map for Authorization
- AAA Server Groups
- Framed-Route in RADIUS Accounting
- RFC-2867 RADIUS Tunnel Accounting
- RADIUS Logical Line ID
- RADIUS Route Download
- RADIUS Server Load Balancing
- RADIUS Server Reorder on Failure
- RADIUS Separate Retransmit Counter for Accounting
- RADIUS VC Logging
- RADIUS Centralized Filter Management
- RADIUS EAP Support
- RADIUS Interim Update at Call Connect
- RADIUS Tunnel Preference for Load Balancing and Fail-Over
- RADIUS Attributes Overview and RADIUS IETF Attributes
- RADIUS Vendor-Proprietary Attributes
- RADIUS Vendor-Specific Attributes and RADIUS Disconnect-Cause Attribute Values
- Connect-Info RADIUS Attribute 77
- Encrypted Vendor-Specific Attributes
- RADIUS Attribute 8 Framed-IP-Address in Access Requests
- RADIUS Attribute 82 Tunnel Assignment ID
- RADIUS Tunnel Attribute Extensions
- RADIUS Attribute 66 Tunnel-Client-Endpoint Enhancements
- RADIUS Attribute Value Screening
- RADIUS Attribute 55 Event-Timestamp
- RADIUS Attribute 104
- RADIUS NAS-IP-Address Attribute Configurability
- RADIUS Attribute 5 NAS-Port Format Specified on a Per-Server Group Level
- Overview of Cisco TrustSec
- Cisco TrustSec SGT Exchange Protocol IPv4
- TrustSec SGT Handling: L2 SGT Imposition and Forwarding
- Prerequisites for Cisco TrustSec SGT Exchange Protocol IPv4
- Enabling Bidirectional SXP Support
- Cisco TrustSec Interface-to-SGT Mapping
- Cisco TrustSec Subnet to SGT Mapping
- Flexible NetFlow Export of Cisco TrustSec Fields
- Cisco TrustSec SGT Caching
- CTS SGACL Support
- Accessing TrustSec Operational Data Externally
- Cisco IOS XE PKI Overview
- Deploying RSA Keys Within a PKI
- Configuring Authorization and Revocation of Certificates in a PKI
- Configuring Certificate Enrollment for a PKI
- Setting Up Secure Device Provisioning for Enrollment in a PKI
- PKI Credentials Expiry Alerts
- Configuring and Managing a Certificate Server for PKI Deployment
- Storing PKI Credentials
- Source Interface Selection for Outgoing Traffic with Certificate Authority
- PKI Trustpool Management
- PKI Split VRF in Trustpoint
- EST Client Support
- Configuring Route Processor Redundancy for PKI
- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Firewall Stateful Inspection of ICMP
- LISP and Zone-Based Firewalls Integration and Interoperability
- Application Aware Firewall
- Firewall Support of Skinny Client Control Protocol
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Configuring the VRF-Aware Software Infrastructure
- FTP66 ALG Support for IPv6 Firewalls
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- IPsec Anti-Replay Window Expanding and Disabling
- Pre-Fragmentation for IPsec VPNs
- Invalid Security Parameter Index Recovery
- IPsec Dead Peer Detection Periodic Message Option
- IPsec NAT Transparency
- IPsec Extended Sequence Number
- DF Bit Override Functionality with IPsec Tunnels
- IPsec Security Association Idle Timers
- IPv6 IPsec Quality of Service
- IPv6 Virtual Tunnel Interface
- Dynamic Multipoint VPN
- IPv6 over DMVPN
- DMVPN Configuration Using FQDN
- DMVPN-Tunnel Health Monitoring and Recovery Backup NHS
- DMVPN Tunnel Health Monitoring and Recovery
- DMVPN Event Tracing
- NHRP MIB
- DMVPN Dynamic Tunnels Between Spokes Behind a NAT Device
- Sharing IPsec with Tunnel Protection
- Per-Tunnel QoS for DMVPN
- Configuring TrustSec DMVPN Inline Tagging Support
- Spoke-to-Spoke NHRP Summary Maps
- BFD Support on DMVPN
- DMVPN Support for IWAN
- Configuring MPLS over DMVPN
- DHCP Tunnels Support
- Per-Tunnel QoS Support for Multiple Policy Maps (MPOL)
- Introduction to FlexVPN
- Configuring Internet Key Exchange Version 2
- Configuring Quantum-Safe Encryption Using Postquantum Preshared Keys
- Configuring the FlexVPN Server
- Configuring the FlexVPN Client
- Configuring FlexVPN Spoke to Spoke
- Configuring IKEv2 Load Balancer
- Configuring IKEv2 Fragmentation
- Configuring IKEv2 Reconnect
- Configuring MPLS over FlexVPN
- Configuring IKEv2 Packet of Disconnect
- Configuring IKEv2 Change of Authorization Support
- Configuring Aggregate Authentication
- Appendix: FlexVPN RADIUS Attributes
- Appendix: IKEv2 and Legacy VPNs
- Cisco Group Encrypted Transport VPN
- GET VPN GM Removal and Policy Trigger
- GDOI MIB Support for GET VPN
- GET VPN Resiliency
- GETVPN Resiliency GM - Error Detection
- GETVPN CRL Checking
- GET VPN Support with Suite B
- GET VPN Support of IPsec Inline Tagging for Cisco TrustSec
- GETVPN GDOI Bypass
- GETVPN G-IKEv2
- 8K GM Scale Improvement
- GET VPN Interoperability
- Perfect Forward Secrecy for GETVPN
- Index
Index

A
- AAA (authentication, authorization, and accounting)
  - accounting
    - AV pairs
    - broadcasting
    - command type
    - configuring (example)
    - connection type
    - enabling
    - EXEC type
    - interim records
    - method lists (example)
    - methods (table)
    - monitoring
    - network configuration (figure)
    - network type
    - resource type
    - system type
    - verifying
  - ARAP authentication
    - authorized guest logins
    - guest logins
    - line password
    - local password
    - methods (table)
    - TACACS+
  - authentication
    - configuring
      - default, enable
      - methods
    - network configuration (figure)
    - server groups
  - authorization
    - AV pairs
    - configuring
    - network configuration (figure)
    - prerequisites
    - RADIUS
    - reverse telnet
    - server groups
    - TACACS+
    - types
  - broadcast accounting
  - DNIS
  - enable default authentication, methods (table)
  - login authentication
    - enable password
    - Kerberos
    - line password
    - local password
    - methods (table)
  - message banners
    - failed-login banner, configuring
    - login banner, configuring
  - method lists
    - accounting
  - NASI authentication
    - enable password
    - line password
    - local password
    - methods
    - TACACS+
  - POD (packet of disconnect)
    - configuration
    - example
  - preauthentication
  - RADIUS
    - accounting
    - authentication
    - authorization
  - resource accounting
    - configuring
  - resource failure stop accounting
    - configuring
  - server groups
    - authentication
    - authorization
    - broadcast accounting
    - TACACS+, configuring
  - session MIB
    - configuration
    - example
    - SNMP
- aaa accounting resource start-stop group command
- aaa accounting resource stop-failure group command
- AAA attributes
  - prerequisites
- aaa authentication ppp command
  - undefined list-name (caution)
- AAA double authentication secured by absolute timeout
  - examples
  - how to apply
  - information about
  - prerequisites
  - restrictions
- aaa preauth command
- access class filtering in IPv6
- access lists
  - dynamic entries, deleting
  - See also IKE
- access requests
  - RADIUS attribute 44
    - configuring
  - RADIUS attribute 8
  - RADIUS attributes
    - description
    - examples
- access-enable command
- access-list (encryption) command
- access-list (IP extended) command
- access-list command
- additional references
- AH (authentication header)
- authentication
  - See also IKE, extended authentication
- Authentication Policy for GM Registration

B
- broadcast accounting

C
- cautions
  - access lists
  - lock-and-key
  - ppp, disabling with undefined list-name
- certificate to ISAKMP profile mapping
  - how to configure
- certificates
- CHAP (Challenge Handshake Authentication Protocol)
  - common password
  - delay authentication
  - description
  - enable authentication
  - refuse authentication requests
- Cisco Group Encrypted Transport VPN
  - prerequisites
  - restrictions
  - system messages (Appendix I)
- Cisco IOS Firewall
  - dynamic access lists
- CISCO-NHRP-MIB
- clear access-template command
- CoA messages
- Configuring a RADIUS server to reorder on failure
- Configuring GET VPN GM Authorization
- Configuring GM Authorization Using PKI
- Configuring GM Authorization Using Preshared keys
- Configuring Per VRF on a TACACS+ Server
- Configuring the IKE Security Association Limit
- crypto dynamic-map command
- crypto ipsec transform-set command
- crypto map command

D
- Delegated-IPv6-Prefix-Pool
- DES (Data Encryption Standard)
- DF Bit Override Functionality with IPsec Tunnels
  - additional references
  - prerequisites
  - restrictions
- DH (Diffie-Hellman)
  - See IKE, DH (Diffie-Hellman)
- DNIS (Dialed Number Identification Service)
  - DNIS number
- DNS-Server-IPv6-Address
- double authentication
  - access user profile
  - operation

E
- enabling
- encapsulations, IPSec-supported
- encrypted nonces
  - See RSA encrypted nonces
- ESP (encapsulating security payload)
- Example
  - Group Member 1
  - Group Member 4
  - Group Member 5
  - Key Server 1
  - Key Server 2
  - Key Server and Group Member Case Study
  - Passive SA

F
- Framed-Interface-Id attribute
- Framed-IPv6-Prefix attribute
- Framed-IPv6-Route attribute

G
- GET VPN GM Authorization
- GM Authorization Using PKI
- GM Authorization Using Preshared keys

H
- how to configure
- HTTP - source interface selection
  - source interface for outgoing TCP connections

I
- ICMP
  - Host Unreachable message
- IKE (Internet Key Exchange) security protocol
  - authentication
    - methods
  - DH (Diffie-Hellman)
  - negotiations
  - policies
    - purpose
    - requirements
  - protocol
  - requirements
    - policies
  - RSA encrypted nonces method
  - RSA signatures method
  - supported standards
- Information About Cisco Group Encrypted Transport VPN
- intercepts
  - VPN traffic
- interface command
- invalid security parameter index recovery
  - additional references
  - prerequisites
  - restrictions
  - verifying
- IP
  - access lists
    - dynamic, deleting
  - security
    - See also lock-and-key
- ip access-group command
- IP multicast routing
  - MDS
    - packet statistics, displaying
- IPoE sessions
  - lawful intercept support
- IPSec
- IPSec (IP Security) VPN monitoring
  - additional references
  - command reference
  - restrictions
- IPSec (IPSec network security protocol)
  - access lists
  - encapsulations supported
  - how it works
  - NAT, configuring
  - network services
  - protocol
  - restrictions
  - SAs
    - clearing
    - manual negotiations
  - supported standards
  - traffic protected, defining
  - transform sets
- IPsec and IKE MIB Support for Cisco VRF-Aware IPsec
  - configuration examples
- IPSec and quality of service
  - additional references
  - prerequisites
  - restrictions
- IPsec Anti-Replay Window
  - Expanding and Disabling
  - Expanding and Disabling, configuration examples
- IPSec dead peer detection periodic message option
  - additional references
  - prerequisites
  - restrictions
- IPSec, access lists
- IPSec, crypto access lists
- IPv6
  - Access Control Lists
- IPv6 access list
- IPv6 pool attribute
- IPv6 prefix# attribute
- IPv6 route attribute
- IPv6-Pool attribute
- ISAKMP

K
- Kerberos
  - authentication
    - login
    - PPP
  - configuring
    - credential forwarding
    - instance mapping
    - KDC (key distribution center)
    - mandatory authentication
    - network access server communication
    - realms
    - SRVTABs files, copying
    - SRVTABs, creating
    - SRVTABs, extracting
  - Encrypted Kerberized Telnet
  - maintaining
  - monitoring
  - Telnet to router
  - terms (table)

L
- lawful intercept
  - VPN-based (per-VRF)
- lawful intercept support for IPoE sessions
  - restrictions
- line vty command
- Lock Out of a Local AAA User Account
- lock-and-key
  - benefits
  - configuring
    - (examples)
    - prerequisites
    - verification
  - maintenance tasks
  - performance impacts
  - process
  - spoofing, risk of
  - when to use
- login local command
  - additional references
  - configuration examples
  - how to configure
  - information about
  - prerequisites
  - restrictions
- login tacacs command
- Login-IPv6-Host attribute

M
- message URL http//tools.ietf.org/id/draft-wadhwa-gsmp-l2control-configuration-02.txt
- method lists
  - AAA
    - accounting
    - authentication
- modes
  - rate adaptive
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
  - feature summary

N
- NAT, configuring IPSec for
- nonces
  - See RSA encrypted nonces

O
- Oakley key exchange protocol

P
- PAP (Password Authentication Protocol)
  - description
  - enable authentication
  - outbound authentication
  - refuse authentication request
- parameterized QoS
- password command
- per-VRF lawful intercept
- PKI integration with AAA server
  - configuring
- POD (packet of disconnect)
  - See AAA, POD
- port mapping
- PPP
  - enable encapsulation
  - inbound authentication
  - outbound authentication
- preauthentication, configuring

R
- RADIUS
  - accounting
  - attribute-value pairs
  - attributes
    - access requests
    - access requests examples
    - IETF
  - authentication
  - authorization
  - authorization of
  - configuring
    - attributes, vendor-proprietary
    - attributes, vendor-specific
    - DNIS server group selection
    - NAS port types, displaying
    - queries for IP addresses
    - queries for static routes
    - RADIUS prompt
    - server communication
    - server groups, deadtime for
    - server groups, DNIS selection of
  - Login-IP-Host
  - operation
  - preauthentication profiles
    - callback
    - modem management
    - two-way authentication
    - username
  - server groups
    - deadtime
    - DNIS selection of
- RADIUS attribute 104
  - configuration examples
  - how to apply
  - information about
  - prerequisites
  - restrictions
  - troubleshooting the RADIUS profile
- RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
  - configuration examples
  - how to configure
  - information about
  - prerequisites
- RADIUS attributes
  - described in RFC 3162
- RADIUS NAS-IP-Address attribute configurability
  - command reference
  - configuration examples
  - how to configure
  - information about
- RADIUS server on failure
  - examples
- RADIUS server reorder on failure
  - additional references
  - configuring a RADIUS server to reorder on failure
  - how the RADIUS server reorder on failure works
  - monitoring
  - prerequisites
  - RADIUS server failure
  - when RADIUS servers are dead
  - restrictions
- radius-server attribute 44 include-in-access-req command
- radius-server attribute 8 include-in-access-req command
- Rekey Functionality in Protocol Independent Multicast-Sparse Mode
  - restrictions
- restrictions for lawful intercept support for IPoE sessions
- Reverse Route Injection
  - how to configure
  - information about
  - restrictions
- Reverse SSH
  - additional references
  - configuration examples
- RFC 1334, PPP Authentication Protocols
- RFC 1829, The ESP DES-CBC Transform
- RFC 1994, PPP CHAP
- RFC-2677
- RSA (Rivest, Shamir, and Adelman) encrypted nonces
  - requirements
- RSA (Rivest, Shamir, and Adelman) signatures
  - requirements
    - IKE configuration

S
- SAs (security associations)
  - IKE established crypto map entries, creating
- scalability, configuring (example)
- Secure Copy
  - configuration examples
  - glossary
  - how to configure
  - information about
  - prerequisites
- Secure Shell Version 2
  - how to configure
  - monitoring and maintaining
  - verifying using the show ip ssh command
- server groups
  - AAA, authentication
  - AAA, authorization
  - deadtime, configuring
  - TACACS+, configuring
- server groups, AAA
  - broadcast accounting
- set pfs command
- set security-association level per-host command
- SHA (Secure Hash Algorithm)
- show access-lists command
- Skeme key exchange protocol
- source interface selection for outgoing traffic with Certificate Authority
  - certificates that identify an entity
  - configuring
  - example
  - troubleshooting
- standards
  - IKE, supported by
- static

T
- TACACS+
  - accounting
  - attribute-value pairs
    - See AV pairs
  - authentication
    - NASI
  - authorization
    - accounting
  - configuring
    - (examples)
    - authentication
    - authentication key
    - DNIS, server group selection
    - server groups
    - server host
  - login input time, configuring
  - operation
  - overview
  - server groups
    - DNIS selection
- TCP Intercept
- tracebacks

U
- username command

V
- Verifying NHRP MIB Status
  - Example
- VPN-based lawful intercept
- VRF-Aware NHRP MIB Configuration
  - Example