Cisco IOS XR System Security Configuration Guide Cisco IOS XR Software Release 3.5 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-12287-01...
SC-16 Standards SC-16 MIBs SC-17 RFCs SC-17 Technical Assistance SC-17 Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software SC-19 Contents SC-20 Prerequisites SC-20 Information About Implementing IKE Security Protocol Configurations for IPSec Networks SC-20 Supported Standards SC-21...
Call Admission Control SC-30 Information About IP Security VPN Monitoring SC-31 Information About IKE for the Cisco IPSec VPN SPA on Cisco IOS XR Software SC-32 IPSec Dead Peer Detection Periodic Message Option SC-32 How to Implement IKE Security Protocol Configurations for IPSec Networks...
Standards SC-88 MIBs SC-89 RFCs SC-89 Technical Assistance SC-89 Implementing IPSec Network Security on Cisco IOS XR Software SC-91 Contents SC-92 Prerequisites for Implementing IPSec Network Security SC-92 Restrictions for Implementing IPSec Network Security SC-93 Restrictions for Implementing IPSec Network with a...
Prefragmentation for Cisco IPSec VPN SPAs SC-99 Reverse-Route Injection SC-100 IPSec—SNMP Support SC-101 Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software SC-101 Cisco IPSec VPN SPA Overview SC-101 Displaying the SPA Hardware Type SC-101...
SC-156 Standards SC-157 MIBs SC-157 RFCs SC-157 Technical Assistance SC-158 Implementing Secure Socket Layer on Cisco IOS XR Software SC-159 Contents SC-160 Prerequisites for Implementing Secure Socket Layer SC-160 Information About Implementing Secure Socket Layer SC-160 Purpose of Certification Authorities...
Related Documents SC-164 Standards SC-165 MIBs SC-165 RFCs SC-165 Technical Assistance SC-165 Configuring AAA Services on Cisco IOS XR Software SC-167 Contents SC-168 Prerequisites for Configuring AAA Services SC-169 Restrictions for Configuring AAA Services SC-169 Information About Configuring AAA Services SC-169...
Contents Configuring Software Authentication Manager on Cisco IOS XR Software SC-225 Implementing Management Plane Protection on Cisco IOS XR Software SC-227 Contents SC-227 Restrictions for Implementing Management Plane Protection SC-228 Information About Implementing Management Plane Protection SC-228 Inband Management Interface...
For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Socket Layer (SSL), and Secure Shell (SSH) protocols. CA interoperability permits Cisco IOS XR devices and CAs to communicate so that your Cisco IOS XR device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide. You must install and activate the Package Installation Envelope (PIE) for the security software.
Implementing Certification Authority Interoperability on Cisco IOS XR Software
Information About Implementing Certification Authority Interoperability
• Public-Key Cryptography Standard #10 (PKCS #10)—A standard syntax from RSA Data Security Inc. for certificate requests.
• RSA keys—RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and...
IPSec Without CAs Without a CA, if you want to enable IPSec services (such as encryption) between two Cisco routers, you must first ensure that each router has the key of the other router (such as an RSA public key or a shared key).
How to Implement CA Interoperability
During IKE phase one signature verification, the initiator sends the responder a list of its CA certificates. The responder should send the certificate issued by one of the CAs in the list. If the certificate is verified, the router saves the public key contained in the certificate on its public key ring.
Configuring a Router Hostname and IP Domain Name
This task configures a router hostname and IP domain name. You must configure the hostname and IP domain name of the router if they have not already been configured.
Step 3: domain name domain-name
Purpose: Configures the IP domain name of the router.
Example: RP/0/RP0/CPU0:router(config)# domain name mydomain.com
Step 4: Saves configuration changes.
DETAILED STEPS
Step 1: crypto key generate rsa [usage keys | general-keys] [keypair-label]
Purpose: Generates RSA key pairs. Use the usage keys keyword to specify special usage...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: crypto ca trustpoint ca-name
Purpose: Declares a CA. Configures a trusted point with a selected name so that...
Step 7 (Optional): rsakeypair keypair-label
Purpose: Specifies a named RSA key pair generated using the crypto key generate rsa command for this trustpoint.
DETAILED STEPS
Step 1: crypto ca authenticate ca-name
Purpose: Authenticates the CA to your router by obtaining a CA certificate, which contains the public key for the CA.
DETAILED STEPS
Step 1: crypto ca enroll ca-name
Purpose: Requests certificates for all of your RSA key pairs. This command causes your router to request as many...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: crypto ca trustpoint ca-name
Purpose: Declares the CA that your router should use and enters trustpoint configuration mode.
Step 6: crypto ca enroll ca-name
Purpose: Obtains the certificates for your router from the CA. Use the ca-name argument to specify the name...
Configuration Examples for Implementing Certification Authority Interoperability
Done w/ crypto generate keypair
[OK]
show crypto key mypubkey rsa
Key label:mykey
Type :RSA General purpose
Size :1024
Created :17:33:23 UTC Thu Sep 18 2003...
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software module, IPSec in the Implementing IPSec Network Security on Cisco IOS XR Software module, and SSL in the Implementing Secure Socket Layer on Cisco IOS XR Software module.
Additional References
MIBs
MIBs: —
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
RFCs...
IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. This module describes the tasks you need to perform to implement IKE on your Cisco IOS XR network. Note...
• Information About Implementing IKE Security Protocol Configurations for IPSec Networks, page SC-20
• Information About IKE for the Cisco IPSec VPN SPA on Cisco IOS XR Software, page SC-32
• How to Implement IKE Security Protocol Configurations for IPSec Networks, page SC-32
•...
IPSec is used to protect one or more data flows between a pair of hosts, a pair of security gateways, or a security gateway and a host. For more information on IPSec, see the Implementing IPSec Network Security on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
Concessions for Not Enabling IKE
IKE is disabled by default in Cisco IOS XR software. If you do not enable IKE, you must make these concessions at the peers: You must manually specify all IPSec security associations in the crypto profiles at all peers.
Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software
Information About Implementing IKE Security Protocol Configurations for IPSec Networks
IKE Policy Creation
IKE negotiations must be protected, so each IKE negotiation begins by agreement of both peers on a common (shared) IKE policy.
A match is made when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values, and when the remote peer’s policy specifies a lifetime that is less than or equal to the lifetime in the policy being compared.
– If your local peer has previously used RSA signatures with certificates during a successful IKE negotiation with a remote peer, your local peer already possesses the remote peer’s public key.
Unlike RSA signatures, the RSA encrypted nonces method cannot use certificates to exchange public keys. Instead, you ensure that each peer has the others’ public keys by one of the following...
criteria imposes the granularity of applying the specified parameters. The ISAKMP profile applies parameters specific to each profile, such as trust points, peer identities, the XAUTH authentication, authorization, and accounting (AAA) list, and so forth.
the username to query AAA if no local key can be found on the Cisco IOS XR router to which the user is trying to connect. Aggressive mode provides the ID in the first part of the IKE exchange;...
After a Cisco Easy VPN connection is up, use the crypto ipsec server send-update command in EXEC mode to send auto-update notifications at any time.
Pushing a Configuration URL Through a Mode-Configuration Exchange...
The Call Admission Control (CAC) for Internet Key Exchange (IKE) feature describes the application of CAC to the IKE protocol in Cisco IOS XR software. CAC limits the number of simultaneous IKE security associations (SAs) (that is, calls to CAC) that a router can establish. In addition, there is an option to limit the maximum number of active IKE SAs allowed in the system and the CPU usage that is consumed by the IKE process or global CPU.
Information About IP Security VPN Monitoring
The IP Security (IPSec) VPN Monitoring feature provides VPN session monitoring enhancements that allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface.
In addition, you can use the show crypto session command with the detail keyword to obtain more detailed information about the sessions.
How to Implement IKE Security Protocol Configurations for IPSec Networks
• Configuring a Browser Proxy, page SC-41 (optional)
• Configuring a Browser-Proxy Map to a Group, page SC-42 (optional)
•...
Step 3 (Optional): no crypto isakmp
Purpose: Disables IKE at the peer router.
Example: RP/0/RP0/CPU0:router(config)# no crypto isakmp
Step 4: Saves configuration changes.
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: Identifies the policy to create.
Step 8: Saves configuration changes. When you issue the end command, the system prompts...
max-logins number-of-logins
max-users number-of-users
netmask mask
pool name
save-password
split-dns domain-name
wins primary-server [secondary-server]
commit
DETAILED STEPS
Command or Action...
Step 6: dns primary-server [secondary-server]
Purpose: Specifies the primary and secondary Domain Name Service (DNS) addresses.
Step 15: pool name
Purpose: Defines the name of an address pool from which an address is allocated if required.
Cisco IOS XR System Security Command Reference.
Configuring a Browser Proxy
This task describes how to configure browser-proxy parameters for a Cisco Easy VPN remote device.
SUMMARY STEPS
configure
crypto isakmp client configuration browser-proxy {browser-proxy-name}...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: Configures browser-proxy parameters for a...
RP/0/RP0/CPU0:router(config-group)# browser-proxy EZVPN
Configuring the Pushing of a Configuration URL Through a Mode-Configuration Exchange
This task configures a Cisco Easy VPN server to push a configuration URL through a Mode-Configuration Exchange.
SUMMARY STEPS
configure
crypto isakmp client configuration group group-name...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: crypto isakmp client configuration group group-name
Purpose: Specifies which group's policy profile is defined and enters ISAKMP group configuration mode.
SUMMARY STEPS
configure
crypto isakmp identity {address | hostname}
host hostname address1 [address2...address8]
commit
DETAILED STEPS
Command or Action...
Configuring RSA Public Keys of All the Other Peers
This task configures the RSA public keys of all the other peers.
Step 3: rsa-pubkey {address address | name fqdn}
Purpose: Defines the Rivest, Shamir, and Adleman (RSA) manual...
Step 7: Saves configuration changes. When you issue the end command, the system prompts...
SUMMARY STEPS
configure
crypto keyring keyring-name [vrf fvrf-name]
pre-shared-key {address address [mask] | hostname hostname} key key
commit
DETAILED STEPS...
Step 3: Defines a preshared key for IKE authentication.
Command: pre-shared-key {address address [mask] |...
commit
show crypto isakmp call admission statistics
DETAILED STEPS
Step 1: Enters global configuration mode.
Step 3: commit
Purpose: Saves configuration changes. When you issue the end command, the system...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: Specifies the maximum number of IKE SAs that the...
Configuring Crypto Keyrings
A crypto keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. The router can have zero or more keyrings.
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: crypto keyring keyring-name [vrf fvrf-name]
Purpose: Defines a crypto keyring to be used during IKE authentication.
Step 6: rsa-pubkey {address address | name fqdn} [encryption | signature]
Purpose: Defines a Rivest, Shamir, and Adleman (RSA) public key by address or hostname.
Configuring IP Security VPN Monitoring
The following sections describe how to configure IP Security (IPSec) VPN monitoring:
• Adding the Description of an IKE Peer, page SC-57 (optional)
•...
Step 4: commit
Purpose: Saves configuration changes. When you issue the end command, the system...
How to Implement IKE for Locally Sourced and Destined Traffic
SUMMARY STEPS
configure
crypto isakmp profile [local] profile-name
description string
keepalive disable
self-identity {address | fqdn | user-fqdn user-fqdn}...
Step 5: self-identity {address | fqdn | user-fqdn user-fqdn}
Purpose: Defines the identity that the local IKE uses to identify itself to the remote peer.
Step 7: match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host domain
Purpose: Matches the identity from a peer in an ISAKMP profile.
Step 9: set ipsec-profile profile-name
Purpose: Predefines the IPSec profile instance when IKE...
How to Implement IKE for Cisco IPSec VPN SPAs on Cisco IOS XR Software
Configuring a Periodic Dead Peer Detection Message
This task configures a periodic dead peer detection (DPD) message.
Step 2: crypto isakmp keepalive seconds retry-seconds
Purpose: Uses the IKE security association (SA) feature to...
description string
keepalive disable
self-identity {address | fqdn | user-fqdn user-fqdn}
keyring keyring-name
match identity {group group-name | address address [mask] vrf [fvrf] | host hostname | host...
Step 5: self-identity {address | fqdn | user-fqdn user-fqdn}
Purpose: Defines the identity that the local IKE uses to identify itself to the remote peer.
Step 7: Matches the identity from a peer in an ISAKMP...
Step 8: set interface {service-ipsec | service-gre} intf-index
Purpose: Predefines the virtual interface when IKE negotiates for IPSec SAs and the local endpoint is the IKE responder.
Configuration Examples for Implementing IKE Security Protocol
Creating IKE Policies: Example
This example shows how to create two IKE policies, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priority.
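To make the policy-matching rule from the Information section concrete alongside the priority ordering in this example, here is an added Python illustration (not Cisco code and not part of the guide) of a responder walking its policies from priority 15, then 20, then the default, and accepting the first remote proposal whose parameters match and whose lifetime is no longer than its own. The parameter values, the contents of the default policy, and the 65535 default priority are constructed assumptions; the match rule itself follows the guide's text.

```python
"""Added example, not from the Cisco guide: IKE phase 1 policy selection.

Assumptions (constructed, not taken from the guide): the policy parameter
values, the contents of the default policy, and that the default policy is
compared last with priority 65535.  The matching rule follows the guide.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

DEFAULT_PRIORITY = 65535  # assumption: the default policy is always compared last


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # lower number = higher priority (policy 15 beats policy 20)
    encryption: str
    hash_alg: str
    authentication: str
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds


def policies_match(local: IkePolicy, remote: IkePolicy) -> bool:
    """Rule from the guide: same encryption, hash, authentication method and
    Diffie-Hellman group, and the remote lifetime must be <= the local one."""
    return (
        local.encryption == remote.encryption
        and local.hash_alg == remote.hash_alg
        and local.authentication == remote.authentication
        and local.group == remote.group
        and remote.lifetime <= local.lifetime
    )


def negotiate(local_policies: Iterable[IkePolicy],
              remote_proposals: Iterable[IkePolicy]
              ) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Try local policies from highest priority (lowest number) downwards and
    return the first (local, remote, lifetime) match, or None if nothing fits.
    On a match the remote lifetime is <= the local one, so it is the value
    both peers end up using."""
    remote_proposals = list(remote_proposals)
    for local in sorted(local_policies, key=lambda p: p.priority):
        for remote in remote_proposals:
            if policies_match(local, remote):
                return local, remote, remote.lifetime
    return None


# Constructed sample data mirroring the example above: policy 15, policy 20,
# then the default policy (its parameter values are an assumption).
LOCAL_POLICIES = [
    IkePolicy(15, "aes", "sha", "rsa-sig", 2, 86400),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 86400),
    IkePolicy(DEFAULT_PRIORITY, "des", "sha", "rsa-sig", 1, 86400),
]

# Constructed remote proposals: the first matches policy 15 on every parameter
# except that its lifetime is longer than ours, so it is rejected; the second
# matches policy 20 with a shorter lifetime, so it is chosen.
REMOTE_PROPOSALS = [
    IkePolicy(10, "aes", "sha", "rsa-sig", 2, 90000),
    IkePolicy(20, "3des", "sha", "pre-share", 2, 43200),
]

if __name__ == "__main__":
    chosen = negotiate(LOCAL_POLICIES, REMOTE_PROPOSALS)
    if chosen is None:
        print("no matching IKE policy; negotiation fails")
    else:
        local, remote, lifetime = chosen
        print(f"using local policy {local.priority} with lifetime {lifetime}s")
```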
Keychain management is a common authentication method for configuring shared secrets on all entities that exchange secrets such as keys before establishing trust with each other. Routing protocols and network management applications on Cisco IOS XR software often use authentication to enhance security while communicating with peers.
Shortest Path First (OSPF), and Intermediate System-to-Intermediate System (IS-IS) use the keychain to implement a hitless key rollover for authentication. For information about BGP, OSPF, and IS-IS keychain configurations, see Cisco IOS XR Routing Configuration Guide. BGP uses TCP authentication, which enables the authentication option and sends the Message Authentication Code (MAC) based on the cryptographic algorithm configured for the keychain.
Implementing Keychain Management on Cisco IOS XR Software
How to Implement Keychain Management
• Determining the Valid Keys, page SC-82 (optional)
• Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic, page SC-84 (required)
• Configuring the Cryptographic Algorithm, page SC-85 (required)
•...
Step 3: commit
Purpose: Saves configuration changes. When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: key chain key-chain-name
Purpose: Creates a name for the keychain...
SUMMARY STEPS
configure
key chain key-chain-name
key key-id
commit
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: Creates a name for the keychain.
What to Do Next
After configuring a key identifier for the keychain, see the Configuring the Text for the Key String section.
Configuring the Text for the Key String
This task configures the text for the key string.
Step 4: key-string [clear | password] key-string-text
Purpose: Specifies the text string for the key. Use the clear keyword to specify the key string in clear...
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2: key chain key-chain-name
Purpose: Creates a name for the keychain...
Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
This task configures the keys used to generate the authentication digest for the outbound application traffic.
SUMMARY STEPS...
Step 4 (Optional): send-lifetime start-time [duration durationvalue | infinite | end-time]
Purpose: Specifies the set time period during which an authentication key on a keychain is valid to be sent. You can specify the validity of the key lifetime in terms of clock time.
cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
commit
DETAILED STEPS
Step 1: configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure...
Step 4: cryptographic-algorithm [HMAC-MD5 | HMAC-SHA1-12 | HMAC-SHA1-20 | MD5 | SHA-1]
Purpose: Specifies the choice of the cryptographic algorithm. You can choose from the following list of...
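As an added example (not Cisco code and not from the guide) tying the cryptographic-algorithm choice to the send-lifetime task above, this Python code picks the key whose send lifetime covers the current time and computes the outbound digest for the HMAC-MD5, HMAC-SHA1-12 and HMAC-SHA1-20 options, where the numeric suffix is the number of MAC bytes kept. The key strings, the lifetimes, and the rule that the lowest key ID wins when send lifetimes overlap are constructed assumptions; the plain MD5 and SHA-1 options are left out because their keyed construction depends on the protocol using the keychain.

```python
"""Added example, not from the Cisco guide: selecting the active keychain key
and computing the keyed digest for the HMAC algorithm options.

Assumptions (constructed): the key strings and lifetimes below, and that the
lowest key ID wins when several send lifetimes overlap during a rollover.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Name as typed on the cryptographic-algorithm line -> (hash function, MAC bytes kept)
HMAC_ALGORITHMS = {
    "HMAC-MD5": (hashlib.md5, 16),
    "HMAC-SHA1-12": (hashlib.sha1, 12),   # SHA-1 HMAC truncated to 12 bytes
    "HMAC-SHA1-20": (hashlib.sha1, 20),   # full 20-byte SHA-1 HMAC
}


@dataclass(frozen=True)
class Key:
    key_id: int
    key_string: bytes
    send_start: datetime
    send_end: Optional[datetime]   # None models the "infinite" keyword


def active_send_key(keys: List[Key], now: datetime) -> Optional[Key]:
    """Return the key whose send-lifetime covers 'now', or None if no key is valid."""
    valid = [k for k in keys
             if k.send_start <= now and (k.send_end is None or now < k.send_end)]
    if not valid:
        return None
    return min(valid, key=lambda k: k.key_id)  # assumption: lowest key ID wins


def compute_digest(algorithm: str, key: Key, message: bytes) -> bytes:
    """Keyed digest that accompanies an outbound protocol message."""
    hash_fn, keep = HMAC_ALGORITHMS[algorithm]
    return hmac.new(key.key_string, message, hash_fn).digest()[:keep]


def verify_digest(algorithm: str, key: Key, message: bytes, received: bytes) -> bool:
    """Constant-time comparison so a receiver does not leak digest bytes via timing."""
    return hmac.compare_digest(compute_digest(algorithm, key, message), received)


def at_hour(hour: int) -> datetime:
    """Helper for the constructed timeline: 1 Jan 2024 at the given UTC hour."""
    return datetime(2024, 1, 1, hour, 0, tzinfo=timezone.utc)


# Constructed keychain: key 1 stops being sent at 12:00 and key 2 becomes
# sendable at 11:00, so both are valid for an hour (the rollover overlap).
KEYCHAIN = [
    Key(1, b"old-secret", at_hour(0), at_hour(12)),
    Key(2, b"new-secret", at_hour(11), None),
]
SAMPLE_MESSAGE = b"constructed routing update payload"

if __name__ == "__main__":
    for hour in (10, 11, 13):
        key = active_send_key(KEYCHAIN, at_hour(hour))
        mac = compute_digest("HMAC-SHA1-12", key, SAMPLE_MESSAGE)
        print(f"{hour:02d}:00 key {key.key_id} HMAC-SHA1-12 = {mac.hex()}")
```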
Cisco CRS-1 and Cisco XR 12000 Series Router. Either tunnel-ipsec interfaces or a transport entity are used. This type is also called software-based IPSec.
• IPSec for transit traffic is supported on the Cisco XR 12000 Series Router IPSec VPN SPA. This...
• Restrictions for Implementing IPSec Network with a Cisco IPSec VPN SPA, page SC-93
• Information About Implementing IPSec Networks, page SC-94
• Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software, page SC-101
• How to Implement General IPSec Configurations for IPSec Networks, page SC-104
•...
Restrictions for Implementing IPSec Network with a Cisco IPSec VPN SPA
The following restrictions apply when implementing an IPSec network with a Cisco XR 12000 Series Router IPSec VPN SPA:
• Clear GRE is not supported. Only secure generic routing encapsulation (GRE) is supported by the...
• Reverse-Route Injection, page SC-100
• IPSec—SNMP Support, page SC-101
Note: For information about IPSec Quality of Service (QoS), refer to the Cisco IOS XR Quality of Service Configuration Guide.
Crypto Profiles
Crypto profile entries created for IPSec combine the various parts used to set up IPSec security...
Implementing IPSec Network Security on Cisco IOS XR Software
Information About Implementing IPSec Networks
For IPSec to succeed between two IPSec peers, both peers’ crypto profile entries must contain compatible configuration statements. When two peers try to establish an SA, each must have at least one crypto profile entry that is compatible with one of the other peer’s crypto profile entries.
Crypto access lists associated with IPSec crypto profile entries have four primary functions:
• Select outbound traffic to be protected by IPSec (permit = protect).
• Indicate the data flow to be protected by the new SAs (specified by a single permit entry) when...
Assuming that the particular crypto profile entry does not have lifetime values configured, when the router requests new SAs it specifies its global lifetime values in the request to the peer; it uses this value as the lifetime of the new SAs.
X-N is discarded. Currently, N is set at 64, so only 64 packets can be kept in the memory of the decryptor. At times, however, the 64-packet window size is not sufficient. For example, Cisco quality of service (QoS) gives priority to high-priority packets, which could cause some low-priority packets to be discarded even though they could be one of the last 64 packets received by the decryptor.
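As an added illustration (not Cisco code and not part of the guide) of the window this paragraph describes, the following Python model of the decryptor's sliding window shows why a delayed low-priority packet is dropped once 64 later packets have arrived, and that a wider window would accept it while still rejecting replays. The bitmap update is the standard sliding-window scheme; the window size, sequence numbers and the QoS delay scenario are constructed.

```python
"""Added example, not from the Cisco guide: sliding-window anti-replay check.

The decryptor remembers the last N sequence numbers (N = 64 in the text).  A
packet is accepted if it is newer than anything seen, or if it falls inside
the window and has not been seen before; a packet older than the window
(sequence number <= highest - N) cannot be checked and is discarded.
"""
from typing import List, Tuple


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set  =>  sequence number (highest - i) was seen

    def check(self, seq: int) -> bool:
        """Return True if the packet is accepted, False if it is dropped."""
        if seq <= 0:
            return False                     # 0 is never a valid sequence number
        if seq > self.highest:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.highest
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1              # everything previously seen falls out
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                     # left of the window: too old to check
        if self.bitmap & (1 << offset):
            return False                     # already seen inside the window: replay
        self.bitmap |= 1 << offset
        return True


def run_sequence(seqs: List[int], size: int = 64) -> List[Tuple[int, bool]]:
    """Feed one arrival order through a fresh window and record each verdict."""
    window = AntiReplayWindow(size)
    return [(seq, window.check(seq)) for seq in seqs]


def dropped(seqs: List[int], size: int = 64) -> List[int]:
    """Sequence numbers the decryptor discards for a given window size."""
    return [seq for seq, ok in run_sequence(seqs, size) if not ok]


# Constructed QoS scenario: packet 5 is a low-priority packet that the sender's
# queueing holds back until 65 higher-priority packets (6..70) have gone out;
# 70 and 10 are then replayed copies of packets already received.
DELAYED_ARRIVAL = [1, 2, 3, 4] + list(range(6, 71)) + [5, 70, 10]

if __name__ == "__main__":
    print("N=64  dropped:", dropped(DELAYED_ARRIVAL, 64))   # [5, 70, 10]: 5 is too old
    print("N=128 dropped:", dropped(DELAYED_ARRIVAL, 128))  # [70, 10]: only the replays
```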
This IPSec feature is supported only on the Cisco IPSec VPN SPA. When a router running Cisco IOS XR software creates an IPSec SA for a peer, resources must be allocated to maintain the SA. The SA requires both memory and several managed timers. For idle peers, these resources are wasted.
Table 4 Pre-Fragmentation for Cisco IPSec VPN SPA Dependencies (columns: Pre-Fragmentation for IPSec VPN SPAs Feature State (Enabled or ...); Service IPSec Interface “crypto ipsec df-bit” ...; Incoming Packet ...)
VPNs. Using the Cisco IPSec VPN SPA enables you to send all VPN traffic coming from or going to the Internet through the SPA hardware. The SPA supports all IPSec-related processing. Packets coming from the trusted LAN are encrypted and sent through the Internet.
Implementing IPSec Network Security on Cisco IOS XR Software Information About an IPSec Network with a Cisco IPSec VPN SPA on Cisco IOS XR Software
Table 5 SPA Hardware Description in show diag Command
SPA Hardware | Description in show diag Command
SPA-IPSEC-2G | ...
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link to routers at remote points over an IP network.
Implementing IPSec Network Security on Cisco IOS XR Software How to Implement General IPSec Configurations for IPSec Networks
VRF-aware IPSec
Each IPSec tunnel is associated with two VRF domains. The outer encapsulated domain belongs to one VRF domain, which is called the front door VRF (FVRF), while the inner, protected IP packet belongs to another domain called inside VRF (IVRF).
Setting Global Lifetimes for IPSec Security Associations
This task sets global lifetimes for IPSec security associations.
SUMMARY STEPS
configure
crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
...
Step 3  commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes: ...
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2  ipv4 access-list name
Purpose: Specifies conditions to determine which IP packets are protected.
Step 2  crypto ipsec transform-set name
transform-set submode: transform protocol
Purpose: Defines a transform set.
• Complex rules define which entries you can use for the ...
set session-key inbound ah spi hex-key-data
set session-key inbound esp spi {cipher hex-key-data authentication hex-key-data}
set session-key outbound ah spi hex-key-data
set session-key outbound esp spi {cipher hex-key-data authentication hex-key-data}
...
Step 6  set transform-set transform-set-name
Purpose: Specifies a list of transform sets in priority order. The set transform-set command is used in profiles that are attached to service-gre interfaces.
Step 11  set session-key inbound ah spi hex-key-data
Purpose: (Optional) Manually specifies the IP Security session keys to set the inbound IPSec session key for the Authentication Header (AH) protocol.
Step 14  set session-key outbound esp spi {cipher hex-key-data authentication hex-key-data}
Purpose: (Optional) Manually specifies the IP Security session key to set the outbound IPSec session key for ESP.
This task configures the DF bit for the encapsulating header in IPSec tunnels. The DF bit configuration is also specified for both service-ipsec and service-gre interfaces.
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
SUMMARY STEPS
...
Example: RP/0/0/CPU0:router(config)# interface service-ipsec
Purpose: Use the crypto ipsec df-bit command in global configuration mode and service-ipsec interface configuration mode.
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
Configuring the IPSec Antireplay Window: Expanding and Disabling Globally
This task expands or disables the IPSec antireplay window globally.
Step 3  crypto ipsec security-association replay disable
Purpose: Disables checking globally.
Note: Configure this command or the crypto ipsec ...
Configuring IPSec NAT Transparency
Network Address Translator (NAT) is automatically detected by the Cisco IPSec VPN SPA. If both VPN devices are NAT-T capable, NAT Transparency is automatically detected and automatically negotiated. No configuration steps are needed to enable IPSec NAT transparency.
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
Disabling IPSec NAT Transparency
This task disables NAT transparency if you already know that your network uses IPSec-aware NAT (spi-matching scheme).
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/0/CPU0:router# configure
Step 2
Purpose: Disables the NAT transparency capability.
Lifetimes for IPSec Security Associations
Cisco IOS XR software currently allows the configuration of lifetimes for IPSec SAs. Lifetimes can be configured globally or for each crypto profile. Two lifetimes exist: a “timed” lifetime and a “traffic-volume” lifetime. A security association expires after the first of these lifetimes is reached.
Step 2  crypto ipsec security-association idle-time seconds
Purpose: Configures the IPSec SA idle timer globally.
• Use the seconds argument to specify the time, in ...
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/0/CPU0:router# configure
Step 2  crypto ipsec profile name
Purpose: Creates or modifies a crypto profile entry and enters profile configuration mode.
Disabling Prefragmentation for Cisco IPSec VPN SPAs
This section provides the following procedures to disable prefragmentation for Cisco IPSec VPN SPAs:
• Disabling Prefragmentation for service-ipsec Interfaces, page SC-124
...
Step 2  crypto ipsec pre-fragmentation disable
Purpose: Specifies the handling of fragmentation for near-MTU-sized packets.
• Use the disable keyword to disable the ...
Example: ...
commit
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/0/CPU0:router# configure
Step 2  crypto ipsec pre-fragmentation disable
Purpose: Specifies the handling of fragmentation for near-MTU-sized packets.
Configuring Reverse-Route Injection in a Crypto Profile
This task shows how to configure reverse-route injection in a crypto profile.
SUMMARY STEPS
configure
...
Configuring IPSec Failure History Table Size
This task changes the size of the failure history table.
Note: This IPSec feature is supported only on the Cisco IPSec VPN SPA.
SUMMARY STEPS
configure
crypto mib ipsec flowmib history failure size number
...
Implementing IPSec Network Security on Cisco IOS XR Software How to Implement IPSec Network Security for Locally Sourced and Destined Traffic
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/0/CPU0:router# configure
Step 2
Purpose: Sets the size of the failure history table.
Be sure to define which packets to protect. If you must use the any keyword in a permit statement, you must preface that statement with a series of deny statements to filter any traffic (that would otherwise fall within that permit statement) that you do not want to be protected.
Step 5  tunnel destination ip-address
Purpose: Specifies the tunnel destination IP address. This command is not required if the profile is dynamic.
Implementing IPSec Network Security on Cisco IOS XR Software How to Implement IPSec Network Security for VPNs
Configuring IPSec Virtual Interfaces
These tasks configure IPSec virtual interfaces:
• Configuring Static IPSec Virtual Interfaces, page SC-133
• Configuring IPSec-Protected GRE Virtual Interfaces, page SC-136
...
Step 4  tunnel source {ip-address}
Purpose: Specifies the source address for a tunnel-ipsec interface.
• Use the ip-address argument to set the IP ...
Example: ...
Step 9  service-location preferred-active location [preferred-standby location [auto-revert]]
Purpose: Specifies both active and standby locations for the interface.
• Use the preferred-active keyword to specify ...
Configuring IPSec-Protected GRE Virtual Interfaces
This task configures IPSec-protected GRE service virtual interfaces.
SUMMARY STEPS
configure
interface service-gre number
profile profile-name
tunnel source {ip-address}
...
Step 5  tunnel destination ip-address
Purpose: Identifies the IP address of the tunnel destination.
• Use the ip-address argument to set the IP ...
Step 9  service-location preferred-active location [preferred-standby location [auto-revert]]
Purpose: Specifies both active and standby locations for the interface.
• Use the preferred-active keyword to specify ...
Configuring the Default Path Maximum Transmission Unit for the SA
This task configures the default path maximum transmission unit (MTU) for the SA.
Implementing IPSec Network Security on Cisco IOS XR Software Configuration Examples for Implementing IPSec Network Security for Locally Sourced Traffic and Destined Traffic
Step 3  crypto ipsec pmtu pmtu
Purpose: Specifies the default path MTU for the SAs that are created under the interface.
A transform set defines how the traffic is protected. In this example, transform set myset1 uses Data...
Implementing IPSec Network Security on Cisco IOS XR Software Configuration Examples for an IPSec Network with a Cisco IPSec VPN SPA
Configuring a Static Profile and Attaching to Transport: Example
The following example shows a minimal IPSec configuration in which a static profile is created and attached to a transport.
import route-target 100:1000
export route-target 100:1000
Configuring ACL That Is Used by the IPSec Profile
ipv4 access-list acl1
10 permit ipv4 100.0.1.0 0.0.0.255 30.0.1.0 0.0.0.255
...
The following example shows, from the output of the show crypto ipsec summary and show crypto ipsec sa commands, that the IPSec SA is created:
...
ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
U - per-user static route, o - ODR, L - local
Gateway of last resort is not set
30.0.1.0/24 is directly connected, 00:02:09, service-ipsec1
...
# Active IPSec Sessions: 2
Local Peer Remote Peer FVRF Profile Transform Lifetime
-------------------------------------------------------------------------------
50.50.50.2 40.40.40.2 default esp-3des esp 120/4194303
...
Internet Key Exchange (IKE) security protocol commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples: see the Internet Key Exchange Security Protocol Commands on Cisco IOS XR Software module in Cisco IOS XR System Security Command Reference, Release 3.5
...
Implementing IPSec Network Security on Cisco IOS XR Software Additional References
RFCs
RFC 2401  Security Architecture for the Internet Protocol
RFC 2402  IP Authentication Header
RFC 2403  The Use of HMAC-MD5-96 within ESP and AH
RFC 2404  The Use of HMAC-SHA-1-96 within ESP and AH
...
Rivest, Shamir, and Adleman (RSA) keys and SSHv2 uses Digital Signature Algorithm (DSA) keys. Cisco IOS XR software supports both SSHv1 and SSHv2. This module describes the tasks that you need to implement Secure Shell on your Cisco IOS XR network.
security commands. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.
• Download the required image on your router. The SSH server and SSH client require you to have a ...
SSH Server
The SSH server feature enables an SSH client to make a secure, encrypted connection to a Cisco router. This connection provides functionality that is similar to that of an inbound Telnet connection. Before SSH, security was limited to Telnet security. SSH allows strong encryption to be used with Cisco IOS XR software authentication.
AAA is a suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server. For more information on AAA, see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference publication and the Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide publication.
Implementing Secure Shell on Cisco IOS XR Software How to Implement Secure Shell
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2  hostname hostname
Purpose: Configures a hostname for your router.
Example: ...
Step 9  ssh server
ssh server v2
Purpose: Brings up an SSH server.
• To bring down an SSH server, use the no ssh server command.
exit
ssh {ipv4-address | ipv6-address | hostname} [username user-id | cipher des | source-interface type instance]
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
AAA commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples: see the Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software module in the Cisco IOS XR System Security Command Reference, Release 3.5
AAA configuration tasks: see the Configuring AAA Services on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide, Release 3.5
...
SSH Transport Layer Protocol, July 2003
MIBs
MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
...
Implementing Secure Shell on Cisco IOS XR Software Additional References
Technical Assistance
Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Data encrypted with the public key can be decrypted only with the private key. This module describes the tasks that you need to implement SSL on your Cisco IOS XR network. For a complete description of the Public Key Infrastructure (PKI) commands used in this chapter, see...
For more information on the commands required to perform these tasks, see the crypto key generate rsa, crypto key generate dsa, crypto ca enroll, and crypto ca authenticate commands in the Public Key Infrastructure Commands on Cisco IOS XR Software module of the Cisco IOS XR System Security Command Reference.
Implementing Secure Socket Layer on Cisco IOS XR Software How to Implement Secure Socket Layer
public key indicates that the holder of the private key, the sender, must have created the message. This process relies on the receiver having a copy of the sender’s public key and knowing with a high degree of certainty that it does belong to the sender and not to someone pretending to be the sender.
DETAILED STEPS
Step 1  crypto key generate rsa [usage-keys | general-keys] [keypair-label]
Purpose: Generates RSA key pairs.
• RSA key pairs are used to sign and encrypt Internet Key ...
Step 6  commit
Purpose: Saves configuration changes.
• When you issue the end command, the system prompts you to commit changes: Uncommitted changes found, commit them before...
... and examples: see the Cisco IOS XR System Security Command Reference, Release 3.5
Certification authority information: see the Implementing Certification Authority Interoperability on Cisco IOS XR Software module in the Cisco IOS XR System Security Configuration Guide, Release 3.5
Cisco IOS XR System Security Configuration Guide SC-164...
Cisco IOS XR system. The major tasks required to implement task-based authorization involve configuring user groups and task groups. User groups and task groups are configured through the Cisco IOS XR software command set used for authentication and authorization services. Authentication commands are used to verify the identity of a user or principal.
• Support was added on Cisco IOS XR to allow you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
Information About Configuring AAA Services
This section lists all the conceptual information that a Cisco IOS XR software user must understand before configuring user groups and task groups through AAA or configuring Remote Authentication Dial-in User Service (RADIUS) or TACACS+ servers. Conceptual information also describes what AAA is and why it is important.
User, User Groups, and Task Groups
Cisco IOS XR software user attributes form the basis of the Cisco IOS XR software administrative model. Each router user is associated with the following attributes:
• User ID (ASCII string) that identifies the user uniquely across an administrative domain
...
User Groups
Cisco IOS XR software allows the system administrator to configure groups of users and the job characteristics that are common in groups of users. Groups must be explicitly assigned to users. Users are not assigned to groups by default. A user can be assigned to more than one group.
Configuring AAA Services on Cisco IOS XR Software Information About Configuring AAA Services
Task Groups
A task group is defined by a collection of task IDs. Task groups contain task ID lists for each class of action. Each user group is associated with a set of task groups applicable to the users in that group. A user’s task permissions are derived from the task groups associated with the user groups to which that user belongs.
The none option for authentication is not supported in Cisco IOS XR software. Cisco IOS XR user access is more secure than Cisco IOS software, and there is no way that a user can access the system without a valid username and password.
Remote Database
AAA data can be stored in an external security server, such as CiscoSecure ACS. Security data stored in the server can be used by any client (such as a network access server [NAS]) provided that the client knows the server IP address and shared secret.
Rollover Mechanism
AAA can be configured to use a prioritized list of database options. If the system is unable to use a database, it automatically rolls over to the next database on the list. If the authentication, authorization, or accounting request is rejected by any database, the rollover does not occur and the request is rejected.
Authentication of Secure Domain Router User
Secure domain router user authentication is similar to owner secure domain router user authentication. If the user is not found to be a member of the designated owner secure domain router user group or root-system user group, the user is authenticated as a secure domain router user.
• Ksh authentication cannot be turned off or bypassed after the card is booted. To bypass authentication, a user needs a reload of the card. (See the “Bypassing ksh...
Task-Based Authorization
AAA employs “task permissions” for any control, configure, or monitor operation through CLI or API. The Cisco IOS software concept of privilege levels has been replaced in Cisco IOS XR software by a task-based authorization system.
Task IDs
The operational tasks that enable users to control, configure, and monitor Cisco IOS XR software are represented by task IDs.
= “<permissions>:<taskid name>, #<usergroup name>, ...”
Note: Cisco IOS XR allows you to specify task IDs as an attribute in the external RADIUS or TACACS+ server. If the server is also shared by non-Cisco IOS XR systems, these attributes are marked as optional as indicated by the server documentation.
For example, to give a user named user1 BGP read, write, and execute permissions and include user1 in a user group named operator, the username entry in the external server’s TACACS+ configuration file...
13. For privilege level 15, the root-system user group is used; privilege level 14 maps to the user group owner-sdr. For example, with the Cisco freeware tac plus server, the configuration file has to specify priv_lvl, as shown in the following example:...
Enigma security cards to validate users and grant access to network resources.
• Networks already using RADIUS. You can add a Cisco router with RADIUS to the network. This might be the first step when you make a transition to a Terminal Access Controller Access Control System Plus (TACACS+) server.
• Router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one router to a router other than a Cisco router if that router requires RADIUS authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.
Each task group is associated with one or more task IDs selected from the Cisco CRS-1 set of available task IDs. The first configuration task in setting up the Cisco CRS-1 authorization scheme is to configure the task groups, followed by user groups, followed by individual users.
Configuring AAA Services on Cisco IOS XR Software How to Configure AAA Services
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2  taskgroup taskgroup-name
Purpose: Creates a name for a particular task group and enters task group configuration submode.
Step 6  Repeat Step 5 for each task ID to be associated with the task group named in Step 2.
Step 7  Saves configuration changes.
description string
inherit usergroup usergroup-name
taskgroup taskgroup-name
Repeat Step 5 for each task group to be associated with the user group named in Step 2.
commit
DETAILED STEPS
...
Step 6  Repeat Step 5 for each task group to be associated with the user group named in Step 2.
Step 7  Saves configuration changes.
commit
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2  username user-name
Purpose: Creates a name for a new user (or identifies a current user) and enters username configuration submode.
Configuring Router to RADIUS Server Communication
This task configures router to RADIUS server communication. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (CiscoSecure ACS), Livingston, Merit, Microsoft, or another software provider. Configuring router to...
(The RADIUS host entries are tried in the order they are configured.) A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.
Step 3  radius-server retransmit retries
Purpose: Specifies the number of times the Cisco IOS XR software searches the list of RADIUS server hosts before giving up.
• In the example, the number of retransmission attempts ...
Example: ...
Step 5  radius-server key {0 clear-text-key | 7 encrypted-key | clear-text-key}
Purpose: Sets the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
Configuring RADIUS Dead-Server Detection
This task configures the RADIUS Dead-Server Detection feature. The RADIUS Dead-Server Detection feature lets you configure and determine the criteria that are used to mark a RADIUS server as dead.
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Example: RP/0/RP0/CPU0:router# configure
Step 2  radius-server deadtime minutes
Purpose: Improves RADIUS response times when some servers might be unavailable and causes the unavailable servers to be skipped immediately.
"cisco-avpair." The value is a string of the following format:
protocol : attribute sep value *
"Protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization. “Attribute” and “value” are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and “sep”...
server-private {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
vrf vrf-name
commit
DETAILED STEPS
Step 1  configure
Purpose: Enters global configuration mode.
Step 4  vrf vrf-name
Purpose: Configures the VRF reference of an AAA RADIUS server group.
Note: Private server IP addresses can overlap with ...
Example: ...
Page 211
Configuring AAA Services on Cisco IOS XR Software How to Configure AAA Services Repeat Step 2 through Step 5 for each external server to be configured. commit show tacacs DETAILED STEPS Command or Action Purpose Step 1 Enters global configuration mode.
Page 212
Configuring AAA Services on Cisco IOS XR Software How to Configure AAA Services Command or Action Purpose Step 5 Prompts the router to multiplex all TACACS+ requests to tacacs-server host host-name single-connection this server over a single TCP connection. By default, a separate connection is used for each session.
Configuring RADIUS Server Groups

This task configures RADIUS server groups. The user can enter one or more server commands. The server command specifies the hostname or IP address of an external RADIUS server along with port numbers.

Step 4
  Repeat Step 3 for every external server to be added to the server group named in Step 2.

Step 5
  ...
What to Do Next

After configuring RADIUS server groups, define method lists by configuring authentication, authorization, and accounting. (See the "Configuring AAA Method Lists" section.)

Configuring TACACS+ Server Groups

This task configures TACACS+ server groups.

Step 4
  Repeat Step 3 for every external server to be added to the server group named in Step 2.

Step 5
  Purpose: Saves configuration changes.
Configuring Authentication Method Lists

This task configures method lists for authentication.

Authentication Configuration

Authentication is the process by which a user (or a principal) is verified. Authentication configuration uses method lists to define an order of preference for the source of AAA data, which may be stored in a variety of data sources.
commit
Repeat Step 1 through Step 3 for every authentication method list to be configured.

DETAILED STEPS

Step 1
  Command: configure
  Purpose: Enters global configuration mode.
The Cisco IOS XR software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS XR software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or until all methods defined have been exhausted.
Note: The Cisco IOS XR software attempts authorization with the next listed method only when there is no response or an error response (not a failure) from the previous method. If authorization fails at any point in this cycle—meaning that the security server or local username database responds by denying the user...
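The fallback rules in the two paragraphs above, combined with the radius-server deadtime behaviour from the RADIUS Dead-Server Detection task, as an added Python model. This is example code, not Cisco's or the IOS XR implementation; the RADIUS server and local-database stand-ins, the scenario data, and the treatment of an exhausted method list as a denial are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"  # ERROR = no response / error response

@dataclass
class RadiusServer:
    name: str
    query: Callable[[str], str]   # constructed stand-in for a RADIUS exchange
    dead_until: float = 0.0       # while now < dead_until the server is skipped

@dataclass
class RadiusGroup:
    """Models "group radius" with the "radius-server deadtime minutes" rule."""
    servers: List[RadiusServer]
    deadtime_minutes: int

    def __call__(self, user: str, now: float) -> str:
        for s in self.servers:
            if now < s.dead_until:      # marked dead: skipped immediately
                continue
            result = s.query(user)
            if result == ERROR:         # unreachable: mark it dead, try the next server
                s.dead_until = now + self.deadtime_minutes * 60
                continue
            return result               # a real answer (PASS or FAIL) ends the lookup
        return ERROR                    # no server in the group answered

def local_db(allowed):
    """Constructed stand-in for the "local" username database method."""
    return lambda user, now: PASS if user in allowed else FAIL

def evaluate(methods: List[Tuple[str, Callable]], user: str, now: float):
    """Walk the list in order: ERROR falls through to the next method,
    PASS or FAIL is final. Treating exhaustion of every method as a
    denial is an assumption; the guide does not state that outcome."""
    for name, method in methods:
        result = method(user, now)
        if result != ERROR:
            return result, name
    return FAIL, "exhausted"

# Constructed scenario: radius1 is down; radius2 denies "admin" but passes others.
radius1 = RadiusServer("radius1", lambda u: ERROR)
radius2 = RadiusServer("radius2", lambda u: FAIL if u == "admin" else PASS)
METHOD_LIST = [("group radius", RadiusGroup([radius1, radius2], 10)),
               ("local", local_db({"admin"}))]
```

Note that "admin" is denied even though the local database would accept it: a failure from a responding method is final, and only an error or no response reaches the next method.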
DETAILED STEPS

Step 1
  Command: configure
  Example: RP/0/RP0/CPU0:router# configure
  Purpose: Enters global configuration mode.

Step 2
  Purpose: Creates a series of authorization methods, or a method list.
Command or Action (continued) / Purpose (continued)
  - group tacacs+: Uses the list of all configured TACACS+ servers for authorization. The NAS exchanges authorization information with the TACACS+ security daemon. TACACS+...
Accounting Configuration

Currently, Cisco IOS XR software supports both the TACACS+ and RADIUS methods for accounting. The router reports user activity to the TACACS+ or RADIUS security server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the security server.
DETAILED STEPS

Step 1
  Command: configure
  Example: RP/0/RP0/CPU0:router# configure
  Purpose: Enters global configuration mode.

Step 2
  Purpose: Creates a series of accounting methods, or a method list.
Purpose (continued)
  - The stop-only keyword sends a "stop accounting" notice at the end of the requested user process.
  - The none keyword states that no accounting is...
Generating Interim Accounting Records

This task enables periodic interim accounting records to be sent to the accounting server. When the aaa accounting update command is activated, Cisco IOS XR software issues interim accounting records for all users on the system.
Step 2
  Command: aaa accounting update {newinfo | periodic minutes}
  Purpose: Enables periodic interim accounting records to be sent to the accounting server.

Applying Method Lists for Applications

After you configure method lists for authorization and accounting services, you can apply those method lists for applications that use those services (console, vty, auxiliary, and so on). Applying method lists is accomplished by enabling AAA authorization and accounting.
Step 3
  Command: authorization {commands | exec} {default | list-name}
  Purpose: Enables AAA authorization for a specific line or group of lines.
SUMMARY STEPS

configure
line {aux | console | default | template template-name}
accounting {commands | exec} {default | list-name}
commit
DETAILED STEPS

Step 1
  Command: configure
  Example: RP/0/RP0/CPU0:router# configure
  Purpose: Enters global configuration mode.

Step 2
  Command: line {aux | console | default | template...
  Purpose: Enters line template configuration mode.
What to Do Next

After applying accounting method lists by enabling AAA accounting services, configure login parameters. (See the "Configuring Login Parameters" section.)

Configuring Login Parameters

This task sets the interval that the server waits for a reply to a login.
Configuring AAA Services on Cisco IOS XR Software
Configuration Examples for Configuring AAA Services

Step 3
  Command: timeout login response seconds
  Purpose: Sets the interval that the server waits for a reply to a login.
    - The seconds argument specifies the timeout interval (in...

   secret lab
   group root-system
   exit
  username user2
   secret lab
   exit

A task group named tga is created, tasks are added to tga, a user group named uga is created, and uga is configured to inherit permissions from task group tga.
MIBs
  MIBs: —
  MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Additional References

RFCs
  RFCs: —
  Title: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance
  Description: The Cisco Technical Support website contains...
  Link: http://www.cisco.com/techsupport
If the system clock is not set correctly, the system does not function properly. For information on setting the system clock, see the clock set command in the Clock Commands on Cisco IOS XR Software module in the Cisco IOS XR System Management Command Reference.
Configuring Software Authentication Manager on Cisco IOS XR Software
Implementing Management Plane Protection on Cisco IOS XR Software

The Management Plane Protection (MPP) feature in Cisco IOS XR software provides the capability to restrict the interfaces on which network management packets are allowed to enter a device. The MPP feature allows a network operator to designate one or more router interfaces as management interfaces.
CoPP allows you to configure a quality of service (QoS) filter that manages the traffic flow of control plane packets. This QoS filter helps to protect the control plane of Cisco IOS XR routers and switches against denial-of-service (DoS) attacks and helps to maintain packet forwarding and protocol states during an attack or during heavy traffic loads.
How to Configure a Device for Management Plane Protection

Examples of protocols processed in the management plane are Simple Network Management Protocol (SNMP), Telnet, HTTP, Secure HTTP (HTTPS), and SSH. These management protocols are used for monitoring and for command-line interface (CLI) access.

Configuring a Device for Management Plane Protection

Perform this task to configure a device that you have just added to your network or a device already operating in your network.
Step 5
  Command: interface {type instance | all}
  Purpose: Configures a specific inband interface or all interfaces as an inband interface. Use the interface...
Implementing Management Plane Protection on Cisco IOS XR Software
Configuration Examples for Implementing Management Plane Protection

Step 7
  Command: commit
  Purpose: Saves configuration changes.
    - When you issue the end command, the system prompts you to commit changes:...

MIBs
  MIBs: —
  MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Additional References

RFCs
  RFCs: —
  Title: No new or modified RFCs are supported by this feature.

Technical Assistance
  Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools.
  Link: http://www.cisco.com/techsupport