Note: IPv6 management access filters are supported on all platforms as described in this document, except the 7210 SAS-K 2F1C2T.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes the string.
Supported on all 7210 SAS platforms as described in this document
The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command puts an entity into the administratively enabled state.
no shutdown
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure security settings.
Security commands manage user profiles and user membership. Security commands also manage user login registrations.
Supported on all 7210 SAS platforms as described in this document
This command enables FTP servers running on the system.
FTP servers are disabled by default. At system startup, only SSH servers are enabled.
The no form of this command disables FTP servers running on the system.
Supported on all 7210 SAS platforms as described in this document
If the user executes a save or info command, the system will encrypt all passwords, for example, MD5 keys, for security reasons. At present, two algorithms exist.
The first algorithm produces a simple, short key that can be copied and pasted to a different location when the user wants to configure the same password elsewhere. However, because the hash depends only on the password/key, the same password always produces the same hashed string, so even a casual observer can see that two entries use the same key.
The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.
hash-control read-version all
Supported on all 7210 SAS platforms as described in this document
This command specifies the source address that should be used in all unsolicited packets sent by the application.
This feature applies only to in-band interfaces and not to the out-of-band management interface. Packets going out the management interface keep using that interface's address as the source IP address. That is, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used regardless of what is configured under the source-address statement.
Supported on all 7210 SAS platforms as described in this document
This command specifies the application to use the source IP address specified by the source-address command.
Note: PTP is not supported on all platforms. Only the applications supported on the platform can be used as a value with this command. Using an unsupported application value will not have the desired effect.
Supported on all 7210 SAS platforms as described in this document
This command enables Telnet servers running on the system.
Telnet servers are off by default. At system startup, only SSH servers are enabled.
Telnet servers in networks limit Telnet clients to three attempts to log in. The Telnet server disconnects the Telnet client session after three attempts.
The no form of this command disables Telnet servers running on the system.
Supported on all 7210 SAS platforms as described in this document
This command enables exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, in which a malicious user tries to gain access to the CLI by using a script to attempt the admin login with every conceivable password.
The no form of this command disables exponential backoff.
no exponential-backoff
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure FTP login control parameters.
Supported on all 7210 SAS platforms as described in this document
This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.
By default, an idle FTP, console, SSH, or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.
The no form of this command reverts to the default value.
idle-timeout 30
Supported on all 7210 SAS platforms as described in this document
This command configures the maximum number of concurrent inbound FTP sessions.
This value is the combined total of inbound and outbound sessions.
The no form of this command reverts to the default value.
inbound-max-sessions 3
Supported on all 7210 SAS platforms as described in this document
This command limits the number of inbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established to the router. The local serial port cannot be disabled.
The no form of this command reverts to the default value.
inbound-max-sessions 5
Supported on all 7210 SAS platforms as described in this document
This command enables or disables the display of a login banner. The login banner contains the 7210 SAS copyright and build date information for a console login attempt.
The no form of this command causes only the configured pre-login message and a generic login prompt to display.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure the session control for the console, Telnet, and FTP.
Supported on all 7210 SAS platforms as described in this document
This command configures the message of the day displayed after a successful console login. Only one message can be configured.
The no form of this command removes the message.
Some special characters can be used to format the message text. The “\n” character creates multi-line MOTDs and the “\r” character restarts at the beginning of the new line. For example, entering “\n\r” will start the string at the beginning of the new line, while entering “\n” will start the second line following the last character from the first line.
Supported on all 7210 SAS platforms as described in this document
This command limits the number of outbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established from the router. The local serial port cannot be disabled.
The no form of this command reverts to the default value.
outbound-max-sessions 5
Supported on all 7210 SAS platforms as described in this document
This command configures a message that is displayed prior to console login attempts, including those made on the console over Telnet.
Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
It is possible to add the name parameter to an existing message without affecting the current pre-login-message.
The no form of this command removes the message.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure SSH parameters.
Supported on all 7210 SAS platforms as described in this document
This command enables graceful shutdown of SSH sessions.
The no form of this command disables graceful shutdown of SSH sessions.
Supported on all 7210 SAS platforms as described in this document
This command enables the configuration of the list of ciphers allowed when the 7210 SAS acts as an SSH client.
Supported on all 7210 SAS platforms as described in this document
This command enables the configuration of a cipher. Client-ciphers are used when the 7210 SAS is acting as an SSH client. Server ciphers are used when the 7210 SAS is acting as an SSH server.
The no form of this command removes the index and cipher name from the configuration.
no cipher index
| Cipher Index Value | Cipher Name | Client | Server |
| --- | --- | --- | --- |
| 200 | 3des | ✓ | ✓ |
| 205 | blowfish | ✓ | ✓ |
| 210 | des | ✓ | |

| Cipher Index Value | Cipher Name | Client | Server |
| --- | --- | --- | --- |
| 190 | aes256-ctr | ✓ | ✓ |
| 192 | aes192-ctr | ✓ | ✓ |
| 194 | aes128-ctr | ✓ | ✓ |
| 200 | aes128-cbc | ✓ | ✓ |
| 205 | 3des-cbc | ✓ | ✓ |
| 210 | blowfish-cbc | ✓ | ✓ |
| 215 | cast128-cbc | ✓ | ✓ |
| 220 | arcfour | ✓ | ✓ |
| 225 | aes192-cbc | ✓ | ✓ |
| 230 | aes256-cbc | ✓ | ✓ |
| 235 | rijndael-cbc | ✓ | ✓ |
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure SSH MAC algorithms for the 7210 SAS acting as a client.
Supported on all 7210 SAS platforms as described in this document
This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server or an SSH client.
The no form of this command removes the specified mac index.
no mac index
| Cipher Index Value | MAC Name |
| --- | --- |
| 200 | hmac-sha2-512 |
| 210 | hmac-sha2-256 |
| 215 | hmac-sha1 |
| 220 | hmac-sha1-96 |
| 225 | hmac-md5 |
| 230 | hmac-ripemd160 |
| 235 | hmac-ripemd160-openssh-com |
| 240 | hmac-md5-96 |
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure SSH KEX algorithms for the 7210 SAS in the client role.
By default, SSH advertises a KEX list that contains the following algorithms:
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command configures phase 1 SSHv2 KEX algorithms for the 7210 SAS in the SSH server or an SSH client role.
The no form of this command removes the specified KEX index. If all KEX indexes are removed, the default list is used.
Supported on all 7210 SAS platforms as described in this document
After this command is enabled, private keys, public keys, and host key files are saved by the server. They are restored following a system reboot or a restart of the SSH server.
The no form of this command specifies that the keys are held in memory by the SSH server and are not restored following a system reboot.
no preserve-key
Supported on all 7210 SAS platforms as described in this document
This command enables the configuration of the list of ciphers allowed when the 7210 SAS acts as an SSH server.
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure SSH KEX algorithms for the 7210 SAS in the SSH server role.
By default, SSH advertises a KEX list that contains the following algorithms:
Supported on all 7210 SAS platforms as described in this document
This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server.
Supported on all 7210 SAS platforms as described in this document
This command enables the SSH servers running on the system. By default, only the SSH server is enabled at startup.
Supported on all 7210 SAS platforms as described in this document
This command specifies the SSH protocol version that will be supported by the SSH server.
version 2
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure the Telnet login control parameters.
Supported on all 7210 SAS platforms as described in this document
This command enables graceful shutdown of Telnet sessions.
The no form of this command disables graceful shutdown of Telnet sessions.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure management access filters and reset match criteria.
Management access filters control all management traffic in and out of the router. They can be used to restrict management of the router to nodes within specific subnetworks, or to management traffic arriving through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of this command removes management access filters from the configuration.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure management access IP filter parameters.
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
Commands in this context configure management access IPv6 filter parameters.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.
This command enables the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.
This command creates or edits a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the specified entry from the management access filter.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command enables the context associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
If the packet does not meet any of the match criteria, the configured default action is applied.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source TCP or UDP port number or port range for a management access filter match criterion.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the source port match criterion.
This 16-bit mask can be configured using the formats in the following table.
| Format style | Format syntax | Example |
| --- | --- | --- |
| Decimal | DDDDD | 63488 |
| Hexadecimal | 0xHHHH | 0xF800 |
| Binary | 0bBBBBBBBBBBBBBBBB | 0b1111100000000000 |
To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
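The value/mask port match and the first-match, most-to-least-explicit entry ordering described above, as an added example in Python; this is a constructed model, not 7210 SAS code, and the entry fields, the `mask_for_range` helper and the sample filter are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a management access filter (MAF), not 7210 SAS code:
# entries are tried in ascending entry-id order, the first match wins, and
# default-action covers packets that match no entry.


@dataclass
class Entry:
    entry_id: int
    action: str                       # "permit" or "deny"
    src_ip: Optional[str] = None      # prefix such as "10.1.0.0/16"
    protocol: Optional[int] = None    # IP protocol number, e.g. 6 (TCP), 17 (UDP)
    dst_port: Optional[int] = None    # port value, compared under dst_port_mask
    dst_port_mask: int = 0xFFFF       # 16-bit mask; 0xFFFF means exact match
    log: bool = False                 # "log": raise mafEntryMatch on a hit


def port_matches(port: int, value: int, mask: int) -> bool:
    """value/mask rule: the packet port ANDed with the 16-bit mask must equal
    the configured value ANDed with the same mask."""
    return (port & mask) == (value & mask)


def mask_for_range(lo: int, hi: int) -> int:
    """Return the 16-bit mask that selects exactly the inclusive range lo..hi.

    Only an aligned power-of-two block (1024-2047, 80-80, 8192-16383, ...) can
    be expressed with one value/mask pair; anything else raises ValueError.
    """
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size or hi > 0xFFFF:
        raise ValueError(f"{lo}-{hi} is not an aligned power-of-two block")
    return 0xFFFF & ~(size - 1)


def entry_matches(e: Entry, src: str, proto: int, dport: int) -> bool:
    """An entry with no criteria matches everything; each configured criterion
    narrows the match."""
    if e.src_ip is not None:
        if ipaddress.ip_address(src) not in ipaddress.ip_network(e.src_ip, strict=False):
            return False
    if e.protocol is not None and proto != e.protocol:
        return False
    if e.dst_port is not None and not port_matches(dport, e.dst_port, e.dst_port_mask):
        return False
    return True


def evaluate(entries, default_action: str, src: str, proto: int, dport: int):
    """Return (action, entry_id that matched or None, whether a log event fires)."""
    for e in sorted(entries, key=lambda x: x.entry_id):
        if entry_matches(e, src, proto, dport):
            return e.action, e.entry_id, e.log
    return default_action, None, False


# Constructed filter: SSH from the management prefix is permitted explicitly
# (most specific entry first); TCP to the 1024-2047 block is denied with the
# value/mask pair 1024 0xFC00 from the text; everything else hits default-action.
MAF = [
    Entry(10, "permit", src_ip="10.1.0.0/16", protocol=6, dst_port=22),
    Entry(20, "deny", protocol=6, dst_port=1024, dst_port_mask=0xFC00, log=True),
]
DEFAULT_ACTION = "deny"

if __name__ == "__main__":
    print(hex(mask_for_range(1024, 2047)))                    # 0xfc00
    print(evaluate(MAF, DEFAULT_ACTION, "10.1.2.3", 6, 22))    # permit, entry 10
    print(evaluate(MAF, DEFAULT_ACTION, "10.1.2.3", 6, 1500))  # deny, entry 20, logged
    print(evaluate(MAF, DEFAULT_ACTION, "192.0.2.5", 6, 22))   # default-action deny
```

Putting a broad entry ahead of a specific one (for example a bare deny of all TCP with a lower entry-id) means the specific permit is never reached, which is why the text asks for most-to-least-explicit sequencing and provides renum.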
Supported on all 7210 SAS platforms as described in this document
This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.
An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
The no form of this command removes the match criterion.
no fragment
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source TCP or UDP port number for an IP filter match criterion. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the source port match criterion.
no l4-src-port
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service or real-time service.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command enables match logging. When enabled, matches on this entry cause the Security event mafEntryMatch to be raised.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
no log
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
This command specifies the next header to match. The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17).
Supported on all 7210 SAS platforms as described in this document
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
The no form of this command removes the protocol from the match criteria.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a router name or service ID to be used as a management access filter match criterion.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the router name or service ID from the match criteria.
router Base
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command renumbers existing management access filter entries to resequence filter entries.
The system exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of the command reverts to the default value.
Supported on all 7210 SAS platforms as described in this document
Note: The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source IP address range to be used as a management access filter match criterion.
To match on the source IP address, specify the address and the associated mask (that is, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of the command removes the source IP address match criterion.
ipv4-prefix — a.b.c.d
ipv4-prefix-length — 0 to 32
ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces)
x:x:x:x:x:x:d.d.d.d
x: [0..FFFF]H
d: [0..255]D
ipv6-prefix-length — 0 to 128 (7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C)
0 to 64 (7210 SAS-Dxp)
Supported on all 7210 SAS platforms as described in this document
This command enables the context (with admin permissions) to configure a password that enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
This functionality can be enabled in two contexts:
Note: See the description for enable-admin. If the admin-password is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are given access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all commands.
The minimum password length is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.
The usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-file-url dest-file-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.
Note: The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.
The no form of this command removes the admin password from the configuration.
no admin-password
Supported on all 7210 SAS platforms as described in this document
Commands in this context enter the administrative mode.
Note: See the description for admin-password. If admin-password is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are given access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is given unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
There are two ways to verify that a user is in the enable-admin mode:
The following output is an example of user information.
Supported on all 7210 SAS platforms as described in this document
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.
The no form of this command reverts to the default value.
Supported on all 7210 SAS platforms as described in this document
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
The threshold for the number of login attempts can be configured by using the CLI parameter count in the command. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command. By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap is not sent for every failed attempt. If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no form of this command resets all values to default.
attempts 3 time 5 lockout 10
Supported on all 7210 SAS platforms as described in this document
This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.
The preferred order for password authentication is:
The no form of this command reverts to the default authentication sequence.
authentication-order radius tacplus local
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmative authentication; only if that method is no longer reachable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication and:
Supported on all 7210 SAS platforms as described in this document
This command defines a list of rules for configurable password options.
Supported on all 7210 SAS platforms as described in this document
This command enables the username to be used as part of the password.
The no form of this command does not allow the username to be used as part of the password.
Supported on all 7210 SAS platforms as described in this document
This command configures the maximum credits given for usage of the different character classes in the local passwords.
The no form of this command reverts to the default value.
no credits
Supported on all 7210 SAS platforms as described in this document
This command forces the use of at least as many different character classes as specified.
The no form of this command resets to default.
no minimum-classes
Supported on all 7210 SAS platforms as described in this document
This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.
If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.
The no form of this command reverts to the default value.
minimum-length 6
Supported on all 7210 SAS platforms as described in this document
This command configures the number of times a character can be repeated consecutively.
The no form of this command resets to default.
no repeated-characters
Supported on all 7210 SAS platforms as described in this document
This command configures the minimum number of different character classes required.
The no form of this command reverts to the default value.
no required
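The complexity-rules commands above (allow-user-name, credits, minimum-classes, minimum-length, repeated-characters, and required) applied together, as an added Python example that is not the 7210 SAS implementation. It assumes that required and credits are expressed per character class and that earned credits are added to the password length before the minimum-length comparison; the rule set and candidate passwords are constructed.

```python
import string
from dataclasses import dataclass, field

# Constructed checker for the complexity-rules context; not 7210 SAS code.
# Assumptions: "required" and "credits" are per character class, and credits
# are added to the password length before the minimum-length comparison.

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "special-character": set(string.punctuation),
}


@dataclass
class ComplexityRules:
    minimum_length: int = 6              # default "minimum-length 6"
    minimum_classes: int = 0             # 0 mirrors "no minimum-classes"
    repeated_characters: int = 0         # max consecutive repeats; 0 = no limit
    allow_user_name: bool = False        # the username may not be part of the password
    required: dict = field(default_factory=dict)  # class -> minimum count (assumed)
    credits: dict = field(default_factory=dict)   # class -> max credits (assumed)


def class_counts(pw: str) -> dict:
    """Count how many characters of each class the candidate contains."""
    counts = {name: 0 for name in CLASSES}
    for ch in pw:
        for name, members in CLASSES.items():
            if ch in members:
                counts[name] += 1
    return counts


def longest_run(pw: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(pw: str, username: str, rules: ComplexityRules) -> list:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    failures = []
    counts = class_counts(pw)

    # minimum-length, with credits for class usage capped per class
    credit = sum(min(counts[c], rules.credits.get(c, 0)) for c in CLASSES)
    if len(pw) + credit < rules.minimum_length:
        failures.append("minimum-length")

    # minimum-classes: number of distinct character classes actually used
    if sum(1 for n in counts.values() if n > 0) < rules.minimum_classes:
        failures.append("minimum-classes")

    # required: per-class minimum counts
    for cls, needed in rules.required.items():
        if counts.get(cls, 0) < needed:
            failures.append(f"required:{cls}")

    # repeated-characters: longest consecutive run of the same character
    if rules.repeated_characters and longest_run(pw) > rules.repeated_characters:
        failures.append("repeated-characters")

    # allow-user-name: reject a password that contains the username
    if not rules.allow_user_name and username and username.lower() in pw.lower():
        failures.append("allow-user-name")

    return failures


if __name__ == "__main__":
    rules = ComplexityRules(minimum_length=8, minimum_classes=3, repeated_characters=2,
                            required={"numeric": 1}, credits={"special-character": 2})
    for candidate in ("admin1234", "aaaa1111", "Tr0ub4dor!", "Ab1!!"):
        print(candidate, check_password(candidate, "admin", rules))
```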
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-D
This command configures the password hashing algorithm.
Supported on all 7210 SAS platforms as described in this document
This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30-second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful.
health-check
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure password management parameters.
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure public keys for SSH.
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure ECDSA public keys.
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured ECDSA public keys.
no ecdsa-key
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.
The no form of this command removes the configured ECDSA public key value.
no key-value
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Commands in this context configure RSA public keys.
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured RSA public keys.
no rsa-key
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.
The no form of this command removes the configured public key value.
no key-value
Supported on all 7210 SAS platforms as described in this document
This command configures the action associated with the profile entry.
Supported on all 7210 SAS platforms as described in this document
This command configures a command or command subtree.
Because the 7210 SAS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition.
Supported on all 7210 SAS platforms as described in this document
This command copies a profile or user from a source profile to a destination profile.
Supported on all 7210 SAS platforms as described in this document
This command specifies the default action to be applied when no match conditions are met.
This keyword does not change access to security commands. Security commands are only and always available to members of the super-user profile.
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, the second profile will never be evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, the default deny-all takes effect.
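The profile evaluation described above (first matching entry wins within a profile, the matched command's whole subtree is covered, and a profile's default-action of permit-all or deny-all stops evaluation while none falls through to the next profile, ending in deny-all), as an added Python model that is not the 7210 SAS implementation. The token-wise prefix match for command subtrees and the sample profiles are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of user-profile evaluation; not 7210 SAS code. An entry
# matches a command when its "match" string is a token-wise prefix of the
# command, so a match on "configure system" covers the whole subtree beneath it.


@dataclass
class ProfileEntry:
    entry_id: int
    match: str          # command or subtree, e.g. "configure system security"; "" matches all
    action: str         # "permit" or "deny"


@dataclass
class Profile:
    name: str
    default_action: str                     # "permit-all", "deny-all" or "none"
    entries: List[ProfileEntry] = field(default_factory=list)


def entry_covers(entry: ProfileEntry, command: str) -> bool:
    """Subtree match: every token of the entry's match string must lead the command."""
    pattern = entry.match.split()
    return command.split()[:len(pattern)] == pattern


def evaluate_profile(profile: Profile, command: str):
    """Return (decision, entry_id). First matching entry (by entry-id) wins; with no
    match the default action applies, and "none" means this profile did not decide."""
    for e in sorted(profile.entries, key=lambda x: x.entry_id):
        if entry_covers(e, command):
            return e.action, e.entry_id
    if profile.default_action == "permit-all":
        return "permit", None
    if profile.default_action == "deny-all":
        return "deny", None
    return "none", None


def authorize(profiles: List[Profile], command: str):
    """Evaluate the user's profiles in order; the first profile that decides wins.
    Returns (decision, profile name or None, entry id or None)."""
    for p in profiles:
        decision, entry_id = evaluate_profile(p, command)
        if decision != "none":
            return decision, p.name, entry_id
    return "deny", None, None     # implicit deny-all after the last profile


# Constructed profiles: "ops" permits show commands and otherwise falls through;
# "restricted" denies the security subtree but permits the rest of configure.
OPS = Profile("ops", "none", [ProfileEntry(10, "show", "permit")])
RESTRICTED = Profile("restricted", "none", [
    ProfileEntry(10, "configure system security", "deny"),   # most explicit first
    ProfileEntry(20, "configure", "permit"),
])

if __name__ == "__main__":
    for cmd in ("show router interface", "configure system security user bob",
                "configure router interface x", "admin reboot"):
        print(cmd, "->", authorize([OPS, RESTRICTED], cmd))
    # With permit-all as the first profile's default, the second profile is never consulted.
    print(authorize([Profile("ops-all", "permit-all", OPS.entries), RESTRICTED],
                    "configure system security user bob"))
```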
Supported on all 7210 SAS platforms as described in this document
This command configures a text description stored in the configuration file for a configuration context.
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes the string from the context.
Supported on all 7210 SAS platforms as described in this document
This command creates a user profile entry.
More than one entry can be created with unique entry-id numbers. The 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.
The no form of this command removes the specified entry from the user profile.
Supported on all 7210 SAS platforms as described in this document
This command creates user profiles for CLI command tree permissions.
Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
After the profiles are created, the users command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.
The no form of this command deletes a user profile.
user-profile default
Supported on all 7210 SAS platforms as described in this document
This command renumbers profile entries to re-sequence the entries.
Because the 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.
Supported on all 7210 SAS platforms as described in this document
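The first-match evaluation that the entry, match, action, default-action and renum commands above describe, modelled as an added example (not Nokia code); the super-user profile name "administrative" and the command strings used are assumptions:

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed name of the super-user profile; the page only calls it "super-user".
SUPER_USER_PROFILE = "administrative"
SECURITY_TREE = "configure system security"


@dataclass
class Entry:
    entry_id: int
    action: str                  # "permit" or "deny"
    match: Optional[str] = None  # command prefix; None matches everything


@dataclass
class Profile:
    name: str
    default_action: str = "none"  # "permit-all", "deny-all" or "none"
    entries: List[Entry] = field(default_factory=list)

    def entry(self, entry_id: int, action: str, match: Optional[str] = None) -> None:
        self.entries.append(Entry(entry_id, action, match))

    def renum(self, old_id: int, new_id: int) -> None:
        """Re-sequence one entry, as the renum command does."""
        if any(e.entry_id == new_id for e in self.entries):
            raise ValueError(f"entry {new_id} already exists")
        for e in self.entries:
            if e.entry_id == old_id:
                e.entry_id = new_id
                return
        raise KeyError(old_id)


def prefix_match(match: str, command: str) -> bool:
    """A match string covers that command and every command below it in the tree."""
    m, c = match.split(), command.split()
    return c[: len(m)] == m


def evaluate(profiles: List[Profile], command: str) -> Tuple[str, str]:
    """Evaluate profiles in membership order, entries by ascending entry-id.

    Returns (action, reason). The first matching entry wins; the remaining
    entries of that profile and all later profiles are never consulted.
    A default-action of "none" falls through to the next profile, and when
    every profile falls through the implicit deny-all applies.
    """
    # Security commands are always and only available to the super-user profile.
    if prefix_match(SECURITY_TREE, command):
        ok = any(p.name == SUPER_USER_PROFILE for p in profiles)
        return ("permit" if ok else "deny"), "security commands: super-user only"
    for p in profiles:
        for e in sorted(p.entries, key=lambda e: e.entry_id):
            if e.match is None or prefix_match(e.match, command):
                return e.action, f"{p.name} entry {e.entry_id}"
        if p.default_action == "permit-all":
            return "permit", f"{p.name} default-action permit-all"
        if p.default_action == "deny-all":
            return "deny", f"{p.name} default-action deny-all"
    return "deny", "implicit deny-all"


if __name__ == "__main__":
    # Constructed profiles: a deny placed after a broader permit never fires
    # until renum moves it in front.
    ops = Profile("ops")
    ops.entry(10, "permit", "configure router")
    ops.entry(20, "deny", "configure router bgp")
    print(evaluate([ops], "configure router bgp group g1"))  # permit, entry 10
    ops.renum(20, 5)
    print(evaluate([ops], "configure router bgp group g1"))  # deny, entry 5
```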
This command grants a user permission for FTP, SNMP, console, or lawful intercept (LI) access.
If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated additively.
The no form of this command removes access for a specific application.
The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access FTP denies FTP access.
Supported on all 7210 SAS platforms as described in this document
This command configures the authentication and encryption method for the user to be validated by the device. SNMP authentication allows the device to validate the managing node that issued the SNMP message and detect message tampering.
The user password is encrypted first by the MD5/SHA/DES algorithm. The output of the algorithm is always a fixed length string (key). Copy the password key and paste the output in the appropriate authentication command key parameter.
The no form of this command reverts to the default value.
authentication none
The MD5 authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length value. The maximum length is 16 octets (32 printable characters).
The complexity of the key is determined by the configuration in the complexity-rules context.
The sha authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length value. The maximum length is 20 octets (40 printable characters).
The complexity of the key is determined by the configuration in the complexity-rules context.
To remove a previously configured des-key or aes-128-cfb-key, enter privacy none.
The complexity requirements for the password are determined by the configuration in the complexity-rules context.
Supported on all 7210 SAS platforms as described in this document
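The standard SNMPv3 password-to-key derivation (RFC 3414, Appendix A) as an added example, not Nokia code, showing why the key that gets pasted into the authentication command is always a fixed-length string: 16 octets (32 hex characters) for MD5 and 20 octets (40) for SHA. That the 7210 SAS performs exactly this engine-ID localization step is an assumption; the sample password and engine ID are the RFC's published test vector.

```python
import hashlib

ONE_MIB = 1048576
DIGEST_OCTETS = {"md5": 16, "sha1": 20}  # 32 and 40 printable hex characters


def password_to_ku(password: str, hash_name: str) -> bytes:
    """RFC 3414 A.2: repeat the password cyclically to exactly 1 MiB, then hash."""
    data = password.encode()
    if not data:
        raise ValueError("empty password")
    expanded = (data * (ONE_MIB // len(data) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the key to one SNMP engine: Kul = H(Ku || engineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def snmpv3_auth_key(password: str, engine_id_hex: str, hash_name: str) -> str:
    """Return the localized key as the hex string pasted into the CLI.

    The length is fixed by the hash, not by the password, which is why the
    page quotes 16 octets for MD5 and 20 octets for SHA.
    """
    ku = password_to_ku(password, hash_name)
    key = localize_key(ku, bytes.fromhex(engine_id_hex), hash_name).hex()
    assert len(key) == 2 * DIGEST_OCTETS[hash_name]
    return key


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 vector: password "maplesyrup", engine ID ...02.
    print(snmpv3_auth_key("maplesyrup", "000000000000000000000002", "md5"))
    print(snmpv3_auth_key("maplesyrup", "000000000000000000000002", "sha1"))
```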
This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user>snmp>group command. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
Supported on all 7210 SAS platforms as described in this document
This command disables the user’s privilege to change their password for both FTP and console login.
The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.
The no form of this command enables the user privilege to change their password.
no cannot-change-password
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure user profile membership for the console (either Telnet or serial port user).
Supported on all 7210 SAS platforms as described in this document
This command copies specific user configuration parameters to another (destination) user.
The password is set to a carriage return and a new password at login must be selected.
Supported on all 7210 SAS platforms as described in this document
This command configures the local home directory for the user for both console and FTP access.
If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.
Note: If restrict-to-home has been configured, no file access is granted and no home-directory is created. If restrict-to-home is not applied, the root becomes the user’s home-directory.
The no form of this command removes the configured home directory.
no home-directory
Supported on all 7210 SAS platforms as described in this document
This command configures the profile for the user based on the specified template.
Supported on all 7210 SAS platforms as described in this document
This command configures a user’s login exec file, which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of this command disables the login exec file for the user.
Supported on all 7210 SAS platforms as described in this document
This command allows the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes user access to a profile.
Supported on all 7210 SAS platforms as described in this document
This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.
The no form of this command does not force the user to change passwords.
no new-password-at-login
Supported on all 7210 SAS platforms as described in this document
This command configures the user password for console and FTP access.
The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the specific password was hashed using hashing algorithm version 1.
The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (" ") at the time of the password creation. The double quote character (") is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.
The use of the hash2 keyword specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.
The following output is an example of user syntax.
All password special characters (#, $, spaces, and so on) must be enclosed within double quotes.
For example: config>system>security>user# password "south#bay?"
The question mark character (?) cannot be directly inserted as input during a Telnet connection because the character is bound to the help command during a normal Telnet/console connection.
To insert a # or ? character, they must be entered inside a notepad or clipboard program and cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.
If a password is entered without any parameters, a password length of zero is implied: (carriage return).
Supported on all 7210 SAS platforms as described in this document
This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home-directory is not configured or the home directory is not available, the user has no file access.
The no form of this command allows the user access to navigate to directories above their home directory.
no restricted-to-home
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure SNMP group membership for a specific user and define encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI node.
The 7210 SAS always uses the configured SNMPv3 username as the security username.
Supported on all 7210 SAS platforms as described in this document
This command configures default security user template parameters.
Supported on all 7210 SAS platforms as described in this document
This command creates a local user and a context to edit the user configuration.
When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required: the user can log in to the system by pressing <ENTER> at the password prompt, and the user will be logged in.
Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.
Supported on all 7210 SAS platforms as described in this document
This command enables a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required: the user can log in to the system by pressing <ENTER> at the password prompt, and the user will be logged in.
Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.
The no form of this command deletes the user and all configuration data. Users cannot delete themselves.
Supported on all 7210 SAS platforms as described in this document
This command enables RADIUS accounting.
The no form of this command disables RADIUS accounting.
no accounting
Supported on all 7210 SAS platforms as described in this document
This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
Supported on all 7210 SAS platforms as described in this document
This command configures RADIUS authorization parameters for the system.
no authorization
Supported on all 7210 SAS platforms as described in this document
This command configures the TCP port number to contact the RADIUS server.
The no form of this command reverts to the default value.
port 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure RADIUS authentication on the 7210 SAS router.
Implement redundancy by configuring multiple server addresses for each 7210 SAS series router.
The no form of this command removes the RADIUS configuration.
Supported on all 7210 SAS platforms as described in this document
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
retry 3
Supported on all 7210 SAS platforms as described in this document
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for RADIUS servers.
The no form of the command removes the server from the configuration.
Supported on all 7210 SAS platforms as described in this document
This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol.
no shutdown
Supported on all 7210 SAS platforms as described in this document
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of this command reverts to the default value.
timeout 3
Supported on all 7210 SAS platforms as described in this document
This command specifies whether the RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server.
The no form of this command disables the command.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure TACACS+ authentication on the router.
Configure multiple server addresses for each router for redundancy.
The no form of this command removes the TACACS+ configuration.
Supported on all 7210 SAS platforms as described in this document
This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether both TACACS+ accounting start and stop packets are sent or only stop packets are sent.
record-type stop-only
Supported on all 7210 SAS platforms as described in this document
This command configures TACACS+ authorization parameters for the system.
no authorization
Supported on all 7210 SAS platforms as described in this document
This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.
Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for TACACS+ servers.
The no form of the command removes the server from the configuration.
Supported on all 7210 SAS platforms as described in this document
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol.
no shutdown
Supported on all 7210 SAS platforms as described in this document
This command configures the number of seconds the router waits for a response from a TACACS+ server.
The no form of the command reverts to the default value.
timeout 3
Supported on all 7210 SAS platforms as described in this document
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol which is the default state.
no shutdown
Supported on all 7210 SAS platforms as described in this document
This command specifies whether or not the user template defined by this entry is to be actively applied to the TACACS+ user.
Supported on all 7210 SAS platforms as described in this document
Commands in this context configure 802.1x network access control on the 7210 SAS router.
The no form of this command removes the 802.1x configuration.
Supported on all 7210 SAS platforms as described in this document
This command configures RADIUS server parameters for 802.1x network access control on the 7210 SAS router.
Note: The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7210 SAS as opposed to the RADIUS server configured under the config>system>radius context which authenticates CLI login users who get access to the management plane of the 7210 SAS.
The no form of this command removes the RADIUS server configuration for 802.1x.
Supported on all 7210 SAS platforms as described in this document
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
retry 3
Supported on all 7210 SAS platforms as described in this document
This command adds a dot1x server and configures the dot1x server IP address, index, and key values.
Up to five dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for dot1x servers.
The no form of the command removes the server from the configuration.
Supported on all 7210 SAS platforms as described in this document
This command configures the NAS IP address to be sent in the RADIUS packet.
By default, the system IP address is used in the NAS field.
The no form of the command reverts to the default value.
Supported on all 7210 SAS platforms as described in this document
This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within.
The no form of the command administratively enables the protocol which is the default state.
shutdown
Supported on all 7210 SAS platforms as described in this document
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
timeout 3
Supported on all 7210 SAS platforms as described in this document
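The server selection described for RADIUS servers and repeated for dot1x servers above (lowest index first, the retry and timeout values applied per server, and any answer ending the search) as an added example, not Nokia code; the server addresses and their simulated responses are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# "accept", "reject", or None when the server never answers (timeout).
Response = Optional[str]


@dataclass
class AuthServer:
    index: int
    address: str
    respond: Callable[[], Response]  # constructed stand-in for the network exchange


def query_servers(servers: List[AuthServer], retry: int = 3, timeout: int = 3):
    """Walk the servers from lowest to highest index.

    Each server gets up to `retry` attempts, each waiting `timeout` seconds
    (the page's defaults). The next server is consulted only when every
    attempt at the previous one goes unanswered; any answer, a reject
    included, ends the search, so a reachable server that rejects the user
    is never backed up by a later index. Returns (result, attempt log,
    seconds spent waiting on silent servers).
    """
    log: List[Tuple[int, int, Response]] = []
    waited = 0
    for s in sorted(servers, key=lambda s: s.index):
        for attempt in range(1, retry + 1):
            resp = s.respond()
            log.append((s.index, attempt, resp))
            if resp is not None:
                return resp, log, waited
            waited += timeout
    # Every server was silent; the router moves on to the next method in the
    # authentication order, which is outside this example.
    return "no-response", log, waited


def worst_case_wait(server_count: int, retry: int = 3, timeout: int = 3) -> int:
    """Seconds a login can hang when all configured servers are silent."""
    return server_count * retry * timeout


if __name__ == "__main__":
    # Constructed: index 1 is silent, index 2 rejects, index 3 would accept.
    servers = [
        AuthServer(1, "192.0.2.10", lambda: None),
        AuthServer(2, "192.0.2.11", lambda: "reject"),
        AuthServer(3, "192.0.2.12", lambda: "accept"),
    ]
    print(query_servers(servers))      # ('reject', [...], 9): index 3 never queried
    print(worst_case_wait(5))          # 45 seconds with five silent servers
```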
Commands in this context configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.
The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.
Supported on all 7210 SAS platforms as described in this document
This command specifies the TCP stream direction (send, receive, or both) to which the keychain is applied.
Supported on all 7210 SAS platforms as described in this document
This command configures keys for both send and receive stream directions.
Supported on all 7210 SAS platforms as described in this document
This command configures keys for send or receive stream directions.
Supported on all 7210 SAS platforms as described in this document
This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.
Supported on all 7210 SAS platforms as described in this document
This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.
Supported on all 7210 SAS platforms as described in this document
This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP enhanced authentication mechanism to work.
The no form of this command removes the entry from the keychain. If the entry is the active entry for sending, this will cause a new active key to be selected (if one is available using the youngest key rule). If it is the only possible send key, the system will reject the command with an error indicating that the configured key is the only available send key.
If the key is one of the eligible keys for receiving, it will be removed. If the key is the only possible eligible key, the command will not be accepted, and an error message indicating that this is the only eligible key will be displayed.
The authentication-key can be any combination of letters or numbers.
This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.
Supported on all 7210 SAS platforms as described in this document
This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and authenticate the protocol stream.
If no date and time is set, the begin-time is represented by a date and time string with all nulls and the key is not valid by default.
Supported on all 7210 SAS platforms as described in this document
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream.
end-time forever
Supported on all 7210 SAS platforms as described in this document
This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.
Supported on all 7210 SAS platforms as described in this document
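The send-key selection (youngest key rule), receive-key eligibility with tolerance, and the refusal to remove the last usable key, described across the entry, begin-time, end-time and tolerance commands above, as an added example (not Nokia code). The reading of tolerance as extra time a receive key stays eligible past its end-time, and the sample dates, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class KeyEntry:
    entry_id: int
    direction: str                  # "send", "receive" or "send-receive"
    begin: Optional[datetime]       # None: begin-time never set, key not valid
    end: Optional[datetime] = None  # None: end-time forever
    # Assumed meaning: how long past end-time a receive key stays eligible;
    # None models the "never expire" option.
    tolerance: Optional[timedelta] = timedelta(0)

    def can_send(self) -> bool:
        return self.direction in ("send", "send-receive")

    def can_receive(self) -> bool:
        return self.direction in ("receive", "send-receive")

    def send_valid(self, now: datetime) -> bool:
        return (self.begin is not None and self.begin <= now
                and (self.end is None or now < self.end))

    def receive_valid(self, now: datetime) -> bool:
        if self.begin is None or now < self.begin:
            return False
        if self.end is None or self.tolerance is None:
            return True
        return now < self.end + self.tolerance


class Keychain:
    def __init__(self, name: str):
        self.name = name
        self.entries: Dict[int, KeyEntry] = {}

    def add(self, e: KeyEntry) -> None:
        self.entries[e.entry_id] = e

    def active_send_key(self, now: datetime, exclude: Optional[int] = None) -> Optional[int]:
        """Youngest-key rule: of the valid send keys, the most recent begin-time wins."""
        cands = [e for e in self.entries.values()
                 if e.entry_id != exclude and e.can_send() and e.send_valid(now)]
        return max(cands, key=lambda e: e.begin).entry_id if cands else None

    def eligible_receive_keys(self, now: datetime, exclude: Optional[int] = None) -> List[int]:
        return sorted(e.entry_id for e in self.entries.values()
                      if e.entry_id != exclude and e.can_receive() and e.receive_valid(now))

    def remove(self, entry_id: int, now: datetime) -> None:
        """The no form of entry: refused if no send key or no receive key would remain."""
        e = self.entries[entry_id]
        if (e.can_send() and self.active_send_key(now) == entry_id
                and self.active_send_key(now, exclude=entry_id) is None):
            raise ValueError(f"entry {entry_id} is the only available send key")
        if e.can_receive() and self.eligible_receive_keys(now) == [entry_id]:
            raise ValueError(f"entry {entry_id} is the only eligible receive key")
        del self.entries[entry_id]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def build_demo_keychain() -> Keychain:
    """Constructed sample: key 1 expires 2024-03-01 with a 7-day tolerance,
    key 2 begins 2024-02-01 and never ends, key 3 has no begin-time."""
    kc = Keychain("test")
    kc.add(KeyEntry(1, "send-receive", ts("2024-01-01"), ts("2024-03-01"), timedelta(days=7)))
    kc.add(KeyEntry(2, "send-receive", ts("2024-02-01")))
    kc.add(KeyEntry(3, "receive", None))
    return kc


if __name__ == "__main__":
    kc = build_demo_keychain()
    print(kc.active_send_key(ts("2024-02-15")))        # 2, the youngest valid key
    print(kc.eligible_receive_keys(ts("2024-03-05")))  # [1, 2], key 1 inside tolerance
```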
Commands in this context configure the TCP option number to be placed in the TCP packet header.
Supported on all 7210 SAS platforms as described in this document
This command configures the TCP option number accepted in TCP packets received.
receive 254
Supported on all 7210 SAS platforms as described in this document
This command configures the TCP option number accepted in TCP packets sent.
send 254
Supported on all 7210 SAS platforms as described in this document
This command specifies the TCP/UDP port to match the destination port of the packet. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.
The no form of this command removes the destination port match criterion.
Supported on all 7210 SAS platforms as described in this document
This command clears any lockouts for a specific user.
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Commands in this context configure Internet Protocol security (IPsec) parameters. IPsec is a structure of open standards that uses cryptographic security services to ensure private, secure communications over IP networks.
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command configures an IPsec static security association (SA).
The no form of this command removes the configuration.
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command configures the authentication algorithm to use for an IPsec manual SA.
The no form of this command removes the configuration.
no authentication
The authentication key is stored in an encrypted format. The minimum key length is configured using the config>system>security>password>minimum-length command.
The complexity of the key is configured using the commands in the config>system>security>password>complexity-rules context.
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command creates a text description, which is stored in the configuration file, to help identify the content of the entity.
The no form of this command removes the string from the configuration.
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command configures the direction for an IPsec manual SA.
The no form of this command reverts to the default value.
direction bidirectional
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command configures the security protocol to use for an IPsec manual SA.
The no form of this command reverts to the default value.
protocol esp
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
This command configures the security parameter index (SPI) key value for an IPsec manual SA.
The no form of this command removes the configured SPI key value.
Supported on all 7210 SAS platforms as described in this document
This command displays SNMP access group information.
The following output is an example of SNMP access group information, and Table 16 describes the output fields.
Label | Description |
Group name | Displays the access group name |
Security model | Displays the security model required to access the views configured in this node |
Security level | Specifies the required authentication and privacy levels to access the views configured in this node |
Read view | Specifies the variable of the view to read the MIB objects |
Write view | Specifies the variable of the view to configure the contents of the agent |
Notify view | Specifies the variable of the view to send a trap about MIB objects |
Supported on all 7210 SAS platforms as described in this document
This command displays system login authentication configuration and statistics.
The following output is an example of system login authentication information, and Table 17 describes the output fields.
Label | Description |
Sequence | Displays the sequence in which authentication is processed |
Server address | Displays the IP address of the RADIUS server |
Status | Displays the current status of the RADIUS server |
Type | Displays the authentication type |
Timeout (secs) | Displays the number of seconds the router waits for a response from a RADIUS server |
Single connection | Enabled — Specifies a single connection to the TACACS+ server and validates everything via that connection. Disabled — Specifies the TACACS+ protocol operation is disabled. |
Retry count | Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server |
Connection errors | Displays the number of times a user has attempted to log in irrespective of whether the login succeeded or failed |
Accepted logins | Displays the number of times the user has successfully logged in |
Rejected logins | Displays the number of unsuccessful login attempts |
Sent packets | Displays the number of packets sent |
Rejected packets | Displays the number of packets rejected |
Supported on all 7210 SAS platforms as described in this document
This command displays keychain information.
The following output is an example of keychain information, and Table 18 describes the output fields.
Label | Description |
TCP-Option number send | Displays the TCP option number to be inserted in the header of sent TCP packets |
Admin state | Displays the administrative state of the keychain: up or down |
TCP-Option number receive | Displays the TCP option number that will be accepted in the header of received TCP packets |
Oper state | Displays the operational state of the keychain: up or down |
Key entries for key chain: test | |
Id | Displays the ID of the key entry |
Direction | Displays the stream direction on which keys will be applied for this entry: send, receive, or send-receive |
Algorithm | Displays the encryption algorithm to be used by this key entry |
Option | Indicates the configured IS-IS encoding standard (indicates "none" if the associated protocol is not IS-IS) |
Admin State | Displays the administrative state of the key entry: up or down |
Valid | Indicates if the receive key is valid |
Active | Indicates if the transmit (sent) key is active |
Tolerance | Displays the tolerance time configured for support of both currently active and new keys |
Begin Time | Displays the time at which the new key is used to sign and/or authenticate protocol packets |
Begin Time (UTC) | Displays the begin time in UTC time |
End Time | Displays the time at which the key is no longer eligible to authenticate protocol packets |
End Time (UTC) | Displays the end time in UTC time |
Supported on all 7210 SAS platforms as described in this document
This command displays management access filter information for IP filters.
Supported on all 7210 SAS platforms as described in this document
This command displays management-access IP filters.
The following output is an example of management access IP filter information, and Table 19 describes the output fields.
Label | Description |
Def. action | Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays a text string describing the filter |
Src IP | Displays the source IP address used for management access filter match criteria |
Src Interface | Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry |
Dest port | Displays the destination port |
Match | Displays the number of times a management packet has matched this filter entry |
Protocol | Displays the IP protocol to match |
Action | Displays the action to take for packets that match this filter entry |
Flow label | Displays the flow label value to match |
Next-header | Displays the IPv6 next header value to match |
L4 Src port | Displays the TCP/UDP source port number to match |
Fragment | Indicates whether or not the entry should match a fragment |
Router | Displays the router instance ID to match |
Log | Indicates if packets matching this entry must be logged or not. On 7210 SAS platforms, logging is not supported. |
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
This command displays management-access IPv6 filters.
The following output is an example of management access IPv6 filter information, and Table 20 describes the output fields.
Label | Description |
Def. action | Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays a text string describing the filter |
Src IP | Displays the source IPv6 address used for management access filter match criteria |
Src Interface | Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry |
Dest port | Displays the destination port |
Flow label | Displays the flow label value to match |
Protocol | Displays the IPv6 protocol to match |
Action | Displays the action to take for packets that match this filter entry |
Next-header | Displays the IPv6 next header value to match |
L4 Src port | Displays the TCP/UDP source port number to match |
Router | Displays the router instance ID to match |
Log | Indicates whether packets matching this entry must be logged. On 7210 SAS platforms, logging is not supported. |
Supported on all 7210 SAS platforms as described in this document
This command displays configured password options.
The following output is an example of configured password options information, and Table 21 describes the output fields.
Label | Description |
Password aging in days | Displays the number of days a user password is valid before the user must change their password |
Number of invalid attempts permitted per login | Displays the number of unsuccessful login attempts allowed for the specified time |
Time in minutes per login attempt | Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out |
Lockout period (when threshold breached) | Displays the lockout period in minutes where the user is not allowed to login |
Authentication order | Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords |
Configured complexity options | Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the authentication section |
Minimum password length | Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section |
Supported on all 7210 SAS platforms as described in this document
This command displays user profile information.
If the profile-name is not specified, information for all profiles is displayed.
The following output is an example of user profile information, and Table 22 describes the output fields.
Label | Description |
User Profile | Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands |
Def. action | Permit all — Permits access to all commands; Deny — Denies access to all commands; None — No action is taken |
Entry | Displays the entry ID in a policy or filter table |
Description | Displays the text string describing the entry |
Match Command | Displays the command or subtree commands in subordinate command levels |
Action | Permit all — Commands matching the entry command match criteria are permitted; Deny — Commands not matching the entry command match criteria are not permitted |
No. of profiles | Displays the total number of profiles listed |
Supported on all 7210 SAS platforms as described in this document
This command displays the source address configured for applications.
The 7210 SAS-K 2F1C2T does not support IPv6 source addresses.
The following output is an example of source address information, and Table 23 describes the output fields.
Label | Description |
Application | Displays the source-address application |
IP address Interface Name | Displays the source address IP address or interface name |
Oper status | Up — The source address is operationally up; Down — The source address is operationally down |
Supported on all 7210 SAS platforms as described in this document
This command displays all SSH sessions as well as the SSH status and fingerprint.
The following output is an example of SSH information, and Table 24 describes the output fields.
Label | Description |
SSH status | SSH is enabled — Displays that the SSH server is enabled; SSH is disabled — Displays that the SSH server is disabled |
SSH Preserve Key | Enabled — Displays that preserve-key is enabled; Disabled — Displays that preserve-key is disabled |
SSH protocol version 1 | Enabled — Displays that SSH1 is enabled; Disabled — Displays that SSH1 is disabled |
SSH protocol version 2 | Enabled — Displays that SSH2 is enabled; Disabled — Displays that SSH2 is disabled |
Key fingerprint | Displays the key fingerprint, which is the server identity. Clients trying to connect to the server verify the server fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session since the server might be spoofed. |
Connection | Displays the IP address of the connected routers (remote client) |
Encryption | des — Data encryption using a private (secret) key; 3des — An encryption method that allows proprietary information to be transmitted over untrusted networks |
Username | Displays the name of the user |
Number of SSH sessions | Displays the total number of SSH sessions |
Supported on all 7210 SAS platforms as described in this document
This command displays user registration information.
By default, if no command line options are specified, summary information for all users is displayed.
The following output is an example of user registration information, and Table 25 describes the output fields.
Label | Description |
User ID | Displays the name of a system user |
Need new pwd | Y — The user must change their password at the next login; N — The user is not forced to change their password at the next login |
Cannot change pw | Y — The user has the ability to change the login password; N — The user does not have the ability to change the login password |
User permissions | Console: Y — The user is authorized for console access; N — The user is not authorized for console access. FTP: Y — The user is authorized for FTP access; N — The user is not authorized for FTP access. SNMP: Y — The user is authorized for SNMP access; N — The user is not authorized for SNMP access |
Password expires | Displays the number of days in which the user must change their login password |
Attempted logins | Displays the number of times the user has attempted to log in regardless of whether the login succeeded or failed |
Failed logins | Displays the number of unsuccessful login attempts |
Local conf | Y — Password authentication is based on the local password database; N — Password authentication is not based on the local password database |
Home directory | Specifies the local home directory for the user for both console and FTP access |
Restricted to home | Yes — The user is not allowed to navigate to a directory higher in the directory tree on the home directory device; No — The user is allowed to navigate to a directory higher in the directory tree on the home directory device |
Login exec file | Displays the user login exec file, which executes whenever the user successfully logs in to a console session |
Supported on all 7210 SAS platforms as described in this document
This command displays the SNMP MIB views.
The following output is an example of SNMP MIB view information, and Table 26 describes the output fields.
Label | Description |
view name | Displays the name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. |
oid tree | Displays the object identifier of the ASN.1 subtree |
mask | Displays the bit mask that defines a family of view subtrees |
permission | Indicates whether each view is included or excluded |
No. of Views | Displays the total number of views |
Supported on all 7210 SAS platforms as described in this document
This command displays console user login and connection information.
The following output is an example of console user login and connection information, and Table 27 describes the output fields.
Label | Description |
User | Displays the username |
Type | Displays the access type for which the user is authorized |
From | Displays the originating IP address |
Login time | Displays the time the user logged in |
Idle time | Displays the amount of idle time for a specific login |
Number of users | Displays the total number of users logged in |
Supported on all 7210 SAS platforms as described in this document
This command enables debugging for RADIUS connections.
The no form of this command disables RADIUS debugging.
no radius
Supported on all 7210 SAS platforms as described in this document
This command configures the RADIUS debugging output detail level.
The no form of this command reverts to the default value.
detail-level medium
Supported on all 7210 SAS platforms as described in this document
This command specifies the RADIUS packet types to include in the RADIUS debugging output.
The no form of this command reverts to the default values.
packet-type authentication accounting coa
Supported on all 7210 SAS platforms as described in this document
This command specifies the RADIUS attributes to include in medium or high detail RADIUS debugging output.
The no form of this command disables the inclusion of the specified attributes.
Supported on all 7210 SAS platforms as described in this document
This command specifies the RADIUS server information to include in the RADIUS debugging output.
The no form of this command removes the specified RADIUS server from the RADIUS debugging output.