RE: dynamic access-list don't work with aaa new-model

From: Fabrice Bobes (study@6colabs.com)
Date: Sat Mar 01 2003 - 14:46:05 GMT-3


Hi Gery,

You forgot to "authorize" the user to start an exec shell.
Why? Access-enable is an exec command.

Try this:
aaa new-model
aaa authentication login default local
aaa authorization exec default local

For security reasons, you should also use:
username auto autocommand access-enable host timeout 5
instead of:
username auto autocommand access-enable timeout 5

Let's say your access-list is:
access-list 101 permit tcp host 10.10.1.1 any eq telnet
access-list 101 dynamic dyn permit ip any any
access-list 101 deny ip any any

Once the host 10.10.1.1 telnets to the router, the "telnetted" router
will open the following hole if you use "access-enable host":
permit ip host 10.10.1.1 any (incoming traffic is restricted; the only
traffic allowed is that coming from the host that originated the Telnet
session)
but if you use "access-enable" without the keyword host:
permit ip any any (well, this is not in general what you want)

Thanks,

Fabrice CCIE#8609
http://www.6colabs.com
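Putting the two points of the reply together (exec authorization so the autocommand can run, and the "host" keyword so the temporary entry is scoped to the authenticating source), here is a complete lock-and-key configuration. It is an added example, not configuration taken from either message in this thread. The interface name, the 10.10.1.0/24 inside network, the router address 192.0.2.1, the "admin" account, the 60-minute absolute timeout and the "log" keyword on the final deny are assumptions; the exec commands quoted in the comments at the end are standard IOS verification commands, not configuration.

```cisco
! Added example (not from either post): lock-and-key dynamic ACL with AAA
aaa new-model
aaa authentication login default local
! access-enable is an exec command, so the autocommand only runs if the
! user is authorized to start an exec shell
aaa authorization exec default local
!
! "auto" exists only to open the temporary entry: the autocommand runs and
! the vty session is then closed, so keep a separate account for management
username auto password 0 auto
username auto autocommand access-enable host timeout 5
username admin privilege 15 secret admin-secret
!
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Inside hosts must be able to reach the router's Telnet port to authenticate
access-list 101 permit tcp 10.10.1.0 0.0.0.255 host 192.0.2.1 eq telnet
! "timeout 60" here is the absolute lifetime of the temporary entry, in
! minutes; the "timeout 5" on the autocommand above is its idle timeout
access-list 101 dynamic dyn timeout 60 permit ip any any
access-list 101 deny ip any any log
!
line vty 0 4
 transport input telnet
!
! Verification (exec mode, after 10.10.1.1 has logged in as "auto"):
!   show access-lists 101
!     the dynamic line should now carry a temporary entry of the form
!     "permit ip host 10.10.1.1 any" rather than "permit ip any any"
!   clear access-template 101 dyn host 10.10.1.1 any
!     removes that temporary entry before its timeouts expire
```

Two things worth checking on a lab box. First, log in as "auto" from one inside host and then from a second inside host without logging in: with the "host" keyword only the first host should get through, which is the whole point of the reply above. Second, make sure the "admin" account still gets a prompt; if every username carries the autocommand, every login runs access-enable and disconnects, and the only way back in is the console.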

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Gery Pang
Sent: Saturday, March 01, 2003 1:27 AM
To: ccielab@groupstudy.com
Subject: dynamic access-list don't work with aaa new-model

Hi Group,

Just tested the dynamic access list and found it may not work with aaa
new-model.

Here is the config that does not work:

aaa new-model
aaa authentication login default local
aaa authentication login testlogin enable local

username auto password 0 auto
username auto autocommand access-enable timeout 5

interface FastEthernet0/1
 ip address 192.168.0.138 255.255.255.0
 ip access-group 150 in
 duplex auto
 speed auto

access-list 150 dynamic allowtest timeout 5 permit ip any any
access-list 150 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.138 eq telnet
access-list 150 permit tcp host 203.78.86.230 host 192.168.0.138 eq telnet

line vty 0 4
 password password

The following will work:

username auto password 0 auto
username auto autocommand access-enable timeout 5

interface FastEthernet0/1
 ip address 192.168.0.138 255.255.255.0
 ip access-group 150 in
 duplex auto
 speed auto

access-list 150 dynamic allowtest timeout 5 permit ip any any
access-list 150 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.138 eq telnet
access-list 150 permit tcp host 203.78.86.230 host 192.168.0.138 eq telnet

line vty 0 4
 login local

Why?

Thank you.

Gery



This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:30 GMT-3