Re: dynamic access-list don't work with aaa new-model

From: Gery Pang (pang_gery@yahoo.com.hk)
Date: Sat Mar 01 2003 - 23:20:06 GMT-3


Fabrice,

Thank you.
I have just tried your config and it works very nicely.

Gery

----- Original Message -----
From: "Fabrice Bobes" <study@6colabs.com>
To: "'Gery Pang'" <pang_gery@yahoo.com.hk>
Cc: <ccielab@groupstudy.com>
Sent: Sunday, March 02, 2003 1:46 AM
Subject: RE: dynamic access-list don't work with aaa new-model

> Hi Gery,
>
> You forgot to "authorize" the user to start an exec shell.
> Why? Access-enable is an exec command
>
> Try this:
> aaa new-model
> aaa authentication login default local
> aaa authorization exec default local
>
> For security reasons, you should also use:
> username auto autocommand access-enable host timeout 5
> instead of:
> username auto autocommand access-enable timeout 5
>
> Let's say your access-list is:
> access-list 101 permit tcp host 10.10.1.1 any eq telnet
> access-list 101 dynamic dyn permit ip any any
> access-list 101 deny ip any any
>
> Once the host 10.10.1.1 telnets to the router, the "telnetted" router
> will open the following hole if you use "access-enable host":
> permit ip host 10.10.1.1 any (incoming traffic is restricted, the only
> traffic allowed is coming from the host who originated the Telnet
> session)
> but if you use "access-enable" without the keyword host:
> permit ip any any (well, this is not in general what you want)
>
> Thanks,
>
> Fabrice CCIE#8609
> http://www.6colabs.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Gery Pang
> Sent: Saturday, March 01, 2003 1:27 AM
> To: ccielab@groupstudy.com
> Subject: dynamic access-list don't work with aaa new-model
>
> Hi Group,
>
> Just tested the dynamic access list and found it may not work with aaa
> new-model.
>
> Here is the config that does not work:
>
> aaa new-model
> aaa authentication login default local
> aaa authentication login testlogin enable local
>
> username auto password 0 auto
> username auto autocommand access-enable timeout 5
>
> interface FastEthernet0/1
> ip address 192.168.0.138 255.255.255.0
> ip access-group 150 in
> duplex auto
> speed auto
>
> access-list 150 dynamic allowtest timeout 5 permit ip any any
> access-list 150 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.138 eq
> telnet
> access-list 150 permit tcp host 203.78.86.230 host 192.168.0.138 eq
> telnet
>
> line vty 0 4
> password password
>
> The following will work:
>
>
> username auto password 0 auto
> username auto autocommand access-enable timeout 5
>
> interface FastEthernet0/1
> ip address 192.168.0.138 255.255.255.0
> ip access-group 150 in
> duplex auto
> speed auto
>
> access-list 150 dynamic allowtest timeout 5 permit ip any any
> access-list 150 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.138 eq
> telnet
> access-list 150 permit tcp host 203.78.86.230 host 192.168.0.138 eq
> telnet
>
> line vty 0 4
> login local
>
> Why?
>
> Thank you.
>
> Gery

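A small config audit for the two points Fabrice makes (an exec authorization line is required once `aaa new-model` is on, and `access-enable` should carry the `host` keyword), plus a function that works out which temporary entry lock-and-key inserts in each case. This is an added example for the thread, not code from the list or from Cisco; the sample config is constructed from Gery's first post and the function names are my own.

```python
import re

# Constructed sample, trimmed from the posted non-working config: aaa new-model
# with no exec authorization, and access-enable without the host keyword.
SAMPLE_CONFIG = """
aaa new-model
aaa authentication login default local
username auto password 0 auto
username auto autocommand access-enable timeout 5
access-list 150 dynamic allowtest timeout 5 permit ip any any
access-list 150 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.138 eq telnet
"""


def audit_lock_and_key(config):
    """Return a list of findings for lock-and-key (dynamic ACL) settings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # access-enable is an exec command: under aaa new-model the autocommand
    # only runs if exec authorization is configured.
    if "aaa new-model" in lines and not any(
            l.startswith("aaa authorization exec ") for l in lines):
        findings.append("aaa new-model without 'aaa authorization exec': "
                        "the access-enable autocommand will not run")
    for l in lines:
        # Flag any access-enable autocommand not followed by the host keyword.
        m = re.match(r"username (\S+) autocommand access-enable(?!\s+host\b)", l)
        if m:
            findings.append(f"user {m.group(1)}: access-enable without 'host' "
                            "opens the dynamic entry for any source")
    return findings


def opened_entry(dynamic_acl_line, telnet_source, host_keyword):
    """Compute the temporary ACE that access-enable inserts.

    With 'access-enable host' the source of the dynamic entry is replaced by
    the host that opened the Telnet session; without it the entry is inserted
    exactly as written (here 'permit ip any any')."""
    tokens = dynamic_acl_line.split()
    i = tokens.index("permit") if "permit" in tokens else tokens.index("deny")
    action, proto, j = tokens[i], tokens[i + 1], i + 2
    # Source is either 'any' (one token) or 'host X' / 'addr wildcard' (two).
    src = tokens[j:j + 1] if tokens[j] == "any" else tokens[j:j + 2]
    rest = tokens[j + len(src):]
    if host_keyword:
        src = ["host", telnet_source]
    return " ".join([action, proto, *src, *rest])
```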


This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:30 GMT-3