From: Brian Dennis (brian@labforge.com)
Date: Wed Mar 12 2003 - 03:21:49 GMT-3
You might want to add that one advantage of using the AAA server for the
autocommand rather than having the autocommand configured under the vty
lines is that with the AAA server option the autocommand can be set up
for just certain users. If the autocommand is configured under the vty
lines on the router it means that everyone will have the autocommand
activated after a successful login. One way around this is to set up
particular vty lines that do not have the autocommand configured.
Example:
! lines 0-4: normal telnet (port 23), every login runs the autocommand
line vty 0 4
 login
 password xxxxx
 autocommand access-enable
! lines 5-9: no autocommand; reachable only through rotary group 1
! (TCP 3001/7001), which the access-class enforces
line vty 5 9
 login
 password xxxxx
 rotary 1
 access-class 100 in
!
access-list 100 permit tcp any any eq 3001
access-list 100 permit tcp any any eq 7001
To reach these vty lines (5-9) you need to telnet to TCP port 3001 or
7001 as opposed to port 23.
Of course another option would be to have the authentication and
authorization done locally on the router. This way the autocommand could
be based on the username locally without the need for an AAA server.
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
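The local-only variant described in the message above, written out as an added example (this is not configuration posted in the thread). It assumes the same addresses as the thread (inside host 192.168.1.2, router Ethernet0 192.168.1.6), two assumed usernames "fred" and "admin", placeholder passwords in angle brackets, and a 10-minute idle timeout for the dynamic entry. Only fred's username entry carries the autocommand, so admin logs in to a normal exec prompt while fred's session runs access-enable and closes.

```cisco
! Added example: per-user autocommand from local usernames, no AAA server.
! Assumed: users "fred" (lock-and-key) and "admin", inside host 192.168.1.2,
! router Ethernet0 192.168.1.6, passwords shown as placeholders.
aaa new-model
aaa authentication login default local
! With aaa new-model enabled, exec authorization is what applies the
! per-user attributes, so it must run (locally here) for a username's
! autocommand to take effect.
aaa authorization exec default local
!
! fred: runs access-enable on login. "host" limits the dynamic entry to
! fred's own source address, "timeout 10" removes it after 10 idle minutes.
username fred privilege 1 secret <fred-password>
username fred autocommand access-enable host timeout 10
! admin: no autocommand, normal exec prompt after login.
username admin privilege 15 secret <admin-password>
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
! Users must be able to telnet to the router itself to authenticate.
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
! Template that access-enable turns into a per-host entry; absolute
! timeout of 60 minutes is an assumed value.
access-list 100 dynamic fredlist timeout 60 permit tcp host 192.168.1.2 any eq telnet
!
! No autocommand on the lines: it comes from the username entry, so it
! only applies to the users that have it.
line vty 0 4
 exec-timeout 10 0
 transport input telnet
```

Both username lines for fred are merged by IOS into one local user entry; the `login authentication default` and `authorization exec default` method lists apply to the vty lines without being named under `line vty`.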
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Fabrice Bobes
Sent: Tuesday, March 11, 2003 7:02 PM
To: 'Brian Dennis'; 'Peng Zheng'; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
OK, I stand corrected and I'll try to give a better explanation :-)
1) Lock-and-key with tacacs+ authentication
Like Brian said, your access-list is not complete.
It should be something like:
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
2) Lock-and-key with tacacs+ authentication and authorization
Since you are using TACACS, you can remove
line vty 0 4
 autocommand access-enable
and put this information on the TACACS server
autocommand = access-enable
under the section Shell (exec).
In this situation, you use TACACS to let your user start an exec shell
command.
You need to enable shell (exec) for your Tacacs user and add:
aaa authorization exec default group tacacs+
or
aaa authorization exec TEST group tacacs+
line vty 0 4
 authorization exec TEST
3) And yes, you should specify a backup authentication method if Tacacs
fails
Thanks,
Fabrice
http://www.6colabs.com
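The three points above combined into one corrected configuration, added here as an example rather than configuration anyone posted in the thread. It keeps the thread's addresses (TACACS+ server and inside client 192.168.1.2, router Ethernet0 192.168.1.6) and the list name TEST; the local fallback username "admin", the placeholder secrets, the 60-minute absolute timeout on the dynamic entry and the per-user autocommand attribute on the server are assumptions.

```cisco
! Added example: lock-and-key with TACACS+ authentication and exec
! authorization, local fallback, and an ACL that lets the server reply.
! Assumed: TACACS+ server and inside client 192.168.1.2, router Ethernet0
! 192.168.1.6, fallback user "admin", placeholder secrets.
aaa new-model
! Point 3: TACACS+ first, local usernames if the server does not answer.
aaa authentication login default group tacacs+ local
aaa authentication login TEST group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Point 2: exec authorization pulls the per-user autocommand from the server.
aaa authorization exec TEST group tacacs+ local
!
! Credentials used only when TACACS+ is unreachable.
username admin privilege 15 secret <admin-password>
enable secret <enable-password>
!
tacacs-server host 192.168.1.2
tacacs-server key <shared-key>
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
!
! Users reach the router's telnet port to authenticate.
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
! Point 1: the server's replies are sourced from TCP 49 and arrive on
! Ethernet0, so the inbound ACL must pass them; without this line the
! router never gets an answer and the login never prompts.
access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6
! Template that access-enable fills in for the authenticated source.
access-list 100 dynamic fredlist timeout 60 permit tcp host 192.168.1.2 any eq telnet
!
line vty 0 4
 login authentication TEST
 authorization exec TEST
! No autocommand on the line. The server's shell (exec) section for the
! lock-and-key user carries "autocommand = access-enable host timeout 10";
! an account without that attribute gets a normal exec prompt.
```

Because the ACL is inbound on Ethernet0, the router's own request toward port 49 is never filtered by it; only the return traffic from the server is, which is why the single reply entry is what was missing in the original post.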
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Brian Dennis
Sent: Tuesday, March 11, 2003 5:23 PM
To: 'Peng Zheng'; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
You are not allowing TACACS+ through your ACL. The AAA server can't
reply to the authentication request sent by the router. Add an entry to
the ACL that allows the AAA server to reply.
Also as a side note your router is not set up for a secondary
authentication method. As a general rule you should at least have a
secondary authentication method (i.e. local) in case the primary is
unavailable.
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Peng Zheng
Sent: Tuesday, March 11, 2003 4:34 PM
To: Fabrice Bobes; ccielab@groupstudy.com
Subject: RE: Lock-and-key with tacacs+ authentication
Here is my config:
------------------
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
aaa authentication enable default group tacacs+
...
interface Loopback0
 ip address 131.108.3.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
...
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
...
tacacs-server host 192.168.1.2
tacacs-server key cisco
...
line vty 0 4
 login authentication TEST
 autocommand access-enable
----------------------------
If there is no ip access-group 100 in under int e 0, the authentication
part is OK. After I added it, when I tried to telnet to 192.168.1.6,
there was not even a prompt.
What's the problem?
--- Fabrice Bobes <study@6colabs.com> wrote:
> Peng,
>
> Yes, it's possible.
> Just post your config and I'll check what you are
> missing.
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 2:07 PM
> To: ccielab@groupstudy.com
> Subject: Lock-and-key with tacacs+ authentication
>
> Is it possible to use tacacs+ to authenticate
> lock-and-key? I tried but failed.
>
> Thanks for help.
>
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:37 GMT-3