From: Brian Dennis (brian@labforge.com)
Date: Wed Mar 12 2003 - 19:57:57 GMT-3
And you could also do it manually (see below). This actually isn't a bad
first step to try out with lock-and-key because you can verify that your
dynamic ACL works properly before going further.
Rack4R2>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/2)
Rack4R2> 10.1.1.1
Trying 10.1.1.1 ... Open
User Access Verification
Password:
Rack4R1>access-enable
Rack4R1>exit
[Connection to 10.1.1.1 closed by foreign host]
Rack4R2>ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
Rack4R2>
Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
brian@labforge.com
-----Original Message-----
From: Cristian Henry H [mailto:chenry@reuna.cl]
Sent: Wednesday, March 12, 2003 8:17 AM
To: Brian Dennis
Cc: 'Fabrice Bobes'; 'Peng Zheng'; ccielab@groupstudy.com
Subject: Re: Lock-and-key with tacacs+ authentication
or config it in this way:
username xxxx password yyyy
username xxxx autocommand access-enable time-out nnn
line vty 0 4
login local
Brian Dennis wrote:
>
> You might want to add that one advantage of using the AAA server for the
> autocommand rather than having the autocommand configured under the vty
> lines is that with the AAA server option the autocommand can be setup
> for just certain users. If the autocommand is configured under the vty
> lines on the router it means that everyone will have the autocommand
> activated after a successful login. One way around this is to set up
> particular vty lines that do not have the autocommand configured.
> Example:
>
> line vty 0 4
> login
> password xxxxx
> autocommand access-enable
> line vty 5 9
> login
> password xxxxx
> rotary 1
> access-class 100 in
> !
> access-list 100 permit tcp any any eq 3001
> access-list 100 permit tcp any any eq 7001
>
> To reach these vty lines (5-9) you need to telnet to TCP port 3001 or
> 7001 as opposed to port 23.
>
> Of course another option would be to have the authentication and
> authorization done locally on the router. This way the autocommand could
> be based on the username locally without the need for an AAA server.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
> brian@labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Fabrice Bobes
> Sent: Tuesday, March 11, 2003 7:02 PM
> To: 'Brian Dennis'; 'Peng Zheng'; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+ authentication
>
> OK, I stand corrected and I'll try to give a better explanation :-)
>
> 1) Lock-and-key with tacacs+ authentication
> Like Brian said, your access-list is not complete.
> It should be something like:
> access-list 100 permit tcp host 192.168.1.2 host
> 192.168.1.6 eq telnet
> access-list 100 permit tcp host 192.168.1.2 eq 49 host
> 192.168.1.6
> access-list 100 dynamic fredlist permit tcp host
> 192.168.1.2 any eq telnet
>
> 2) Lock-and-key with tacacs+ authentication and authorization
> Since you are using TACACS, you can remove
> Line vty 0 4
> autocommand access-enable
>
> and put this information on the TACACS server
> autocommand = access-enable
> under the section Shell (exec).
>
> In this situation, you use TACACS to let your user start an exec shell
> command.
> You need to enable shell (exec) for your Tacacs user and add:
> authorization exec default group tacacs+
> or
> aaa authorization exec TEST group tacacs+
> line vty 0 4
> authorization exec TEST
>
> 3) And yes, you should specify a backup authentication method if Tacacs
> fails
>
> Thanks,
>
> Fabrice
> http://www.6colabs.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Brian Dennis
> Sent: Tuesday, March 11, 2003 5:23 PM
> To: 'Peng Zheng'; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+ authentication
>
> You are not allowing TACACS+ through your ACL. The AAA server can't
> reply to the authentication request sent by the router. Add an entry to
> the ACL that allows the AAA server to reply.
>
> Also as a side note your router is not setup for a secondary
> authentication method. As a general rule you should at least have a
> secondary authentication method (i.e. local) in case the primary is
> unavailable.
>
> Brian Dennis, CCIE #2210 (R&S/ISP Dial/Security) CCSI# 98640
> brian@labforge.com
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Peng Zheng
> Sent: Tuesday, March 11, 2003 4:34 PM
> To: Fabrice Bobes; ccielab@groupstudy.com
> Subject: RE: Lock-and-key with tacacs+ authentication
>
> Here is my config:
>
> ------------------
>
> aaa new-model
> aaa authentication login default group tacacs+
> aaa authentication login TEST group tacacs+
> aaa authentication enable default group tacacs+
>
> ...
>
> interface Loopback0
> ip address 131.108.3.1 255.255.255.0
> !
> interface Ethernet0
> ip address 192.168.1.6 255.255.255.0
> ip access-group 100 in
>
> ....
>
> access-list 100 permit tcp host 192.168.1.2 host
> 192.168.1.6 eq telnet
> access-list 100 dynamic fredlist permit tcp host
> 192.168.1.2 any eq telnet
>
> ...
>
> tacacs-server host 192.168.1.2
> tacacs-server key cisco
>
> ......
>
> line vty 0 4
> login authentication TEST
> autocommand access-enable
>
> ----------------------------
>
> If there is no ip access-group 100 in under int e 0,
> the authentication part is OK.
>
> After I added it, when I tried to telnet 192.168.1.6,
> there was not even a prompt.
>
> What's the problem?
>
> --- Fabrice Bobes <study@6colabs.com> wrote:
> > Peng,
> >
> > Yes, it's possible.
> > Just post your config and I'll check what you are
> > missing.
> >
> > Thanks,
> >
> > Fabrice
> > http://www.6colabs.com
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com
> > [mailto:nobody@groupstudy.com] On Behalf Of
> > Peng Zheng
> > Sent: Tuesday, March 11, 2003 2:07 PM
> > To: ccielab@groupstudy.com
> > Subject: Lock-and-key with tacacs+ authentication
> >
> > Is it possible to use tacacs+ to authenticate
> > lock-and-key? I tried but failed.
> >
> > Thanks for help.
> >
-- Cristian E. Henry, REUNA. E-mail: chenry@reuna.cl Phone: 56-2-3370336
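Added example, not part of the thread above: a small Python lint that checks a router config for the two pitfalls the thread raises, an inbound ACL with no entry for the TACACS+ server's replies from TCP port 49 (so the router never gets an answer and the vty shows no prompt), and a login method list with no fallback after "group tacacs+". The sample configuration is constructed from the posted config; the addresses and ACL number come from the thread.

```python
import re

# Constructed sample modelled on the config posted in the thread: the inbound
# ACL on Ethernet0 has no entry for the TACACS+ server's replies (TCP port 49).
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login TEST group tacacs+
interface Ethernet0
 ip address 192.168.1.6 255.255.255.0
 ip access-group 100 in
access-list 100 permit tcp host 192.168.1.2 host 192.168.1.6 eq telnet
access-list 100 dynamic fredlist permit tcp host 192.168.1.2 any eq telnet
tacacs-server host 192.168.1.2
"""

# Same config with the two fixes discussed in the thread: the port-49 reply
# entry and a local fallback on each login method list.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "group tacacs+\n", "group tacacs+ local\n").replace(
    "access-list 100 dynamic",
    "access-list 100 permit tcp host 192.168.1.2 eq 49 host 192.168.1.6\n"
    "access-list 100 dynamic")

def lint_lock_and_key(config):
    """Return human-readable findings; an empty list means both checks pass."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    servers = re.findall(r"^tacacs-server host (\S+)", config, re.M)
    findings, iface_ip, inbound = [], None, {}  # inbound: acl -> interface ip
    for ln in lines:
        m = re.match(r"ip address (\S+) \S+", ln)
        if m:
            iface_ip = m.group(1)
        m = re.match(r"ip access-group (\d+) in", ln)
        if m and iface_ip:
            inbound[m.group(1)] = iface_ip
    for acl, ip in inbound.items():
        # Only static permit entries count: the dynamic entry stays inactive
        # until access-enable runs, which itself needs the AAA exchange to work.
        static = [ln for ln in lines if ln.startswith(f"access-list {acl} permit")]
        for srv in servers:
            pat = rf"tcp host {re.escape(srv)} eq (49|tacacs) (host {re.escape(ip)}|any)\b"
            if not any(re.search(pat, ln) for ln in static):
                findings.append(f"acl {acl} on {ip} blocks TACACS+ replies from {srv}")
    for ln in lines:
        # A method list ending in "group tacacs+" locks everyone out when the server is down.
        if ln.startswith("aaa authentication login") and ln.endswith("group tacacs+"):
            findings.append(f"no fallback method: {ln}")
    return findings
```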
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:38 GMT-3