RE: lock and key

From: Brian Dennis (brian@5g.net)
Date: Wed Apr 02 2003 - 22:26:11 GMT-3


In the example from the Doc CD you won't be able to telnet to the router
and administer it.

Look into using the autocommand option with either local authentication
or TACACS+ (i.e. username User1 autocommand access-enable host timeout
5). Another option would be to use a rotary group under specific vty
lines. With the "rotary" command the vty line/lines will answer to TCP
port 3001 and 7001 along with the default port of 23.

In the example below only users telnetting to port 3001 will be allowed
to connect to vty lines 5 through 9. These users will not have the
autocommand executed.

line vty 0 4
 password cisco
 login
 autocommand access-enable host timeout 5
line vty 5 9
 access-class 100 in
 password admin
 login
 rotary 1

access-list 100 permit tcp any any eq 3001 (or 7001)

You could also use the autocommand option of nohangup. By default after
the IOS executes the autocommand it logs the user off the router. If you
want to still remain on the router you can use the nohangup option.

Lastly an alternative to lock-and-key is authentication proxy.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)
Director of CCIE Training and Development - IPexpert, Inc.
Mailto: brian@ipexpert.net
Toll Free: 866.225.8064
Outside U.S. & Canada: 312.321.6924
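Added illustration, not part of this thread: a small Python audit of a saved IOS config that applies the rule in the reply above. A vty range running autocommand access-enable logs the user off afterwards (unless nohangup is set), so at least one other range must stay interactive, and that range should carry an inbound access-class. The sample config is constructed to match the reply's layout.

```python
import re

# Constructed sample (not from a real device), laid out like the reply above:
# vty 0-4 run the access-enable autocommand, vty 5-9 are the admin lines.
SAMPLE_CONFIG = """\
line vty 0 4
 password cisco
 login
 autocommand access-enable host timeout 5
line vty 5 9
 access-class 100 in
 password admin
 login
 rotary 1
"""

def parse_vty_blocks(config):
    """Split an IOS config into its 'line vty' blocks with their sub-commands."""
    blocks, current = [], None
    for raw in config.splitlines():
        match = re.match(r"line vty (\d+)(?: (\d+))?\s*$", raw)
        if match:
            first = int(match.group(1))
            last = int(match.group(2) or first)
            current = {"first": first, "last": last, "cmds": []}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None and raw.strip():
            current["cmds"].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks

def audit_lock_and_key(config):
    """Return a list of findings; an empty list means admin access survives."""
    findings, admin_reachable = [], False
    for blk in parse_vty_blocks(config):
        name = "vty %d %d" % (blk["first"], blk["last"])
        cmds = blk["cmds"]
        autocmd = [c for c in cmds if c.startswith("autocommand access-enable")]
        # The autocommand hangs up the session afterwards unless nohangup is
        # set, so such a line cannot be used for interactive administration.
        stays_interactive = not autocmd or any("nohangup" in c for c in autocmd)
        if stays_interactive:
            admin_reachable = True
            if not any(c.startswith("access-class") and c.endswith(" in") for c in cmds):
                findings.append("%s: interactive line has no inbound access-class" % name)
        if autocmd and not any(c.split()[0] == "login" for c in cmds):
            findings.append("%s: access-enable without login (no user authentication)" % name)
    if not admin_reachable:
        findings.append("no vty line is left for interactive administration")
    return findings
```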

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Richard Davidson
Sent: Wednesday, April 02, 2003 3:47 PM
To: groupstudy
Subject: lock and key

When you configure lock and key, can you no longer
telnet into the device to administer it?
Rich

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt3/scdlock.htm



This archive was generated by hypermail 2.1.4 : Thu May 01 2003 - 13:35:45 GMT-3