From: wing_lam@jossynergy.com
Date: Tue Jun 10 2003 - 02:00:12 GMT-3
Thanks Kasturi,
How come, after you activated aaa (aaa new-model and aaa authentication),
the config under line vty 0 4 is "login default"? Shouldn't it be "login
authentication default" rather than "login default"? In your case the
autocommand is under line vty 0 4; I think I will try this out. Here I have
attached my case for your reference: I configured autocommand under username,
and it doesn't work.
1) Here is my config with aaa activated; it doesn't work
aaa new-model
aaa authentication login test local
username abc password 0 abc
username abc autocommand access-enable timeout 5
interface FastEthernet0/0
ip address 192.168.2.8 255.255.255.0
ip access-group 129 in
ip irdp
ip router isis DOG
ip nbar protocol-discovery
ip pim sparse-dense-mode
duplex half
ntp broadcast client
access-list 129 permit tcp any any eq telnet
access-list 129 permit ospf any any
access-list 129 dynamic cisco permit ip any any
line vty 0 4
exec-timeout 0 0
password cisco
login authentication test
transport input telnet ssh
<<<< Result after I telnet to R8
R8#sh access-l 129
Extended IP access list 129
permit tcp any any eq telnet (4855 matches)
permit ospf any any (265 matches)
Dynamic cisco permit ip any any
<<<< This is the telnet capture from the source, you can see that I really
got telnetted into R8!
R3#192.168.2.8
Trying 192.168.2.8 ... Open
User Access Verification
Username: abc
Password:
R8>
2) Here is my config with aaa not activated; it works
username abc password 0 abc
username abc autocommand access-enable timeout 5
interface FastEthernet0/0
ip address 192.168.2.8 255.255.255.0
ip access-group 129 in
ip irdp
ip router isis DOG
ip nbar protocol-discovery
ip pim sparse-dense-mode
duplex half
ntp broadcast client
access-list 129 permit tcp any any eq telnet
access-list 129 permit ospf any any
access-list 129 dynamic cisco permit ip any any
line vty 0 4
exec-timeout 0 0
password cisco
login local
transport input telnet ssh
<<<< Result after I telnet to R8 from R3
R8#sh access-l 129
Extended IP access list 129
permit tcp any any eq telnet (4012 matches)
permit ospf any any (196 matches)
Dynamic cisco permit ip any any
permit ip any any (75 matches) (time left 298)
<<<< This is the telnet capture from the source:
R3#192.168.2.8
Trying 192.168.2.8 ... Open
User Access Verification
Username: abc
Password:
[Connection to 192.168.2.8 closed by foreign host]
R3#
From: "kasturi cisco" <kasturi_cisco@hotmail.com>
To: wing_lam@jossynergy.com
cc:
Subject: Re: aaa with dynamic access-list
Date: 06/10/2003 12:05 AM
Yes, I have used AAA with dynamic ACL and it seems to work fine. Can you post
your config? Here is the config which I had used. Also, can you confirm that
AAA is working with normal login and authentication works as expected?
Sometimes if AAA is not working with the normal login mechanism then it won't
work for the dynamic ACL.
My config:
aaa new-model
aaa authentication login default tacacs+ local
username test password cisco
!
access-list 102 permit tcp any host 10.1.1.1 eq telnet
access-list 102 dynamic test permit tcp any any
tacacs-server host 19.88.146.51
line vty 0 2
autocommand access-enable timeout 5
login default
Good Luck,
Kasturi.
>From: wing_lam@jossynergy.com
>To: "kasturi cisco"
>CC: ccielab@groupstudy.com
>Subject: Re: aaa with dynamic access-list
>Date: Mon, 9 Jun 2003 22:49:30 +0800
>
>
>Thanks Kasturi,
>
>Have you got experience in using aaa for authenticating telnet login compared
>to just "login local" in "line vty 0 4"? I have tested that the latter one
>can work with dynamic access-list but not the aaa one, where I still can
>login, but the dynamic entries cannot be woken.
>
> From: "kasturi cisco" <kasturi_cisco@hotmail.com>
> Subject: Re: aaa with dynamic access-list
> Date: 06/09/2003 12:00 AM
>
>When you use a dynamic ACL you want only certain devices to open temporary
>holes in the dynamic ACL. At the same time you want other devices/admins to
>continue with normal router administration. Hence you use rotary, but not
>under the same vty ports, rather like below (at least this is what I have used)
>
>line vty 0 2
>login local
>autocommand access-enable host
>!
>line vty 3 4
>login
>password xxxx
>rotary 1
>
>
>By doing this, for normal admin you telnet using port 3001, so specify
>"telnet <ip> 3001" such that it allows you to telnet and not create a dynamic
>ACL entry. Remember to allow telnet access in your ACL with "permit tcp any
><ip>" so that telnet is permitted for authentication and also for
>administration. Hope that helps.
>
>Good Luck,
>Kasturi.
>
>
> >From: wing_lam@jossynergy.com
> >Reply-To: wing_lam@jossynergy.com
> >To: ccielab@groupstudy.com
> >Subject: aaa with dynamic access-list
> >Date: Sun, 8 Jun 2003 20:08:42 +0800
> >
> >Hi group,
> >
> >I have tested the dynamic access-list function without using aaa (i.e. using
> >"login local" under "line vty 0 4") and it works; after I add "aaa
> >authentication" and change the login local to login authentication
> >under line vty 0 4, the dynamic access-list does not work; I can see that the
> >dynamic entries cannot be woken by telnet login. Just want to ask whether
> >this is normal or I am doing wrong?
> >
> >Also, what's the use of the command "rotary 1" under line vty 0 4? Can I
> >use it so that I won't lock myself out of telnet if autocommand is
> >enabled?
> >
> >Thx,
> >BBD (Big Black Dog)
> >DISCLAIMER:- This email is confidential and intended only for the use of
> >the individual or entity named above and may contain information that is
> >privileged. If you are not the intended recipient, you are notified that
> >any dissemination, distribution or copying of this email is strictly
> >prohibited. If you have received this email in error, please notify us
> >immediately by return email or telephone and destroy the original
message.
> >Thank you.
>
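Editor's note, added to this archived thread and not part of any message above: a combined configuration that puts the pieces discussed in the thread together in one place: AAA login, a lock-and-key vty group whose autocommand creates the dynamic entry, and a separate administrative vty group reached through a rotary port so an operator is not locked out. It reuses the thread's user "abc", router address 192.168.2.8, ACL 129 and dynamic entry name "cisco"; the user "admin", rotary port 3001 and the 10-minute absolute timeout are the editor's choices. The "aaa authorization exec default local" line rests on the editor's assumption that, once "aaa new-model" is on, per-user attributes such as a "username ... autocommand" are applied through EXEC authorization and are otherwise not applied; the per-line "autocommand" shown on vty 0 2 does not depend on that assumption.

```cisco
! Added example (editor's, not from the thread). Reuses the thread's
! user "abc", address 192.168.2.8 and ACL 129; "admin", port 3001 and the
! 10-minute absolute timeout are the editor's choices.
aaa new-model
aaa authentication login default local
! Assumption (editor's): with aaa new-model, per-user attributes such as a
! "username ... autocommand" are applied via EXEC authorization, so a local
! exec authorization list is configured in case that form is used instead
! of the per-line autocommand below.
aaa authorization exec default local
!
! "secret" stores a hash instead of the reversible "password 0" form.
username abc secret abc
username admin privilege 15 secret admin
!
! Static entries: telnet to the router itself on 23 (lock-and-key users)
! and 3001 (administrators), plus the routing protocol traffic the thread
! allowed. The dynamic entry is inserted per source host when
! "access-enable host" runs; everything else stays denied.
access-list 129 permit tcp any host 192.168.2.8 eq telnet
access-list 129 permit tcp any host 192.168.2.8 eq 3001
access-list 129 permit ospf any any
access-list 129 dynamic cisco timeout 10 permit ip any any
!
interface FastEthernet0/0
 ip address 192.168.2.8 255.255.255.0
 ip access-group 129 in
!
! vty 0 2: lock-and-key lines on port 23. The autocommand runs right
! after login, creates the dynamic entry for the caller's own address with
! a 5-minute idle timeout and then drops the session.
line vty 0 2
 login authentication default
 autocommand access-enable host timeout 5
!
! vty 3 4: administrative lines. "rotary 1" also listens on TCP 3001, so
! "telnet 192.168.2.8 3001" lands on these lines and gets an EXEC prompt
! without triggering access-enable.
line vty 3 4
 rotary 1
 login authentication default
```

To verify, telnet from R3 to 192.168.2.8 as abc: the session should close after login, as in the second capture above, and "show access-lists 129" should list a dynamic entry with a "(time left ...)" counter; because of the "host" keyword that entry carries the client's address as its source rather than "any". An administrator connects with "telnet 192.168.2.8 3001" and gets a normal EXEC prompt without creating an entry, which is the reason for the separate vty group rather than putting the autocommand on all five lines.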
This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:55 GMT-3