RE: aaa with dynamic access-list

From: wing_lam@jossynergy.com
Date: Fri Jun 13 2003 - 09:37:30 GMT-3


Hi Zafer,

Bingo, you are right: I tested it and it works now with aaa authorization, thanks!

But can I reference different logins to different dynamic access-lists?

Thanks a lot!
BBD (Big Black Dog)

                                                                                                                                       
From: <ZaferP@koc.net>
To: <wing_lam@jossynergy.com>, <kasturi_cisco@hotmail.com>
cc: <ccielab@groupstudy.com>
Date: 06/13/2003 07:34 PM
Subject: RE: aaa with dynamic access-list

Hi,

I think you should also enable "aaa authorization exec default local".
Give it a try.

Zafer
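For reference, the configuration the thread converges on, written out as one fragment. This is an added example, not configuration posted by Zafer, Kasturi or Wing: it takes the interface address, ACL number, username "abc" and 5-minute idle timeout from Wing's configs further down, adds the "aaa authorization exec" line Zafer suggests, and splits the vtys with "rotary 1" as Kasturi describes below. The "admin" username, the "host" keyword on access-enable, the 10-minute absolute timeout and the restriction of the telnet permits to the router's own address are assumptions made for illustration.

```ios
! Added example (not from any post in this thread). Names and addresses are
! taken from the posted configs; "admin", the host keyword, the absolute
! timeout and the host-specific telnet permits are assumptions.
aaa new-model
aaa authentication login test local
! Under aaa new-model the username autocommand is an authorization attribute.
! Without exec authorization the login succeeds but the autocommand never
! runs, so no dynamic entry is created (Wing's "doesn't work" case).
aaa authorization exec default local
!
! Lock-and-key user: authenticates, runs access-enable, is disconnected.
! "host" restricts the temporary entry to the authenticated source address
! instead of "permit ip any any"; "timeout 5" is the idle timeout in minutes.
username abc password 0 abc
username abc autocommand access-enable host timeout 5
! Administrator: no autocommand, so the session stays open.
username admin password 0 admin
!
interface FastEthernet0/0
 ip address 192.168.2.8 255.255.255.0
 ip access-group 129 in
!
! Telnet to the router itself must be permitted on both the normal port and
! the rotary port, otherwise nobody can reach the login prompt. OSPF is kept
! from the posted config. Everything else waits for the dynamic entry, whose
! "timeout 10" is the absolute lifetime in minutes.
access-list 129 permit tcp any host 192.168.2.8 eq telnet
access-list 129 permit tcp any host 192.168.2.8 eq 3001
access-list 129 permit ospf any any
access-list 129 dynamic cisco timeout 10 permit ip any any
!
! vty 0-2: lock-and-key logins on port 23. With aaa new-model the line
! "password" is ignored, so it is omitted; telnet only, as in the thread.
line vty 0 2
 exec-timeout 0 0
 login authentication test
 transport input telnet
!
! vty 3-4: administrative logins, reached with "telnet 192.168.2.8 3001".
! Logging in here as "admin" opens no hole; logging in as "abc" would still
! run the autocommand, because it is attached to the user, not the line.
line vty 3 4
 exec-timeout 0 0
 login authentication test
 rotary 1
 transport input telnet
```

To check it from R3: "telnet 192.168.2.8" as abc should show the banner and prompts and then drop the connection, after which "show access-list 129" on R8 lists a "permit ip host <R3 address> any" entry with a time left under the dynamic line; "telnet 192.168.2.8 3001" as admin should leave you at the R8> prompt with no new entry.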

-----Original Message-----
From: wing_lam@jossynergy.com [mailto:wing_lam@jossynergy.com]
Sent: Tuesday, June 10, 2003 8:00 AM
To: kasturi cisco
Cc: ccielab@groupstudy.com
Subject: Re: aaa with dynamic access-list

Thx Kasturi,

How come after you activated aaa (aaa new-model and aaa authentication),
the config under line vty 0 4 is "login default"? Shouldn't it be "login
authentication default" rather than "login default"? In your case the
autocommand is under line vty 0 4; I think I will try this out. Here I
attach my case for your reference: I configured autocommand under username,
and it doesn't work.

1) Here is my config with aaa activated; it doesn't work

aaa new-model
aaa authentication login test local
username abc password 0 abc
username abc autocommand access-enable timeout 5

interface FastEthernet0/0
 ip address 192.168.2.8 255.255.255.0
 ip access-group 129 in
 ip irdp
 ip router isis DOG
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 duplex half
 ntp broadcast client

access-list 129 permit tcp any any eq telnet
access-list 129 permit ospf any any
access-list 129 dynamic cisco permit ip any any

line vty 0 4
 exec-timeout 0 0
 password cisco
 login authentication test
 transport input telnet ssh

<<<< Result after I telnet to R8

R8#sh access-l 129
Extended IP access list 129
    permit tcp any any eq telnet (4855 matches)
    permit ospf any any (265 matches)
    Dynamic cisco permit ip any any

<<<< This is the telnet capture from the source; you can see that I really
did get logged in to R8!

R3#192.168.2.8
Trying 192.168.2.8 ... Open

User Access Verification

Username: abc
Password:

R8>

2) Here is my config with aaa not activated; it works

username abc password 0 abc
username abc autocommand access-enable timeout 5

interface FastEthernet0/0
 ip address 192.168.2.8 255.255.255.0
 ip access-group 129 in
 ip irdp
 ip router isis DOG
 ip nbar protocol-discovery
 ip pim sparse-dense-mode
 duplex half
 ntp broadcast client

access-list 129 permit tcp any any eq telnet
access-list 129 permit ospf any any
access-list 129 dynamic cisco permit ip any any

line vty 0 4
 exec-timeout 0 0
 password cisco
 login local
 transport input telnet ssh

<<<< Result after I telnet to R8 from R3

R8#sh access-l 129
Extended IP access list 129
    permit tcp any any eq telnet (4012 matches)
    permit ospf any any (196 matches)
    Dynamic cisco permit ip any any
      permit ip any any (75 matches) (time left 298)

<<<< This is the telnet capture from the source:

R3#192.168.2.8
Trying 192.168.2.8 ... Open

User Access Verification

Username: abc
Password:
[Connection to 192.168.2.8 closed by foreign host]
R3#

From: "kasturi cisco" <kasturi_cisco@hotmail.com>
To: wing_lam@jossynergy.com
Subject: Re: aaa with dynamic access-list
Date: 06/10/2003 12:05 AM

Yes, I have used AAA with dynamic ACLs and it seems to work fine. Can you post
your config? Here is the config which I had used. Also, can you confirm that
AAA is working with normal login and that authentication works as expected?
Sometimes if AAA is not working with the normal login mechanism then it won't
work for the dynamic ACL either.

My config:
aaa new-model
aaa authentication login default tacacs+ local
!
username test password cisco
!
access-list 102 permit tcp any host 10.1.1.1 eq telnet
access-list 102 dynamic test permit tcp any any
!
tacacs-server host 19.88.146.51
!
line vty 0 2
 autocommand access-enable timeout 5
 login default

Good Luck,
Kasturi.
>From: wing_lam@jossynergy.com
>To: "kasturi cisco"
>CC: ccielab@groupstudy.com
>Subject: Re: aaa with dynamic access-list
>Date: Mon, 9 Jun 2003 22:49:30 +0800
>
>
>Thanks Kasturi,
>
>Have you got experience using aaa for authenticating telnet login,
>compared to just "login local" in "line vty 0 4"? I have tested that the
>latter can work with dynamic access-list but not the aaa one, with which I
>can still login, but the dynamic entries cannot be woken.
>
> From: "kasturi cisco" <kasturi_cisco@hotmail.com>
> Subject: Re: aaa with dynamic access-list
> Date: 06/09/2003 12:00 AM
>
>When you use a dynamic ACL you want only certain devices to open temporary
>holes in the dynamic ACL. At the same time you want other devices/admins to
>continue with normal router administration. Hence you use rotary, but not
>under the same vty ports, rather like below (at least this is what I have
>used):
>
>line vty 0 2
> login local
> autocommand access-enable host
>!
>line vty 3 4
> login
> password xxxx
> rotary 1
>
>By doing this, for normal admin you telnet using port 3001, so specify
>"telnet 3001" such that it allows you to telnet and does not create a
>dynamic ACL entry. Remember to allow telnet access in your ACL with
>"permit tcp any <ip>" so that telnet is permitted for authentication and
>also for administration. Hope that helps.
>
>Good Luck,
>Kasturi.
>
>
> >From: wing_lam@jossynergy.com
> >Reply-To: wing_lam@jossynergy.com
> >To: ccielab@groupstudy.com
> >Subject: aaa with dynamic access-list
> >Date: Sun, 8 Jun 2003 20:08:42 +0800
> >
> >Hi group,
> >
> >I have tested the dynamic access-list function without using aaa (i.e.
> >using "login local" under "line vty 0 4") and it works. After I add "aaa
> >authentication" and change the login local to login authentication
> >under line vty 0 4, the dynamic access-list does not work; I can see that
> >the dynamic entries cannot be woken by the telnet login. Just want to ask
> >whether this is normal or I am doing something wrong?
> >
> >Also, what's the use of the command "rotary 1" under line vty 0 4?
> >Can I use it so that I won't lock myself out of telnet if autocommand
> >is enabled?
> >
> >Thx,
> >BBD (Big Black Dog)
> >
> >DISCLAIMER:- This email is confidential and intended only for the use
> >of the individual or entity named above and may contain information
> >that is privileged. If you are not the intended recipient, you are
> >notified that any dissemination, distribution or copying of this
> >email is strictly prohibited. If you have received this email in
> >error, please notify us immediately by return email or telephone and
> >destroy the original message.
> >Thank you.



This archive was generated by hypermail 2.1.4 : Fri Jul 04 2003 - 11:10:57 GMT-3