From: Rik Guyler (rik@guyler.net)
Date: Tue Feb 10 2004 - 20:24:20 GMT-3
Yasser, the "autocommand access-enable" is used specifically for
lock-and-key as its purpose is to immediately log out the user once
authentication has been successful. You would not/should not use any
other parameters in this particular case as you want this process to
happen this way.
If you wish to accomplish something other than lock-and-key with the
"autocommand" command then of course you can specify alternate
parameters. In this case, you are simply specifying a command to
automatically run when the user successfully authenticates.
One thing I noted in Packet Man's reply to you earlier. The passage he
quoted seemed to indicate that if no timeouts are specified, either idle
or absolute, then the dynamic ACL gets removed after 120 minutes. The
Doc CD indicates that it will remain indefinitely if no timeout values
of either type exist.
See the included URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm#25218
Anybody ever wait to see what really happens?
Rik
-----Original Message-----
From: Yasser Aly [mailto:blackyeyes00@hotmail.com]
Sent: Tuesday, February 10, 2004 12:36 PM
To: ccielab@groupstudy.com
Subject: RE: Lock-and-Key Confusion
Hi Packet Man,
Thanks for your explanation it made things much clearer.
Another question about the autocommand command. When this command is
used with the lock-and-key ACL, is it normally used in this syntax
"autocommand access-enable timeout 5", or are there cases where other
exec commands are configured after the autocommand?
Regards,
Yasser
>From: "Packet Man" <ccie2b@hotmail.com>
>To: blackyeyes00@hotmail.com, ccielab@groupstudy.com
>Subject: RE: Lock-and-Key Confusion
>Date: Tue, 10 Feb 2004 07:58:27 -0500
>
>Hi Yasser,
>
>See comments in-line.
>
>
>>From: "Yasser Aly" <blackyeyes00@hotmail.com>
>>Reply-To: "Yasser Aly" <blackyeyes00@hotmail.com>
>>To: ccielab@groupstudy.com
>>Subject: Lock-and-Key Confusion
>>Date: Mon, 09 Feb 2004 20:51:10 -0500
>>
>>Hello,
>>
>>I need your help in understanding Lock-and-Key ACL as I am confused in
>>understanding some of its terms.
>>
>>Considering the following example:
>>
>>-----------------
>>username name password password
>>interface ethernet0
>>ip address 172.18.23.9 255.255.255.0
>>ip access-group 101 in
>>access-list 101 permit tcp any host 172.18.23.2 eq telnet
>
>The ip address 172.18.23.2 is the address the user telnets to so user
>can be authenticated. It should be the ip address of the interface
>connected to the external (untrusted) network. You use "any host" as the
>source address b/c you might know in advance what (source) ip address
>the user will use to telnet to your outside interface.
>
>
>>access-list 101 dynamic mytestlist timeout 120 permit ip any any
>
>Once authenticated, the above line allows the user to access any device
>on the inside. You might want to make the above entry more restrictive
>by specifying a single host address or subnet for the destination. The
>timeout is absolute and 120 = 2 hours.
>
>
>>line vty 0
>>login local
>>autocommand access-enable timeout 5
>>----------------
>>
>>
>>I have the following questions:
>>
>>1- The permitted destination to telnet at is: 172.18.23.2, shouldn't
>>this IP be the IP defined on the ethernet interface? If not, then
>>kindly explain.
>
>Only if the Ethernet interface is connected to the outside, untrusted
>network and is the ip address external users need to telnet to to be
>authenticated.
>>
>>2- If the user will be logged off automatically once logged
>>successfully to the router and the dynamic ACL entry was created, what
>>does the timeout 5 represent in the autocommand?
>
>It's an idle timeout and should always be smaller than the absolute
>timeout configured in the dynamic entry.
>>
>>3- What are the units of timeout defined in the autocommand and
>>access-list commands? Is it seconds or minutes ?
>
>Minutes
>>
>>4- Will the dynamic entry expire after a pre-defined time (5 or 120
>>???) whether or not the user is doing an activity? Like allowing the
>>user to access the resources for 5 minutes and then remove the ACL
>>entry, or this idle timeout will be counted as a real idle-timeout of
>>non-activity from the user.
>
>The dynamic entry goes away after 120 minutes no matter what. After 2
>hours, the user will need to telnet in and re-authenticate. But, if the
>user takes longer than 5 minutes to get coffee, he will be logged out.
>>
>>Thanks for your help.
>>
>>Regards,
>>Yasser
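An added example, not code from any post in this thread, that models the two timeouts Packet Man describes: it reads the absolute timeout from the dynamic ACL line and the idle timeout from the autocommand line of the configuration quoted above, checks that idle is shorter than absolute, and computes when the dynamic entry is torn down for a given pattern of user traffic. The regexes, function names and the minute-based clock are the example's own assumptions, and it only covers the case where both timeouts are configured.

```python
import re
# Constructed sample: the lock-and-key configuration quoted in the thread.
SAMPLE_CONFIG = """
username name password password
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.23.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line vty 0
 login local
 autocommand access-enable timeout 5
"""
# Hypothetical parsers for the two lines that carry timeouts (minutes).
DYNAMIC_RE = re.compile(r"^access-list\s+\d+\s+dynamic\s+\S+(?:\s+timeout\s+(\d+))?")
AUTOCMD_RE = re.compile(r"^autocommand\s+access-enable(?:\s+timeout\s+(\d+))?")

def parse_timeouts(config):
    """Return (absolute_minutes, idle_minutes); None where the keyword is absent."""
    absolute = idle = None
    for raw in config.splitlines():
        line = raw.strip()
        m = DYNAMIC_RE.match(line)
        if m and m.group(1):
            absolute = int(m.group(1))
        m = AUTOCMD_RE.match(line)
        if m and m.group(1):
            idle = int(m.group(1))
    return absolute, idle

def check_timeouts(absolute, idle):
    """Packet Man's rule: the idle timeout should be shorter than the absolute one."""
    if absolute is None or idle is None:
        return False, "configure both an absolute (dynamic ACL) and an idle (autocommand) timeout"
    if idle >= absolute:
        return False, "idle timeout %d min is not shorter than absolute %d min" % (idle, absolute)
    return True, "ok"

def removal_time(created, traffic, absolute, idle):
    """Minute at which the dynamic entry is removed: the earlier of absolute expiry
    and `idle` minutes after the last packet (packets after removal do not revive it)."""
    last = created
    for t in sorted(traffic):
        if t > last + idle:            # gap exceeded the idle timeout: already gone
            return last + idle
        if t >= created + absolute:    # absolute limit reached regardless of activity
            return created + absolute
        last = t
    return min(last + idle, created + absolute)
```

With the quoted configuration, steady traffic every few minutes keeps the entry alive until the 120 minute absolute limit, while a ten minute coffee break after minute 2 removes it at minute 7.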
This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:48 GMT-3