From: Dennis J. Hartmann (dhartma5@optonline.net)
Date: Tue May 03 2005 - 18:00:20 GMT-3
In addition to my last post, have you configured the following in
your router:
line VTY 0 4
autocommand access-enable host timeout 5
password cisco
I believe the username * autocommand * * is giving you some issues
as well. Based on the documentation below, as soon as you send the
access-enable command, the session will be terminated.
Username X autocommand Y
(Optional) Causes the specified command to be issued automatically after the
user logs in. When the command is complete, the session is terminated.
Because the command can be any length and contain embedded spaces, commands
using the autocommand keyword must be the last option on the line.
Check out the Lock-And-Key Example from the Lock-And-Key
Configuration Guide (below):
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/ftrafwl/scflock.htm
Lock-and-Key with TACACS+ Authentication Example
The following example shows how to configure lock-and-key access, with
authentication on a TACACS+ server. Lock-and-key access is configured on the
BRI0 interface. Four VTY ports are defined with the password "cisco".
aaa authentication login default group tacacs+ enable
aaa accounting exec stop-only group tacacs+
aaa accounting network stop-only group tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
!
interface BRI0
ip address 172.18.21.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 3600
dialer wait-for-carrier-time 100
dialer map ip 172.18.21.2 name diana
dialer-group 1
isdn spid1 2036333715291
isdn spid2 2036339371566
ppp authentication chap
ip access-group 102 in
!
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
password cisco
line aux 0
line VTY 0 4
autocommand access-enable host timeout 5
password cisco
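As an added illustration, not code from any message in this thread nor from Cisco: a small Python model of how a dynamic (lock-and-key) ACL is evaluated top-down and how access-enable instantiates the dynamic template, built around Amir's ACL 100 from the original question. It assumes a simplified IOS behaviour: with the host keyword the temporary entry gets the caller's address as its source; without it the template line is copied as-is, so a second login finds an identical temporary entry already present and gets the "already contains this IP address pair" message.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str            # "permit" / "deny"
    proto: str             # "ip" or "tcp"
    src: str               # "any" or "ADDR WILDCARD"
    dynamic: bool = False  # the 'dynamic NAME ... permit ...' template line
    temp: bool = False     # temporary entry created by access-enable

def src_matches(spec, ip):
    """Wildcard-mask match as IOS does it: 1-bits in the mask are ignored."""
    if spec == "any":
        return True
    addr, wild = spec.split()
    a, w, h = (int(ipaddress.IPv4Address(x)) for x in (addr, wild, ip))
    return (a | w) == (h | w)

class DynamicAcl:
    def __init__(self, number, dyn_name, entries):
        self.number, self.dyn_name, self.entries = number, dyn_name, entries

    def lookup(self, proto, src_ip):
        """Top-down evaluation; the template line never matches traffic by itself."""
        for e in self.entries:
            if e.dynamic:
                continue
            if e.proto in ("ip", proto) and src_matches(e.src, src_ip):
                return e.action
        return "deny"  # implicit deny at the end of every ACL

    def access_enable(self, caller_ip, use_host):
        """Model (assumption) of 'access-enable [host]': with 'host' the template's
        source becomes the caller's address, otherwise the template is copied verbatim."""
        tmpl = next(e for e in self.entries if e.dynamic)
        src = f"{caller_ip} 0.0.0.0" if use_host else tmpl.src
        if any(e.temp and e.src == src for e in self.entries):
            return f"% List#{self.number}-{self.dyn_name} already contains this IP address pair"
        # temporary entries are inserted at the template's position in the list
        self.entries.insert(self.entries.index(tmpl), Ace(tmpl.action, tmpl.proto, src, temp=True))
        return "OK"

def two_logins(use_host):
    """Amir's ACL 100 (dynamic line first), then two users from the permitted /29 log in."""
    acl = DynamicAcl(100, "telnet", [
        Ace("permit", "ip", "any", dynamic=True),        # dynamic telnet timeout 10 permit ip any any
        Ace("permit", "tcp", "140.10.101.96 0.0.0.7"),  # permit tcp 140.10.101.96 0.0.0.7 any eq telnet
    ])
    results = [acl.access_enable(ip, use_host) for ip in ("140.10.101.97", "140.10.101.98")]
    return acl, results
```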
-----Original Message-----
From: Dennis J. Hartmann [mailto:dhartma5@optonline.net]
Sent: Tuesday, May 03, 2005 4:53 PM
To: 'amir cohen'; 'ccielab@groupstudy.com'
Subject: RE: Autocommand for username
I'm new to dynamic (Lock-and-Key) ACLs, but from my studying today
it seems that the first ACE line (access-list 100 dynamic telnet timeout 10
permit ip any any) is forcing the router to use the dynamic ACL where one
doesn't exist yet because the Telnet ACL is your second ACE and ACLs use top
down processing. Remove your ACL and try rebuilding it with the Telnet ACE
as the first ACE in your ACL like this:
access-list 100 permit tcp 140.10.101.96 0.0.0.7 any eq telnet
access-list 100 dynamic telnet timeout 10 permit ip any any
I don't have access to a router to test this so please let me know
if this works.
Sincerely,
Dennis Hartmann
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of amir cohen
Sent: Saturday, April 23, 2005 1:42 AM
To: ccielab@groupstudy.com
Subject: Autocommand for username
Hello,
i need some help in understanding autocommand:
this is my config:
======================================
username test password 0 test
username test autocommand access-enable timeout 5
!
access-list 100 dynamic telnet timeout 10 permit ip any any
access-list 100 permit tcp 140.10.101.96 0.0.0.7 any eq telnet
!
=================================
When I telnet from the above IPs I got:
R6#140.10.101.7
Trying 140.10.101.7 ... Open
User Access Verification
Username: test
Password:
% List#100-telnet already contains this IP address pair
[Connection to 140.10.101.7 closed by foreign host]
Any ideas?
Thanx
Amir
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:11:56 GMT-3