RE: user access-class

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Tue Jul 12 2005 - 06:46:44 GMT-3


I'd like to know that also...
IpExpert proctor guide sometimes has its solutions a bit messed up... :(

If you have ACS, you can do that through NAR (Network Access Restrictions) on the server, but I haven't found any doc on doing that on the router itself. Besides what George said, no more info regarding any kind of user access-class.

IpExpert people, could you clarify on this, please? Router Security Lab (15), question 4 IPExpert WB 7.0

TIA

Gustavo

-----Original Message-----
From: De Witt, Duane [mailto:duane.dewitt@siemens.com]
Sent: Tuesday, 12 July 2005 10:32
To: Ed Lui; George Red
Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon); ccielab@groupstudy.com
Subject: RE: user access-class

Hi

So what is the end result of this?

I mean according to IpExpert proctor guide the access-class associated with the username is the way to go, but clearly it doesn't work.

What is the proctor solution to this?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ed Lui
Sent: 11 July 2005 06:08 PM
To: George Red
Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon); ccielab@groupstudy.com
Subject: Re: user access-class

George,
 That is exactly what I just found from the DocCD.
 Thanks,
Ed

 On 7/11/05, George Red <cisc0day@yahoo.it> wrote:
>
> The access-class on the username command is only in output.
> The access-class in line vty configuration is in input and output.
> HTH,
> George
>
> *Brian Lee <ipgirl@gmail.com>* wrote:
>
> Hi Ed,
>
> You can say it that way, but I still don't understand the meaning of
> the acl in user cmd ???
>
> B.L
>
> ----- Original Message -----
> From: "Ed Lui"
> To: "Gustavo Novais"
> Cc: "Peppe Monterosso (peppemon)" ;
>
> Sent: Saturday, July 09, 2005 3:42 AM
> Subject: Re: user access-class
>
>
> > I look at it a different way. Just not sure if it is exactly the task
> > asks (worded) you to do. The task says
> > "R7 can telnet into R8 to its s0/0 interface"
> > So I would create an access-list to allow only R7 telnet to R8, apply
> > the access-list on int s0/0. Then create the username and password,
> > apply login local under vty 0 XXX.
> > HTH,
> > Ed Lui
> >
> > On 7/8/05, Gustavo Novais wrote:
> >>
> >> I understand... At the end that's what I did, but I think the essence
> >> of the question was to limit inbound connections by username and
> >> router. This username can only log to R8 if he comes from R7, not
> >> somewhere else.
> >>
> >> I checked the command and its purpose is to limit OUTBOUND connections
> >> from that user when he is logged on to the router R8.
> >>
> >> I think there's no way, without using tacacs to do this... Or is there?
> >>
> >> Thanks
> >>
> >> Gustavo
> >>
> >>
> >> -----Original Message-----
> >> From: Peppe Monterosso (peppemon) [mailto:peppemon@cisco.com]
> >> Sent: Friday, 8 July 2005 20:27
> >> To: Gustavo Novais; ccielab@groupstudy.com
> >> Subject: RE: user access-class
> >>
> >> Gustavo,
> >> What I did was an access list applied to the vty 0 4. This is to allow
> >> just R7 to telnet, and then a normal username XXX password YYYY on R8
> >>
> >> Peppe
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Gustavo Novais
> >> Sent: Friday, July 08, 2005 11:55 AM
> >> To: ccielab@groupstudy.com
> >> Subject: user access-class
> >>
> >> Hi group
> >>
> >> I'm having a doubt here....
> >>
> >> Task says to configure R8 so that R7 can telnet into R8 to its s0/0
> >> interface using username XXXX and password YYYY. No other routers or
> >> hosts should be able to telnet to R8 using the same username and
> >> password.
> >>
> >> To me it seems like configuring user XXXX access-class 100 password
> >> YYYY with access-list 100 allowing only source IP R7 and destination
> >> R8 s0/0.
> >> I configured line vty 0 4 with login local.
> >>
> >> The thing is that it is not working!
> >>
> >> I go to other routers... and they also can login with that specific
> >> username\password, meaning the access-class is not working... (hum...
> >> should try logging.)
> >> Am I missing something?
> >>
> >>
> >> config:
> >>
> >>
> >> username XXXX access-class 100 password YYYY
> >>
> >> access-list 100 permit ip host 200.0.0.7 host 150.50.5.2
> >> access-list 100 permit ip host 150.50.5.1 host 150.50.5.2
> >>
> >> line vty 0 4
> >> login local
> >> !
> >>
> >>
> >> TIA
> >>
> >> Gustavo
> >>
> >>
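For anyone reading this thread in the archive, here is an added illustration (constructed for this page, not a posting from anyone in the thread and not the workbook solution) of the two placements side by side, using the addresses from Gustavo's config. It restricts the vty lines by source address, which is what the thread settled on; tying the restriction to the username itself is the part that needs ACS/NAR rather than a router-only command.

```cisco
! Constructed example, not from the thread or the IPExpert workbook.
! Addresses follow Gustavo's config: R7 is 200.0.0.7 / 150.50.5.1,
! R8 s0/0 is 150.50.5.2.

! --- Placement 1 (does NOT satisfy the task) ---
! The ACL on the username is only checked when XXXX, already logged in
! to R8, opens a telnet session *from* R8. Inbound logins are unaffected,
! which is why other routers could still log in with XXXX/YYYY.
username XXXX access-class 100 password YYYY

! --- Placement 2 (restricts inbound sessions on the vty lines) ---
username XXXX password YYYY
!
access-list 100 remark inbound telnet to R8 s0/0 only from R7
access-list 100 permit ip host 200.0.0.7 host 150.50.5.2
access-list 100 permit ip host 150.50.5.1 host 150.50.5.2
! Log the refused attempts so "should try logging" has something to show.
access-list 100 deny ip any any log
!
line vty 0 4
 access-class 100 in
 login local
 transport input telnet
```

With placement 2 a session from any other source is refused before the username prompt, and the deny entry writes a log message for each refused attempt; note it limits the line, so any valid local username is subject to the same source restriction.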



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:29 GMT-3