RE: user access-class

From: Gustavo Novais (gustavo.novais@novabase.pt)
Date: Thu Jul 14 2005 - 16:43:36 GMT-3


I agree...

"a hair pulling exercise" ???

Do not get bald over this! Ehehehe

Thanks

-----Original Message-----
From: Godswill Oletu [mailto:oletu@inbox.lv]
Sent: Thursday, 14 July 2005 10:12
To: Gustavo Novais; De Witt, Duane; Ed Lui; George Red
Cc: Brian Lee; Peppe Monterosso (peppemon); ccielab@groupstudy.com
Subject: Re: user access-class

Gustavo,

Yes, I saw that.....

I have read almost everything Cisco has on CCO about the usefulness of
the 'access-class' option on the username statement, but I seem to get
the same answer:

".....Specifies an outgoing access list that overrides the access list
specified in the access-class line configuration command; used for the
duration of that session. "

The only line configuration that comes to mind as far as telnet is
concerned is the VTY lines.

Getting it to work as desired has been a hair pulling exercise. I am
beginning to think that the solution might just be using access-list to
restrict telnet access to the router and using the username command.

However, the ipexpert proctor might have the magic solution by using the
'username name access-class' command, so let's continue to wait on him.

Thanks.
Godswill Oletu

----- Original Message -----
From: "Gustavo Novais" <gustavo.novais@novabase.pt>
To: "Godswill Oletu" <oletu@inbox.lv>; "De Witt, Duane"
<duane.dewitt@siemens.com>; "Ed Lui" <edwlui@gmail.com>; "George Red"
<cisc0day@yahoo.it>
Cc: "Brian Lee" <ipgirl@gmail.com>; "Peppe Monterosso (peppemon)"
<peppemon@cisco.com>; <ccielab@groupstudy.com>
Sent: Tuesday, July 12, 2005 12:28 PM
Subject: RE: user access-class

> According to your config, any user defined on R8, from 1.1.1.2 would be
> able to telnet in to R8.
> User De-Witt, being logged on R8, would only be able to do telnet outbound
> TO 1.1.1.2, (back from where he first came, if telnet was used, because of
> the access-class on line vty).
> Not particularly what I had in mind.
>
> Imagine that you have a whole range of users defined locally. Let's say
> Adam and Eve :)
>
> I think that the purpose is that, while for example Adam can telnet in R8
> FROM any location, Eve can only telnet from a specific location into R8.
>
> How to do that, without Tacacs server?
>
> Thank you
>
> Gustavo
>
> -----Original Message-----
> From: Godswill Oletu [mailto:oletu@inbox.lv]
> Sent: Tuesday, 12 July 2005 17:17
> To: De Witt, Duane; Ed Lui; George Red
> Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon);
> ccielab@groupstudy.com
> Subject: Re: user access-class
>
> This should work fine for you...
>
> R8#
> interface serial 0/0
> ip address 1.1.1.1 255.255.255.252
> !
> username De-Witt access-class 1 password 0 some-sleep-might-help
> !
> access-list 1 permit 1.1.1.2
> !
> line vty 0 4
> login local
> access-class 1 in
> !
>
> -----
> Godswill Oletu
>
>
> ----- Original Message -----
> From: "De Witt, Duane" <duane.dewitt@siemens.com>
> To: "Ed Lui" <edwlui@gmail.com>; "George Red" <cisc0day@yahoo.it>
> Cc: "Brian Lee" <ipgirl@gmail.com>; "Gustavo Novais"
> <gustavo.novais@novabase.pt>; "Peppe Monterosso (peppemon)"
> <peppemon@cisco.com>; <ccielab@groupstudy.com>
> Sent: Tuesday, July 12, 2005 5:32 AM
> Subject: RE: user access-class
>
>
>> Hi
>>
>> So what is the end result of this?
>>
>> I mean according to IpExpert proctor guide the access-class associated
>> with the username is the way to go, but clearly it doesn't work.
>>
>> What is the proctor solution to this?
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Ed Lui
>> Sent: 11 July 2005 06:08 PM
>> To: George Red
>> Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon);
>> ccielab@groupstudy.com
>> Subject: Re: user access-class
>>
>> George,
>> That is exactly what I just found from the DocCD.
>> Thanks,
>> Ed
>>
>> On 7/11/05, George Red <cisc0day@yahoo.it> wrote:
>>>
>>> The access-class on the username command is only in output.
>>> The access-class in line vty configuration is in input and output.
>>> HTH,
>>> George
>>>
>>> *Brian Lee <ipgirl@gmail.com>* wrote:
>>>
>>> Hi Ed,
>>>
>>> You can say it that way, but I still don't understand the meaning of the
>>> acl in user cmd ???
>>>
>>> B.L
>>>
>>> ----- Original Message -----
>>> From: "Ed Lui"
>>> To: "Gustavo Novais"
>>> Cc: "Peppe Monterosso (peppemon)" ;
>>>
>>> Sent: Saturday, July 09, 2005 3:42 AM
>>> Subject: Re: user access-class
>>>
>>>
>>> >I look at it a different way. Just not sure if it is exactly the task
>>> > asks (worded) you to do. The task says
>>> > "R7 can telnet into R8 to its s0/0 interface"
>>> > So I would create an access-list to allow only R7 telnet to R8, apply the
>>> > access-list on int s0/0. Then create the username and password, apply
>>> > login local under vty 0 XXX.
>>> > HTH,
>>> > Ed Lui
>>> >
>>> > On 7/8/05, Gustavo Novais wrote:
>>> >>
>>> >> I understand... At the end that's what I did, but I think the essence of
>>> >> the question was to limit inbound connections by username and router.
>>> >> This username can only log to R8 if he comes from R7, not somewhere
>>> >> else.
>>> >>
>>> >> I checked the command and its purpose is to limit OUTBOUND connections
>>> >> from that user when he is logged on to the router R8.
>>> >>
>>> >> I think there's no way, without using tacacs to do this... Or is there?
>>> >>
>>> >> Thanks
>>> >>
>>> >> Gustavo
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: Peppe Monterosso (peppemon) [mailto:peppemon@cisco.com]
>>> >> Sent: Friday, 8 July 2005 20:27
>>> >> To: Gustavo Novais; ccielab@groupstudy.com
>>> >> Subject: RE: user access-class
>>> >>
>>> >> Gustavo,
>>> >> What I did was an access list applied to the vty 0 4. This is to allow
>>> >> just R7 to telnet, and then a normal username XXX password YYYY on R8
>>> >>
>>> >> Peppe
>>> >>
>>> >>
>>> >>
>>> >> -----Original Message-----
>>> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>>> >> Gustavo Novais
>>> >> Sent: Friday, July 08, 2005 11:55 AM
>>> >> To: ccielab@groupstudy.com
>>> >> Subject: user access-class
>>> >>
>>> >> Hi group
>>> >>
>>> >> I'm having a doubt here....
>>> >>
>>> >> Task says to configure R8 so that R7 can telnet into R8 to its s0/0
>>> >> interface using username XXXX and password YYYY. No other routers or
>>> >> hosts should be able to telnet to R8 using the same username and
>>> >> password.
>>> >>
>>> >> To me it seems like configuring user XXXX access-class 100 password YYYY
>>> >> with access-list 100 allowing only source IP R7 and destination R8 s0/0.
>>> >> I configured line vty 0 4 with login local.
>>> >>
>>> >> The thing is that it is not working!
>>> >>
>>> >> I go to other routers... and they also can login with that specific
>>> >> username\password, meaning the access-class is not working... (hum...
>>> >> should try logging.)
>>> >> am I missing something?
>>> >>
>>> >>
>>> >> config:
>>> >>
>>> >>
>>> >> username XXXX access-class 100 password YYYY
>>> >>
>>> >> access-list 100 permit ip host 200.0.0.7 host 150.50.5.2
>>> >> access-list 100 permit ip host 150.50.5.1 host 150.50.5.2
>>> >>
>>> >> line vty 0 4
>>> >> login local
>>> >> !
>>> >>
>>> >>
>>> >> TIA
>>> >>
>>> >> Gustavo
>>> >>
>>> >>
>>
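As an added configuration example, written by the editor and not taken from any poster in the thread, the arrangement the thread converges on, using the addresses from the original post: the inbound source restriction belongs on the vty lines, while the ACL named on the username only governs sessions that user opens outbound from R8. The ACL numbers and the XXXX/YYYY credentials are placeholders carried over from the post.

```cisco
! Assumed topology (from the original post): R7 reaches R8 from 200.0.0.7
! or 150.50.5.1; R8's s0/0 interface is 150.50.5.2.
!
! --- What does NOT restrict who may telnet IN ---
! The access-class on the username is an outgoing access list: it is applied
! only to connections the logged-in user opens from R8 (e.g. "telnet" from
! the R8 prompt). It never filters the inbound session itself, which is why
! the same username/password still works from other routers.
username XXXX access-class 100 password YYYY
!
access-list 100 remark outbound sessions permitted for user XXXX
access-list 100 permit ip host 150.50.5.2 host 150.50.5.1
!
! --- What DOES restrict who may telnet IN: access-class ... in on the vtys ---
! Standard ACL matched against the source address of the incoming connection.
access-list 1 remark telnet sources allowed to reach R8
access-list 1 permit host 200.0.0.7
access-list 1 permit host 150.50.5.1
!
line vty 0 4
 login local
 access-class 1 in
!
! Check: "show users" on R8 lists the source of each vty session, and
! "show access-lists" shows hit counts climbing on ACL 1 as sources are
! permitted or refused. The restriction is per source, not per user: tying
! a particular username to a particular source (Adam vs Eve) needs an AAA
! server, as the thread concludes.
```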



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3