RE: user access-class

From: Scott Morris (swm@emanon.com)
Date: Fri Jul 15 2005 - 10:42:12 GMT-3


Yup, just got the FedEx package this morning...

The lab says: "Configure R8 so R7 can telnet into R8 using the IP address
of the serial 0/0/0 interface on R8 using the username favre and the
password ipexpert. No other routers or hosts should be able to telnet to R8
using the same username and password."

The solution given as you noted showed an access class on the username
command line. Right idea, wrong placement.

According to the DocCD for "username" and "access-class": "(Optional)
Specifies an outgoing access list that overrides the access list specified
in the access-class line configuration command. It is used for the duration
of the user's session."

So just like you said it's outgoing only. Putting the same ACL as an
access-class on line vty 0 4 would work perfectly fine. The drawback is
that any username you have added could log in then. With this lab, I
believe that was the only username added, so it wouldn't be any huge deal.

But in the end, yes, the PG and solution is unfortunately wrong. I have
made a note and we'll get it fixed though for the next revision.

HTH,

Scott

-----Original Message-----
From: De Witt, Duane [mailto:duane.dewitt@siemens.com]
Sent: Friday, July 15, 2005 9:30 AM
To: Scott Morris; Gustavo Novais; Ed Lui; George Red
Cc: Brian Lee; Peppe Monterosso (peppemon); ccielab@groupstudy.com
Subject: RE: user access-class

Hi Scott

Have you been able to check this out yet? I am very interested to know what
the solution is.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Scott Morris
Sent: 12 July 2005 06:37 PM
To: 'Gustavo Novais'; De Witt, Duane; 'Ed Lui'; 'George Red'
Cc: 'Brian Lee'; 'Peppe Monterosso (peppemon)'; ccielab@groupstudy.com
Subject: RE: user access-class

I feel that I should jump in on this, but I don't have a good answer for you
yet... Labs 1-18 weren't under my control, so I don't have the docs for
those with me. I will try to get a hold of them though so that I can at
least look at what all is being asked for and described as the answer.

The guy who did the initial labs for Ipexpert, I don't think that he
frequents this place!

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gustavo Novais
Sent: Tuesday, July 12, 2005 5:47 AM
To: De Witt, Duane; Ed Lui; George Red
Cc: Brian Lee; Peppe Monterosso (peppemon); ccielab@groupstudy.com
Subject: RE: user access-class

I'd like to know that also...
IpExpert proctor guide sometimes has its solutions a bit messed up... :(

If you have ACS, you can do that through NAR (Network Access Restrictions)
on the server, but I haven't found any doc on doing that on the router
itself. Besides what George said, no more info regarding any kind of user
access-class.

IpExpert people, could you clarify on this, please? Router Security Lab
(15), question 4 IPExpert WB 7.0

TIA

Gustavo

-----Original Message-----
From: De Witt, Duane [mailto:duane.dewitt@siemens.com]
Sent: Tuesday, 12 July 2005 10:32
To: Ed Lui; George Red
Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon);
ccielab@groupstudy.com
Subject: RE: user access-class

Hi

So what is the end result of this?

I mean according to IpExpert proctor guide the access-class associated with
the username is the way to go, but clearly it doesn't work.

What is the proctor solution to this?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Ed Lui
Sent: 11 July 2005 06:08 PM
To: George Red
Cc: Brian Lee; Gustavo Novais; Peppe Monterosso (peppemon);
ccielab@groupstudy.com
Subject: Re: user access-class

George,
 That is exactly what I just found from the DocCD.
 Thanks,
Ed

 On 7/11/05, George Red <cisc0day@yahoo.it> wrote:
>
> The access-class on the username command is only in output.
> The access-class in line vty configuration is in input and output.
> HTH,
> George
>
> *Brian Lee <ipgirl@gmail.com>* wrote:
>
> Hi Ed,
>
> You can say it that way, but I still don't understand the meaning of the
> acl in user cmd ???
>
> B.L
>
> ----- Original Message -----
> From: "Ed Lui"
> To: "Gustavo Novais"
> Cc: "Peppe Monterosso (peppemon)" ;
>
> Sent: Saturday, July 09, 2005 3:42 AM
> Subject: Re: user access-class
>
>
> > I look at it a different way. Just not sure if it is exactly what the
> > task (as worded) asks you to do. The task says
> > "R7 can telnet into R8 to its s0/0 interface"
> > So I would create an access-list to allow only R7 telnet to R8, apply the
> > access-list on int s0/0. Then create the username and password, apply
> > login local under vty 0 XXX.
> > HTH,
> > Ed Lui
> >
> > On 7/8/05, Gustavo Novais wrote:
> >>
> >> I understand... At the end that's what I did, but I think the essence of
> >> the question was to limit inbound connections by username and router.
> >> This username can only log to R8 if he comes from R7, not somewhere
> >> else.
> >>
> >> I checked the command and its purpose is to limit OUTBOUND connections
> >> from that user when he is logged on to the router R8.
> >>
> >> I think there's no way, without using tacacs, to do this... Or is there?
> >>
> >> Thanks
> >>
> >> Gustavo
> >>
> >>
> >> -----Original Message-----
> >> From: Peppe Monterosso (peppemon) [mailto:peppemon@cisco.com]
> >> Sent: Friday, 8 July 2005 20:27
> >> To: Gustavo Novais; ccielab@groupstudy.com
> >> Subject: RE: user access-class
> >>
> >> Gustavo,
> >> What I did was an access list applied to the vty 0 4. This is to allow
> >> just R7 to telnet, and then a normal username XXX password YYYY on R8
> >>
> >> Peppe
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> Gustavo Novais
> >> Sent: Friday, July 08, 2005 11:55 AM
> >> To: ccielab@groupstudy.com
> >> Subject: user access-class
> >>
> >> Hi group
> >>
> >> I'm having a doubt here....
> >>
> >> Task says to configure R8 so that R7 can telnet into R8 to its s0/0
> >> interface using username XXXX and password YYYY. No other routers or
> >> hosts should be able to telnet to R8 using the same username and
> >> password.
> >>
> >> To me it seems like configuring user XXXX access-class 100 password YYYY
> >> with access-list 100 allowing only source IP R7 and destination R8 s0/0.
> >> I configured line vty 0 4 with login local.
> >>
> >> The thing is that it is not working!
> >>
> >> I go to other routers... and they also can login with that specific
> >> username\password, meaning the access-class is not working... (hum...
> >> should try logging.)
> >> Am I missing something?
> >>
> >>
> >> config:
> >>
> >>
> >> username XXXX access-class 100 password YYYY
> >>
> >> access-list 100 permit ip host 200.0.0.7 host 150.50.5.2
> >> access-list 100 permit ip host 150.50.5.1 host 150.50.5.2
> >>
> >> line vty 0 4
> >>  login local
> >> !
> >>
> >>
> >> TIA
> >>
> >> Gustavo
> >>
> >>

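The two placements Scott contrasts at the top of the thread, side by side. This is an added example, not text from the thread, the lab or the proctor guide; the addresses are the ones Gustavo posted in his config (200.0.0.7 and 150.50.5.1 taken as R7, 150.50.5.2 as R8's serial 0/0/0 address) and are assumed, as is the IOS syntax shown.

```cisco
! --- What the proctor guide showed (does NOT restrict who may log in) ---
! The ACL named on the "username" line is an OUTGOING access list: IOS
! applies it, for the duration of favre's session, to Telnet connections
! that favre opens FROM R8. It is never consulted when R8 decides whether
! to accept an incoming connection, so any host can still log in as favre.
username favre access-class 100 password ipexpert
!
! --- Placement that meets the task: filter INBOUND on the VTY lines ---
! Addresses assumed from the thread: 200.0.0.7 / 150.50.5.1 = R7,
! 150.50.5.2 = R8 Serial0/0/0.
no username favre access-class 100
!
access-list 100 permit ip host 200.0.0.7 host 150.50.5.2
access-list 100 permit ip host 150.50.5.1 host 150.50.5.2
! the implicit "deny ip any any" refuses every other source
!
username favre password ipexpert
!
line vty 0 4
 access-class 100 in
 login local
 transport input telnet
!
! --- Checks ---
! From R7:            telnet 150.50.5.2    -> "Username:" prompt, favre/ipexpert works
! From any other box: telnet 150.50.5.2    -> "% Connection refused by remote host"
! On R8:              show access-lists 100 -> match counters climb only on the R7 entries
```

Two caveats a practitioner should keep in mind. First, as Scott notes, an `access-class ... in` is per line, not per user: once the source is R7, every username in the local database is accepted, so the "only favre from R7" wording is met here only because favre is the sole local user; a true per-user source restriction needs AAA (the ACS NAR that Gustavo mentions). Second, the destination half of the extended ACL (`host 150.50.5.2`) is what ties the permit to the serial 0/0/0 address; confirm on your IOS release with the `show access-lists 100` counters that a Telnet from R7 to another R8 address is actually refused, rather than assuming it.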


This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:30 GMT-3