Re: ACS and Terminal Server

From: Jay Young - Taylor (jyoungtaylor@gmail.com)
Date: Mon Sep 12 2005 - 00:50:51 GMT-3


Another solution is to have your users telnet into the router itself and
authenticate them here. Obviously you would set them up as
unprivileged users and have them reverse telnet to a loopback interface
that is not advertised in your routed network. You put an access group
on the async lines only allowing connections from the loopback. So in
summary the lines are only accessible from the router itself and you
have your users log into the router.

Hope this helps

_JYT
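A worked configuration of the approach Jay describes, added here as an example (it is not from the thread); the addresses, ACL number, AAA method-list name, username and TACACS+ server are assumptions:

```cisco
! Assumed addressing: 1.1.1.1 is the terminal server's Ethernet address
! (as in the thread); 10.255.255.1 is a loopback used only as the
! reverse-telnet target and never advertised by any routing protocol.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Source the router's own telnet sessions from the loopback so the
! access-class below matches reliably.
ip telnet source-interface Loopback0
!
! Single authentication point: users are checked against ACS (TACACS+)
! when they telnet to the router; "local" is the fallback if ACS is down.
aaa new-model
aaa authentication login TS-LOGIN group tacacs+ local
tacacs-server host 192.0.2.10 key PLACEHOLDER-KEY
username tsuser privilege 1 secret PLACEHOLDER-PASSWORD
!
line vty 0 4
 login authentication TS-LOGIN
 transport input telnet
!
! Only the loopback may open reverse-telnet connections (ports 2001-2016);
! anything arriving on 1.1.1.1:20xx from the network is dropped and logged.
access-list 10 permit host 10.255.255.1
access-list 10 deny   any log
!
line 1 16
 no exec
 transport input telnet
 access-class 10 in
!
! Resulting user session (the ACS prompt appears once, at the VTY):
!   C:\> telnet 1.1.1.1
!   Username: tsuser  /  Password: ...
!   ts> telnet 10.255.255.1 2001      -> device on line 1, no second prompt
!   ts> telnet 10.255.255.1 2002      -> device on line 2
```

Users land at a privilege-1 exec on the terminal server itself, so pair this with exec authorization or a restricted privilege level if they should not be running show commands there.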

Chris wrote:

> I think you are referring to the "lock and key" access-list using dynamic
>acl and autocommand. This will not work for me either. Thanks again though.
>I appreciate the help.
>
>Chris
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Godswill Oletu
>Sent: Friday, September 09, 2005 12:58 AM
>To: chris@supertechnetworks.com; ccielab@groupstudy.com
>Subject: Re: ACS and Terminal Server
>
>But you still can simulate a very similar situation that will achieve the
>same purpose, which I believe is:
>
>
>>single authentication, then access to all lines will be given without
>>the need to re-authenticate each time.
>>
>
>You can configure your dynamic access list such that tcp access to ports
>2001 - 2016 will be denied until a successful authentication. Once an
>individual has successfully authenticated, they can then have the access to
>initiate telnet to any device attached to lines 1 to 16.
>
>HTH
>Godswill Oletu
>
>----- Original Message -----
>From: "Chris" <chris@supertechnetworks.com>
>To: "'Godswill Oletu'" <oletu@inbox.lv>; <ccielab@groupstudy.com>
>Sent: Thursday, September 08, 2005 10:15 PM
>Subject: RE: ACS and Terminal Server
>
>
>>That is what I figured. I do not want to selectively do authentication. I
>>want a person to authenticate once to one line and then have access to the
>>others without re-authenticating for each line. I did not think it could be
>>done. Thanks anyway.
>>
>>Chris
>>
>>-----Original Message-----
>>From: Godswill Oletu [mailto:oletu@inbox.lv]
>>Sent: Thursday, September 08, 2005 9:45 PM
>>To: Chris; ccielab@groupstudy.com
>>Subject: Re: ACS and Terminal Server
>>
>>Chris,
>>
>>By default you are not required to authenticate before gaining access to
>>devices attached to the lines via reverse telnet:
>>
>>#line 1 16
>>#transport input all
>>
>>Is really all that is needed to reverse telnet to each of the 16 devices
>>connected to the lines above. You can further tweak this by adding things
>>like (no exec, exec-timeout, etc...)
>>
>>However, if you choose to, you can selectively turn ON authentication for
>>any or all of the lines:
>>
>>#line 1 2
>>#transport input all
>>#login
>>#password cisco
>>!
>>#line 3 16
>>#transport input all
>>
>>You will be challenged for a password on lines 1 and 2 but not on lines 3
>>to 16.
>>
>>If you have to telnet from your PC straight into any of the lines and do not
>>want to be challenged for a password, e.g.:
>>
>>C:/>Telnet 1.1.1.1 2001 <1.1.1.1 is ethernet interface ip address of the
>>terminal server & 2001 is accessing line 1>
>>
>>You can turn OFF telnet authentication on the terminal server by:
>>
>>#line vty 0 4
>>#no login
>>
>>With this and the vanilla configuration of 'line 1 16' above, users can
>>access any of the terminal server lines from their PC without password
>>requirements.
>>
>>HTH
>>Godswill Oletu
>>
>>----- Original Message -----
>>From: "Chris" <chris@supertechnetworks.com>
>>To: <ccielab@groupstudy.com>
>>Sent: Thursday, September 08, 2005 8:17 PM
>>Subject: ACS and Terminal Server
>>
>>
>>>If I am using a 2511 as terminal server with a device on each line, can I
>>>configure it so that a user only has to authenticate on one line to access
>>>the other 15?
>>>
>>>In other words, I want them to be able to telnet to x.x.x.x 2001, x.x.x.x
>>>2002, x.x.x.x 2003
>>>
>>>and access each line, but not have to authenticate at each line. I do not
>>>think it is possible, but I thought I should ask.
>>>
>>>Chris
>>>
>>>_______________________________________________________________________
>>>Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>>
>



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:14 GMT-3