Re: restricting a user from login at times in the day

From: Huan Pham (pnhuan@yahoo.com)
Date: Fri Nov 14 2008 - 23:10:37 ARST


Christopher, Atlanta,
 
I came across a similar scenario, and found out that you can limit what a
user can access during certain times. This time-based ACL tied to a user only
applies in the outbound direction. He will be successfully authenticated, and
may do all the changes (based on his access rights) on the local router, but
won't be able to access other devices from this "comm server".
 
It is a great feature for a communication server in a shared lab
environment, where you may want to allow your study peers to use your lab
during certain time slots.
 
However, it cannot be used directly on a router where you want to give
limited access based on username and time of day.
username user1 access-class ACL_number
"Specifies an outgoing access list that overrides the access list specified in
the access-class line configuration command. It is used for the duration of
the user's session. "
 
 
 
CommServer#
time-range WORKHOURS
 periodic weekdays 9:00 to 17:00
access-list 199 permit ip any any time-range WORKHOURS
username user1 access-class 199 password 0 cisco
 
 
 
 
Testing telnet from outside to the lab....
 
Username: user1
Password: cisco

CommServer>sh clock
10:38:00.548 AEST Sat Nov 15 2008
CommServer>show access-list
Extended IP access list 199
    permit ip any any time-range WORKHOURS (inactive)
CommServer>who
    Line User Host(s) Idle Location
    ...
* 29 vty 11 user1 idle 00:00:00 192.168.0.11
 
CommServer>telnet 192.168.0.1
Trying 192.168.0.1 ...
% Connections to that host not permitted from this terminal

CommServer>R1
Translating "R1"
Trying R1 (10.10.10.10, 2001)...
% Connections to that host not permitted from this terminal
 

--- On Fri, 11/7/08, Atlanta CCIE <atlantaccie@gmail.com> wrote:

From: Atlanta CCIE <atlantaccie@gmail.com>
Subject: Re: restricting a user from login at times in the day
To: "Christopher Copley" <copley.chris@gmail.com>
Cc: ccielab@groupstudy.com
Date: Friday, November 7, 2008, 7:37 AM

I have not played with this scenario on my lab but I can assure you I did
something similar during my prep :) This SHOULD work with time-range.
I will let the gurus reply

On Thu, Nov 6, 2008 at 3:32 PM, Christopher Copley
<copley.chris@gmail.com> wrote:

> Group,
>
> I am not sure if this is a feature or not, I have been searching the DocCD,
> Internet, and my books all day and can't find an answer. I have a situation
> where I need to give access to a specific user for a certain time during
> the day, and only during those hours. I don't have TACACS, LDAP, Radius, etc.
> I have to do it local on the router. I have played with AAA functions,
> Time based ACL's, and it isn't working. Is there a way to create a login id
> and limit when that ID can login to the router, and do it all in IOS?
>
> Any thoughts?
> Chris
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
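
The behaviour shown in the test output above, as an added example that is not part of the original thread: this Python sketch parses the four configuration lines from the message and evaluates, for a given `show clock` timestamp, whether the per-user access-class ACL permits outbound sessions (login itself is never evaluated, matching the observation that the user still authenticates). The function names are hypothetical, the model assumes every ACL entry matches all traffic (`ip any any`), and the end minute of a `periodic` range is assumed inclusive.

```python
from datetime import datetime

# Constructed input: the four configuration lines from the message above.
CONFIG = """\
time-range WORKHOURS
 periodic weekdays 9:00 to 17:00
access-list 199 permit ip any any time-range WORKHOURS
username user1 access-class 199 password 0 cisco
"""
DAYS = {"weekdays": {0, 1, 2, 3, 4}, "weekend": {5, 6}, "daily": set(range(7))}

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def parse(config):
    """Return (time ranges, ACL entries, per-user access-class) from config text."""
    ranges, acls, users, current = {}, {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if not words:
            continue
        if words[0] == "time-range":
            current = words[1]
            ranges[current] = []
        elif words[0] == "periodic" and current:
            ranges[current].append((DAYS[words[1]], minutes(words[2]), minutes(words[4])))
        elif words[0] == "access-list":
            tr = words[words.index("time-range") + 1] if "time-range" in words else None
            acls.setdefault(words[1], []).append((words[2], tr))
        elif words[0] == "username" and "access-class" in words:
            users[words[1]] = words[words.index("access-class") + 1]
    return ranges, acls, users

def parse_clock(show_clock):
    """Parse 'show clock' output such as '10:38:00.548 AEST Sat Nov 15 2008'."""
    t, _tz, rest = show_clock.split(" ", 2)
    return datetime.strptime(f"{t} {rest}", "%H:%M:%S.%f %a %b %d %Y")

def outbound_allowed(user, when, config=CONFIG):
    """True if the user's access-class ACL permits outbound sessions at `when`."""
    ranges, acls, users = parse(config)
    if user not in users:
        return True  # no per-user access-class, so no per-user restriction
    now = when.hour * 60 + when.minute
    for action, tr in acls.get(users[user], []):
        # An entry whose time-range is inactive is skipped ("(inactive)" in the output).
        active = tr is None or any(when.weekday() in days and start <= now <= end
                                   for days, start, end in ranges.get(tr, []))
        if active:
            return action == "permit"
    return False  # implicit deny at the end of every ACL
```

Evaluating the timestamp from the test session (a Saturday) returns `False`, which corresponds to the "Connections to that host not permitted from this terminal" responses.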




This archive was generated by hypermail 2.1.4 : Mon Dec 01 2008 - 08:18:30 ARST