Lab Activity

In this lab, you will learn how to use Lock-and-Key security (dynamic access lists).
There are two examples in this section:
- Example of Lock and Key with Local Authentication
- Example of Lock and Key with TACACS+ Authentication
Cisco recommends that you use a TACACS+ server for
authentication, as shown in the second example.
Example of Lock and Key with Local Authentication
This example shows how to configure Lock-and-Key access, with
authentication occurring locally at the router. Lock and Key is
configured on the Ethernet 0 interface.
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
!
! Static entry: only Telnet is permitted before a user authenticates
access-list 101 permit tcp any host 172.18.21.2 eq telnet
! Dynamic template entry: ignored until access-enable is triggered
access-list 101 dynamic mytestlist timeout 120 permit ip any any
!
line VTY 0
 login local
 autocommand access-enable timeout 5
The first access-list entry allows only Telnet into the router.
The second access-list entry is always ignored until Lock and Key is
triggered.
After a user Telnets into the router, the router attempts to
authenticate the user. If authentication succeeds, the autocommand
executes and the Telnet session terminates. The autocommand command
creates a temporary inbound access-list entry on the Ethernet 0
interface, based on the second access-list entry (mytestlist).
This temporary entry expires after 5 minutes, as specified by the
access-enable timeout.
Example of Lock-and-Key With TACACS+ Authentication
The following example shows how to configure Lock-and-Key access,
with authentication on a TACACS+ server. Lock-and-Key access is
configured on the BRI0 interface. Four VTY ports are defined with
the password "cisco."
aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
!
interface BRI0
 ip address 172.18.21.1 255.255.255.0
 encapsulation ppp
 dialer idle-timeout 3600
 dialer wait-for-carrier-time 100
 dialer map ip 172.18.21.2 name diana
 dialer-group 1
 isdn spid1 2036333715291
 isdn spid2 2036339371566
 ppp authentication chap
 ip access-group 102 in
!
access-list 102 permit tcp any host 172.18.21.2 eq telnet
access-list 102 dynamic testlist timeout 5 permit ip any any
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
 password cisco
line aux 0
line VTY 0 4
 autocommand access-enable timeout 5
 password cisco
!
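The following audit script is an added example, not part of this lab or of Cisco IOS. It reads a router configuration in the form shown in both examples above and reports the pieces a Lock-and-Key setup depends on: a dynamic access-list entry with an absolute timeout, that access list applied inbound on an interface, a VTY autocommand access-enable with an idle timeout, and an authentication method on the VTY line. The sample configuration and the `host` keyword check are constructed by the example; the keyword itself is a standard access-enable option that limits the temporary entry to the authenticating host's address.

```python
import re

# Constructed sample: the local-authentication example from this lab, indented as in `show running-config`.
SAMPLE_CONFIG = """\
interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in
access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any
line VTY 0
 login local
 autocommand access-enable timeout 5
"""

def audit_lock_and_key(config: str) -> list[str]:
    """Return findings for a Lock-and-Key (dynamic ACL) configuration."""
    lines = [l for l in config.splitlines() if l.strip() and not l.startswith("!")]
    dynamic, applied_in, autocommands = {}, set(), []   # acl -> (name, absolute timeout)
    login_local, in_vty = False, False
    aaa_login = any(l.startswith("aaa authentication login") for l in lines)
    for raw in lines:
        l = raw.strip()
        if not raw[0].isspace():                       # top-level command starts a new block
            in_vty = l.lower().startswith("line vty")
        if m := re.match(r"access-list (\d+) dynamic (\S+)(?: timeout (\d+))?", l):
            dynamic[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"ip access-group (\d+) in$", l):
            applied_in.add(m.group(1))
        elif in_vty and l == "login local":
            login_local = True
        elif in_vty and l.startswith("autocommand access-enable"):
            autocommands.append(l)
    findings = []
    for acl, (name, timeout) in dynamic.items():
        if timeout is None:
            findings.append(f"ACL {acl}: dynamic entry {name} has no absolute timeout")
        if acl not in applied_in:
            findings.append(f"ACL {acl}: not applied inbound on any interface")
    if not autocommands:
        findings.append("no VTY 'autocommand access-enable': nothing ever triggers the dynamic entry")
    for cmd in autocommands:
        if "timeout" not in cmd:
            findings.append(f"'{cmd}': no idle timeout, the entry lives until the absolute timeout")
        if " host" not in cmd:
            findings.append(f"'{cmd}': no 'host' keyword, the temporary entry keeps the "
                            "template's source (any) instead of the authenticating host")
    if not (login_local or aaa_login):
        findings.append("VTY line has neither 'login local' nor AAA login authentication")
    return findings
```

Run it against the two configurations above: the first reports only the missing `host` keyword, the second additionally passes because its AAA login method is defined globally rather than on the line.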