You should understand the tips in this section before you configure Lock and Key.
Tips for Configuring Dynamic Access Lists
These tips correspond to "Step 1" in the previous configuration task table.
- Do not create more than one dynamic access list for any one access list. The software refers to only the first dynamic access list defined.
- Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.
- Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
- Configure Telnet as the protocol, so that users must Telnet into the router to be authenticated before they can gain access through the router.
- Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout --- otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after users have terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
- If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.
- If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.
- The only values replaced in the temporary entry are the source or destination address, depending on whether the access list was in the input access list or output access list. All other attributes, such as port, are inherited from the main dynamic access list.
- Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
- Temporary access-list entries are never written to NVRAM.
- To manually clear or to display dynamic access lists, refer to the section "Lock-and-Key Maintenance" later in this chapter.
Tips for Configuring Lock-and-Key Authentication
These tips correspond to "Step 5" in the previous configuration task table.
There are three possible methods to configure an authentication query process. These three methods are described in this section.
Note: Cisco recommends that you use the TACACS+ server for your authentication query process. TACACS+ provides AAA services, as well as protocol support, protocol specification, and a centralized security database.
Method 1 --- Configure a Security Server
Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
config-line# login tacacs
Method 2 --- Configure the username Command
Use the username command. This method is more effective because authentication is determined on a per-user basis.
config# username name password password
Method 3 --- Configure the password and login Commands
Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.
config-line# password password
config-line# login local
Tips for Configuring the autocommand Command
These tips correspond to "Step 6" in the previous configuration task table.
- If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand on the line.
- Configure all VTY ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access-list entry in the dynamic access list.
- If you did not previously define an idle timeout with the autocommand access-enable command, you must define an absolute timeout now with the access-list command. You must define either an idle timeout or an absolute timeout --- otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated his or her session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
- If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.
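The timeout, single-dynamic-entry and same-autocommand-on-every-VTY rules from the dynamic access list tips and the autocommand tips above can be checked mechanically before a configuration is pushed. The following is an added example, not Cisco's code or anything from this chapter: a small Python checker run over a constructed IOS configuration (ACL number, dynamic-name, username and addresses are made up for illustration).

```python
import re

# Constructed sample configuration (not from the page), laid out the way the
# tips describe: one dynamic entry on ACL 101 with an absolute timeout, and
# every VTY line carrying the same autocommand with an idle timeout.
SAMPLE_CONFIG = """\
username alice password 0 example-only
interface Serial0
 ip access-group 101 in
access-list 101 permit tcp any host 192.0.2.10 eq telnet
access-list 101 dynamic lockkey timeout 120 permit ip any any
line vty 0 4
 login local
 autocommand access-enable host timeout 5
"""

def check_lock_and_key(config):
    """Return a list of findings; an empty list means the config follows the tips."""
    findings = []
    dynamic = {}        # ACL number -> absolute timeouts of its dynamic entries (None if absent)
    autocommands = []   # one slot per 'line vty' block, holding its autocommand text
    idle = None         # idle timeout from access-enable, None if the keyword is missing
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) dynamic (\S+)(?: timeout (\d+))?", line)
        if m:
            acl, _name, absolute = m.groups()
            dynamic.setdefault(acl, []).append(int(absolute) if absolute else None)
        if re.match(r"line vty", line):
            autocommands.append(None)
        m = re.match(r"\s*autocommand access-enable(?: host)?(?: timeout (\d+))?", line)
        if m and autocommands:
            autocommands[-1] = line.strip()
            idle = int(m.group(1)) if m.group(1) else None
    for acl, timeouts in dynamic.items():
        if len(timeouts) > 1:
            findings.append(f"ACL {acl}: more than one dynamic entry; only the first is used")
        absolute = timeouts[0]
        if absolute is None and idle is None:
            findings.append(f"ACL {acl}: no idle or absolute timeout; temporary entries persist until cleared")
        if absolute is not None and idle is not None and idle >= absolute:
            findings.append(f"ACL {acl}: idle timeout {idle} must be less than absolute timeout {absolute}")
    if any(a is None for a in autocommands):
        findings.append("a VTY line has no autocommand; it grants plain EXEC access")
    if len(set(autocommands)) > 1:
        findings.append("VTY lines do not all carry the same autocommand")
    return findings

if __name__ == "__main__":
    print(check_lock_and_key(SAMPLE_CONFIG) or "no findings")
```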