10.6 Configuration Lock-and-Key Security (Dynamic Access Lists)
10.6.2 Lock-and-Key configuration tips
You should understand the tips in this section before you configure Lock and Key.

Tips for Configuring Dynamic Access Lists

These tips correspond to "Step 1" in the previous configuration task table.

  • Do not create more than one dynamic access list for any one access list. The software refers to only the first dynamic access list defined.
  • Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.
  • Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.
  • Configure Telnet as the protocol, so that users must Telnet into the router to be authenticated before they can gain access through the router. Note that Telnet carries the username and password in cleartext across the very network the access list is protecting against, so the credentials used for Lock and Key should not be reused for anything else.
  • Either define an idle timeout now with the timeout keyword of the access-enable command (run from the autocommand command), or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout --- otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after users have terminated their session) until the entry is removed manually by an administrator. (You can configure both idle and absolute timeouts if you wish.)
  • If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.
  • If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.
  • The only values replaced in the temporary entry are the source or destination address, depending on whether the access list was in the input access list or output access list. All other attributes such as port are inherited from the main dynamic access list.
  • Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.
  • Temporary access-list entries are never written to NVRAM.
  • To manually clear or to display dynamic access lists, refer to the section "Lock-and-Key Maintenance" later in this chapter.

Tips for Configuring Lock-and-Key Authentication

These tips correspond to "Step 5" in the previous configuration task table.
There are three possible methods to configure an authentication query process. These three methods are described in this section.

Note: Cisco recommends that you use the TACACS+ server for your authentication query process. TACACS+ provides AAA services, as well as protocol support, protocol specification, and a centralized security database.

Method 1 --- Configure a Security Server

Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities. The login tacacs line command shown below is the legacy (pre-AAA) form; on software running aaa new-model, define an aaa authentication login method list that points at the TACACS+ server and apply it to the VTY lines with the login authentication line command instead.

config-line# login tacacs

Method 2 --- Configure the username Command

Use the username command. This method is more effective because authentication is determined on a user basis. The VTY lines must also be configured with the login local line command, otherwise the username database is never consulted and the line password (if any) is used instead.

config# username name password password

Method 3 --- Configure the password and login Commands

Use the password and login commands. This method is less effective because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully, and the router cannot tell one authenticated user from another. Use login without the local keyword here; login local ignores the line password and consults the username database of Method 2.

config-line# password password

config-line# login

Tips for Configuring the autocommand Command

These tips correspond to "Step 6" in the previous configuration task table.

  • If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand on the line.
  • Configure all VTY ports with the same autocommand command. If a VTY port has no autocommand, a user who happens to land on that port after authenticating gets an EXEC session on the router itself instead of being disconnected, and no temporary access-list entry is created in the dynamic access list.
  • If you did not previously define an idle timeout with the autocommand access-enable command, you must define an absolute timeout now with the access-list command. You must define either an idle timeout or an absolute timeout --- otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated his or her session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)
  • If you configure both idle and absolute timeouts, the absolute timeout value must be greater than the idle timeout value.
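The tips above describe one procedure (Steps 1, 5 and 6 of the configuration task table) in pieces. The following is an added, complete Lock-and-Key configuration that ties them together; it is an illustrative example written for this page, not a configuration taken from the original document or from Cisco. The interface name, the 192.0.2.0/24 addressing, the dynamic list name lockkey, the user alice and the two timeout values are assumptions chosen for illustration. It uses local authentication (Method 2) with an idle timeout on access-enable and an absolute timeout on the access-list entry, so the two values must satisfy the idle-less-than-absolute rule.

```cisco
! Added example (not from the original page). All names, addresses and
! timeouts below are assumptions for illustration.
!
! Step 1 - extended ACL carrying the single dynamic entry.
! The first line lets outside hosts reach the router's own Telnet
! service so that they can authenticate at all; without it nobody
! could ever open the door.
access-list 101 permit tcp any host 192.0.2.1 eq telnet
!
! The dynamic entry. "timeout 120" is the ABSOLUTE timeout in minutes:
! a temporary entry is torn down 120 minutes after creation no matter
! how active it is. Only the first dynamic entry in a list is honoured.
! Protocol and ports of this template are inherited by every temporary
! entry; because the list is applied inbound, only the source address
! is replaced when an entry is created.
access-list 101 dynamic lockkey timeout 120 permit ip any any
!
! Apply the list inbound on the untrusted interface.
interface Serial0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
!
! Step 5 - per-user local authentication (Method 2). "secret" stores a
! hash of the password rather than the reversible "password 7" form.
username alice secret Str0ng-Passphrase
!
! Step 6 - every VTY authenticates against the local database and then
! runs access-enable. "host" limits the temporary entry to the address
! the Telnet session came from (instead of opening the template's
! "any" source), and "timeout 5" is the IDLE timeout in minutes, which
! is less than the absolute timeout of 120 set on the access list.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
!
! Check (privileged EXEC): after alice authenticates, her temporary
! "permit ip host <her address> any" entry appears under the dynamic
! entry of list 101 with its remaining time.
! show access-lists 101
```

Two practical points. First, because every VTY runs the autocommand, an administrator can no longer obtain an EXEC prompt over Telnet; keep console or other out-of-band access, or deviate deliberately from the "all VTYs" tip by reserving one VTY (for example with rotary 1, reached on TCP port 3001) that has no autocommand and is protected with an access-class restricted to management addresses. Second, the Telnet authentication exchange itself crosses the untrusted network in cleartext, so the local credentials here should be dedicated to Lock and Key.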