10.6 Configuration Lock-and-Key Security (Dynamic Access Lists)
10.6.4 Lock-and-Key configuration examples
Lab Activity
  In this lab, you will learn how to use Lock-and-Key security (dynamic access lists).

There are two examples in this section:

  • Example of Lock and Key with Local Authentication
  • Example of Lock and Key with TACACS+ Authentication

Cisco recommends that you use a TACACS+ server for authentication, as shown in the second example.

Example of Lock and Key with Local Authentication

This example shows how to configure Lock-and-Key access, with authentication occurring locally at the router. Lock and Key is configured on the Ethernet 0 interface.

! Lock-and-Key is applied inbound on the Ethernet 0 interface
interface ethernet0
ip address 172.18.23.9 255.255.255.0
ip access-group 101 in
!
! Static entry: only Telnet to 172.18.21.2 is permitted before authentication
access-list 101 permit tcp any host 172.18.21.2 eq telnet
! Dynamic template: ignored until access-enable creates a temporary entry from it
! (timeout 120 is the absolute lifetime, in minutes, of that temporary entry)
access-list 101 dynamic mytestlist timeout 120 permit ip any any
!
! Authenticate locally; on success run access-enable, then close the Telnet session
! (timeout 5 is the idle timeout, in minutes, of the temporary entry)
line VTY 0
login local
autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until Lock and Key is triggered.

After a user Telnets into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand command creates a temporary inbound access-list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.
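The sequence just described (static entry always evaluated, dynamic template ignored until the autocommand fires, temporary entry expiring on its timeout) is easy to misread from the configuration alone, so the following added Python simulation replays it. This is example code written for this page, not IOS code or Cisco's own implementation; the client address 10.0.0.5, the second client 10.0.0.9 and the inside server 172.18.21.7 are constructed sample addresses, and time is counted in whole minutes to mirror the IOS timeout units. The model also distinguishes the two timeouts that appear in the configuration (the absolute `timeout` on the dynamic access-list line and the idle `timeout` on `access-enable`), and it takes a `host` flag that stands in for the `host` keyword IOS accepts on `access-enable`, which restricts the temporary entry to the authenticated client's source address rather than to `any`. The same mechanics apply unchanged to the TACACS+ example that follows; only the authentication backend differs.

```python
"""Simulation of Lock-and-Key (dynamic ACL) packet evaluation.

Added example, not IOS code. Times are minutes, matching IOS timeouts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IPv4 address
    dst: str                    # destination IPv4 address
    dport: Optional[int] = None


@dataclass
class Entry:
    """One access-list line; dynamic=name marks a dynamic template."""
    action: str                            # "permit" or "deny"
    proto: str                             # "ip" matches every protocol
    src: str                               # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None            # "eq <port>"; None means any port
    dynamic: Optional[str] = None          # name after the "dynamic" keyword
    absolute_timeout: Optional[int] = None  # "timeout N" on the dynamic line


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec.split()[1]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def _entry_matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if e.dport is not None and e.dport != pkt.dport:
        return False
    return _addr_matches(e.src, pkt.src) and _addr_matches(e.dst, pkt.dst)


@dataclass
class TempEntry:
    """Temporary entry that access-enable derives from a dynamic template."""
    template: Entry
    src: str               # "any", or "host <ip>" when access-enable used host
    created: int           # minute the entry was created
    idle_timeout: int      # "access-enable timeout N"
    last_hit: int

    def expired(self, now: int) -> bool:
        if now - self.last_hit >= self.idle_timeout:
            return True
        abs_t = self.template.absolute_timeout
        return abs_t is not None and now - self.created >= abs_t


class LockAndKeyACL:
    def __init__(self, entries: List[Entry]):
        self.entries = entries
        self.temp: List[TempEntry] = []

    def access_enable(self, name: str, user_src: str, now: int,
                      idle_timeout: int, host: bool) -> TempEntry:
        """What the VTY autocommand does after a successful login."""
        template = next(e for e in self.entries if e.dynamic == name)
        src = f"host {user_src}" if host else template.src
        t = TempEntry(template, src, now, idle_timeout, now)
        self.temp.append(t)
        return t

    def evaluate(self, pkt: Packet, now: int) -> str:
        self.temp = [t for t in self.temp if not t.expired(now)]  # age out first
        for e in self.entries:
            if e.dynamic is not None:
                # The template itself never matches a packet; only temporary
                # entries derived from it (inserted at this position) do.
                for t in self.temp:
                    if t.template is e:
                        derived = Entry(e.action, e.proto, t.src, e.dst, e.dport)
                        if _entry_matches(derived, pkt):
                            t.last_hit = now       # traffic resets the idle timer
                            return e.action
                continue
            if _entry_matches(e, pkt):
                return e.action
        return "deny"  # implicit deny at the end of every access list


def build_acl_101() -> LockAndKeyACL:
    """Access list 101 from the local-authentication example above."""
    return LockAndKeyACL([
        Entry("permit", "tcp", "any", "host 172.18.21.2", 23),
        Entry("permit", "ip", "any", "any", dynamic="mytestlist", absolute_timeout=120),
    ])


def walk_through(host_keyword: bool = True) -> List[str]:
    """Replay the sequence the text describes with constructed sample hosts."""
    acl = build_acl_101()
    telnet = Packet("tcp", "10.0.0.5", "172.18.21.2", 23)
    http = Packet("tcp", "10.0.0.5", "172.18.21.7", 80)
    other = Packet("tcp", "10.0.0.9", "172.18.21.7", 80)
    out = [acl.evaluate(telnet, 0),                 # permit: static Telnet entry
           acl.evaluate(http, 0)]                   # deny: dynamic entry still ignored
    acl.access_enable("mytestlist", "10.0.0.5", 0, 5, host_keyword)  # user logged in
    out.append(acl.evaluate(http, 1))               # permit: temporary entry
    out.append(acl.evaluate(other, 1))              # deny with host, permit without
    out.append(acl.evaluate(http, 7))               # deny: idle for 6 min, timeout 5
    return out
```

Running `walk_through(True)` gives `permit, deny, permit, deny, deny`; with `host_keyword=False` the fourth result becomes `permit`, because the temporary entry is then built from the template's `any` source and admits traffic from any host, not just the one that authenticated.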

Example of Lock-and-Key with TACACS+ Authentication

The following example shows how to configure Lock-and-Key access, with authentication on a TACACS+ server. Lock-and-Key access is configured on the BRI0 interface. Four VTY ports are defined with the password "cisco."

! Logins are authenticated against TACACS+, falling back to the enable password
aaa authentication login default tacacs+ enable
aaa accounting exec stop-only tacacs+
aaa accounting network stop-only tacacs+
enable password ciscotac
!
isdn switch-type basic-dms100
!
interface ethernet0
ip address 172.18.23.9 255.255.255.0
!
interface BRI0
ip address 172.18.21.1 255.255.255.0
encapsulation ppp
dialer idle-timeout 3600
dialer wait-for-carrier-time 100
dialer map ip 172.18.21.2 name diana
dialer-group 1
isdn spid1 2036333715291
isdn spid2 2036339371566
ppp authentication chap
! Lock-and-Key is applied inbound on BRI0
ip access-group 102 in
!
! Static entry: only Telnet to 172.18.21.2 is permitted before authentication
access-list 102 permit tcp any host 172.18.21.2 eq telnet
! Dynamic template used by access-enable; timeout 5 is the absolute lifetime in minutes
access-list 102 dynamic testlist timeout 5 permit ip any any
!
!
ip route 172.18.250.0 255.255.255.0 172.18.21.2
priority-list 1 interface BRI0 high
tacacs-server host 172.18.23.21
tacacs-server host 172.18.23.14
tacacs-server key test1
tftp-server rom alias all
!
dialer-list 1 protocol ip permit
!
line con 0
password cisco
line aux 0
! After a successful login, create the temporary entry (idle timeout 5 minutes)
line VTY 0 4
autocommand access-enable timeout 5
password cisco
!