12-21-2015 12:57 PM - edited 03-10-2019 11:20 PM
Hi,
I have set up an SSL VPN (AnyConnect) on a 2811 IOS router! As I'm using AAA authentication and authorization based on my local DB in the SSL context to authenticate and enforce policies on the users, I've faced some problems.
I need to create some users that:
- have one-time access (or a certain number of times)
- get removed or disabled at a certain time (set a lifetime for the user, i.e. give a user a set of credentials that work only for 2 days)
Unfortunately, when I use a one-time username along with AAA authorization in the WebVPN context, somehow it gets double authentications and the user fails to log in because the user gets deleted in the first authentication!!! (huge bug, even in the latest IOS)
I tried to set kron to delete the username at a certain time, but kron can't run "no username" in the configuration terminal!
I tried to add an autocommand to the username so it deletes itself after login, but I'd have to give extra exec privileges to the user (huge security risk, so I didn't even try it).
Please help me find a solution...
Do you know anything in the AAA attribute list that does something like that? Or maybe some automation mechanism to remove the username, or even change the user's attribute list to my No-Access attribute list!!!
FYI, I can't use TACACS or RADIUS due to some technical problems.
12-21-2015 04:15 PM
First, what you are trying to do is well beyond the capabilities of doing this on-box.
Now let's move on to clever solutions. Using cron was close, but you need to use an event action script instead that is time-triggered. This is not a working example, just a lot of good hints (time trigger, and executing a "conf t" command).
event manager applet remove-user
event timer watchdog time 1800
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no username xxx"
action 9.0 end
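A fuller version of the idea above, as an added example that is not part of the original answer: a local account with a fixed lifetime, removed by an EEM countdown timer (fires once, N seconds after the applet is registered) or by a cron timer (fires at an absolute date). Assumed names: user "guest-2day", WebVPN context "VPN-CTX", applet names, and the admin identity "eem-admin" used for CLI actions when AAA command authorization is on.

```cisco
! Added example (not from the original thread). Assumed names: guest-2day, VPN-CTX, eem-admin.
!
! 1. Temporary account, lowest privilege the SSL VPN needs; secret is a placeholder.
username guest-2day privilege 1 secret <REPLACE-WITH-PASSWORD>
!
! 2. With AAA command authorization enabled, EEM CLI actions run under this local identity.
!    Assumption: eem-admin exists locally with privilege 15.
event manager session cli username eem-admin
!
! 3. Countdown timer: fires once, 172800 s (2 days) after registration. Note it restarts
!    from zero if the router reloads, so the lifetime is "2 days of uptime", not calendar time.
event manager applet expire-guest-2day
 event timer countdown time 172800
 action 1.0 cli command "enable"
 ! Deleting the username does not drop an established tunnel; clear the session first.
 action 2.0 cli command "clear webvpn session user guest-2day context VPN-CTX"
 action 3.0 cli command "configure terminal"
 ! Some IOS releases ask "[confirm]" on "no username"; the pattern keyword answers it.
 ! Assumption: drop the pattern/answer pair on releases that do not prompt.
 action 4.0 cli command "no username guest-2day" pattern "confirm"
 action 4.1 cli command "y"
 action 5.0 cli command "end"
 ! Leave an audit trail so account removal is visible in syslog.
 action 6.0 syslog msg "EEM: temporary VPN account guest-2day removed"
!
! 4. Alternative for a calendar expiry: cron timer at an absolute time (minute hour day month dow).
!    Assumed expiry 23 Dec at 23:59 router local time; make sure the clock/NTP is correct first.
event manager applet expire-guest-2day-cron
 event timer cron cron-entry "59 23 23 12 *"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear webvpn session user guest-2day context VPN-CTX"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "no username guest-2day" pattern "confirm"
 action 4.1 cli command "y"
 action 5.0 cli command "end"
 action 6.0 syslog msg "EEM: temporary VPN account guest-2day removed (cron)"
```

Use one of the two applets, not both; "show event manager policy registered" confirms the timer is armed, and the syslog line gives the defender a record of when the account actually went away.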
12-22-2015 09:00 PM
Thanks a million times!!! It worked... I mixed some event triggers like cron, watchdog and countdown to build the perfect mechanism for this system...
I know that branch routers like the 2811 are not built for this, but first of all I love challenges :-) and besides that, as I'm working in a small company with limited resources, I have to make it work :-) The whole configuration (without detailed ACLs, which must be added later on) is about 250 lines!!! But it works, and it works fine...
Thanks for your help!