Username Problem

shahab.66
Level 1

Hi,

I have set up an SSL VPN (AnyConnect) on a 2811 IOS router. As I'm using AAA authentication and authorization based on my local DB in the SSL context to authenticate and force policies on the users, I've faced some problems.

I need to create some users to:

- have one-time access (or a certain number of times)

- get removed or disabled at a certain time (set a lifetime for the user, i.e. give a user a set of credentials that work only for 2 days)

Unfortunately, when I use a one-time username along with AAA authorization in the WebVPN context, somehow it gets double authentication and the user fails to log in because the user gets deleted in the first authentication!!! (huge bug, even in the latest IOS)

I tried to set up kron to delete the username at a certain time, but kron can't do "no username" in the configuration terminal!

I tried to add an autocommand to the username so it deletes itself after login, but I would have to give extra exec privileges to the user (huge security risk, so I didn't even try it).

Please help me find a solution...

Do you know of anything in the AAA attribute list that does something like that, or maybe some automation mechanism to remove the username, or even to change the user's attribute list to my No-Access attribute list?

FYI, I can't use TACACS or RADIUS due to some technical problems.

Accepted Solution

Philip D'Ath
VIP Alumni

First, what you are trying to do is well beyond what can be done on-box.

Now let's move on to clever solutions. Using kron was close, but you need to use an event action script instead that is time-triggered. This is not a working example, just a lot of good hints (a time trigger, and executing a "conf t" command).

event manager applet remove-user
 ! watchdog timer: fires every 1800 seconds (30 min) for as long as the applet is configured
 event timer watchdog time 1800
 action 1.0 cli command "enable"
 action 2.0 cli command "conf t"
 ! replace xxx with the account to delete
 action 3.0 cli command "no username xxx"
 ! leave configuration mode; a bare "action ... end" only closes an if/while block
 action 4.0 cli command "end"

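Worked example, added here and not part of the original post or of Philip's reply: two EEM applets that implement the "credentials that work only for 2 days" requirement from the question without any RADIUS/TACACS. The first uses a one-shot countdown timer (the watchdog in the hint above re-fires every interval), the second removes the account at a fixed calendar time with a cron entry. The account name "tempuser", the applet names, the password and the date are placeholders chosen for this example.

```cisco
! Added example - hypothetical names throughout (tempuser, expire-tempuser,
! expire-tempuser-at, password). Requires an IOS release with EEM timer events.
!
! Step 1: the temporary local account. Default privilege 1 is enough for a
! VPN login; do not raise it just to make the account delete itself.
username tempuser privilege 1 secret ChangeMe-123
!
! Step 2a: one-shot expiry. The countdown starts when the applet is registered,
! so configure it immediately after the username. 172800 s = 48 h.
! Caveat: a reload before expiry restarts the countdown from zero, which is
! why the applet also saves the config once the account is gone.
event manager applet expire-tempuser
 event timer countdown time 172800
 action 1.0 syslog priority notifications msg "EEM: removing temporary user tempuser"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "no username tempuser"
 ! the applet has done its job; unregister it so it cannot be re-armed
 ! (assumption: your release allows an applet to remove itself; if not,
 ! drop this line and clean the applet up by hand)
 action 5.0 cli command "no event manager applet expire-tempuser"
 action 6.0 cli command "end"
 ! persist the deletion so the account does not reappear after a reload
 action 7.0 cli command "write memory"
!
! Step 2b: alternative - expire at a wall-clock time instead of a duration.
! cron-entry fields: minute hour day-of-month month day-of-week.
! This fires at 08:00 on 15 June; the router clock must be correct (use NTP),
! otherwise the account lives until the clock happens to match.
event manager applet expire-tempuser-at
 event timer cron cron-entry "0 8 15 6 *"
 action 1.0 syslog priority notifications msg "EEM: removing temporary user tempuser (scheduled)"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "no username tempuser"
 action 5.0 cli command "no event manager applet expire-tempuser-at"
 action 6.0 cli command "end"
 action 7.0 cli command "write memory"
```

Checks worth doing after pasting this: "show event manager policy registered" should list the applet with its timer, and "debug event manager action cli" shows the exact CLI exchange if the deletion does not happen (a typical cause is the "enable" step waiting for a password). Two caveats a practitioner should keep in mind: deleting the username does not tear down a session that is already established, so if the user must be cut off at expiry add a "clear webvpn session user tempuser context <your-context>" step as well; and because the applet issues "write memory", any other unsaved changes on the router are committed at the same moment.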
Thanks a million times!!! It worked... I mixed some event triggers like cron, watchdog and countdown to build perfect mechanisms for this system...

I know that branch routers like the 2811 are not built for this, but first of all I love challenges :-) and besides that, as I'm working in a small company with limited resources, I have to make it work :-) The whole configuration (without the detailed ACLs, which must be added later on) is about 250 lines!!! but it works, and it works fine...

Thanks for your help!