Lock-and-Key Access

alain.desnoyers
Level 1

I tried configuring Lock-and-Key access on the RSM of a Catalyst switch with the following commands:

username alain password alain
access-list 120 dynamic test timeout 5 permit ip any any
access-list 120 permit tcp any host 172.20.52.33 eq telnet
interface vlan20
 ip access-group 120 in

The access-list looks fine, just like the example I referred to.

When I telnet into the router, instead of getting a username and password prompt, I still get the normal prompt I got before I started this (the password prompt).

Only when I issue the login command do I get the username/password prompt.

What am I missing?

And also, I am not sure how I can have users use different dynamic access-lists based on individual user profiles.

4 Replies

fujin.huang
Level 1

You need to define the user alain to use the dynamic access-list:

username alain autocommand access-enable timeout 5

For the second question, I'm also trying that, but I seem not able to do it. Anyone got any idea on this?

mbellears
Level 1

The following will give you the login prompt:

line vty 0 4
 login local
 autocommand access-enable host timeout 2

Then you can have as many

username user password pass

lines as you need.

Re: your second question - try this: have loopback interfaces with unique live IPs and then assign the different ACLs to them. Entirely up to you who you give each IP to. Not a very elegant method (may not work, as it is untested!).

Other than the above, I'm not sure it can be done (maybe with a RADIUS/TACACS server it could be achieved?).

HTH,

MB

pmoulay
Level 1

You are missing the following command under line vty 0 4:

line vty 0 4
 login local    ; you are using the local database
                ; you can also specify tacacs+ for authentication

Also, as a precaution (or it will not work), add the following statement to your access-list:

access-l 101 permit tcp any any established
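To make the thread's answer concrete, here is an added toy model (written for this page, not Cisco code and not from any poster) of how lock-and-key evaluates ACL 120 from the question. It shows why the dynamic `permit ip any any` entry never activates in the configuration as posted (no `login local`, no `autocommand`), and what changes once the vty runs `access-enable host timeout 2` after a successful local login: a temporary per-host entry is inserted in the template's position, other hosts stay blocked, the entry dies after 2 idle minutes, and the `timeout 5` on the access-list line caps its life at 5 minutes even while traffic keeps flowing. The router address and ACL entries are from the thread; the client addresses, the SMTP test packet and the `Vty` class are constructed assumptions for the model.

```python
"""Toy model of Cisco IOS lock-and-key (dynamic ACL) behaviour.

Constructed example, not Cisco code. Models the thread's ACL 120: a static
permit for telnet to the router and a dynamic 'permit ip any any' template
that stays inactive until a user authenticates on a vty and the
'access-enable host timeout N' autocommand inserts a temporary per-host entry.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

ROUTER = "172.20.52.33"      # router address from the thread's ACL
TELNET = 23


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: str                 # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None
    dynamic: bool = False    # template entry: never matches traffic itself
    absolute_timeout: Optional[int] = None  # minutes, from the access-list line
    abs_deadline: Optional[float] = None    # temporary entries only (seconds)
    idle_timeout: Optional[int] = None      # minutes, from access-enable
    last_hit: Optional[float] = None

    def alive(self, now: float) -> bool:
        if self.abs_deadline is not None and now > self.abs_deadline:
            return False
        if self.idle_timeout is not None and now - self.last_hit > self.idle_timeout * 60:
            return False
        return True

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.dynamic or not self.alive(now):
            return False
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        self.last_hit = now  # traffic through a temporary entry resets its idle timer
        return True


class LockAndKeyACL:
    def __init__(self, entries):
        self.entries = list(entries)

    def evaluate(self, pkt: Packet, now: float) -> str:
        """First matching entry wins; the list ends with an implicit deny."""
        for e in self.entries:
            if e.matches(pkt, now):
                return e.action
        return "deny"

    def access_enable(self, src_host: str, now: float, host: bool, idle: Optional[int]) -> Entry:
        """Model of 'access-enable [host] [timeout idle]' run after a login from src_host."""
        idx, tpl = next((i, e) for i, e in enumerate(self.entries) if e.dynamic)
        temp = Entry(tpl.action, tpl.proto, f"{src_host}/32" if host else tpl.src,
                     tpl.dst, tpl.dport,
                     abs_deadline=now + tpl.absolute_timeout * 60 if tpl.absolute_timeout else None,
                     idle_timeout=idle, last_hit=now)
        self.entries.insert(idx, temp)  # temporary entry takes the template's position
        return temp


class Vty:
    """Hypothetical model of 'line vty 0 4' with an optional autocommand (host, idle)."""
    def __init__(self, acl: LockAndKeyACL, users: Dict[str, str],
                 login_local: bool, autocommand: Optional[Tuple[bool, int]] = None):
        self.acl, self.users, self.login_local, self.autocommand = acl, users, login_local, autocommand

    def telnet_login(self, src: str, user: str, pw: str, now: float) -> bool:
        if self.acl.evaluate(Packet(src, ROUTER, "tcp", TELNET), now) != "permit":
            return False          # the static telnet permit must let the session in first
        if not self.login_local or self.users.get(user) != pw:
            return False          # line password only: no username lookup, nothing runs access-enable
        if self.autocommand:
            self.acl.access_enable(src, now, *self.autocommand)
        return True


def demo() -> Dict[str, str]:
    def build() -> LockAndKeyACL:
        return LockAndKeyACL([
            Entry("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", dynamic=True, absolute_timeout=5),
            Entry("permit", "tcp", "0.0.0.0/0", f"{ROUTER}/32", TELNET),
        ])
    users = {"alain": "alain"}
    smtp = Packet("10.0.0.5", "172.20.52.40", "tcp", 25)   # constructed test traffic
    out = {}
    acl = build()                                          # as posted: no login local, no autocommand
    Vty(acl, users, login_local=False).telnet_login("10.0.0.5", "alain", "alain", 0)
    out["posted"] = acl.evaluate(smtp, 10)
    acl = build()                                          # with the replies' fix
    Vty(acl, users, login_local=True, autocommand=(True, 2)).telnet_login("10.0.0.5", "alain", "alain", 0)
    out["after_login"] = acl.evaluate(smtp, 10)
    out["other_host"] = acl.evaluate(Packet("10.0.0.6", "172.20.52.40", "tcp", 25), 10)
    for t in range(60, 241, 60):                           # steady traffic keeps the idle timer fresh
        out["kept_alive"] = acl.evaluate(smtp, t)
    out["absolute"] = acl.evaluate(smtp, 301)              # but the 5-minute absolute timeout wins
    acl = build()
    Vty(acl, users, login_local=True, autocommand=(True, 2)).telnet_login("10.0.0.5", "alain", "alain", 0)
    acl.evaluate(smtp, 0)
    out["after_idle"] = acl.evaluate(smtp, 121)            # 2 idle minutes elapsed
    return out


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps the template entry inert and only ever inserts a /32 for the authenticating host, which is the behaviour the `host` keyword in the reply buys you; drop `host` in the `autocommand` tuple (`(False, 2)`) and the temporary entry inherits the template's `any` source, so every host behind the interface gets the open window, which is the point to check when reviewing a lock-and-key configuration.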