06-09-2009 07:37 PM - edited 03-04-2019 05:03 AM
Hi, I have a resource on router R4. I have to implement a policy stating that before using any resource on R4, you have to authenticate on R1 with username CISCO. My question is: I have two options for autocommand, e.g. vty line and username. Which one do I have to follow?
Router(config-line)# autocommand access-enable [host] [timeout minutes]
or
Router(config)# Username CISCO autocommand access-enable [host] [timeout minutes]
06-09-2009 11:05 PM
Hello Rupesh,
When I tested this on a C3725 with 12.3T, the effective command was the first one, under line vty.
I didn't like my test results: I had the impression there were troubles with AAA new-model on the device.
I was not able to get access to the router after the lock and key triggered.
It was a lab and I could easily recover with a power cycle.
About the options, the 12.3 documentation says:
The autocommand Command
Use the following guidelines for configuring the autocommand command:
• If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand command on the line.
• Configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list
I tried local authentication with authentication on the line but using aaa new-model.
Hope to help
Giuseppe
06-09-2009 11:17 PM
Where do we have to give autocommand access-enable: on vty or on username, if using local authentication?
06-10-2009 02:32 AM
Hello Rupesh,
>> If you use local authentication, use the autocommand command on the line.
I did so
Hope to help
Giuseppe
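The documentation guideline quoted in this thread (same autocommand on every VTY port, none omitted) can be checked against a saved configuration. The following is an added example, not code from the thread or from Cisco; the sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
line con 0
line vty 0 4
 login local
 autocommand access-enable host timeout 5
line vty 5 15
 login local
!
end
"""

def vty_autocommands(config):
    """Map each 'line vty' block header to its autocommand (or None)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            # A new line block starts; track it only if it is a VTY block.
            current = raw.strip() if raw.startswith("line vty") else None
            if current:
                blocks[current] = None
        elif raw[:1] not in (" ", "\t"):
            current = None  # any other unindented line closes the block
        elif current:
            m = re.match(r"\s+autocommand\s+(.*\S)", raw)
            if m:
                blocks[current] = m.group(1)
    return blocks

def audit(config):
    """Return findings for the two guideline violations quoted above."""
    blocks = vty_autocommands(config)
    findings = [f"{name}: no autocommand access-enable"
                for name, cmd in blocks.items()
                if cmd is None or not cmd.startswith("access-enable")]
    distinct = {cmd for cmd in blocks.values() if cmd}
    if len(distinct) > 1:
        findings.append("VTY blocks use different autocommand commands: "
                        + "; ".join(sorted(distinct)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty result means every VTY block in the file carries the same access-enable autocommand.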