[Security] 3. Dynamic Access-list (Lock & Key)

2008/12/09 15:37

Configuring Lock-and-Key

To configure lock-and-key, use the following commands beginning in global configuration mode. While completing these steps, be sure to follow the guidelines listed in the "Lock-and-Key Configuration Guidelines" section of this chapter.

Command / Purpose

Step 1 

Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} telnet source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log]

Configures a dynamic access list, which serves as a template and placeholder for temporary access list entries.

Step 2 

Router(config)# access-list dynamic-extend

(Optional) Extends the absolute timer of the dynamic ACL by six minutes when you open another Telnet session into the router to re-authenticate yourself using lock-and-key. Use this command if your job will run past the ACL's absolute timer.

Step 3 

Router(config)# interface type number

Configures an interface and enters interface configuration mode.

Step 4 

Router(config-if)# ip access-group access-list-number

Applies the access list to the interface.

Step 5 

Router(config-if)# exit

Exits interface configuration mode and enters global configuration mode.

Step 6 

Router(config)# line vty line-number [ending-line-number]

Defines one or more virtual terminal (VTY) ports and enters line configuration mode. If you specify multiple VTY ports, they must all be configured identically because the software hunts for available VTY ports on a round-robin basis. If you do not want to configure all your VTY ports for lock-and-key access, you can specify a group of VTY ports for lock-and-key support only.

Step 7 

Router(config-line)# login tacacs

or

Router(config-line)# password password

or

Router(config-line)# login local

or

Router(config-line)# exit

then

Router(config)# username name password secret

Configures user authentication in line or global configuration mode.

Step 8 

Router(config-line)# autocommand access-enable [host] [timeout minutes]

or

Router(config)# autocommand access-enable [host] [timeout minutes]


Enables the creation of temporary access list entries in line or global configuration mode. If the optional host keyword is not specified, all hosts on the entire network are allowed to set up a temporary access list entry. The dynamic access list contains the network mask to enable the new network connection.

Dynamic Access Lists

Use the following guidelines for configuring dynamic access lists:

Do not create more than one dynamic access list for any one access list. The software only refers to the first dynamic access list defined.

Do not assign the same dynamic-name to another access list. Doing so instructs the software to reuse the existing list. All named entries must be globally unique within the configuration.

Assign attributes to the dynamic access list in the same way you assign attributes for a static access list. The temporary access list entries inherit the attributes assigned to this list.

Configure Telnet as the protocol so that users must open a Telnet session into the router to be authenticated before they can gain access through the router.

Either define an idle timeout now with the timeout keyword in the access-enable command in the autocommand command, or define an absolute timeout value later with the access-list command. You must define either an idle timeout or an absolute timeout—otherwise, the temporary access list entry will remain configured indefinitely on the interface (even after the user has terminated their session) until the entry is removed manually by an administrator. (You could configure both idle and absolute timeouts if you wish.)

If you configure an idle timeout, the idle timeout value should be equal to the WAN idle timeout value.

If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.

If you realize that a job will run past the ACL's absolute timer, use the access-list dynamic-extend command to extend the absolute timer of the dynamic ACL by six minutes. This command allows you to open a new Telnet session into the router to re-authenticate yourself using lock-and-key.

The only values replaced in the temporary entry are the source or destination address, depending on whether the access list was applied as an input access list or an output access list. All other attributes, such as port, are inherited from the main dynamic access list.

Each addition to the dynamic list is always put at the beginning of the dynamic list. You cannot specify the order of temporary access list entries.

Temporary access list entries are never written to NVRAM.

Lock-and-Key with Local Authentication Example

This example shows how to configure lock-and-key access, with authentication occurring locally at the router. Lock-and-key is configured on the Ethernet 0 interface.

interface ethernet0
 ip address 172.18.23.9 255.255.255.0
 ip access-group 101 in

access-list 101 permit tcp any host 172.18.21.2 eq telnet
access-list 101 dynamic mytestlist timeout 120 permit ip any any

line vty 0
 login local
 autocommand access-enable timeout 5

The first access-list entry allows only Telnet into the router. The second access-list entry is always ignored until lock-and-key is triggered.

In the access-list command, the timeout is the absolute timeout. In this example, the lifetime of the mytestlist ACL is 120 minutes; that is, when a user logs in and the access-enable autocommand executes, a dynamic ACL entry is created for 120 minutes (the maximum absolute time). The session is closed after 120 minutes, whether or not anyone is using it.

In the autocommand command, the timeout is the idle timeout. In this example, each time the user logs in or authenticates there is a 5-minute session. If there is no activity, the session closes in 5 minutes and the user has to reauthenticate. If the user keeps using the connection, the absolute time takes effect and the session closes in 120 minutes.

After a user opens a Telnet session into the router, the router will attempt to authenticate the user. If authentication is successful, the autocommand executes and the Telnet session terminates. The autocommand creates a temporary inbound access list entry at the Ethernet 0 interface, based on the second access-list entry (mytestlist). This temporary entry will expire after 5 minutes, as specified by the timeout.
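The lifecycle described above, as an added model written for this page (it is not IOS code): it parses the page's dynamic access-list line, applies the guideline checks on idle and absolute timers, creates a temporary entry the way access-enable does (source replaced, prepended to the list, 'any' when the host keyword is omitted), and expires entries on either timer. The host addresses used are constructed sample values.

```python
# Added model (not IOS code) of lock-and-key temporary entries; times are in minutes.
import re
from dataclasses import dataclass, field
# Template entry, copied from the page's example configuration.
PAGE_CONFIG = "access-list 101 dynamic mytestlist timeout 120 permit ip any any"

@dataclass
class DynamicAcl:
    name: str
    absolute_min: "int | None"   # 'timeout' on the access-list line (absolute timer)
    ace_fmt: str                 # inherited attributes; only {src} is filled per user
    entries: list = field(default_factory=list)   # temporary entries, newest first

def parse_dynamic_acl(config):
    """Return the first 'dynamic' entry in the config; IOS honours only the first one."""
    pat = r"access-list \d+ dynamic (\S+)(?: timeout (\d+))? (permit|deny) (\S+) (\S+) (.+)"
    for line in config.splitlines():
        m = re.match(pat, line.strip())
        if m:
            name, absolute, action, proto, _src, dst = m.groups()
            return DynamicAcl(name, int(absolute) if absolute else None,
                              f"{action} {proto} {{src}} {dst}")
    return None

def check_timeouts(absolute_min, idle_min):
    """Guideline check: at least one timer, and idle < absolute when both are set."""
    if absolute_min is None and idle_min is None:
        return "error: entry would never expire"
    if None not in (absolute_min, idle_min) and idle_min >= absolute_min:
        return "error: idle timeout must be less than absolute timeout"
    return "ok"

def access_enable(acl, host, now, idle_min=None, per_host=True):
    """autocommand access-enable [host] [timeout idle]: prepend a temporary entry.
    Inbound lists replace only the source; without 'host' the source stays 'any'."""
    src = f"host {host}" if per_host else "any"
    entry = {"ace": acl.ace_fmt.format(src=src),
             "created": now, "last_used": now, "idle": idle_min}
    acl.entries.insert(0, entry)      # new entries always go to the head of the list
    return entry

def touch(entry, now):
    """Matching traffic resets the idle timer; the absolute timer never resets."""
    entry["last_used"] = now

def expire(acl, now):
    """Remove entries whose idle or absolute timer has run out; return how many remain."""
    def alive(e):
        idle_hit = e["idle"] is not None and now - e["last_used"] >= e["idle"]
        abs_hit = acl.absolute_min is not None and now - e["created"] >= acl.absolute_min
        return not (idle_hit or abs_hit)
    acl.entries = [e for e in acl.entries if alive(e)]
    return len(acl.entries)
```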

Creative Commons License

Comments

  1. 써니 2008/12/20 05:27

    A bit harder than the Information Processing Engineer exam...

  2. 이권학 2008/12/23 18:27

    Whoa.... so this is Jinmo's homepage.... I came across it while searching for dynamic access-list material... hahaha
    Your girlfriend is pretty~ ^^ Had a good read, see you~