Monday, November 24, 2008

Lock and Key ACL


A Lock and Key ACL is also known as a dynamic ACL. This feature effectively allows a router to control downstream access to other devices.

Once the user has authenticated to the router, access is opened up according to the configured dynamic ACL entry, which stays inactive until that authentication happens.

R3 ------ R2 ------R7

In this scenario telnet access to R7 is prohibited by R2 until the user has authenticated to R2.

ip access-list extended RICH
dynamic TEST permit tcp any host 150.1.7.7 eq telnet
deny tcp any host 150.1.7.7 eq telnet
permit ip any any

line vty 0 4
login local

username RICH password RICH
username RICH autocommand access-enable timeout 5


From R3 I try to telnet to R7.

R3#telnet 150.1.7.7
Trying 150.1.7.7 ...
% Destination unreachable; gateway or host down


I then telnet to R2 first...
R3#telnet 150.1.2.2
Trying 150.1.2.2 ... Open


User Access Verification

Username: RICH
Password:
[Connection to 150.1.2.2 closed by foreign host]

Once authenticated to R2, control is returned to R3, from where I can now telnet to R7.
R3#telnet 150.1.7.7
Trying 150.1.7.7 ... Open

Router_7>

On R2 I examine the access-list and can see the dynamic ACL has been activated.

Extended IP access list RICH
10 Dynamic DYNAMIC permit tcp any any eq telnet
permit tcp any any eq telnet (6 matches) (time left 281)
20 deny tcp any host 150.1.7.7 eq telnet (45 matches)
30 permit ip any any (1005 matches)


N.B.
In a later lock and key scenario I encountered an extra requirement: once authenticated, the user alone should be the only one able to access the host via telnet. This was initially food for thought, as with the configuration above access is opened up from 'any' source.

In fact, to tie a dynamic access list down to the user in question the autocommand must include the 'host' keyword, i.e.

username RICH autocommand access-enable host timeout 1
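To make the difference between the two autocommands concrete, the following is an added Python model of how R2 evaluates the RICH access list; it is not Cisco code or anything from the original post. It models the three ACL entries from the post, assumes the list is applied inbound on R2's interface facing R3, and uses constructed addresses for R3 (150.1.3.3) and a second host (150.1.9.9). It shows that without 'host' the authenticated entry opens telnet to 150.1.7.7 from any source, that with 'host' only the source that authenticated is permitted, and that the entry disappears once the absolute timeout expires.

```python
"""Model of Cisco lock-and-key (dynamic) ACL behaviour.

Added example, not from the original post. Addresses for R3 and the
'other' host, the clock values and the helper names are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

TELNET = 23
R3, R7, OTHER = "150.1.3.3", "150.1.7.7", "150.1.9.9"  # constructed sample hosts


@dataclass
class DynamicEntry:
    """Models: dynamic TEST permit tcp any host 150.1.7.7 eq telnet.

    Each activation is (source_filter, expiry). A source_filter of None
    means 'any' (autocommand without 'host'); otherwise the entry is bound
    to the single source that authenticated (autocommand with 'host').
    """
    dst: str
    dport: int
    active: list = field(default_factory=list)

    def activate(self, now: float, timeout_min: int, src: Optional[str]) -> None:
        # access-enable [host] timeout N: absolute timeout given in minutes
        self.active.append((src, now + timeout_min * 60))

    def matches(self, now: float, src: str, dst: str, dport: int) -> bool:
        # Drop temporary entries whose absolute timeout has passed
        self.active = [(s, exp) for s, exp in self.active if exp > now]
        if dst != self.dst or dport != self.dport:
            return False
        return any(s is None or s == src for s, _ in self.active)


class LockAndKeyACL:
    """Extended ACL RICH from the post: dynamic entry, explicit deny, permit any."""

    def __init__(self, protected_host: str):
        self.protected_host = protected_host
        self.dynamic = DynamicEntry(dst=protected_host, dport=TELNET)

    def permit(self, now: float, src: str, dst: str, dport: int) -> bool:
        if self.dynamic.matches(now, src, dst, dport):
            return True            # temporary entry created by access-enable
        if dst == self.protected_host and dport == TELNET:
            return False           # deny tcp any host 150.1.7.7 eq telnet
        return True                # permit ip any any

    def user_login(self, now: float, src: str, use_host_keyword: bool, timeout_min: int) -> None:
        """Simulates the autocommand that runs after 'login local' succeeds."""
        self.dynamic.activate(now, timeout_min, src if use_host_keyword else None)


def run_scenario(use_host_keyword: bool, timeout_min: int = 5) -> dict:
    """Replays the post's sequence: telnet blocked, log in to R2, telnet again."""
    acl = LockAndKeyACL(R7)
    before = acl.permit(0, R3, R7, TELNET)                   # R3 -> R7 before login
    acl.user_login(now=10, src=R3, use_host_keyword=use_host_keyword,
                   timeout_min=timeout_min)                  # R3 authenticates to R2
    after_self = acl.permit(20, R3, R7, TELNET)              # R3 -> R7 after login
    after_other = acl.permit(20, OTHER, R7, TELNET)          # another host -> R7
    non_telnet = acl.permit(20, OTHER, R7, 80)               # non-telnet traffic
    expired = acl.permit(10 + timeout_min * 60 + 1, R3, R7, TELNET)
    return {
        "before_login": before,
        "after_login_same_host": after_self,
        "after_login_other_host": after_other,
        "non_telnet_always_permitted": non_telnet,
        "after_timeout": expired,
    }


if __name__ == "__main__":
    print("without host:", run_scenario(use_host_keyword=False))
    print("with host:   ", run_scenario(use_host_keyword=True))
```

The two runs differ only in `after_login_other_host`: the plain `access-enable timeout 5` from the post opens 150.1.7.7 to every source for the timeout window, while `access-enable host timeout 1` opens it only to the address that logged in. In both cases the entry is gone after the absolute timeout, which is why the `time left` counter appears in the `show access-list` output.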

N.B.B One further note: the autocommand can be applied directly under the vty line and thus applies to all vty logins.

line vty 0 4
autocommand access-enable host timeout 1


N.B.B.B!!! Whilst researching this I realised that the autocommand feature can be used to execute any command upon user login. For example

username RICH autocommand show ip interface brief

This works! Once the user has logged in, the interface status is displayed and then the user is logged out.
