4/7/08

Lock and Key (Dynamic ACLs)

Lock and key (also known as a dynamic ACL) lets you open a temporary, per-user access entry between a particular source and destination after the user has authenticated to the router. The feature depends on three items: the Telnet protocol, an authentication process (local, TACACS+ or RADIUS), and an extended ACL.


The following steps describe how lock-and-key access operates.

  1. Configure an extended ACL that blocks traffic through the router but explicitly permits Telnet to the router from the users' hosts. This is essential: the user must be able to telnet to the router to open the dynamic entry, so if the ACL denies everything the whole process fails.
  2. A user who wants to pass traffic through the lock-and-key router initiates a Telnet session to the router and authenticates with valid credentials. Telnet carries the username and password in cleartext, so this authentication hop should cross only a trusted segment.
  3. Authentication is performed either locally on the router or by a remote TACACS+ or RADIUS server. (Cisco recommends a TACACS+ server.)
  4. When authentication succeeds, the router runs access-enable, disconnects the Telnet session, and adds a dynamic entry to the extended ACL configured earlier. The entry permits the user's traffic for a limited period (governed by an idle timeout and an absolute timeout), after which it is removed.


Follow the steps shown to configure lock-and-key access. Note this example uses local router authentication.

Configure a local username for authentication:

username must password must123


Under the vty lines, configure login local so that Telnet sessions to the router are authenticated against the local username database.

line vty 0 4
login local


To invoke the access-enable command automatically after a successful login and set its idle timeout, use one of the following methods. In both, the host keyword restricts the dynamic entry to the source address of the Telnet session; without it the entry is created with the template's source (any), which defeats the per-user control.

  1. Attach the autocommand to the username configured above, so the timeout is controlled on a per-user basis. Accounts without the autocommand (for example, administrators) still get a normal exec shell.
    username must autocommand access-enable host timeout 10
  2. Configure the autocommand on the vty lines, so that every user who telnets in gets the same timeout. Note that this applies to every Telnet login, including administrators, who will be disconnected as soon as access-enable runs.
    line vty 0 4
    login local
    autocommand access-enable host timeout 10


The value 10 in the previous example is the idle timeout, in minutes, for the dynamic entry: if no traffic matches the entry for 10 minutes, it is removed. The absolute timeout configured on the dynamic ACL entry always supersedes this value, so the entry never lives longer than the absolute timeout even while traffic is flowing.


Then configure the extended ACL whose dynamic entry is created when a user (any user) logs in to the router and the access-enable command is invoked. The timeout value on the dynamic entry is the absolute timeout: here 15 minutes, versus the 10-minute idle timeout set by the autocommand. After 15 minutes the dynamic entry is removed regardless of usage and whether anyone is still connected. Limit this "hole" in the filter to what the user actually needs by restricting the destination address and the protocol/port details (the source of any in the template is replaced by the authenticated host's address when the entry is created). The following example allows the user to connect to the SSH server 192.168.1.1 (TCP port 22) after a successful authentication.

access-list 102 dynamic myacl timeout 15 permit tcp any host 192.168.1.1 eq 22


The ACL must also explicitly permit the users' hosts to telnet to the router, as shown in the example that follows; otherwise the user can never authenticate and no dynamic entry is ever created. The IP address used here is the Ethernet IP address of the router interface to which the user telnets to authenticate and open the dynamic hole.

access-list 102 permit tcp any host 172.16.1.2 eq telnet

Apply this ACL to the interface on which the user is connected:
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip access-group 102 in
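
Putting the steps together, here is one complete lock-and-key configuration using local authentication and the per-user autocommand method. This is an added example, not configuration from the page or from Cisco; it assumes the inside interface Ethernet0 at 172.16.1.2/24, the SSH server 192.168.1.1 and the username must from the text, restricts the Telnet permit to the 172.16.1.0/24 user subnet, and adds a hypothetical administrator account named ops that deliberately has no autocommand.

```cisco
! Lock-and-key (dynamic ACL) with local authentication and per-user autocommand.
! Added example, not configuration from the page. Assumes Ethernet0 = 172.16.1.2/24,
! protected SSH server = 192.168.1.1, user subnet 172.16.1.0/24, hypothetical admin "ops".
!
! Local users. "secret" stores a hash instead of the reversible type-7 "password".
username must secret must123
! Run access-enable automatically for this user only. "host" binds the dynamic
! entry to the source address of the Telnet session; 10 = idle timeout (minutes).
username must autocommand access-enable host timeout 10
! Administrator account: no autocommand, so it keeps a normal exec shell.
username ops secret ops123
!
line vty 0 4
 login local
! No autocommand on the vty lines: it would apply to every login, including ops.
!
! Extended ACL applied inbound on the inside interface.
! Dynamic template: "any" is replaced by the authenticated host when the entry is
! created. timeout 15 = absolute timeout (minutes); it supersedes the idle timeout.
access-list 102 dynamic myacl timeout 15 permit tcp any host 192.168.1.1 eq 22
! Users must be able to telnet to the router to authenticate (limited to their subnet).
access-list 102 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.2 eq telnet
! Everything else is dropped: the implicit deny, made explicit and logged.
access-list 102 deny ip any any log
!
interface Ethernet0
 ip address 172.16.1.2 255.255.255.0
 ip access-group 102 in
```

To verify, have a user telnet to 172.16.1.2 and log in as must; the session is dropped immediately, and show access-lists on the router should then list a dynamic line beneath entry 10 carrying that user's source address and a time left value. Logging in as ops from the same subnet gives an ordinary router prompt and creates no dynamic entry, which is the reason for choosing the per-user method over the vty-wide autocommand.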


After a user has authenticated successfully, a dynamic entry carrying the user's source address is added beneath the dynamic template in the extended ACL. In the sample output that follows, the user's host is 172.16.1.5 and it is permitted to reach the SSH server at 192.168.1.1 for the time left shown; all other traffic from this host is still blocked by the implicit deny.

Router# show access-lists
Extended IP access list 102
10 Dynamic myacl permit tcp any host 192.168.1.1 eq 22
   permit tcp host 172.16.1.5 host 192.168.1.1 eq 22 (time left 160)
20 permit tcp any host 172.16.1.2 eq telnet (104 matches)


A dynamic entry is added to the ACL for every user who passes authentication, keyed on the source IP address of the Telnet session. Note that the entry is bound to an address, not to a user: anything that can send traffic from that address during the timeout window (another user on the same host, or a spoofed source) inherits the access, so keep the timeouts short and the permitted destinations narrow.
