Wednesday, April 20, 2016

Lock and Key ACLs

Lock and key ACLs, also called dynamic ACLs, allow you to grant access on a per-user basis, after authentication, to destinations that would otherwise be blocked.  This functionality relies on three technologies: Telnet or SSH, an authentication process, and an extended ACL.

Here's the basic idea of how it operates. First, the user starts a Telnet or SSH session to the router that the Lock and Key ACL is configured on. The router prompts the user to authenticate.  After the user successfully authenticates, the router closes the Telnet session and then creates a dynamic entry or entries in the extended access-list.  This entry or entries allow that user access for a set amount of time.  Once that time has expired, the router removes the dynamic entries from the extended access-list.  This time period can be configured as an idle timer or as an absolute timeout.

We'll use the following topology to demonstrate.  In this network, there is a host PC where the user who needs access sits, the server that the user requires access to, and the router configured with the Lock and Key ACL to grant that access.  The router interface will have the .1 address on both networks, and the hosts will be .2 on their respective networks.  For simplicity's sake, we'll just use Telnet in this simulation.
Let's move on to the configuration now.  The first thing we'll do is to configure a local user with the name test. User authentication can be done using the local database, an AAA server, or a line password on the VTY lines. We'll create a user like any other local user, and then the second line associates the user with the lock and key ACL.  Without the second line, the user will telnet into the router as normal.

username test password 123
username test autocommand access-enable host timeout 10

Next, we'll create the extended ACL.  Don't forget to permit any traffic needed by the network such as routing protocol, and permit Telnet traffic to the router itself.  For the sake of testing, I'm going to also allow pings to this interface.  Then apply that ACL to the appropriate router interface. You can allow all access beyond this router with permit ip any any, or you can get granular with individual subnets or hosts.

access-list 100 permit ospf any any
access-list 100 permit icmp any any
access-list 100 permit tcp any host eq telnet
access-list 100 dynamic ACCESS timeout 15 permit ip any any
access-list 100 deny ip any any log

interface FastEthernet0/0
 ip address
 ip access-group 100 in

Finally, configure the VTY lines for telnet access as you normally would.  You can also set a global timeout value on the VTY line.

line vty 0 4
 login local
 autocommand access-enable host timeout 5

Note that we've set timeout values in three different places.  The absolute timeout in the dynamic ACL will supersede values set on the user and on the VTY lines, and the timeout set per user overrides that of the ACL, which is the default timeout.

Let's test this ACL now.  First on pc1, note that we're able to ping the first router interface, but we're not able to ping through to the server.

So let's authenticate to the router.  Simply type telnet at the c: prompt and enter the credentials for the test user.  Now, you'll be able to ping through to server1 and reach its web page.
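As an added example, not taken from the original post, here is the same Lock and Key setup with the two changes you would normally want in production: SSH in place of Telnet to the router, and a dynamic entry scoped to the server's subnet instead of permit ip any any. All addresses are constructed from the documentation ranges, and the ACL name OUTSIDE-IN is my own choice.

```cisco
! Added example, not the original post's configuration.
! Constructed addressing: outside net 198.51.100.0/24 (PC .2, router .1),
! server net 192.0.2.0/24 (server .2, router .1).
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Local user: "secret" stores a hash rather than the reversible "password".
! The access-enable timeout (10 minutes) is the idle timer for this user's
! dynamic entry.
username test secret ChangeMe123
username test autocommand access-enable host timeout 10
!
! Extended ACL on the outside interface. Only SSH to the router's own
! address is opened (no Telnet), plus OSPF and ICMP to the interface for
! testing. The dynamic entry created after authentication reaches only the
! server network and expires absolutely after 15 minutes.
ip access-list extended OUTSIDE-IN
 permit ospf any any
 permit icmp any host 198.51.100.1
 permit tcp any host 198.51.100.1 eq 22
 dynamic ACCESS timeout 15 permit ip any 192.0.2.0 0.0.0.255
 deny ip any any log
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! VTY lines accept SSH only; the line-level access-enable timeout (5) is the
! fallback idle timer for users without their own autocommand.
line vty 0 4
 login local
 transport input ssh
 autocommand access-enable host timeout 5
!
! Verification from enable mode: after the user authenticates, the dynamic
! entry appears under the ACL with the source host filled in, and it can be
! cleared by hand before its timers expire.
! show access-lists OUTSIDE-IN
! clear access-template OUTSIDE-IN ACCESS host 198.51.100.2 any
```

With this version, an authenticated user still cannot reach anything beyond the server subnet, and the deny-with-log line records any attempt to do so.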


