10.3 Dynamic access lists: lock-and-key
10.3.4 Configuring lock-and-key authentication
A router can be configured to authenticate for lock-and-key using its own locally created database or a centralized database on a network server. Local authentication can become burdensome when it has to be repeated on dozens of routers. To prevent this administrative overhead, routers and other nodes can be pointed to the security server to authenticate username and password combinations. These security servers can keep track of all users and passwords in the network in a single centralized database. Typically, a network administrator will choose either a TACACS+ or a RADIUS server for this purpose.

The following configuration uses a simple local database for user authentication.

RTA(config)#username ernie password bert
RTA(config)#line vty 0 4
RTA(config-line)#login local

You can see that we have configured a single user, ernie. The login local command configures all five VTY lines to authenticate users via the local username/password database.

The final step in configuring lock-and-key is to enable the router to create a temporary access list entry in the dynamic access list that was specified in the original ACL (UNLOCK, continuing the example from 10.3.3). The router will not do this by default. The router can be configured to create temporary access list entries in two ways. The first is for the authenticated user to issue the following command manually:

router#access-enable [host] [timeout minutes]

A simple access-enable command will work, but the optional keywords are strongly advised. If the host keyword is used, the temporary entry will be created for the user's individual IP address. Without the host keyword, the user's entire network (or IP subnet) is permitted by the temporary entry.

The timeout keyword specifies the idle timeout, which is how long the connection can remain idle before being terminated. If the access list entry is not used within this period, it is automatically deleted and requires the user to authenticate again. The default is for the entries to remain permanently.

Note: If you configure both idle and absolute timeouts, the idle timeout value must be less than the absolute timeout value.

The router could also be configured to create temporary access list entries automatically. To set up lock-and-key, you configure the VTY lines so that the router automatically issues the access-enable command and then logs the user out. This is accomplished using the autocommand feature, as shown:

RTA(config)#line vty 0 4
RTA(config-line)#autocommand access-enable host timeout 20

By configuring the VTYs with autocommand access-enable, the hole in the firewall is automatically created each time the user authenticates via Telnet. That completes lock-and-key configuration.
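The following configuration pulls the pieces of this section together with the dynamic ACL UNLOCK from 10.3.3, showing where the absolute timeout (on the dynamic entry) and the idle timeout (on access-enable) each live so that the note above is satisfied. It is an added example, not from the original text; the ACL number 101, the interface name and the addresses are assumed values chosen for illustration.

```cisco
! Added example, not part of the original section. ACL number, interface
! name and addresses below are assumed for illustration.
!
! Local user database (a TACACS+ or RADIUS server replaces this at scale)
username ernie password bert
!
! Extended ACL 101. The first line lets outside users Telnet to the router
! itself so they can authenticate. The dynamic entry UNLOCK stays inactive
! until access-enable runs; its timeout 120 is the ABSOLUTE timeout in
! minutes. Everything else is dropped by the implicit deny at the end.
access-list 101 permit tcp any host 203.0.113.1 eq telnet
access-list 101 dynamic UNLOCK timeout 120 permit ip any 10.0.0.0 0.255.255.255
!
! Apply the ACL inbound on the outside interface
interface Serial0
 ip address 203.0.113.1 255.255.255.0
 ip access-group 101 in
!
! VTY lines: authenticate against the local database, then automatically
! run access-enable and log the user out.
!   host       - open the entry only for the authenticating user's address,
!                not the user's whole subnet
!   timeout 20 - 20-minute IDLE timeout; must be less than the 120-minute
!                absolute timeout set on the dynamic entry above
line vty 0 4
 login local
 autocommand access-enable host timeout 20
```

Because the autocommand applies to all five VTY lines, every Telnet login, including an administrator's, runs access-enable and is disconnected; interactive management of the router then needs the console or a separately configured line.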