A router can be configured to authenticate for
lock-and-key using its own locally created database or a centralized database
on a network server. Local authentication can become burdensome when it has to
be repeated on dozens of routers. To prevent this administrative overhead,
routers and other nodes can be pointed to the security server to authenticate
username and password combinations. These security servers can keep track of
all users and passwords in the network in a single centralized database.
Typically, a network administrator will choose either a TACACS+ or a RADIUS
server for this purpose.
The following configuration uses a simple local
database for user authentication.
RTA(config)#username ernie password bert
RTA(config)#line vty 0 4
RTA(config-line)#login local
You can see that we have configured a single
user, ernie.
The login local command
configures all five VTY lines to authenticate users via the local
username/password database.
The final step to configuring lock-and-key is to
enable the router to create a temporary access list entry in the dynamic access
list that was specified in the original ACL (UNLOCK - continuing with the
example from 10.3.3). The router will not do this by default. The router can be
configured to create temporary access list entries in two ways. You could use
the following syntax to enable the creation of temporary entries:
router#access-enable [host] [timeout minutes]
A simple access-enable
command will work, but the optional keywords are strongly advised. If the host
keyword is used, the temporary entry will be created for the user's individual
IP address. Without the host
keyword, the user's entire network (or IP subnet) is permitted by the temporary
entry.
The timeout
keyword specifies the idle timeout, which is how long the connection can remain
idle before being terminated. If the access list entry is not used within this
period, it is automatically deleted and requires the user to authenticate
again. The default is for the entries to remain permanently.
Note: If you configure both idle and
absolute timeouts, the idle timeout value must be less than the absolute
timeout value.
The router could also be configured to create
temporary access list entries automatically. To set up lock-and-key, you configure the
VTY lines so that the router automatically issues the access-enable
command and then logs the user out. This is accomplished using the autocommand
feature, as shown:
RTA(config)#line vty 0 4
RTA(config-line)#autocommand access-enable host timeout 20
By configuring the VTYs with autocommand
access-enable, the hole in the firewall
is automatically created each time the user authenticates via Telnet. That
completes lock-and-key configuration.
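The pieces above (local username, login local on the VTY lines, a dynamic ACL entry, and autocommand access-enable) only work together if each is present and the timeouts are consistent. The following checker is an added example, not from the original text or from Cisco: it parses a constructed running-config snippet that puts the whole lock-and-key setup in one place and reports the mistakes the text warns about (missing host keyword, missing idle timeout, idle timeout not less than the absolute timeout on the dynamic entry). The ACL number 101, the router address 10.1.1.1 and the interface Ethernet0 are assumptions chosen for the sample; the dynamic list name UNLOCK and the user ernie come from the text.

```python
"""Sanity checks for a Cisco IOS lock-and-key configuration (added example).

Checks performed on the config text:
  * a dynamic ACL entry exists (the list that temporary entries go into),
  * each VTY 'autocommand access-enable' uses the host keyword,
  * each VTY 'autocommand access-enable' carries an idle timeout,
  * the idle timeout is less than the absolute timeout on the dynamic entry.
"""
import re

# Constructed sample configuration. ACL 101, 10.1.1.1 and Ethernet0 are assumptions.
SAMPLE_CONFIG = """\
username ernie password bert
access-list 101 dynamic UNLOCK timeout 120 permit ip any any
access-list 101 permit tcp any host 10.1.1.1 eq telnet
interface Ethernet0
 ip access-group 101 in
line vty 0 4
 login local
 autocommand access-enable host timeout 20
"""

# access-list <num> dynamic <name> [timeout <minutes>] permit|deny ...
DYNAMIC_RE = re.compile(
    r"^access-list\s+(\S+)\s+dynamic\s+(\S+)(?:\s+timeout\s+(\d+))?\s+(permit|deny)\b"
)
AUTOCMD_RE = re.compile(r"^autocommand\s+access-enable(?P<rest>.*)$")


def parse(config):
    """Return (dynamic entries by name -> (acl, absolute timeout or None),
    list of (vty section, host keyword present, idle timeout or None))."""
    dynamic = {}
    autocmds = []
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = DYNAMIC_RE.match(line)
        if m:
            acl, name, absolute, _action = m.groups()
            dynamic[name] = (acl, int(absolute) if absolute else None)
            continue
        if not raw.startswith(" "):
            # Unindented line opens a new config section (interface, line vty, ...).
            section = line
            continue
        m = AUTOCMD_RE.match(line)
        if m and section and section.startswith("line vty"):
            rest = m.group("rest").split()
            host = "host" in rest
            idle = None
            if "timeout" in rest:
                idx = rest.index("timeout")
                if idx + 1 < len(rest) and rest[idx + 1].isdigit():
                    idle = int(rest[idx + 1])
            autocmds.append((section, host, idle))
    return dynamic, autocmds


def check(config):
    """Return a list of findings; an empty list means the config passes."""
    dynamic, autocmds = parse(config)
    findings = []
    if not dynamic:
        findings.append("no dynamic ACL entry: there is no list to create temporary entries in")
    if not autocmds:
        findings.append("no 'autocommand access-enable' on VTY lines: temporary entries are never created")
    for section, host, idle in autocmds:
        if not host:
            findings.append(f"{section}: access-enable without 'host' opens the user's whole subnet")
        if idle is None:
            findings.append(f"{section}: access-enable without 'timeout' leaves temporary entries permanently")
        else:
            for name, (_acl, absolute) in dynamic.items():
                if absolute is not None and idle >= absolute:
                    findings.append(
                        f"{section}: idle timeout {idle} must be less than "
                        f"absolute timeout {absolute} on dynamic list {name}"
                    )
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG) or ["lock-and-key configuration looks consistent"]:
        print(finding)
```

Run it against the output of show running-config saved to a file to get the same findings for a real router; the sample passes as written, and dropping the host or timeout keywords, or raising the idle timeout to the absolute value, produces the corresponding finding.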