13-4 Controlling Access with Lock and Key Security

  • Lock and Key uses dynamic access lists to temporarily allow access for certain authenticated users.

  • Traffic from users is normally blocked by an access list on a border router. To gain access, a user must open a Telnet session to that router and successfully authenticate.

  • Access can be finely controlled, down to a per-user basis.

  • After a dynamic access list entry has been created, it stays active for a preconfigured amount of time (based on an absolute or idle time) or until it is manually removed.

  • New dynamic entries are added to the beginning of the dynamic access list.

Configuration

  1. Create a dynamic access list.

    1. Use a named extended IP access list.

      • Create the access list and enable Telnet to the router:

         (global) ip access-list extended name
         (named-access-list) permit tcp any host ip-address eq telnet
         (named-access-list) deny ...

        The extended IP access list named name is used to control inbound access through a router. You must permit Telnet access with the second command so that external users can Telnet to the router and open a dynamic entry. Use the ip-address of the inbound router interface. The deny command represents any other commands that are necessary to block inbound traffic into your router.

      • Reference a named access list where dynamic entries will be put:

         (named-access-list) dynamic name [timeout minutes] permit ...

        The dynamic access list named name is used to contain dynamic or temporary entries that are added by Lock and Key. You don't need to create this list; the router creates it and adds or deletes entries to or from it as needed. The timeout keyword is used to set an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entry to remain in effect.

        The permit keyword should be used to define the conditions of the temporary access list entry. You can use a simple permit ip any any if you intend to trigger the temporary entries for a single host address, provided access-enable is run with the host keyword. The temporary entry is then added with one specific source address to the any destination address. Otherwise, you can trigger a temporary entry for an entire network address. In this case, use the permit keyword and define the specific protocol (if needed), the specific source network address and mask, and the specific destination network and mask. In other words, the temporary entry should open only specific access that was denied in the regular (nondynamic) access list.

    2. Use a numbered extended IP access list.

      • Create the access list and enable Telnet to the router:

         (global) access-list number permit tcp any host ip-address eq telnet
         (global) access-list number deny ...

        The extended IP access list number (100 to 199 or 2600 to 2699) is used to control inbound access through a router. You must permit Telnet access with the second command so that external users can Telnet to the router and open a dynamic entry. Use the ip-address of the inbound router interface. The deny command represents any other commands that are necessary to block inbound traffic into your router.

      • Reference a named access list where dynamic entries will be put:

         (global) access-list number dynamic name [timeout minutes] permit ...

        The dynamic access list named name is used to contain dynamic or temporary entries that are added by Lock and Key. You don't need to create this list; the router creates it and adds or deletes entries to or from it as needed. The timeout keyword is used to set an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entry to remain in effect.

        The permit keyword should be used to define the conditions of the temporary access list entry. You can use a simple permit ip any any if you intend to trigger the temporary entries for a single host address, provided access-enable is run with the host keyword. The temporary entry is then added with one specific source address to the any destination address. Otherwise, you can trigger a temporary entry for an entire network address. In this case, use the permit keyword and define the specific protocol (if needed), the specific source network address and mask, and the specific destination network and mask. In other words, the temporary entry should open only specific access that was denied in the regular (nondynamic) access list.

  2. Apply the access list to an inbound interface:

     (interface) ip access-group access-list in

    The named or numbered access-list is used to filter inbound traffic on the interface. Filtering follows the normal access list definitions until dynamic entries are added by Lock and Key. Entries are still evaluated in order: the temporary entries take the position of the dynamic statement in the list, so a static deny placed ahead of the dynamic statement that matches the user's traffic continues to block it even after authentication. Place the dynamic statement before any such deny.

  3. Use authentication on the VTY (Telnet) lines:

     (line) login {local | tacacs}

    -OR-

     (line) login authentication {default | list-name}

    Authentication must be enabled on the VTY lines so that external users can Telnet to the router and attempt to authenticate themselves for a dynamic Lock and Key entry. If AAA is used (see Section 13-2 for more information), use the login authentication command. Otherwise, you can authenticate against usernames and passwords configured on the router with login local or against a TACACS server database with login tacacs. Because Telnet carries the login exchange in cleartext, the credentials used for Lock and Key are exposed to anyone able to observe the path between the user and the router.

  4. Automatically add the dynamic access list entry:

     (line) autocommand access-enable [host] [timeout minutes]

    When a user authenticates on a VTY line, a command is automatically run to add the dynamic Lock and Key entry to allow temporary access. The host keyword causes a specific dynamic entry to be added for the IP address of the user's machine. If host is not used, the dynamic entry is created by inheriting the source and destination addresses and masks, as well as any protocol and port values, from the dynamic access list command unchanged. In this way, temporary access for a whole range of users or types of traffic can be granted by a single authentication. Use host whenever the template is as broad as permit ip any any; without it, the first user to authenticate opens that permit for every source address, not just their own. The timeout keyword can be used to define an idle time in minutes (1 to 9999; the default is infinite) that the dynamic entry remains in effect. As long as the dynamic access list entry is visited by the user's traffic within the idle time, the entry remains. Otherwise, it is removed when the idle time expires, when an absolute timeout set on the dynamic statement expires, or when it is cleared manually.

    NOTE

    The autocommand command can be omitted if an automatic dynamic entry is not desired. In this case, the user must Telnet to the router, be authenticated, and then manually run the EXEC command access-enable host to generate the dynamic entry.

  5. (Optional) Manually add an entry to the dynamic access list:

     (exec) access-template [access-list] [dynamic-name] [source] [destination] [timeout minutes]

    Dynamic access list entries are usually created automatically from the template configured in a traffic filter access list with the dynamic keyword. You can also add a temporary entry manually with specific parameters from privileged EXEC mode. The entry is associated with the named or numbered extended IP access-list that is acting as an inbound traffic filter, and dynamic-name names the dynamic access list where temporary entries are added. The source and destination addresses (a network address and mask, a host address, or the keyword any) can be specified to override the original template. The timeout keyword specifies an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entry to remain in effect.

  6. (Optional) Manually remove temporary Lock and Key entries:

     (exec) clear access-template [access-list] [dynamic-name] [source] [destination]

    If a temporary Lock and Key entry is created without an absolute or idle timeout, the entry remains in effect indefinitely. You must then manually remove it with this command. With no arguments, all temporary entries are removed. You can specify the named or numbered access-list, the name of the dynamic access list as dynamic-name, and the source and destination addresses. To display the current dynamic access lists and the temporary entries, use show access-lists and look for lines beginning with "Dynamic."

Example

The router is configured for AAA authentication using a TACACS+ server at 192.168.4.3, followed by the router enable password (as a last resort). An access list named mylist permits Telnet access to the inbound router interface, references the dynamic access list mydynlist so that temporary Lock and Key entries can be added, and then denies any other external access to the inside network 192.168.4.0. The dynamic statement is placed ahead of the deny because entries are evaluated in order and the temporary entries take the dynamic statement's position; a deny in front of it would block the same traffic even after authentication. The mylist access list is applied to the inbound Ethernet 0 interface.

After a user Telnets to the router and successfully authenticates, the autocommand is executed on the VTY line. In this case, autocommand runs access-enable host timeout 30, which creates a temporary access list entry for the address of the authenticated user's host. The entry is a permit from that specific host to any address: the dynamic template narrowed to the user's source address. Without the host keyword the temporary entry would inherit the template's permit ip any any unchanged and admit every outside host. The user's temporary access has a 30-minute idle timeout.

  aaa new-model
  aaa authentication login default group tacacs+ enable
  tacacs-server host 192.168.4.3 key secret999
  ip access-list extended mylist
   permit tcp any host 172.19.7.1 eq telnet
   dynamic mydynlist permit ip any any
   deny ip any 192.168.4.0 0.0.0.255
  interface ethernet 0
   ip address 172.19.7.1 255.255.255.0
   ip access-group mylist in
  line vty 0 4
   login authentication default
   autocommand access-enable host timeout 30
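The following Python is an added illustration, not code from the book or from Cisco IOS. It models the example configuration above: the access list is walked in order, the dynamic statement is a template whose temporary entries are evaluated at its position, access-enable builds the temporary entry with or without host, and idle and absolute timeouts retire entries. It shows why host matters with a permit ip any any template and how the two timeouts differ. The evaluation position of temporary entries is taken from the description on this page; the outside addresses 203.0.113.10 and 203.0.113.99, the inside host 192.168.4.50 and the clock values are constructed.

```python
"""Behavioural model of the Lock and Key example above (added illustration,
not Cisco IOS code).  An extended access list is walked in order; the
`dynamic` statement is a template whose temporary entries are evaluated at
its position; `access_enable` builds what `autocommand access-enable` adds;
idle and absolute timeouts retire entries.  Clock values are seconds on a
constructed clock."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass
class Ace:
    """One static or temporary access-list entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: Net
    dst: Net
    dport: Optional[int] = None  # destination port, if the entry names one

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


@dataclass
class TempAce:
    """A temporary Lock and Key entry and the timers that retire it."""
    ace: Ace
    created: int
    last_hit: int
    absolute: Optional[int]      # seconds, from the template's `timeout`
    idle: Optional[int]          # seconds, from access-enable `timeout`

    def expired(self, now: int) -> bool:
        return ((self.absolute is not None and now - self.created >= self.absolute)
                or (self.idle is not None and now - self.last_hit >= self.idle))


# A dynamic statement: ("dynamic", template Ace, absolute timeout in seconds or None)
Dynamic = Tuple[str, Ace, Optional[int]]


class LockAndKeyAcl:
    def __init__(self, entries: List[Union[Ace, Dynamic]]):
        self.entries = entries
        self.temporary: List[TempAce] = []   # newest first, as on the router

    def access_enable(self, user_ip: str, now: int, host: bool = False,
                      idle: Optional[int] = None) -> Ace:
        """Add the entry that `autocommand access-enable [host] [timeout]` creates."""
        tmpl, absolute = next((e[1], e[2]) for e in self.entries if isinstance(e, tuple))
        # With `host` the source becomes the user's address; without it the
        # template's source (here `any`) is inherited unchanged.
        src = Net(user_ip + "/32") if host else tmpl.src
        ace = Ace("permit", tmpl.proto, src, tmpl.dst, tmpl.dport)
        self.temporary.insert(0, TempAce(ace, now, now, absolute, idle))
        return ace

    def check(self, proto: str, src: str, dst: str, now: int,
              dport: Optional[int] = None) -> str:
        """First-match evaluation of one inbound packet at time `now`."""
        self.temporary = [t for t in self.temporary if not t.expired(now)]
        for e in self.entries:
            if isinstance(e, tuple):             # the dynamic statement's position
                for t in self.temporary:
                    if t.ace.matches(proto, src, dst, dport):
                        t.last_hit = now         # traffic refreshes the idle timer
                        return "permit"
                continue                         # the template itself matches nothing
            if e.matches(proto, src, dst, dport):
                return e.action
        return "deny"                            # implicit deny at the end of the list


ROUTER, INSIDE = "172.19.7.1", "192.168.4.50"     # router interface, an inside host
USER, OTHER = "203.0.113.10", "203.0.113.99"      # constructed outside addresses


def mylist(template_timeout: Optional[int] = None) -> LockAndKeyAcl:
    """The `mylist` access list from the example, in the order it is applied."""
    return LockAndKeyAcl([
        Ace("permit", "tcp", ANY, Net(ROUTER + "/32"), 23),
        ("dynamic", Ace("permit", "ip", ANY, ANY), template_timeout),
        Ace("deny", "ip", ANY, Net("192.168.4.0/24")),
    ])


def with_host() -> dict:
    """autocommand access-enable host timeout 30: only the authenticated host gets in."""
    acl = mylist()
    r = {"telnet_to_router": acl.check("tcp", USER, ROUTER, now=0, dport=23),
         "before_auth": acl.check("ip", USER, INSIDE, now=0)}
    acl.access_enable(USER, now=10, host=True, idle=30 * 60)
    r["user_after_auth"] = acl.check("ip", USER, INSIDE, now=20)
    r["other_after_auth"] = acl.check("ip", OTHER, INSIDE, now=20)
    r["user_idle_expired"] = acl.check("ip", USER, INSIDE, now=20 + 30 * 60)
    return r


def without_host() -> str:
    """Same list with `host` omitted: the inherited `permit ip any any` admits everyone."""
    acl = mylist()
    acl.access_enable(USER, now=10, host=False, idle=30 * 60)
    return acl.check("ip", OTHER, INSIDE, now=20)


def absolute_cutoff() -> Tuple[str, str]:
    """`dynamic mydynlist timeout 120`: steady traffic cannot outlive the absolute limit."""
    acl = mylist(template_timeout=120 * 60)
    acl.access_enable(USER, now=0, host=True, idle=30 * 60)
    verdicts = [acl.check("ip", USER, INSIDE, now=t) for t in range(600, 120 * 60 + 1, 600)]
    return verdicts[0], verdicts[-1]


if __name__ == "__main__":
    print(with_host())        # user permitted, other host denied, idle expiry denies
    print(without_host())     # permit: the caveat against omitting `host`
    print(absolute_cutoff())  # ('permit', 'deny')
```

The model deliberately makes the dynamic statement match nothing by itself: only temporary entries created by access_enable (or, on a router, access-template) admit traffic, which is why the untouched list denies the user's traffic to 192.168.4.0/24 before authentication.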


Cisco Field Manual: Router Configuration
ISBN: 1587050242
Year: 2005
Pages: 185