Lock and Key uses dynamic access lists to temporarily allow access for certain authenticated users.
Traffic from users is normally blocked by an access list on a border router. To gain access, a user must open a Telnet session to that router and successfully authenticate.
Access can be finely controlled, down to a per-user basis.
After a dynamic access list entry has been created, it stays active for a preconfigured amount of time (based on an absolute or idle time) or until it is manually removed.
New dynamic entries are added to the beginning of the dynamic access list.
Create a dynamic access list.
Use a named extended IP access list.
Create the access list and enable Telnet to the router:
(global) ip access-list extended name
(named-access-list) permit tcp any host ip-address eq telnet
(named-access-list) deny ...
The extended IP access list named name is used to control inbound access through a router. You must permit Telnet access with the second command so that external users can Telnet to the router and open a dynamic entry. Use the ip-address of the inbound router interface. The deny command represents any other commands that are necessary to block inbound traffic into your router.
Reference a named access list where dynamic entries will be put:
(named-access-list) dynamic name [ timeout minutes ] permit ...
The dynamic access list named name is used to contain dynamic or temporary entries that are added by Lock and Key. You don't need to create this list; the router creates it and adds or deletes entries to or from it as needed. The timeout keyword is used to set an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entry to remain in effect.
The permit keyword should be used to define the conditions of the temporary access list entry. You can use a simple permit ip any any if you intend to trigger the temporary entries for a single host address; the temporary entry is then added with the user's one specific source address and a destination of any. Otherwise, you can trigger a temporary entry for an entire network address. In this case, use the permit keyword and define the specific protocol (if needed), the specific source network address and mask, and the specific destination network and mask. In other words, the temporary entry should open only the specific access that was denied in the regular (nondynamic) access list.
Use a numbered extended IP access list.
Create the access list and enable Telnet to the router:
(global) access-list number permit tcp any host ip-address eq telnet
(global) access-list number deny ...
The extended IP access list number (100 to 199 or 2600 to 2699) is used to control inbound access through a router. You must permit Telnet access with the second command so that external users can Telnet to the router and open a dynamic entry. Use the ip-address of the inbound router interface. The deny command represents any other commands that are necessary to block inbound traffic into your router.
Reference a named access list where dynamic entries will be put:
(global) access-list number dynamic name [ timeout minutes ] permit ...
The dynamic access list named name is used to contain dynamic or temporary entries that are added by Lock and Key. You don't need to create this list; the router creates it and adds or deletes entries to or from it as needed. The timeout keyword is used to set an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entry to remain in effect.
The permit keyword should be used to define the conditions of the temporary access list entry. You can use a simple permit ip any any if you intend to trigger the temporary entries for a single host address; the temporary entry is then added with the user's one specific source address and a destination of any. Otherwise, you can trigger a temporary entry for an entire network address. In this case, use the permit keyword and define the specific protocol (if needed), the specific source network address and mask, and the specific destination network and mask. In other words, the temporary entry should open only the specific access that was denied in the regular (nondynamic) access list.
Apply the access list to an inbound interface:
(interface) ip access-group access-list in
The named or numbered access-list is used to filter inbound traffic on the interface. Filtering follows the normal access list definitions until dynamic entries are added by Lock and Key.
Use authentication on the VTY (Telnet) lines:
(line) login { local | tacacs }
-OR-
(line) login authentication { default | list-name }
Authentication must be enabled on the VTY lines so that external users can Telnet to the router and attempt to authenticate themselves for a dynamic Lock and Key entry. If AAA is used (see Section 13-2 for more information), use the login authentication command. Otherwise, you can authenticate against usernames and passwords configured on the router with login local or against a TACACS server database with login tacacs.
Automatically add the dynamic access list entry:
(line) autocommand access-enable [ host ] [ timeout minutes ]
When a user authenticates on a VTY line, a command is automatically run to add the dynamic Lock and Key entry to allow temporary access. The host keyword can be used to cause a specific dynamic entry to be added for the IP address of the user's machine. If host is not used, the dynamic entry is created by inheriting the source and destination addresses and masks, as well as any protocol and port values, from the dynamic access list command. In this way, temporary access for a whole range of users or types of traffic can be granted by a single authentication. The timeout keyword can be used to define an idle time in minutes (1 to 9999; the default is infinite) that the dynamic entry remains in effect. As long as the dynamic access list entry is visited by the user's traffic within the idle time, the entry remains. Otherwise, it must time out or be manually removed.
NOTE
The autocommand command can be omitted if an automatic dynamic entry is not desired. In this case, the user must Telnet to the router, be authenticated, and then manually run the EXEC command access-enable host to generate the dynamic entry.
(Optional) Manually add an entry to the dynamic access list:
(global) access-template [ access-list ] [ dynamic-name ] [ source ] [ destination ] [ timeout minutes ]
Dynamic access list entries are usually created automatically from a template configured into a traffic filter access list containing the dynamic keyword. You can also manually add your own template to the dynamic access list with specific parameters. The template is associated with a named or numbered extended IP access-list that is acting as an inbound traffic filter. The dynamic-name points to the named dynamic access list where temporary entries are added. The source and destination addresses (network addresses, or the keywords host and any) can also be specified to override the original access list template. The timeout keyword can be used to specify an absolute time in minutes (1 to 9999; the default is infinite) for the temporary entries to remain in effect.
(Optional) Manually remove temporary Lock and Key entries:
(exec) clear access-template [ access-list ] [ dynamic-name ] [ source ] [ destination ]
If a temporary Lock and Key entry is created without an absolute or idle timeout, the entry remains in effect indefinitely. You must then manually remove it with this command. With no arguments, all temporary entries are removed. You can specify the named or numbered access-list, the name of the dynamic access list as dynamic-name, and the source and destination addresses. To display the current dynamic access lists and the temporary entries, use show access-lists and look for lines beginning with "Dynamic."
The router is configured for AAA authentication using a TACACS+ server at 192.168.4.3, followed by the router enable password (as a last resort). An access list named mylist is used to permit Telnet access to the inbound router interface. The list also denies any external access to the inside network 192.168.4.0. The dynamic access list mydynlist is referenced so that temporary Lock and Key entries can be added. The mylist access list is applied to the inbound Ethernet 0 interface.
After a user Telnets to the router and successfully authenticates, the autocommand is executed on the VTY line. In this case, autocommand runs access-enable timeout 30, which creates a temporary access list entry for the external host. The entry is a permit for the specific host to any address, matching the dynamic access list template. The user's temporary access will have a 30-minute idle timeout.
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.168.4.3 key secret999
ip access-list extended mylist
 permit tcp any host 172.19.7.1 eq telnet
 deny ip any 192.168.4.0 0.0.0.255
 dynamic mydynlist permit ip any any
interface ethernet 0
 ip address 172.19.7.1 255.255.255.0
 ip access-group mylist in
line vty 0 4
 login authentication default
 autocommand access-enable timeout 30
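The steps above amount to a short checklist: the filter list must permit Telnet to the router before any deny that could shadow it, it must be applied inbound, the VTY lines must authenticate, and a dynamic entry without an absolute timeout on the dynamic template or an idle timeout on the autocommand stays open until someone runs clear access-template. The following audit script is an added example, not Cisco's code and not part of the original page; it parses a plain-text running configuration (the page's example configuration, reflowed one command per line, is embedded as the sample) with a deliberately minimal parser that assumes the IOS convention of indented sub-mode lines, and the function names, the IosConfig class and the finding messages are this example's own.

```python
"""Audit a Cisco IOS configuration for the Lock and Key prerequisites.
Added example (not Cisco's code): it flags a dynamic ACL that is not applied inbound,
a missing Telnet permit, missing VTY authentication, and dynamic entries that never expire."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The page's example configuration, one command per line (indented lines are sub-mode commands).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ enable
tacacs-server host 192.168.4.3 key secret999
ip access-list extended mylist
 permit tcp any host 172.19.7.1 eq telnet
 deny ip any 192.168.4.0 0.0.0.255
 dynamic mydynlist permit ip any any
interface ethernet 0
 ip address 172.19.7.1 255.255.255.0
 ip access-group mylist in
line vty 0 4
 login authentication default
 autocommand access-enable timeout 30
"""


@dataclass
class IosConfig:
    acls: Dict[str, List[str]] = field(default_factory=dict)  # ACL name or number -> entries in order
    inbound: Dict[str, str] = field(default_factory=dict)     # interface -> ACL applied with 'in'
    vty_login: Optional[str] = None                            # 'login ...' on the VTY lines
    autocommand: Optional[str] = None                          # 'autocommand ...' on the VTY lines


def parse_config(text: str) -> IosConfig:
    """Minimal parser (assumption): a top-level command opens a section, indented lines belong to it."""
    cfg = IosConfig()
    section = None  # (kind, name) of the current sub-mode, or None at global level
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = None
            if m := re.match(r"ip access-list extended (\S+)$", raw):
                section = ("acl", m.group(1))
                cfg.acls.setdefault(m.group(1), [])
            elif m := re.match(r"access-list (\d+) (.+)$", raw):  # numbered ACL: one entry per line
                cfg.acls.setdefault(m.group(1), []).append(m.group(2))
            elif m := re.match(r"interface (.+)$", raw):
                section = ("interface", m.group(1))
            elif raw.startswith("line vty"):
                section = ("line", raw)
            continue
        body = raw.strip()
        if section is None:
            continue
        kind, name = section
        if kind == "acl":
            cfg.acls[name].append(body)
        elif kind == "interface":
            if m := re.match(r"ip access-group (\S+) in$", body):
                cfg.inbound[name] = m.group(1)
        elif kind == "line":
            if body.startswith("login"):
                cfg.vty_login = body
            elif body.startswith("autocommand"):
                cfg.autocommand = body
    return cfg


def audit_lock_and_key(cfg: IosConfig) -> List[str]:
    """Return a list of findings; an empty list means every prerequisite is present."""
    findings = []
    dynamic_acls = {n: e for n, e in cfg.acls.items() if any(x.startswith("dynamic ") for x in e)}
    if not dynamic_acls:
        return ["no access list carries a 'dynamic' entry: Lock and Key is not configured"]
    for name, entries in dynamic_acls.items():
        if name not in cfg.inbound.values():
            findings.append(f"ACL {name} has a dynamic entry but is not applied with 'ip access-group ... in'")
        telnet = [i for i, e in enumerate(entries) if re.match(r"permit tcp .+ eq telnet$", e)]
        first_deny = next((i for i, e in enumerate(entries) if e.startswith("deny ")), len(entries))
        if not telnet:
            findings.append(f"ACL {name} never permits Telnet to the router, so users cannot authenticate")
        elif telnet[0] > first_deny:
            findings.append(f"ACL {name}: the Telnet permit follows a deny that may shadow it")
        template = next(e for e in entries if e.startswith("dynamic "))
        absolute = re.search(r"\btimeout (\d+)", template)            # absolute timeout on the template
        idle = re.search(r"\btimeout (\d+)", cfg.autocommand or "")    # idle timeout on access-enable
        if not absolute and not idle:
            findings.append(f"dynamic entries in {name} have neither an absolute nor an idle timeout "
                            "and stay open until removed with 'clear access-template'")
    if cfg.vty_login is None:
        findings.append("VTY lines have no 'login' command: users cannot authenticate to open an entry")
    if cfg.autocommand is None:
        findings.append("VTY lines have no autocommand: users must run 'access-enable' by hand")
    return findings


def audit_config(text: str) -> List[str]:
    return audit_lock_and_key(parse_config(text))


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's configuration the audit reports nothing, because the autocommand supplies the 30-minute idle timeout; strip that timeout and the script reports that mydynlist entries would stay open until cleared by hand. The parser also accepts the numbered form (access-list number dynamic name timeout minutes permit ...), where the timeout on the template counts as the absolute timeout.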