Let's take a quick look at access lists as they relate to TACACS+ and RADIUS. Access lists are normally used to filter traffic at the packet level. In other words, when a connection is attempted through a router interface, packet headers are inspected for prohibited IP addresses or application port numbers, and traffic is passed or blocked. These are called extended access lists, and they're discussed in Chapter 7. To review here, such access lists are extended in that they can filter based on network application port numbers instead of just addresses. They're also called static extended access lists, because the permit and deny commands are blindly enforced, regardless of the user. To make an exception for a particular person, an administrator would need to go into the router's config file and edit the list for that interface.
Dynamic access lists are configured using so-called lock-and-key commands. By employing these, a user who would otherwise be blocked can be granted temporary access to a network or subnet through a Telnet session over the Internet.
The Telnet session is opened to a router configured for lock-and-key. The dynamic access list prompts the user for authentication information. As with other user-based security protocols, lock-and-key can be configured to check against a user database on the router itself (local) or against a user database maintained on a TACACS+ or RADIUS server. If authenticated, the user is automatically logged out of the Telnet session and can start a normal application, such as a browser.
The following sequence of code snippets shows how lock-and-key could be configured on a router using a locally maintained user authentication file. To start, a particular network interface on the router is declared, along with a subnetted IP address. The ip access-group command places the just-named interface and networks under the control of access list 103:
MyRouter(config)# interface ethernet1
MyRouter(config-if)# ip address 188.8.131.52 255.255.255.0
MyRouter(config-if)# ip access-group 103 in
The keyword in specifies that access control be applied only to inbound connections (lock-and-key can also be used to restrict outbound connections).
In the following statements, the first entry of access list 103 permits only Telnet connections to the router itself. The second entry is ignored until lock-and-key is triggered, which happens once a Telnet connection to the router has been established and authenticated. The keyword dynamic marks access list 103 as a dynamic (lock-and-key) list.
MyRouter(config)# access-list 103 permit tcp any host 184.108.40.206 eq telnet
MyRouter(config)# access-list 103 dynamic InCrowd timeout 60 permit ip any any
This is the key juncture. If so configured, an attempted Telnet connection to the router causes it to check against its local user database to see if the user and password are valid for lock-and-key access to the router. If validated, the timeout 60 permit ip any any statement gives the user 60 minutes to use the router as a connection between any two IP addresses.
Finally, an autocommand statement on virtual terminal line 0 creates a temporary inbound access list entry (the InCrowd entry named in the previous statement) at interface Ethernet1 when a user logs in through that line. The temporary access list entry will time out after five minutes.
MyRouter(config)# line vty 0
MyRouter(config-line)# login local
MyRouter(config-line)# autocommand access-enable timeout 5
The temporary access list entry isn't automatically deleted when the user terminates the session. It will remain configured until the timeout period expires.
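To make the sequence above concrete, here is an added Python model of how access list 103 behaves before and after a lock-and-key login (example code written for this text, not Cisco IOS code). It assumes a single local user "alice", treats the dynamic entry's timeout 60 as an absolute limit and the access-enable timeout 5 as an idle limit, and exposes the optional host keyword of access-enable as a flag so the difference between "any source" and "Telnet client only" temporary entries is visible.

```python
# Added model of the lock-and-key behaviour configured above (not Cisco code).
# Constructed example: times are minutes since an arbitrary epoch.
from dataclasses import dataclass, field

ROUTER = "184.108.40.206"   # router address from access-list 103 on the page
TELNET_PORT = 23

@dataclass
class LockAndKey:
    """Access list 103 as a state machine: static Telnet entry + dynamic InCrowd entry."""
    absolute_timeout: int = 60   # 'dynamic InCrowd timeout 60'  (minutes, absolute)
    idle_timeout: int = 5        # 'autocommand access-enable timeout 5' (minutes, idle)
    host_only: bool = False      # 'access-enable host ...' restricts entry to Telnet client
    users: dict = field(default_factory=lambda: {"alice": "s3cret"})  # 'login local'
    temp: dict = field(default_factory=dict)   # active temporary entries

    def telnet_login(self, src, user, password, now):
        """Telnet to the router; a valid login runs the autocommand (access-enable)."""
        if self.users.get(user) != password:
            return False
        key = src if self.host_only else "any"
        self.temp[key] = {"created": now, "last": now}
        return True

    def permits(self, src, dst, proto, dport, now):
        """Evaluate one inbound packet on ethernet1 against access list 103."""
        # Entry 1: permit tcp any host ROUTER eq telnet (always active)
        if proto == "tcp" and dst == ROUTER and dport == TELNET_PORT:
            return True
        # Entry 2: dynamic 'permit ip any any', only while a temporary entry exists
        key = src if self.host_only else "any"
        entry = self.temp.get(key)
        if entry is None:
            return False
        if (now - entry["created"] >= self.absolute_timeout
                or now - entry["last"] >= self.idle_timeout):
            del self.temp[key]     # expired: the router removes the temporary entry
            return False
        entry["last"] = now        # matching traffic resets the idle timer
        return True
```

Without host, the temporary entry admits any source once one user has authenticated, which is the case the page's configuration produces.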
Dynamic access lists can also be configured to authenticate users against a user database maintained on either a TACACS+ or RADIUS server. This, in effect, turns a router into an access server through which a user can gain entry into an internetwork, but only by logging in through a Telnet session.
It goes without saying, and is certainly a cliché, that network security is extremely important and necessary. However, understanding that it's important and understanding how to actually implement it are two different things. To be sure, an entire book can be (and many have been) written on the subject of network security in general and Cisco security in particular. The object of this chapter was to show you various details behind some of the important components in securing your internetwork. In Chapter 7, we'll talk about some specific tools that Cisco offers in the realm of network access and security.