03-19-2009 08:22 PM - edited 03-06-2019 04:42 AM
Hi everybody! My book says:
"Imagine a set of servers that need to be accessed by a small set of users. With ACLs, you can match the IP addresses of the hosts used by the users. However, if a user borrows another PC, leases a new address using DHCP, takes her laptop home, and so on, the legitimate user now has a different IP address. So a traditional ACL would have to be edited to support each new IP address.
Dynamic ACLs solve this problem by tying the ACL to a user-name authentication process. Instead of starting by trying to connect to the server, the users must be told to first telnet to a router. The router asks for a user name/password combination. If it is authentic, the router dynamically changes its ACL."
Now my question: does it mean the user has to check, every time he wants to connect to the server, whether his IP address is the same or has changed? If it changed, then the user knows he has to telnet first to the router. Am I correct? If it is correct, then it puts a lot of burden on users.
thanks a lot!
03-20-2009 09:56 AM
Now my question: does it mean the user has to check, every time he wants to connect to the server, whether his IP address is the same or has changed? If it changed, then the user knows he has to telnet first to the router. Am I correct? If it is correct, then it puts a lot of burden on users.
Correct. That's the reason this implementation is not ideal for a 'user' environment. You will see this kind of implementation mostly done in secured environments where network engineers need access, but with a form of authentication added to get there.
If you want to read more about it from CCO, check out this URL
When are you taking the exam?
__
Edison.
03-19-2009 09:09 PM
The user will not need to check his IP address. All he needs to do is telnet to the router. When he authenticates to the router, the dynamic ACL will change to allow access to the server.
03-19-2009 10:07 PM
Thanks for your reply.
Let me make my point
h---------s0R e0------------------server
R has access-list 110 permit ip host 199.199.199.1 any
As long as the host has this IP address, it can access the server.
Now the host is turned off and then turned on, and was assigned a different IP address.
This time the host has to telnet into the router to provide a username/password. My question: how does the host determine when to telnet to the router and when not to, without checking whether its IP address has changed?
03-19-2009 11:38 PM
Hi Sarah,
You can change the ACL to allow the range of IP addresses that is distributed by DHCP to the hosts.
Example:
If you have the following in the DHCP pool:
ip dhcp pool MYPOOL
network 199.199.199.0 /24
Then your dynamic ACL entry could be:
! DYN_NAME is the (required) name of the dynamic entry; XX is the absolute timeout in minutes
access-list 110 dynamic DYN_NAME timeout XX permit ip 199.199.199.0 0.0.0.255 any
In this case, if the host is switched off and gets another IP address from the DHCP server from the 199.199.199.0/24 range, it does not need to reauthenticate, because the dynamic ACL entry allows the range of IP addresses and it may still be in place, depending on the timeout value.
You should know that dynamic ACL entries time out after some time. If the entry times out, then the host will need to reauthenticate at the router anyway.
You can also set the timeout values as given in the example.
Cheers:
Istvan
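As an added example (not part of this thread and not Istvan's own configuration), here is a complete IOS lock-and-key configuration for the topology Sarah drew: hosts on Serial0, the server behind the router. Everything in it is assumed for illustration: the username, the router address 199.199.199.254, the server address 10.0.0.10, the dynamic entry name LOCKKEY and both timeouts. It shows the three pieces that have to fit together: a static entry that lets an unauthenticated host reach only Telnet on the router, the dynamic template entry, and the autocommand that installs the temporary entry for the address the user actually logged in from.

```cisco
! Added example (not from this thread): IOS lock-and-key (dynamic ACL) for
! hosts on Serial0 reaching a server behind the router. All names, addresses
! and timeouts are assumptions chosen to match the thread's 199.199.199.0/24.
!
! Local account the user authenticates with via Telnet. After a successful
! login the autocommand installs the dynamic entry with the Telnet client's
! own source address (the "host" keyword) and then closes the session.
! 10 is the idle timeout in minutes for that temporary entry.
username sarah secret <REPLACE_WITH_PASSWORD>
username sarah autocommand access-enable host timeout 10
!
interface Serial0
 description link toward the user hosts (199.199.199.0/24, assumed)
 ip address 199.199.199.254 255.255.255.0
 ip access-group 110 in
!
! Static entry evaluated before any authentication: an unauthenticated host
! may only telnet to the router itself.
access-list 110 permit tcp 199.199.199.0 0.0.0.255 host 199.199.199.254 eq telnet
! Template for the temporary entry. With "access-enable host" the source
! "any" is replaced by the address of the host that logged in, which is why a
! host that later receives a different DHCP address has to authenticate
! again. 120 is the absolute timeout in minutes; the idle timeout above must
! be shorter than it.
access-list 110 dynamic LOCKKEY timeout 120 permit ip any host 10.0.0.10
! Everything else arriving on Serial0 is dropped by the implicit deny.
!
line vty 0 4
 login local
```

After a user logs in, `show access-lists 110` lists the installed temporary entry (for example `permit ip host 199.199.199.1 host 10.0.0.10`) under the LOCKKEY template, which is the quickest way to confirm that the entry was created for the address you expected. Istvan's variant, a template that permits the whole 199.199.199.0/24 range, would be installed as written if the autocommand omitted the `host` keyword, at the cost that any host in that range shares the entry until it times out.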
03-20-2009 09:08 AM
Thanks Istvan.
My intention is to understand dynamic ACLs. I understand there is an alternative to dynamic ACLs, as you mentioned in your post. My goal is to understand how a dynamic ACL works.
Let me revisit my question.
host----------r--------server
r is also connected to the Internet, besides the host, which is inside the enterprise network.
Let's say r has a dynamic ACL configured allowing connections through for the 199.199.199.0/24 network.
Now let's say the host is a laptop; the user moved to a different part of the country and wants to access the server. He connects to the Internet, and from the Internet he gets to "r". Now how would the user decide whether he has to authenticate first or not, if he does not check his IP address? By checking the IP address, the user can decide whether the IP address is the same or has changed. In our case, the IP address has changed, so the user knows he has to telnet first to "r"; then, having authenticated himself, he will be allowed to access the server.
My question remains the same: does the user have to check whether his IP address has changed or not? If not, then how does the user decide whether he has to telnet into the router for authentication or not?
Thanks a lot!
03-20-2009 09:46 AM
Hi Sarah,
Of course, a simple user has no idea of how his computer connects to the server, so he/she should not deal with any IP addresses.
The distribution of IP addresses through DHCP and the dynamic ACL entry have to be coordinated so this works automatically for the user.
The user has no option to decide about authenticating or not.
He must authenticate any time and that's all. No question.
But, do not consider this authentication method as the most scalable, secure and reliable in the world.
This type of authentication is not scalable to large networks, and will not replace AAA, Network Admission Control and other best practices for security.
Cheers:
Istvan
03-20-2009 02:57 PM
Thanks Edison! The exam itself is not my goal.
I will take it in a few months, after I master the basics and routing concepts. Most of my questions are not even relevant to the CCNP routing exam. But discovering the answers to my weird questions helps me understand the concepts better.
Thanks and have a nice weekend!