Lock & Key ACL

Jun 9th, 2009

Hi, I have a resource on router R4. I have to implement a policy stating that before using any resource on R4, you have to authenticate on R1 with username CISCO. My question is, I have two options for the autocommand, e.g. VTY line or username. Which one do I have to follow?

Router(config-line)# autocommand access-enable [host] [timeout minutes]

Router(config)# username CISCO autocommand access-enable [host] [timeout minutes]

Giuseppe Larosa Tue, 06/09/2009 - 23:05

Hello Rupesh,

When I tested this on a C3725 with 12.3T, the effective command was the first one, under line vty.

I didn't like my test results: I had the impression there were troubles with AAA new model on the device.

I was not able to get access to the router after the lock and key triggered.

It was a lab and I could easily recover with a power cycle.

About the options, the documentation for 12.3 says:

The autocommand Command

Use the following guidelines for configuring the autocommand command:

• If you use a TACACS+ server to authenticate the user, you should configure the autocommand command on the TACACS+ server as a per-user autocommand. If you use local authentication, use the autocommand command on the line.

• Configure all virtual terminal (VTY) ports with the same autocommand command. Omitting an autocommand command on a VTY port allows a random host to gain EXEC mode access to the router and does not create a temporary access list entry in the dynamic access list.

I tried local authentication with authentication on the line, but using aaa new-model.

Hope to help


Rupesh Kashyap Tue, 06/09/2009 - 23:17

Where do we have to give autocommand access-enable, on the VTY or on the username, if using local authentication?

Giuseppe Larosa Wed, 06/10/2009 - 02:32

Hello Rupesh,

>> If you use local authentication, use the autocommand command on the line.

I did so.

Hope to help
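The configuration the thread converges on, written out as an added example (it is not a configuration posted by either participant): lock-and-key on R1 with local authentication, so the autocommand sits under the VTY lines as the 12.3 guideline says, and on every VTY line so that no line hands out plain EXEC access without creating the dynamic entry. The addresses, interface name, ACL name and password are constructed placeholders; the username CISCO and the R1/R4 roles come from the question.

```cisco
! R1: lock-and-key (dynamic) ACL, autocommand on the VTY lines.
! Constructed example: addresses, interface, ACL name and password are
! placeholders, not values from the thread.
!
! Local user that triggers the dynamic entry (the thread's username CISCO).
username CISCO password 0 CHANGE-ME
!
! ACL 101 permits Telnet to R1 itself so the user can log in to authenticate.
! The dynamic line toward R4 (placeholder 10.0.4.1) is inactive until
! access-enable runs; "timeout 60" is the absolute lifetime of that entry.
access-list 101 permit tcp any host 10.0.1.1 eq telnet
access-list 101 dynamic R4ACCESS timeout 60 permit ip any host 10.0.4.1
!
! Apply the ACL inbound on the interface facing the users.
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 in
!
! Same autocommand on every VTY line (per the documentation quoted above).
! "host" restricts the opened entry to the authenticating source address;
! "timeout 5" is the idle timeout of that entry.
line vty 0 4
 login local
 autocommand access-enable host timeout 5
```

This variant uses plain login local on the lines rather than aaa new-model, which is the combination the answer reports trouble with. After a user authenticates, show access-lists 101 lists the temporary entry that access-enable created, which is the check that the feature is actually gating traffic to R4 rather than granting EXEC access.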


