DENY IP – road to CCIE security

Using AUTOCOMMANDs

Posted in AAA, ccsp, Identity mgm by denyip on August 10, 2008

I tested the autocommand feature (a command that is run automatically when the user logs in), and it looks like exec authorization is needed in order to get this feature working.

Without the command aaa authorization exec default local it didn't work for me (if you have other experience, let us know).

So the configuration is the following (I tested it with the show ip interface brief command):

aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 password 0 cisco
username user1 autocommand show ip interface brief

When user1 logs in

R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open

User Access Verification

Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up

[Connection to 150.50.78.2 closed by foreign host]

When using the NOHANGUP feature with the command
username user1 nohangup autocommand show ip interface brief
it doesn't mean you will stay logged in (as I thought); instead you get a new user login prompt (in place of the [Connection to 150.50.78.2 closed by foreign host] message):

R2#telnet 192.168.1.1
Trying 192.168.1.1 … Open

User Access Verification

Username: user1
Password:
R1>sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.1.1 YES NVRAM up up
Loopback0 192.168.10.1 YES NVRAM up up

User Access Verification

Username:

So if you only have credentials for user1, this autocommand is the only thing you can do. Note that this restriction holds only while exec authorization is in place: without it the autocommand is never applied and user1 lands in a normal user EXEC shell.
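The dependency described above (the autocommand attribute is only applied when exec authorization is configured, and nohangup changes what happens after it runs) is easy to miss in a large config. The following Python script is an added example, not part of the original post: it parses a running-config text and reports autocommand users whose command will not be enforced because aaa new-model is set without an aaa authorization exec method list, and notes users with nohangup. The two sample configs are constructed for the example; the parser only looks at the default authorization list and the plain `username NAME [nohangup] autocommand CMD` form, which is a simplification.

```python
"""Audit an IOS config for autocommand users whose restriction will not be enforced."""
import re

# Constructed sample configs for this example (not captured from the post's routers).
# The first one is the configuration that failed in the post's test.
BROKEN_CONFIG = """\
aaa new-model
aaa authentication login default local
username user1 password 0 cisco
username user1 autocommand show ip interface brief
"""

# The second one adds exec authorization and the nohangup variant.
FIXED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username user1 password 0 cisco
username user1 nohangup autocommand show ip interface brief
"""

# Matches "username NAME autocommand CMD" and "username NAME nohangup autocommand CMD".
# Assumption: other username keywords (privilege, secret, ...) are on separate lines.
AUTOCMD_RE = re.compile(r"^username\s+(\S+)\s+(?:(nohangup)\s+)?autocommand\s+(.+)$")


def parse_config(text):
    """Collect the AAA flags and autocommand users relevant to the check."""
    cfg = {"aaa_new_model": False, "exec_authz": False, "users": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif line.startswith("aaa authorization exec default "):
            # Only the default list is considered; named lists applied per line
            # with "authorization exec NAME" are outside this simplified check.
            cfg["exec_authz"] = True
        else:
            m = AUTOCMD_RE.match(line)
            if m:
                name, nohangup, command = m.groups()
                cfg["users"][name] = {
                    "command": command.strip(),
                    "nohangup": nohangup is not None,
                }
    return cfg


def audit(text):
    """Return a list of findings, one per autocommand user that needs attention."""
    cfg = parse_config(text)
    findings = []
    for name, info in sorted(cfg["users"].items()):
        if cfg["aaa_new_model"] and not cfg["exec_authz"]:
            # aaa new-model without exec authorization: the per-user autocommand
            # attribute is never applied, so the user gets a normal EXEC shell.
            findings.append(
                f"{name}: autocommand '{info['command']}' is not applied: "
                "aaa new-model is set but 'aaa authorization exec default' is missing"
            )
        elif info["nohangup"]:
            # With nohangup the line is not dropped; it returns to the login prompt.
            findings.append(
                f"{name}: nohangup set, session returns to the login prompt "
                f"after '{info['command']}' instead of closing"
            )
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg_text) or ["no findings"]:
            print(" ", finding)
```

Run it against the output of show running-config saved to a file; an empty result for a config that has aaa new-model and autocommand users means exec authorization is present, which is the condition the post found necessary.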
