NAR to allow Reverse Telnet only

Answered Question
Feb 26th, 2007

Hi .. I'm trying to restrict access to a modem attached to the aux port (2065) of a 2600.. I've created an IP-based permit NAR with the AAA Client, port:2065, * .. which, if I read correctly, should give reverse telnet access to just #.#.#.# 2065.

When I apply the NAR the Failed log shows 'User Access Filtered'. If I take the NAR off it works fine, so I'm pretty sure it's a group problem rather than device config.

Does the port apply to the source rather than the destination port?

Correct Answer by darpotter, Tue, 02/27/2007 - 03:09

There's good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.

Basically, the port field in the TACACS+ header is matched against the NAR port entry.

I did a quick test using tactest with an IP based NAR allowing access to a test device on port tty1 from 1.1.1.1 and it worked:

TACACS> authen login ascii login tty1 1.1.1.1

User Access Verification

Username: daz

Password: 123456

Authentication succeeded :

TACACS> authen login ascii login tty2 1.1.1.1

User Access Verification

Username: daz

Password: 123456

Authentication failed

Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is the one used by the NAR. I guess it's possible that for reverse telnet IOS might send the destination port.

Darran


pregan Tue, 02/27/2007 - 03:43

You're a star .. I had assumed, as the NAR was IP-based, that the port reflected the IP port, not the router-assigned tty ..

Putting tty65 in the NAR has resolved my problem.
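As an added illustration (not part of this thread and not ACS or IOS code), a small Python model of what Darran describes and what the fix above confirms: the NAR is checked against the port field carried in the TACACS+ authentication START, which for a reverse telnet session to TCP 2065 is the line name tty65 rather than the TCP port. The packet builder, the AAA client name router2600 and the remote address 10.0.0.5 are constructed for the example, and the NAR matcher is simplified to exact or "*" matches.

```python
import struct

TAC_PLUS_AUTHEN = 1          # packet type: authentication
TAC_PLUS_UNENCRYPTED = 0x01  # flag: body sent in the clear (lab illustration only)

def build_authen_start(user: str, port: str, rem_addr: str) -> bytes:
    """Constructed TACACS+ Authentication START (RFC 8907 layout), unencrypted."""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), then field lengths
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    # header: version 0xc0, type, seq_no 1, flags, session_id (constructed), body length
    hdr = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED, 0x1234, len(body))
    return hdr + body

def parse_authen_start(pkt: bytes) -> dict:
    """Pull user, port and rem_addr out of the START body; that port is what the NAR sees."""
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!BBBBII", pkt[:12])
    if ptype != TAC_PLUS_AUTHEN or not flags & TAC_PLUS_UNENCRYPTED:
        raise ValueError("expected an unencrypted authentication packet")
    body = pkt[12:12 + length]
    ulen, plen, rlen = body[4], body[5], body[6]
    user = body[8:8 + ulen].decode()
    port = body[8 + ulen:8 + ulen + plen].decode()
    rem_addr = body[8 + ulen + plen:8 + ulen + plen + rlen].decode()
    return {"user": user, "port": port, "rem_addr": rem_addr}

def reverse_telnet_line(tcp_port: int) -> str:
    """IOS reverse telnet listens on 2000 + line number, so TCP 2065 is line 65 (tty65)."""
    return f"tty{tcp_port - 2000}"

def nar_permits(nar: dict, client: str, port: str, address: str) -> bool:
    """Simplified IP-based permit NAR: AAA client, port and address all match ('*' = any)."""
    def match(pattern: str, value: str) -> bool:
        return pattern == "*" or pattern == value
    return (match(nar["client"], client) and match(nar["port"], port)
            and match(nar["address"], address))

# The first attempt in the thread: NAR port set to the TCP port (2065) -> filtered.
BAD_NAR = {"client": "router2600", "port": "2065", "address": "*"}
# The working NAR: port set to the line name the router actually sends.
GOOD_NAR = {"client": "router2600", "port": "tty65", "address": "*"}

def check(nar: dict) -> bool:
    # Constructed START packet as the 2600 would send for a reverse telnet login via TCP 2065
    pkt = build_authen_start("daz", reverse_telnet_line(2065), "10.0.0.5")
    fields = parse_authen_start(pkt)
    return nar_permits(nar, "router2600", fields["port"], fields["rem_addr"])

if __name__ == "__main__":
    print("NAR port 2065 :", "permit" if check(BAD_NAR) else "User Access Filtered")
    print("NAR port tty65:", "permit" if check(GOOD_NAR) else "User Access Filtered")
```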
