02-26-2007 05:28 AM - edited 03-10-2019 03:00 PM
Hi, I'm trying to restrict access to a modem attached to the aux port (2065) of a 2600. I've created an IP-based permit NAR with the AAA Client, port:2065, *, which if I read correctly should give reverse telnet access to just #.#.#.# 2065.
When I apply the NAR the failed log shows 'User Access Filtered'. If I take the NAR off it works fine, so I'm pretty sure it's a group problem rather than device config.
Does the port apply to the src rather than the dst port?
02-27-2007 03:09 AM
There's good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.
Basically, the port field in the TACACS+ header is matched against the NAR port entry.
I did a quick test using tactest with an IP-based NAR allowing access to a test device on port tty1 from 1.1.1.1 and it worked:
TACACS> authen login ascii login tty1 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication succeeded :
TACACS> authen login ascii login tty2 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication failed
Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is the one used by the NAR. I guess it's possible that for reverse telnet IOS might send the destination port.
Darran
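To make the matching rule in the answer above concrete, here is an added example (not from the post, ACS or Cisco) that builds an unencrypted TACACS+ authentication START packet per RFC 8907, extracts its port field, and evaluates an IP-based permit NAR of the form (AAA client network, port pattern, remote address pattern). The NAR semantics are modelled as simple glob matching, an assumption for illustration; the sample user, port and addresses are constructed.

```python
import struct
import fnmatch
from ipaddress import ip_address, ip_network

# TACACS+ (RFC 8907) constants and layouts
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, authen_service,
                                    # user_len, port_len, rem_addr_len, data_len


def build_authen_start(user, port, rem_addr, session_id=0x1234):
    """Construct an unencrypted authentication START packet (test data only)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = START.pack(1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    hdr = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG,
                      session_id, len(body))
    return hdr + body


def parse_authen_start(pkt):
    """Return (user, port, rem_addr) from an unencrypted authentication START."""
    _ver, typ, _seq, flags, _sid, length = HEADER.unpack_from(pkt, 0)
    if typ != TAC_PLUS_AUTHEN or not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("expected an unencrypted authentication packet")
    body = pkt[HEADER.size:HEADER.size + length]
    _, _, _, _, ulen, plen, rlen, _dlen = START.unpack_from(body, 0)
    off = START.size
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen   # e.g. "tty65", not "2065"
    rem_addr = body[off:off + rlen].decode()
    return user, port, rem_addr


def nar_permits(client_ip, pkt, rules):
    """IP-based permit NAR (assumed model): permit if any rule matches the
    AAA client network, the TACACS+ port field and the remote address."""
    _, port, rem_addr = parse_authen_start(pkt)
    return any(ip_address(client_ip) in ip_network(net)
               and fnmatch.fnmatch(port, port_pat)
               and fnmatch.fnmatch(rem_addr, addr_pat)
               for net, port_pat, addr_pat in rules)
```

The deny case for a rule written with the TCP port (2065) and the permit case for the tty name (tty65) reproduce the behaviour the thread describes.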
02-27-2007 03:43 AM
You're a star. I had assumed that, as the NAR was IP-based, the port reflected the IP port rather than the router-assigned tty.
Putting tty65 in the NAR has resolved my problem.