NAR to allow Reverse Telnet only

pregan
Level 1

Hi, I'm trying to restrict access to a modem attached to the aux port (2065) of a 2600. I've created an IP-based permit NAR with the AAA Client, port: 2065, *, which, if I read correctly, should give reverse telnet access to just #.#.#.# 2065.

When I apply the NAR, the Failed Attempts log shows 'User Access Filtered'. If I take the NAR off it works fine, so I'm pretty sure it's a group problem rather than device config.

Does the port apply to the source rather than the destination port?

Accepted Solution

darpotter
Level 5

There's good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.

Basically, the port field in the TACACS+ header is matched against the NAR port entry.

I did a quick test using tactest with an IP-based NAR allowing access to a test device on port tty1 from 1.1.1.1, and it worked:

TACACS> authen login ascii login tty1 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication succeeded :

TACACS> authen login ascii login tty2 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication failed

Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is the one used by the NAR. I guess it's possible that for reverse telnet IOS might send the destination port.

Darran


You're a star. I had assumed that, as the NAR was IP-based, the port reflected the IP port, not the router-assigned tty.

Putting tty65 in the NAR has resolved my problem.
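To make the point of this thread concrete, here is an added example (not from the original posts or from Cisco ACS) that parses the port and rem_addr fields out of a TACACS+ authentication START packet (RFC 8907, section 5.1) and evaluates a simplified IP-based permit NAR against them. The NAR rule format and the wildcard semantics are assumptions for illustration; the sample packet, the AAA client address and the user names are constructed. It shows why a NAR entry of "2065" never matches (the router sends the line name, "tty65", not the TCP port) while "tty65" does, and reproduces the tty1/tty2 test from the accepted answer.

```python
import struct
from fnmatch import fnmatchcase

# TACACS+ header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in the clear; used here only so it can be parsed

def build_authen_start(user, port, rem_addr, session_id=0x1):
    """Constructed sample: an unobfuscated authentication START packet (RFC 8907 5.1)."""
    fields = [f.encode() for f in (user, port, rem_addr)]
    # action, priv_lvl, authen_type, authen_service, user_len, port_len, rem_addr_len, data_len
    body = struct.pack("!8B", 1, 1, 1, 1, len(fields[0]), len(fields[1]), len(fields[2]), 0)
    body += b"".join(fields)
    hdr = HEADER.pack(0xC0, TAC_PLUS_AUTHEN, 1, TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return hdr + body

def parse_authen_start(packet):
    """Return the user, port and rem_addr fields of an unobfuscated authentication START."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or not flags & TAC_PLUS_UNENCRYPTED_FLAG or len(body) != length:
        raise ValueError("not a complete, unobfuscated authentication packet")
    ulen, plen, rlen = struct.unpack_from("!3B", body, 4)   # user_len, port_len, rem_addr_len
    off = 8
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem_addr = body[off:off + rlen].decode()
    return {"user": user, "port": port, "rem_addr": rem_addr}

def nar_permits(rules, aaa_client, packet):
    """Evaluate an IP-based permit NAR. Assumed semantics: a rule is
    (aaa_client, port, address) and '*' (shell wildcards) matches anything.
    The port compared is the TACACS+ port field, e.g. 'tty65', never a TCP port."""
    req = parse_authen_start(packet)
    return any(fnmatchcase(aaa_client, client) and fnmatchcase(req["port"], port)
               and fnmatchcase(req["rem_addr"], addr)
               for client, port, addr in rules)

# Constructed sample: the 2600 reports the aux line as 'tty65' plus the telnet client's address.
SAMPLE = build_authen_start("pregan", "tty65", "192.0.2.10")
WRONG_NAR = [("10.0.0.1", "2065", "*")]   # the reverse telnet TCP port: never matches
RIGHT_NAR = [("10.0.0.1", "tty65", "*")]  # the line name the router actually sends

if __name__ == "__main__":
    print(parse_authen_start(SAMPLE))
    print("2065 rule:", nar_permits(WRONG_NAR, "10.0.0.1", SAMPLE))   # False: 'User Access Filtered'
    print("tty65 rule:", nar_permits(RIGHT_NAR, "10.0.0.1", SAMPLE))  # True
```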