02-26-2007 05:28 AM - edited 03-10-2019 03:00 PM
Hi .. I'm trying to restrict access to a modem attached to the aux port (2065) of a 2600.. I've created an IP based permit NAR with the AAA Client, port:2065, * .. which if I read correctly should give rev telnet access to just #.#.#.# 2065.
When I apply the NAR the failed log shows 'User Access Filtered'. If I take the NAR off it works fine so I'm pretty sure it's a group problem rather than device config.
Does the port apply to the src rather than the dst port?
02-27-2007 03:09 AM
There's good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.
Basically, the port field in the TACACS+ header is matched against the NAR port entry.
I did a quick test using tactest with an IP based NAR allowing access to a test device on port tty1 from 1.1.1.1 and it worked:
TACACS> authen login ascii login tty1 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication succeeded :
TACACS> authen login ascii login tty2 1.1.1.1
User Access Verification
Username: daz
Password: 123456
Authentication failed
Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is the one used by the NAR. I guess it's possible that for reverse telnet IOS might send the destination port.
Darran
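The thread turns on one detail: the value the NAR compares against is the port string carried inside the TACACS+ authentication START body (the line name IOS reports, e.g. tty1 or tty65), not the TCP port the reverse-telnet client connected to. The following is an added example, not code from this thread or from Cisco: it builds a TACACS+ START packet per RFC 8907 (including the MD5 body obfuscation), decodes it the way a server would, and then evaluates a permit-type IP-based NAR against the decoded fields. The shared secret, the AAA client address 10.0.0.1, the remote address 192.0.2.10 and the username are all constructed sample values; the NAR entries mirror the OP's original "2065" entry and the "tty65" entry that fixed it.

```python
import hashlib
import struct
from fnmatch import fnmatchcase

# TACACS+ constants from RFC 8907 (header type, flag bit, START body values)
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(user, port, rem_addr, key, session_id=0x1234ABCD, version=0xC0, seq_no=1):
    """Construct an authentication START packet (constructed sample, not captured traffic).
    With an empty key the body is sent in the clear and the UNENCRYPTED flag is set."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    sid = struct.pack("!I", session_id)
    flags = TAC_PLUS_UNENCRYPTED_FLAG
    if key:
        flags = 0
        pad = tacacs_pad(sid, key, version, seq_no, len(body))
        body = bytes(a ^ b for a, b in zip(body, pad))
    header = struct.pack("!4B", version, TAC_PLUS_AUTHEN, seq_no, flags) + sid + struct.pack("!I", len(body))
    return header + body


def parse_authen_start(packet, key):
    """Decode the header, unobfuscate the body if needed, and return the START fields."""
    version, ptype, seq_no, flags = struct.unpack("!4B", packet[:4])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    sid = packet[4:8]
    (length,) = struct.unpack("!I", packet[8:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = tacacs_pad(sid, key, version, seq_no, length)
        body = bytes(a ^ b for a, b in zip(body, pad))
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("length fields do not match body (wrong shared secret?)")
    off = 8
    user = body[off:off + ulen].decode()
    off += ulen
    port = body[off:off + plen].decode()
    off += plen
    rem_addr = body[off:off + rlen].decode()
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl}


def nar_permits(nar, aaa_client_ip, start):
    """Permit-type IP-based NAR: list of (AAA client, port, source address) entries; '*' matches anything.
    The AAA client IP is the TCP peer address of the TACACS+ connection (passed in here);
    the port and source address are the ones decoded from the START body."""
    def match(pattern, value):
        return pattern == "*" or fnmatchcase(value, pattern)
    return any(match(c, aaa_client_ip) and match(p, start["port"]) and match(s, start["rem_addr"])
               for c, p, s in nar)


def demo():
    key = b"constructed-shared-secret"   # hypothetical shared secret for this sample
    router = "10.0.0.1"                  # hypothetical AAA client address
    # Hypothetical login on the aux line: IOS reports the line as tty65, not TCP port 2065.
    pkt = build_authen_start("daz", "tty65", "192.0.2.10", key)
    start = parse_authen_start(pkt, key)
    tcp_port_nar = [(router, "2065", "*")]   # the OP's original NAR entry
    tty_nar = [(router, "tty65", "*")]       # the entry that resolved the thread
    return start["port"], nar_permits(tcp_port_nar, router, start), nar_permits(tty_nar, router, start)


if __name__ == "__main__":
    print(demo())   # ('tty65', False, True)
```

The port string arrives from the NAS in the obfuscated body, so a server with the wrong shared secret decodes garbage and the length check fails before any NAR is consulted; with the right secret, "2065" simply never equals "tty65", which is the "User Access Filtered" result the OP saw. Darran's tactest run maps onto the same functions: a NAR entry of (client, tty1, 1.1.1.1) permits a START carrying port tty1 and denies one carrying tty2.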
02-27-2007 03:43 AM
You're a star .. I had assumed that as the NAR was IP based, the port reflected the IP port, not the router-assigned tty ..
Putting tty65 in the NAR has resolved my problem.