
New Member

NAR to allow Reverse Telnet only

Hi .. I'm trying to restrict access to a modem attached to the aux port (2065) of a 2600.. I've created an IP based permit NAR with the AAA Client, port:2065, * .. which, if I read correctly, should give rev telnet access to just #.#.#.# 2065.

When I apply the NAR the failed log shows 'User Access Filtered'. If I take the NAR off it works fine, so I'm pretty sure it's a group problem rather than device config.

Does the port apply to the src rather than the dst port?

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: NAR to allow Reverse Telnet only

There's good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.

Basically, the port field in the TACACS+ header is matched against the NAR port entry.

I did a quick test using tactest with an IP based NAR allowing access to a test device on port tty1 from 1.1.1.1 and it worked:

    TACACS> authen login ascii login tty1 1.1.1.1
    User Access Verification
    Username: daz
    Password: 123456
    Authentication succeeded :

    TACACS> authen login ascii login tty2 1.1.1.1
    User Access Verification
    Username: daz
    Password: 123456
    Authentication failed

Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is the one used by the NAR. I guess it's possible that for reverse telnet IOS might send the destination port.

Darran
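To make the matching described above concrete, here is an added example (my own code, not from the thread, Cisco ACS or tactest) that builds and parses a TACACS+ AUTHEN START packet and then evaluates a simplified permit-style IP-based NAR against the fields the packet actually carries: the user, the NAS port string and the remote address. It assumes the RFC 8907 field layout, sets the unencrypted flag so the body can be read without a shared key, uses 192.0.2.1 as a constructed AAA client address, and models NAR entries as exact-match-or-wildcard; the `NarEntry`, `nar_permits` and `reverse_telnet_outcomes` names are mine, not ACS features. The point it shows is the one in the reply: for a reverse telnet session IOS reports the line ("tty65"), so a NAR entry of "2065" never matches.

```python
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# TACACS+ constants (RFC 8907 names); only the ones the example needs.
TAC_PLUS_HEADER_LEN = 12
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear, no shared-key obfuscation


@dataclass
class AuthenStart:
    """Fields of an AUTHEN START body that a NAR can match on."""
    user: str
    port: str       # NAS port as the device names it, e.g. "tty65" for line 65 (aux)
    rem_addr: str   # remote address of the user, e.g. "1.1.1.1"
    priv_lvl: int


def build_authen_start(user: str, port: str, rem_addr: str,
                       session_id: int = 0x01020304) -> bytes:
    """Build a minimal AUTHEN START packet (constructed test data).

    The unencrypted flag is set so the body can be parsed without a shared
    key; a real device obfuscates the body, but the field layout is the same.
    """
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1),
    # then the four length octets, then the variable-length fields in order.
    body = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, 1,
                         TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body


def parse_authen_start(pkt: bytes) -> AuthenStart:
    """Extract user, port and rem_addr from an unencrypted AUTHEN START packet."""
    if len(pkt) < TAC_PLUS_HEADER_LEN:
        raise ValueError("packet shorter than TACACS+ header")
    _ver, ptype, _seq, flags, _sid, length = struct.unpack("!BBBBII", pkt[:TAC_PLUS_HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated; shared key needed to decode")
    body = pkt[TAC_PLUS_HEADER_LEN:TAC_PLUS_HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    _action, priv, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("length fields do not add up to body length")
    off = 8
    user = body[off:off + ul].decode(); off += ul
    port = body[off:off + pl].decode(); off += pl
    rem_addr = body[off:off + rl].decode()
    return AuthenStart(user, port, rem_addr, priv)


@dataclass
class NarEntry:
    """One line of an IP-based permit NAR: AAA client, port, address (hypothetical model)."""
    aaa_client: str   # device IP or CIDR that sent the request, or "*"
    port: str         # NAS port string to match exactly, or "*"
    address: str      # user's remote address (IP or CIDR), or "*"


def _ip_matches(pattern: str, value: str) -> bool:
    if pattern == "*":
        return True
    try:
        return ip_address(value) in ip_network(pattern, strict=False)
    except ValueError:
        return pattern == value   # non-IP rem_addr (e.g. a caller id): exact match only


def nar_permits(entries, aaa_client_ip: str, start: AuthenStart) -> bool:
    """Permit-list semantics: access allowed only if some entry matches all three fields."""
    for e in entries:
        if not _ip_matches(e.aaa_client, aaa_client_ip):
            continue
        if e.port != "*" and e.port != start.port:
            continue
        if not _ip_matches(e.address, start.rem_addr):
            continue
        return True
    return False


ROUTER = "192.0.2.1"  # constructed AAA client address


def reverse_telnet_outcomes():
    """Reverse telnet to the aux port: IOS reports the line, "tty65", not TCP 2065."""
    start = parse_authen_start(build_authen_start("daz", "tty65", "1.1.1.1"))
    wrong = [NarEntry(ROUTER, "2065", "*")]   # TCP port: never equals the NAS-Port value
    right = [NarEntry(ROUTER, "tty65", "*")]  # line name: matches what the header carries
    return nar_permits(wrong, ROUTER, start), nar_permits(right, ROUTER, start)


if __name__ == "__main__":
    print(reverse_telnet_outcomes())  # (False, True)
```

The failing case is exactly the "User Access Filtered" symptom from the question: the NAR is evaluated against the NAS-Port string the device put in the packet, so the same report column Darran points to is the value to copy into the NAR entry.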

2 REPLIES
New Member

Re: NAR to allow Reverse Telnet only

You're a star .. I had assumed, as the NAR was IP based, that the port reflected the IP port, not the router-assigned tty ..

Putting tty65 in the NAR has resolved my problem.
