restricting access to devices on a per port basis

donaghq_2
Level 1

I am running ACS2.6 - I am having a problem restricting access to devices on a per port basis. Although I can restrict access to groups by defining a NAS and using a wildcard entry for port and address it will not work if I restrict on a specific port number. I am using this on an async router acting as terminal server and want to restrict access to certain groups on a certain range of ports.

Thanks

16 Replies

gfullage
Cisco Employee

The port numbers are going to change dependent on the NAS type and the interface type they're coming in on. The best way to see what the port number the NAS is actually sending, is to enable the Passed Authentications log in ACS, then look at a user who has authenticated successfully and you'll see the NAS-port attribute in the log. If you then set the port number to this then it should work for you.

Thanks for your suggestion. I have looked at the failed authentications list and see the user I have set up and the port number. The port number in question is 36 and the authentication failure code is User Access Filtered, which suggests I am doing something wrong. I telnet to the router with its address on port number 2036. Under network configuration I have defined the NAS. Under the group settings I have chosen this NAS (permitted calling/point of access locations) location and have put in 36 (I also tried 2036) as the port number and * as the address. Unfortunately this warrants the same error all the time, i.e. user access filtered. I have tried a few different combinations and none of them work. I have also tried putting in * for port number and this works fine. Any more ideas?

Thank You.

It appears you are using a Terminal Server if I understand correctly. If that is the case, enable:

aaa authorization reverse-access default tacacs+

It is a good idea to add local at the end and create a local username in case the AAA Server is down.

Let us know if this works.

I don't think this is your issue, so please send a copy of captured debug aaa authorization from the terminal server.

Hi

Unfortunately this still does not work. Here is a copy of the config I am using.

aaa new-model
aaa authentication login secure group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization reverse-access default group tacacs+
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default stop-only group tacacs+

line con 0
 password 7 01101100584611076C5E5A444957232632
 login authentication secure
 transport input none
line 33 64
 session-timeout 20
 no exec
 exec-timeout 15 0
 password 7 04581C020C6C5B46440B115A42592F3013
 login authentication secure
 transport input telnet
line aux 0
line vty 0 4
 exec-timeout 15 0
 password 7 15111C0807673C2C6521216F4355203738
 login authentication secure

Normally I do not have any authorization commands. I still get the same error in the failed authentications list.

Thanks.

Looks like you are missing EXEC authorization:

aaa authorization exec default group tacacs+

If this doesn't work, send debug aaa authent and debug aaa author

I have tried to enter both of those authorization commands and not only does it not work, but other users cannot access any of the devices! Here is the debug for authentication and authorization. The username is DONAGH and the port I am trying to access on is 50. Interestingly, in the failed attempts log the authentication failure code for the other rejected users is "Unknown".

.Nov 28 11:58:38: AAA: parse name=tty50 idb type=10 tty=50
.Nov 28 11:58:38: AAA: name=tty50 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=50 channel=0
.Nov 28 11:58:38: AAA/MEMORY: create_user (0x80DDFB1C) user='' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII ser1
.Nov 28 11:58:38: AAA/AUTHEN/START (3902359370): port='tty50' list='secure' action=LOGIN service=LOGIN
.Nov 28 11:58:38: AAA/AUTHEN/START (3902359370): found list secure
.Nov 28 11:58:38: AAA/AUTHEN/START (3902359370): Method=tacacs+ (tacacs+)
.Nov 28 11:58:38: TAC+: send AUTHEN/START packet ver=192 id=3902359370
.Nov 28 11:58:39: TAC+: ver=192 id=3902359370 received AUTHEN status = GETUSER
.Nov 28 11:58:39: AAA/AUTHEN (3902359370): status = GETUSER
.Nov 28 11:58:41: AAA/AUTHEN/CONT (3902359370): continue_login (user='(undef)')
.Nov 28 11:58:41: AAA/AUTHEN (3902359370): status = GETUSER
.Nov 28 11:58:41: AAA/AUTHEN (3902359370): Method=tacacs+ (tacacs+)
.Nov 28 11:58:41: TAC+: send AUTHEN/CONT packet id=3902359370
.Nov 28 11:58:41: TAC+: ver=192 id=3902359370 received AUTHEN status = GETPASS
.Nov 28 11:58:41: AAA/AUTHEN (3902359370): status = GETPASS
.Nov 28 11:58:46: AAA/AUTHEN/CONT (3902359370): continue_login (user='DONAGH')
.Nov 28 11:58:46: AAA/AUTHEN (3902359370): status = GETPASS
.Nov 28 11:58:46: AAA/AUTHEN (3902359370): Method=tacacs+ (tacacs+)
.Nov 28 11:58:46: TAC+: send AUTHEN/CONT packet id=3902359370
.Nov 28 11:58:46: TAC+: ver=192 id=3902359370 received AUTHEN status = FAIL
.Nov 28 11:58:46: AAA/AUTHEN (3902359370): status = FAIL
.Nov 28 11:58:47: AAA/MEMORY: free_user (0x80B66C60) user='oflynnb' ruser='' port='tty36' rem_addr='10.152.16.70' authen_type=ASCII1
.Nov 28 11:58:48: AAA/MEMORY: free_user (0x80DDFB1C) user='DONAGH' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII1
.Nov 28 11:58:48: AAA: parse name=tty50 idb type=10 tty=50
.Nov 28 11:58:48: AAA: name=tty50 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=50 channel=0
.Nov 28 11:58:48: AAA/MEMORY: create_user (0x80B66C60) user='' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII ser1
.Nov 28 11:58:48: AAA/AUTHEN/START (3808424197): port='tty50' list='secure' action=LOGIN service=LOGIN
.Nov 28 11:58:48: AAA/AUTHEN/START (3808424197): found list secure
.Nov 28 11:58:48: AAA/AUTHEN/START (3808424197): Method=tacacs+ (tacacs+)
.Nov 28 11:58:48: TAC+: send AUTHEN/START packet ver=192 id=3808424197
.Nov 28 11:58:49: TAC+: ver=192 id=3808424197 received AUTHEN status = GETUSER
.Nov 28 11:58:49: AAA/AUTHEN (3808424197): status = GETUSER

Many Thanks
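As an added illustration (not code from this thread or from Cisco), the following Python parses debug aaa authentication output in the format posted above, groups it by AAA session id to recover the tty the NAS actually reports for each user and the final TACACS+ status, and checks that tty against the line 33 64 range the group restriction is meant to cover. The sample lines are constructed; the 2000+N mapping is the IOS reverse-telnet convention (TCP port 2036 reaches line 36).

```python
import re

# Constructed sample lines in the format of the "debug aaa authentication"
# output posted in this thread (not the thread's own lines).
SAMPLE_DEBUG = """\
.Nov 28 11:58:38: AAA/AUTHEN/START (3902359370): port='tty50' list='secure' action=LOGIN service=LOGIN
.Nov 28 11:58:41: AAA/AUTHEN/CONT (3902359370): continue_login (user='(undef)')
.Nov 28 11:58:41: TAC+: ver=192 id=3902359370 received AUTHEN status = GETPASS
.Nov 28 11:58:46: AAA/AUTHEN/CONT (3902359370): continue_login (user='DONAGH')
.Nov 28 11:58:46: TAC+: ver=192 id=3902359370 received AUTHEN status = FAIL
.Nov 28 11:58:50: AAA/AUTHEN/START (3808424197): port='tty36' list='secure' action=LOGIN service=LOGIN
.Nov 28 11:58:55: AAA/AUTHEN/CONT (3808424197): continue_login (user='oflynnb')
.Nov 28 11:58:55: TAC+: ver=192 id=3808424197 received AUTHEN status = PASS
"""

START_RE = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='(\w+)'")
CONT_RE = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
STATUS_RE = re.compile(r"id=(\d+) received AUTHEN status = (\w+)")


def parse_sessions(debug_text):
    """Group debug lines by AAA session id -> {port, line, user, status}.
    The last 'received AUTHEN status' seen for a session is its final result."""
    sessions = {}
    for text in debug_text.splitlines():
        if m := START_RE.search(text):
            port = m.group(2)  # e.g. 'tty50' -> async line 50
            sessions[m.group(1)] = {"port": port, "user": None, "status": None,
                                    "line": int(re.search(r"\d+", port).group())}
        elif (m := CONT_RE.search(text)) and m.group(2) != "(undef)":
            sessions[m.group(1)]["user"] = m.group(2)
        elif (m := STATUS_RE.search(text)) and m.group(1) in sessions:
            sessions[m.group(1)]["status"] = m.group(2)
    return sessions


def reverse_telnet_line(tcp_port):
    """IOS reverse telnet: TCP port 2000+N reaches async line N (2036 -> 36)."""
    return tcp_port - 2000


def line_in_range(line, first, last):
    """True if an async line number falls inside a 'line first last' range."""
    return first <= line <= last


def report(sessions, first, last):
    """Per session: user, tty the NAS reported, whether it is in the restricted
    range, and the final status. Compare the tty with the NAS-port value in ACS."""
    return {sid: (s["user"], s["line"], line_in_range(s["line"], first, last), s["status"])
            for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, row in report(parse_sessions(SAMPLE_DEBUG), 33, 64).items():
        print(sid, *row)
```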

Hi

Do you have any further suggestions on this? Your help is appreciated.

Regards

Donagh

When you enforce exec authorization with the aaa authorization exec command you have to have the service=shell attribute assigned. That is why when you entered the command the users failed. Make sure the shell/exec option is checked for the user or group.

EXEC authorization should enforce your port filtering, if you have it properly configured.

I noticed one of your users is failing authentication currently, is this your issue now?

Hello

I have tried that and once again it fails, unfortunately. I have ticked the shell (exec) box under TACACS+ settings under the group that the user DONAGH is a member of. This is a debug aaa authentication:

.Dec 18 15:46:04: AAA/AUTHEN/CONT (3332232762): continue_login (user='(undef)')
.Dec 18 15:46:04: AAA/AUTHEN (3332232762): status = GETUSER
.Dec 18 15:46:04: AAA/AUTHEN (3332232762): Method=tacacs+ (tacacs+)
.Dec 18 15:46:04: TAC+: send AUTHEN/CONT packet id=3332232762
.Dec 18 15:46:04: TAC+: ver=192 id=3332232762 received AUTHEN status = GETPASS
.Dec 18 15:46:04: AAA/AUTHEN (3332232762): status = GETPASS
.Dec 18 15:46:07: AAA/AUTHEN/CONT (3332232762): continue_login (user='DONAGH')
.Dec 18 15:46:07: AAA/AUTHEN (3332232762): status = GETPASS
.Dec 18 15:46:07: AAA/AUTHEN (3332232762): Method=tacacs+ (tacacs+)
.Dec 18 15:46:07: TAC+: send AUTHEN/CONT packet id=3332232762
.Dec 18 15:46:07: TAC+: ver=192 id=3332232762 received AUTHEN status = FAIL
.Dec 18 15:46:07: AAA/AUTHEN (3332232762): status = FAIL
.Dec 18 15:46:09: AAA/MEMORY: free_user (0x80DDF340) user='DONAGH' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII1

This is my current config:

aaa new-model
aaa authentication login secure group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+
aaa authorization reverse-access default group tacacs+
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting system default stop-only group tacacs+

When this is in place, users that have access restrictions to a NAS based on any address and any port number get denied with "% Authorization failed". I tried to tick the shell (exec) box for this group but that did not work either. When I remove the line "aaa authorization reverse-access default group tacacs+" they can log in. When I try this with the user DONAGH, who is a member of the group that has access restrictions based on port number, I get "% Authentication failed".

I also tried to put the command for lines 33 64:

authorization exec default

but this does not work either. I still get "% Authentication failed".

Thanks

Get rid of the 'reverse-access' list for good, you don't need it for this.

If you are failing authentication, you have other issues before you even get to Authorization.

I have never done port filtering in CSNT but have with Unix and it uses EXEC authorization to enforce this. Apparently CSNT uses authentication from what you are telling me.

My guess is you have the user or group profile configured incorrectly. Post the output of debug aaa authentication and debug tacacs+ synonymously.

I removed the reverse-access config. Here is a copy of the debug when it does not work. Interestingly, when I change the access restrictions so that the user can access the NAS on every port number, i.e. * in the config, IT WORKS!

.Dec 18 17:43:04: AAA/MEMORY: free_user (0x80DED910) user='DONAGH' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII1
.Dec 18 17:43:07: AAA: parse name=tty50 idb type=10 tty=50
.Dec 18 17:43:07: AAA: name=tty50 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=50 channel=0
.Dec 18 17:43:07: AAA/MEMORY: create_user (0x80DE0468) user='' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII ser1
.Dec 18 17:43:07: AAA/AUTHEN/START (3630906745): port='tty50' list='secure' action=LOGIN service=LOGIN
.Dec 18 17:43:07: AAA/AUTHEN/START (3630906745): found list secure
.Dec 18 17:43:07: AAA/AUTHEN/START (3630906745): Method=tacacs+ (tacacs+)
.Dec 18 17:43:07: TAC+: send AUTHEN/START packet ver=192 id=3630906745
.Dec 18 17:43:07: TAC+: Using default tacacs server-group "tacacs+" list.
.Dec 18 17:43:07: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Dec 18 17:43:07: TAC+: Opened TCP/IP handle 0x80DF08E4 to x.x.x.x/49 using source 10.152.12.242
.Dec 18 17:43:07: TAC+: x.x.x.x (3630906745) AUTHEN/START/LOGIN/ASCII queued
.Dec 18 17:43:07: TAC+: (3630906745) AUTHEN/START/LOGIN/ASCII processed
.Dec 18 17:43:07: TAC+: ver=192 id=3630906745 received AUTHEN status = GETUSER
.Dec 18 17:43:07: AAA/AUTHEN (3630906745): status = GETUSER
.Dec 18 17:43:10: AAA/AUTHEN/CONT (3630906745): continue_login (user='(undef)')
.Dec 18 17:43:10: AAA/AUTHEN (3630906745): status = GETUSER
.Dec 18 17:43:10: AAA/AUTHEN (3630906745): Method=tacacs+ (tacacs+)
.Dec 18 17:43:10: TAC+: send AUTHEN/CONT packet id=3630906745
.Dec 18 17:43:10: TAC+: x.x.x.x (3630906745) AUTHEN/CONT queued
.Dec 18 17:43:11: TAC+: (3630906745) AUTHEN/CONT processed
.Dec 18 17:43:11: TAC+: ver=192 id=3630906745 received AUTHEN status = GETPASS
.Dec 18 17:43:11: AAA/AUTHEN (3630906745): status = GETPASS
.Dec 18 17:43:14: AAA/AUTHEN/CONT (3630906745): continue_login (user='DONAGH')
.Dec 18 17:43:14: AAA/AUTHEN (3630906745): status = GETPASS
.Dec 18 17:43:14: AAA/AUTHEN (3630906745): Method=tacacs+ (tacacs+)
.Dec 18 17:43:14: TAC+: send AUTHEN/CONT packet id=3630906745
.Dec 18 17:43:14: TAC+: x.x.x.x (3630906745) AUTHEN/CONT queued
.Dec 18 17:43:14: TAC+: (3630906745) AUTHEN/CONT processed
.Dec 18 17:43:14: TAC+: ver=192 id=3630906745 received AUTHEN status = FAIL
.Dec 18 17:43:14: AAA/AUTHEN (3630906745): status = FAIL
.Dec 18 17:43:16: TAC+: Closing TCP/IP 0x80DF08E4 connection to x.x.x.x/49
.Dec 18 17:43:16: AAA/MEMORY: free_user (0x80DE0468) user='DONAGH' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII1
.Dec 18 17:43:16: AAA: parse name=tty50 idb type=10 tty=50
.Dec 18 17:43:16: AAA: name=tty50 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=50 channel=0
.Dec 18 17:43:16: AAA/MEMORY: create_user (0x80DE0468) user='' ruser='' port='tty50' rem_addr='10.152.21.126' authen_type=ASCII ser1
.Dec 18 17:43:16: AAA/AUTHEN/START (789921102): port='tty50' list='secure' action=LOGIN service=LOGIN
.Dec 18 17:43:16: AAA/AUTHEN/START (789921102): found list secure
.Dec 18 17:43:16: AAA/AUTHEN/START (789921102): Method=tacacs+ (tacacs+)
.Dec 18 17:43:16: TAC+: send AUTHEN/START packet ver=192 id=789921102
.Dec 18 17:43:16: TAC+: Using default tacacs server-group "tacacs+" list.
.Dec 18 17:43:16: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=5
.Dec 18 17:43:16: TAC+: Opened TCP/IP handle 0x80DF0D60 to x.x.x.x/49 using source 10.152.12.242
.Dec 18 17:43:16: TAC+: x.x.x.x (789921102) AUTHEN/START/LOGIN/ASCII queued
.Dec 18 17:43:16: TAC+: (789921102) AUTHEN/START/LOGIN/ASCII processed
.Dec 18 17:43:16: TAC+: ver=192 id=789921102 received AUTHEN status = GETUSER

From the debugs, it looks like your issue is in the group or user configuration. I'd have to test this in the lab to see if I can get it working.

So does that mean you will try it out and come back to me?! :-)
