topic Re: NAR to allow Reverse Telnet only in Network Access Control

NAR to allow Reverse Telnet only

pregan — Sun, 10 Mar 2019 22:00:35 GMT

Hi .. i'm trying to restrict access to a modem attached to the aux port (2065)of a 2600.. i've created an IP based permit NAR with the AAA Client, port:2065, * .. which if i read correctly should give rev telnet access to just #.#.#.# 2065.

when i apply the nar the failed log shows 'User Access Filtered'. if i take the nar off it works fine so i'm pretty sure its a group problem rather than device config.

does the port apply to the src rather than dst port ?

Re: NAR to allow Reverse Telnet only

darpotter — Tue, 27 Feb 2007 11:09:08 GMT

Theres good info here (http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml#wp39282) about where the data port field comes from.

Basically from the port field in the TACACS+ header is matched against the NAR port entry.

I did a quick test using tactest with an IP based NAR allowing access to a test device on port tty1 from 1.1.1.1 and it worked:

TACACS> authen login ascii login tty1 1.1.1.1

User Access Verification

Username: daz

Password: 123456

Authentication succeeded :

TACACS> authen login ascii login tty2 1.1.1.1

User Access Verification

Username: daz

Password: 123456

Authentication failed

Look in your Failed Attempts report. Whatever value is in the "NAS-Port" column is one used by the NAR. I guess its possible for reverse telnet IOS might send the destination port.

Darran

Re: NAR to allow Reverse Telnet only

pregan — Tue, 27 Feb 2007 11:43:28 GMT

your a star .. i had assumed as the NAR was IP based that the port reflected the IP port not the router assigned tty ..

putting tty65 in the NAR has resolved my problem.