AAA killed my reverse telnet

kevtown (Level 1)

I am trying to allow my users to reverse telnet to a US Robotics Sportster 56K modem which is connected to the auxiliary port of a Cisco 1710. First I want them to authenticate against either the local or radius user databases. I have been able to reverse telnet into the modem using the configuration listed below if I disable aaa new-model and telnet in without authentication. I have performed debugging on AAA Authentication and AAA Authorization and only receive this output while attempting to authenticate:

02:55:33: AAA/AUTHEN/LOGIN (00000025): Pick method list 'default'
02:55:39: AAA/AUTHOR/CONN(00000025): Authorization FAILED for tty5

At which point I will get a message stating that my connection has been closed by foreign host.

The same local user account works fine when attempting to telnet to a vty port in EXEC mode.

I have also attempted to set all the aaa defaults none so that no authentication takes place and it still terminates my connections in the same way.

Additionally, in possibly a related issue, when I do a "show user" the user field is blank. On other routers I have done this with, it shows the name of the user that is logged onto the port.

Any help would be greatly appreciated.

FYI - This configuration is a work in progress; there are some things, such as radius client configurations, that I have not yet configured.

version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname mycisco1710
!
logging rate-limit console 10 except errors
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa authorization reverse-access default local group radius
aaa session-id common
enable secret 5 XXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXX
!
username test password 7 XXXXXXXXXXXXXXXX
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip routing
!
!
ip host modem 2005 140.188.164.47
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
!
interface Ethernet0
 no ip address
 no ip route-cache
 no ip mroute-cache
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 172.16.11.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 speed auto
 half-duplex
!
interface Async5
 no ip address
 encapsulation ppp
 async mode interactive
 ppp authentication chap pap
!
ip classless
no ip http server
!
!
!
!
line con 0
line aux 0
 exec-timeout 0 0
 modem InOut
 modem autoconfigure type default
 transport preferred none
 transport input all
 autoselect during-login
 autoselect ppp
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 exec-timeout 0 0
line vty 5 15
!
end

2 Replies

mmellet (Level 3)

Take a look at this line:

aaa authorization reverse-access default local group radius

May want to change it to:

aaa authorization reverse-access radius

A good link on this is below: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_r/srprt1/srauth.htm#xtocid1560415

skaragozian (Level 1)

Hi Kevtown,

Looking at your AAA config, why do you need the word local after default? Try:

aaa authorization reverse-access default group radius

Also go to Cisco Documentation: Configuring Authorization.

Cisco has good examples for reverse telnet via ACS/AAA server authentication.

Sarkis
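Both replies point at the same line of the posted config. As an added example (not code from the thread or from Cisco), here is a small Python check that parses the aaa authorization lines of a running-config, flags a reverse-access method list that includes local, and produces the line the replies suggest; the config excerpt is constructed from the original post, and the audit rule simply encodes the replies' advice.

```python
import re

# Constructed sample: the AAA and aux-line parts of the running-config posted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa authorization reverse-access default local group radius
ip host modem 2005 140.188.164.47
line aux 0
 transport input all
"""

# aaa authorization <type> <list-name> <method> [<method> ...]
AAA_AUTHZ = re.compile(r"^aaa authorization (\S+) (\S+) (.+)$")


def parse_authorization(config):
    """Return {(type, list_name): [methods]} for every aaa authorization line.
    'group radius' / 'group tacacs+' is kept together as one method."""
    result = {}
    for raw in config.splitlines():
        m = AAA_AUTHZ.match(raw.strip())
        if not m:
            continue  # single-keyword forms (config-commands, console) carry no list
        authz_type, list_name, rest = m.groups()
        tokens = rest.split()
        methods = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        result[(authz_type, list_name)] = methods
    return result


def audit_reverse_access(config):
    """Flag reverse-access lists that include 'local' (the pattern both replies
    in this thread point at) and return the corrected line they suggest."""
    findings = []
    for (authz_type, list_name), methods in parse_authorization(config).items():
        if authz_type != "reverse-access" or "local" not in methods:
            continue
        fixed = " ".join(m for m in methods if m != "local")
        findings.append({
            "list": list_name,
            "methods": methods,
            "suggested": f"aaa authorization reverse-access {list_name} {fixed}",
        })
    return findings


if __name__ == "__main__":
    for f in audit_reverse_access(SAMPLE_CONFIG):
        print(f"list '{f['list']}' uses {f['methods']} -> {f['suggested']}")
```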