cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1640
Views
0
Helpful
8
Replies

Restricting TELNET on port 7001

jvanwa1
Level 1
Level 1

We are using the DialOut-EZ software to dial out via an AS5300 running version 12.0 and authentication via a CISCOSECURE TACACS server. TACACS also provides authentication for logging in to the AS5300 for CLI.

Works fine but we discovered clients can inadvertently use Hyperterminal or other TELNET software to get in to the AS5300 on port 7001. It will then ask them for a password and they can change the password assigned to the dial out users in TACACS.

How can I restrict the dial out users so they can not TELNET in via port 7001 in to the AS5300 but still use 7001 for the dial out?

Thanks.

8 Replies 8

zahmed
Cisco Employee
Cisco Employee

Your question is not too clear to me. Do you mean the dialout-EZ users do a "telnet 1.1.1.1 7001" (Where 1.1.1.1 is the ip address of the 5300) and they land on router prompt?

~Zulfi

Yes. Here is what it looks like

* WARNING This computer employs a security system to prevent

unauthorized access. It is unlawful to attempt to use

this computer or gain access to the data stored, maintained

or processed.

Username:

User Access Verification

Username: the_dialout_userid

Password:

Old Password:

Tacacs is the one which is asking for the password and old password..Now on the successful authentication, do you get the router prompt?..If YES then somehow that telnet software is ignoring the port 7001 during telnet. 7001 is the rotary port and with "rotary 1" configured under the line config, it should connect you with the next available modem.

Yep, TACACS is asking for the pw. See the screen copy below.

************************

User Access Verification

Username: dial_out_users

Password:

Old Password:

New Password:

Re-enter New password:

Password Changed

************************

My biggest concern is the user can change the TACACS password (as shown above). My other concern is why a W2K machince get this when connecting to COM4 and my W2K does not; but, that problem may be the W2K and DialOutEz config.

I think there must be a way to disable that password change offer in TACACS..Who is a vendor for TACACS..?

Now fire up the DOS prompt on Win2K and do "telnet x.x.x.x 7001" where x.x.x.x is the ip of router..and see what you are getting..You should get the modem on successful authentication..That process is being automated by DialOut-EZ using virtual com port..Thx..Tejal

Telneting in via port 7001 gets me the Username: and Password: prompt displays I sent you. And if I enter the userid and password I do get to the modem and can issue AT commands.

The problem is the user can change the password if they press ENTER at the first Password: prompt.

I'm running CiscoSecure ACS 2.4 as my TACACS; why does it allow me to change the password ? Will I have to put something in the Network Access Restrictions in the userid's account in TACACS to prevent this ?

Thanks.

tepatel
Cisco Employee
Cisco Employee

If your users do a telnet to ip of the 5300 and port 7001 then after successful authentication, they should get the modem, not the router prompt, where they can use the atdtxxxx to dialout.

Pl. post the config and also explain your problem in little detail..Thx..Tejal

When telneting to port 7001 or using the DialOut software pointing to COM4 a connection is made to the router, not the modem. See the last post I made.

Here is the config. Thanks.

!

version 12.0

service timestamps debug datetime msec

service timestamps log datetime

service password-encryption

!

hostname EPE_AS5300

!

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login no_tacacs local

aaa authentication ppp default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization network default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

enable password 7 001asdfasdasdasd5E

!

username Chelmont password 7 010asdfasdfsdf5E70

username Fabens password 7 061asdfasasdfasd54

username Anthony password 7 1asdfasfasfd7A7579

username cisco password 7 14asdfasdfasdfaA75

username VHCASHIER password 7 1asdfasdfasdfasdfasdfasdfasfasasf6061318

username SBCASHIER password 7 02asdfasdfasdfsadfasfa18070E10041C47

username HTCASHIER password 7 08asdfasdfasdfasdfasdfasfsafas3C27303033041E0A0D53

spe 1/0 1/7

firmware location system:/ucode/mica_port_firmware

!

!

resource-pool disable

!

!

!

!

!

ip subnet-zero

ip domain-name intra.epelectric.com

ip name-server 172.19.1.103

ip name-server 192.168.234.41

!

async-bootp dns-server 172.19.1.103 192.168.234.41

isdn switch-type primary-5ess

mta receive maximum-recipients 0

!

!

controller T1 0

framing esf

clock source line primary

linecode b8zs

pri-group timeslots 1-24

description PRI coming through PBX

!

controller T1 1

framing esf

clock source line secondary 1

linecode b8zs

pri-group timeslots 1-24

description PRI coming directly in from ESPIRE

!

controller T1 2

shutdown

!

controller T1 3

shutdown

!

!

process-max-time 200

!

interface Loopback0

ip address 172.23.251.1 255.255.255.0

no ip directed-broadcast

!

interface Ethernet0

description

ip address 192.168.250.3 255.255.255.0

no ip directed-broadcast

no mop enabled

!

interface Serial0:23

ip unnumbered Ethernet0

no ip directed-broadcast

encapsulation ppp

dialer-group 1

isdn switch-type primary-5ess

isdn incoming-voice modem

ppp authentication chap pap

!

interface Serial1:23

ip unnumbered Ethernet0

no ip directed-broadcast

encapsulation ppp

dialer rotary-group 1

dialer-group 1

isdn switch-type primary-5ess

isdn incoming-voice modem

!

interface FastEthernet0

no ip address

no ip directed-broadcast

shutdown

!

interface Group-Async1

ip unnumbered Loopback0

no ip directed-broadcast

encapsulation ppp

ip tcp header-compression passive

async mode interactive

peer default ip address pool epedialin

ppp authentication chap pap

group-range 1 48

!

interface Dialer1

ip address 172.23.250.1 255.255.255.0

no ip directed-broadcast

encapsulation ppp

dialer in-band

dialer idle-timeout 7200

dialer map ip 172.23.1.1 name Chelmont broadcast 97803336

dialer map ip 172.23.2.1 name Fabens

dialer-group 1

ppp authentication chap pap

!

router eigrp 555

network 172.23.0.0

network 192.168.250.0

!

router rip

redistribute connected

redistribute static

network 192.168.250.0

!

ip local pool epedialin 172.23.251.2 172.23.251.250

no ip http server

ip classless

ip route 172.23.1.0 255.255.255.0 172.23.1.1

ip route 172.23.2.0 255.255.255.0 172.23.2.1

ip route 172.23.3.0 255.255.255.0 172.23.3.1

ip route 172.23.101.0 255.255.255.0 172.23.250.101

ip route 172.23.102.0 255.255.255.0 172.23.250.102

ip route 172.23.103.0 255.255.255.0 172.23.250.103

ip route 172.23.104.0 255.255.255.0 172.23.250.104

ip route 172.23.105.0 255.255.255.0 172.23.250.105

ip route 172.23.106.0 255.255.255.0 172.23.250.106

ip route 172.23.107.0 255.255.255.0 172.23.250.107

ip route 172.23.108.0 255.255.255.0 172.23.250.108

ip route 172.23.109.0 255.255.255.0 172.23.250.109

ip route 172.23.110.0 255.255.255.0 172.23.250.110

ip route 172.23.254.0 255.255.255.0 172.23.250.254

!

access-list 101 permit ip any any

dialer-list 1 protocol ip permit

tacacs-server host 192.168.224.19

tacacs-server timeout 20

tacacs-server key 34ygrdcnty

snmp-server engineID local 000000090200003080BD3F6E

snmp-server community wwwww RO

snmp-server community wwwww RW

snmp-server location ELP,Centre

snmp-server contact Information Technology

snmp-server chassis-id RTR777

banner motd

* WARNING This computer employs a security system to prevent

unauthorized access. It is unlawful to attempt to use

this computer or gain access to the data stored, maintained

or processed.

!

line con 0

login authentication no_tacacs

transport input none

line 1 24

autoselect during-login

autoselect ppp

modem Dialin

transport preferred pad telnet rlogin udptn mop v120 lapb-ta

transport output pad telnet rlogin udptn mop v120 lapb-ta

line 25 47

autoselect during-login

autoselect ppp

modem InOut

rotary 1

transport preferred pad telnet rlogin udptn mop v120 lapb-ta

transport input all

transport output pad telnet rlogin udptn mop v120 lapb-ta

line 48

autoselect during-login

autoselect ppp

modem Dialin

transport preferred pad telnet rlogin udptn mop v120 lapb-ta

transport output pad telnet rlogin udptn mop v120 lapb-ta

line aux 0

line vty 0 4

password 7 105EasdfasfasdfA5D

!

!

scheduler interval 1000

end

Review Cisco Networking for a $25 gift card