To configure a network access server to request authorization information from a security server before allowing a user to establish a reverse Telnet session, use the aaa authorization reverse-access global configuration command. Use the no form of this command to restore the default value for this command.
aaa authorization reverse-access {radius | tacacs+}
no aaa authorization reverse-access {radius | tacacs+}
radius Specifies that the network access server will request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session.
tacacs+ Specifies that the network access server will request authorization from a TACACS+ security server before allowing a user to establish a reverse Telnet session.
The default for this command is disabled, meaning that authorization for reverse Telnet is not requested.
Command mode: global configuration.
Release | Modification
---|---
11.3 | This command was introduced.
Telnet is a standard terminal emulation protocol used for remote terminal connection. Normally, you log in to a network access server (typically through a dialup connection) and then use Telnet to access other network devices from that network access server. There are times, however, when it is necessary to establish a reverse Telnet session. In a reverse Telnet session the Telnet connection is established in the opposite direction: from inside the network to a network access server on the network periphery, in order to reach modems or other devices attached to that network access server. Reverse Telnet is used to provide users with dialout capability by allowing them to Telnet to modem ports attached to a network access server.
It is important to control access to ports accessible through reverse Telnet. Failure to do so could, for example, allow unauthorized users free access to modems where they can trap and divert incoming calls or make outgoing calls to unauthorized destinations.
Authentication during reverse Telnet is performed through the standard AAA login procedure for Telnet. Typically the user has to provide a username and password to establish either a Telnet or reverse Telnet session. This command provides an additional (optional) level of security by requiring authorization in addition to authentication. When this command is enabled, reverse Telnet authorization can use RADIUS or TACACS+ to authorize whether or not this user is allowed reverse Telnet access to specific asynchronous ports, after the user successfully authenticates through the standard Telnet login procedure.
The following example causes the network access server to request authorization information from a TACACS+ security server before allowing a user to establish a reverse Telnet session:
aaa new-model
aaa authentication login default tacacs+
aaa authorization reverse-access tacacs+
!
tacacs-server host 172.31.255.0
tacacs-server timeout 90
tacacs-server key goaway
The lines in this sample TACACS+ reverse Telnet authorization configuration are defined as follows:
- aaa new-model enables the AAA security services.
- aaa authentication login default tacacs+ makes TACACS+ the default method for authenticating users at login, which is the authentication step that precedes reverse Telnet authorization.
- aaa authorization reverse-access tacacs+ causes the network access server to request authorization from the TACACS+ server before allowing a user to establish a reverse Telnet session.
- tacacs-server host 172.31.255.0 identifies the TACACS+ server by IP address.
- tacacs-server timeout 90 sets the number of seconds the network access server waits for a response from the TACACS+ server.
- tacacs-server key goaway sets the shared key used to encrypt the traffic between the network access server and the TACACS+ server. The key is stored in the configuration, so it must match the key configured on the server and should be treated as a secret.
The following example configures a generic TACACS+ server to grant a user, "jim," reverse Telnet access to port tty2 on the network access server named "site1" and to port tty5 on the network access server named "site2":
user = jim {
login = cleartext lab
service = raccess {
port#1 = site1/tty2
port#2 = site2/tty5
}
}
In this example, "site1" and "site2" are the configured host names of network access servers, not DNS names or alias.
The following example configures the TACACS+ server (CiscoSecure) to authorize a user named "jim" for reverse Telnet. The raccess clause allows reverse Telnet to port tty1 on the network access server named "c2511e0" and refuses every other port:
user = jim
profile_id = 90
profile_cycle = 1
member = Tacacs_Users
service=shell {
default cmd=permit
}
service=raccess {
allow "c2511e0" "tty1" ".*"
refuse ".*" ".*" ".*"
}
password = clear "goaway"
CiscoSecure supports reverse Telnet only through its command-line interface in versions 2.1(x) through 2.2(1).
An empty "service=raccess {}" clause permits a user to have unconditional access to network access server ports for reverse Telnet. If no "service=raccess" clause exists, the user is denied access to any port for reverse Telnet.
For more information about configuring TACACS+, refer to the "Configuring TACACS+" chapter in the Security Configuration Guide. For more information about configuring CiscoSecure, refer to the CiscoSecure Access Control Server User Guide, version 2.1(2) or later.
The following example causes the network access server to request authorization from a RADIUS security server before allowing a user to establish a reverse Telnet session:
aaa new-model
aaa authentication login default radius
aaa authorization reverse-access radius
!
radius-server host 172.31.255.0
radius-server key goaway
The lines in this sample RADIUS reverse Telnet authorization configuration are defined as follows:
- aaa new-model enables the AAA security services.
- aaa authentication login default radius makes RADIUS the default method for authenticating users at login.
- aaa authorization reverse-access radius causes the network access server to request authorization from the RADIUS server before allowing a user to establish a reverse Telnet session.
- radius-server host 172.31.255.0 identifies the RADIUS server by IP address.
- radius-server key goaway sets the shared secret used to authenticate the traffic between the network access server and the RADIUS server; it must match the secret configured on the server.
The following example configures the RADIUS server to grant a user named "jim" reverse Telnet access to port tty2 on the network access server "site1":
Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=site1/tty2"
As with TACACS+, an empty raccess clause (a raccess cisco-avpair that lists no port entries of the form "port#1=nasname1/tty2") permits the user unconditional access to network access server ports for reverse Telnet. If the profile contains no raccess attribute at all, the user is denied reverse Telnet access to every port. Port entries name the network access server by its configured host name, not by a DNS name or alias.
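The following Python is an added illustration, not code from this page or from Cisco, of the authorization decision the two server examples above describe. It reads the port list from a generic TACACS+ profile (service = raccess) and from RADIUS cisco-avpair attributes, then applies the rules stated for both: a listed nas/line pair permits exactly that port, an empty raccess clause permits every port, and a missing clause denies every port. It does not speak TACACS+ or RADIUS on the wire. The profile text, user names, host names and the tac_plus-style braces are constructed for the example.

```python
"""Reverse Telnet (raccess) authorization decision.

Added illustration of the semantics in this command reference; it is not
Cisco code and performs no network exchange.  All profile text and host
names are constructed for the example."""
import re
from typing import Dict, List, Optional

# Constructed generic (tac_plus style) TACACS+ profiles: "jim" has an
# explicit port list, "ann" an empty raccess clause, "bob" no clause at all.
TACACS_PROFILES = """
user = jim {
    login = cleartext lab
    service = raccess {
        port#1 = site1/tty2
        port#2 = site2/tty5
    }
}
user = ann {
    login = cleartext lab
    service = raccess {
    }
}
user = bob {
    login = cleartext lab
}
"""

# Constructed cisco-avpair values a RADIUS server would return for the
# same users in its Access-Accept.
RADIUS_AVPAIRS: Dict[str, List[str]] = {
    "jim": ["raccess:port#1=site1/tty2", "raccess:port#2=site2/tty5"],
    "bob": [],
}

_USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
_RACCESS_RE = re.compile(r"service\s*=\s*raccess\s*\{(.*?)\}", re.S)
_PORT_RE = re.compile(r"port#\d+\s*=\s*(\S+)/(\S+)")


def tacacs_raccess_ports(profiles: str, user: str) -> Optional[List[str]]:
    """Port list from a user's service = raccess clause.

    None  -> no raccess clause (or unknown user)
    []    -> clause present but empty
    else  -> ["nas/line", ...] exactly as written in the profile
    """
    for m in _USER_RE.finditer(profiles):
        if m.group(1) != user:
            continue
        clause = _RACCESS_RE.search(m.group(2))
        if clause is None:
            return None
        return [f"{nas}/{line}" for nas, line in _PORT_RE.findall(clause.group(1))]
    return None


def radius_raccess_ports(avpairs: List[str]) -> Optional[List[str]]:
    """Same result derived from cisco-avpair attributes of a RADIUS reply."""
    raccess = [a[len("raccess:"):] for a in avpairs if a.startswith("raccess:")]
    if not raccess:
        return None
    return [f"{nas}/{line}" for nas, line in _PORT_RE.findall("\n".join(raccess))]


def authorize_reverse_access(ports: Optional[List[str]], nas_hostname: str,
                             line: str) -> bool:
    """Decision the NAS needs after a successful Telnet login when
    aaa authorization reverse-access is enabled.

    nas_hostname must be the NAS's configured host name, not a DNS name or
    alias, because that is the string the profile entries are matched on.
    """
    if ports is None:        # no raccess clause: denied on every port
        return False
    if not ports:            # empty raccess clause: unconditional access
        return True
    return f"{nas_hostname}/{line}" in ports


if __name__ == "__main__":
    for user in ("jim", "ann", "bob"):
        ports = tacacs_raccess_ports(TACACS_PROFILES, user)
        for nas, line in (("site1", "tty2"), ("site1", "tty5"), ("site2", "tty5")):
            verdict = "permit" if authorize_reverse_access(ports, nas, line) else "deny"
            print(f"{user:4} {nas}/{line}: {verdict}")
```

Run it as a script to see the permit/deny matrix for the three constructed users. The distinction between None (no clause) and an empty list (empty clause) is deliberate: collapsing the two would turn a deny-by-default profile into unconditional access, which is exactly the misconfiguration the text warns about.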
For more information about configuring RADIUS, refer to the "Configuring RADIUS" chapter in the Security Configuration Guide.
Printed for apswan@ctr.ap.nic.in on Wed Mar 5 22:32:57 PST 2003
All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.