The following example shows how to cause the network access server to request authorization information from a TACACS+ security
server before allowing a user to establish a reverse Telnet session:
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group tacacs+
Device(config)# aaa authorization reverse-access default group tacacs+
Device(config)# tacacs server server1
Device(config-server-tacacs)# address ipv4 172.31.255.0
Device(config-server-tacacs)# timeout 90
Device(config-server-tacacs)# key sharedkey
Device(config-server-tacacs)# end
The lines in this sample TACACS+ reverse Telnet authorization configuration are defined as follows:
- The aaa new-model command enables AAA.
- The aaa authentication login default group tacacs+ command specifies TACACS+ as the default method for user authentication during login.
- The aaa authorization reverse-access default group tacacs+ command specifies TACACS+ as the method for user authorization when a user tries to establish a reverse Telnet session.
- The tacacs server command identifies the TACACS+ server by name and enters server configuration mode; the address ipv4 command supplies its address (172.31.255.0 in this example is a documentation placeholder, not a usable host address).
- The timeout command sets the interval, in seconds, that the network access server waits for the TACACS+ server to reply. The default is 5 seconds; 90 seconds as shown here means a user whose server is down waits that long before the next method (or the denial) takes effect.
- The key command defines the shared secret used for all TACACS+ communications between the network access server and the TACACS+
daemon. The same secret must be configured on the daemon. Note that TACACS+ uses this secret to obfuscate the packet body with an MD5-derived keystream, not to apply a modern cipher, so the value "sharedkey" is a placeholder only; use a long, random secret and restrict the path between the network access server and the daemon.
The following example shows how to configure a generic TACACS+ server to grant a user, pat, reverse Telnet access to port
tty2 on the network access server named "maple" and to port tty5 on the network access server named "oak":
user = pat
login = cleartext lab
service = raccess {
port#1 = maple/tty2
port#2 = oak/tty5
}
Note: In this example, "maple" and "oak" are the configured host names of the network access servers, not DNS names or aliases.
The following example shows how to configure the TACACS+ server (CiscoSecure) to grant a user named pat reverse Telnet access:
user = pat
profile_id = 90
profile_cycle = 1
member = Tacacs_Users
service=shell {
default cmd=permit
}
service=raccess {
allow "c2511e0" "tty1" ".*"
refuse ".*" ".*" ".*"
}
password = clear "goaway"
Note: CiscoSecure only supports reverse Telnet using the command line interface in versions 2.1(x) through version 2.2(1).
An empty "service=raccess {}" clause permits a user to have unconditional access to network access server ports for reverse
Telnet, so an empty clause is a grant, not a deny. If no "service=raccess" clause exists at all, the user is denied access to every port for reverse Telnet.
For more information about configuring TACACS+, refer to the "Configuring TACACS" chapter. For more information about configuring
CiscoSecure, refer to the CiscoSecure Access Control Server User Guide, version 2.1(2) or greater.
The following example shows how to cause the network access server to request authorization from a RADIUS security server
before allowing a user to establish a reverse Telnet session:
Device> enable
Device# configure terminal
Device(config)# aaa new-model
Device(config)# aaa authentication login default group radius
Device(config)# aaa authorization reverse-access default group radius
Device(config)# radius server ip
Device(config-radius-server)# key sharedkey
Device(config-radius-server)# address ipv4 172.31.255.0 auth-port 1645 acct-port 1646
Device(config-radius-server)# end
The lines in this sample RADIUS reverse Telnet authorization configuration are defined as follows:
- The aaa new-model command enables AAA.
- The aaa authentication login default group radius command specifies RADIUS as the default method for user authentication during login.
- The aaa authorization reverse-access default group radius command specifies RADIUS as the method for user authorization when a user tries to establish a reverse Telnet session.
- The radius server command identifies the RADIUS server by name and enters server configuration mode; the address ipv4 command supplies its address and UDP ports. Ports 1645 and 1646 are the legacy RADIUS ports; the IANA-assigned ports are 1812 (authentication) and 1813 (accounting), so use whichever pair the RADIUS server actually listens on.
- The key command defines the shared secret used for all RADIUS communications between the network access server and the RADIUS daemon. The same secret must be configured on the daemon; "sharedkey" is a placeholder, and a short or guessable secret weakens the protection of the User-Password attribute.
The following example shows how to send a request to the RADIUS server to grant a user named "pat" reverse Telnet access
at port tty2 on the network access server named "maple":
Username = "pat"
Password = "goaway"
User-Service-Type = Shell-User
cisco-avpair = "raccess:port#1=maple/tty2"
The syntax "raccess:port=any/any" permits a user to have unconditional access to network access server ports for reverse
Telnet. If no "raccess:port={nasname}/{tty number}" attribute exists in the user profile, the user is denied access to reverse Telnet on all ports.
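The authorization decision described above for both the generic TACACS+ "service = raccess" clause and the RADIUS "raccess:port" attribute, as an added Python example (not Cisco's, CiscoSecure's or any RADIUS server's code). The profile text and AV pairs embedded below are constructed to mirror the records shown on this page; the parser accepts only the "port#N = nas/tty" and "port = nas/tty" forms documented here, treats "any" as a wildcard for both forms (the page documents "any/any" for RADIUS only, so extending it to the generic TACACS+ form is an assumption), and matches the NAS field against the configured host name exactly, as the note above requires:

```python
import re
from dataclasses import dataclass, field

# Constructed sample records (not taken from any real server), shaped like the
# generic TACACS+ user record and the RADIUS user profile shown on this page.
GENERIC_TACACS_PROFILE = """\
user = pat
login = cleartext lab
service = raccess {
    port#1 = maple/tty2
    port#2 = oak/tty5
}
"""

RADIUS_AVPAIRS = ["raccess:port#1=maple/tty2"]

# Accepts "port#1 = maple/tty2" and "port=any/any"; nas may not contain '/'.
PORT_RE = re.compile(r"^port(?:#\d+)?\s*=\s*(?P<nas>[^/\s]+)/(?P<tty>\S+)$")


@dataclass
class RaccessPolicy:
    """present: a raccess clause/attribute exists; ports: allowed (nas, tty) pairs."""
    present: bool
    ports: list = field(default_factory=list)


def parse_generic_tacacs(profile: str) -> RaccessPolicy:
    """Extract the service = raccess { ... } clause from a generic TACACS+ user record."""
    m = re.search(r"service\s*=\s*raccess\s*\{(?P<body>.*?)\}", profile, re.S)
    if not m:
        return RaccessPolicy(present=False)
    ports = []
    for line in m.group("body").splitlines():
        line = line.strip()
        if not line:
            continue
        pm = PORT_RE.match(line)
        if not pm:
            raise ValueError(f"unrecognised raccess entry: {line!r}")
        ports.append((pm["nas"], pm["tty"]))
    return RaccessPolicy(present=True, ports=ports)


def parse_radius_avpairs(avpairs) -> RaccessPolicy:
    """Collect raccess:port entries from a user's cisco-avpair attributes."""
    present = False
    ports = []
    for av in avpairs:
        if not av.startswith("raccess:"):
            continue  # other vendor-specific attributes are not our concern here
        present = True
        pm = PORT_RE.match(av[len("raccess:"):])
        if not pm:
            raise ValueError(f"unrecognised raccess attribute: {av!r}")
        ports.append((pm["nas"], pm["tty"]))
    return RaccessPolicy(present=present, ports=ports)


def authorize(policy: RaccessPolicy, nas: str, tty: str) -> bool:
    """Decide whether a reverse Telnet session to (nas, tty) is permitted."""
    if not policy.present:
        return False  # no raccess clause or attribute at all: deny every port
    if not policy.ports:
        return True   # empty "service = raccess {}" clause: unconditional access
    # nas is the NAS's configured host name, compared exactly (no DNS, no aliases).
    # "any" in either field is a wildcard.
    return any(p_nas in ("any", nas) and p_tty in ("any", tty)
               for p_nas, p_tty in policy.ports)


if __name__ == "__main__":
    tac = parse_generic_tacacs(GENERIC_TACACS_PROFILE)
    rad = parse_radius_avpairs(RADIUS_AVPAIRS)
    for nas, tty in [("maple", "tty2"), ("oak", "tty5"), ("maple", "tty5")]:
        print(f"{nas}/{tty}: tacacs={authorize(tac, nas, tty)} radius={authorize(rad, nas, tty)}")
```

The two parsers are deliberately strict: an entry that does not match the documented shape raises rather than being silently ignored, because an ignored entry in an allow list fails open for nothing but fails closed for the user, and an ignored entry in the "any/any" form would be a denial the operator never intended.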
For more information about configuring RADIUS, refer to the chapter “Configuring RADIUS.”