Authorization for Protocol Translation
In releases of Cisco IOS software prior to 12.3(2)T, protocol translation sessions established using one-step protocol translation were set up without an authorization request being issued first. The Authorization for Protocol Translation feature adds an option to require that an authorization request be issued, and approved, before a protocol translation session is established. This feature improves authentication, authorization, and accounting (AAA) support for protocol translation.
Feature History for the Authorization for Protocol Translation Feature
Release | Modification
---|---
12.3(2)T | This feature was introduced.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
- Prerequisites for Authorization for Protocol Translation
- Restrictions for Authorization for Protocol Translation
- Information About Authorization for Protocol Translation
- How to Configure Authorization for Protocol Translation
- Configuration Examples for Authorization for Protocol Translation
- Additional References
- Command Reference
Prerequisites for Authorization for Protocol Translation
Packet assembler/disassembler (PAD) must be configured. For more information on configuring PAD, refer to Configuring the Cisco PAD Facility for X.25 Connections.
A TACACS+ server must be configured to perform authorization. For more information about configuring authorization, refer to the “Configuring Authorization” chapter in the Cisco IOS Security Configuration Guide.
Restrictions for Authorization for Protocol Translation
This feature is supported only for protocol translation sessions in which the incoming protocol is TCP or X.25, and in which the outgoing protocol is TCP, X.25, or autocommand.
For incoming X.25 sessions, this feature is restricted to switched virtual circuits (SVCs) only; permanent virtual circuits (PVCs) may be used only for the outgoing side.
If the pvc keyword is specified in the translate command, the authorize and login keywords may not be used.
Information About Authorization for Protocol Translation
To configure the Authorization for Protocol Translation feature, you must understand the following concepts:
- AAA Authorization and the Authorization Packet
- Benefits of Authorization for Protocol Translation
AAA Authorization and the Authorization Packet
Once authorization is enabled, authorization occurs before access to the connection is granted. If authentication is configured, authorization occurs after authentication.
During authorization, a TACACS+ authorization packet is generated. This authorization packet contains the following attribute-value (AV) pairs:
- service—A new value, translate, has been added to the existing service AV pair carried in the args section of the authorization request. This AV pair is marked as mandatory.
- azn-tag—This new attribute carries the authorization tag assigned in the translate command (the tag argument of the authorize keyword). The value is up to 64 bytes of lowercase ASCII: digits, lowercase letters, the hyphen, and the underscore. This AV pair is marked as mandatory.
Benefits of Authorization for Protocol Translation
Releases of Cisco IOS software prior to 12.3(2)T did not allow authorization of protocol translation sessions established using one-step protocol translation. The Authorization for Protocol Translation feature introduces the ability to configure one-step protocol translation sessions for AAA authorization using TACACS+. This feature improves AAA support for protocol translation sessions.
How to Configure Authorization for Protocol Translation
This section contains the following procedures:
- Configuring Authorization for Protocol Translation for a TCP-to-X.25 Protocol Translation Session
- Configuring Authorization for Protocol Translation for an X.25-to-TCP Protocol Translation Session
Configuring Authorization for Protocol Translation for a TCP-to-X.25 Protocol Translation Session
Perform this task to enable AAA authorization of a TCP-to-X.25 protocol translation session.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network { default | list-name } method1 [ method2... ]
4. translate tcp incoming-address [ incoming-options ] x25 outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
Configuring Authorization for Protocol Translation for an X.25-to-TCP Protocol Translation Session
Perform this task to enable AAA Authorization of an X.25-to-TCP protocol translation session.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network { default | list-name } method1 [ method2... ]
4. translate x25 incoming-address [ incoming-options ] tcp outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
Configuration Examples for Authorization for Protocol Translation
This section contains the following configuration examples:
- Configuring Translation Authorization for a TCP-to-X.25 Protocol Translation Session: Example
- Configuring Translation Authorization for an X.25-to-TCP Protocol Translation Session: Example
Configuring Translation Authorization for a TCP-to-X.25 Protocol Translation Session: Example
The following example uses an authorization method list named mygroup. Serial interfaces 2/0 and 2/1 connect to X.25 hosts, each of which provides multiple services at different X.25 subaddresses. Some of the translate statements specify unique authorization tags so the services can be individually controlled; others specify generic tags (perhaps because they are less critical, such as a monitoring service rather than one which permits configuration changes).
With this configuration, the router accepts Telnet requests to 10.60.155.36 at any of the TCP ports listed. The user is first required to log in; the router then sends an authorization request specifying “translate” as the value of the “service” AV pair and the authorization tag from the matching translate command as the value of the “azn-tag” AV pair. The user ID and remote address of the Telnet session are also included in the authorization request. If the authorization server approves the request, the connection to the specified X.25 address is attempted; if the request is denied, the Telnet connection is closed.
The authorization server cannot distinguish connections to 10.60.155.36 port 2003 from connections to 10.60.155.36 port 2104, because both translate statements specify the same authorization tag and the tag is the only per-statement information carried in the request. Services that must be authorized separately need distinct tags.
Configuring Translation Authorization for an X.25-to-TCP Protocol Translation Session: Example
The following example uses the default authorization method list. Incoming PAD calls to the router on serial interface 1/1 are translated to Telnet calls to various destinations based on the X.25 subaddress. Use of the first two translate statements is restricted to users that are approved by the authorization server for access to group1; the third translate statement will complete the connection only if the authorization server grants access to group2.
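The exchange described in this and the preceding example (the service and azn-tag AV pairs from “AAA Authorization and the Authorization Packet”, the login-then-authorize sequence of the TCP-to-X.25 example, and the group1/group2 policy of this X.25-to-TCP example), worked as an added Python example. This is not part of the original Cisco documentation and not Cisco code: it encodes the TACACS+ authorization REQUEST that a router would send for a translate statement carrying authorize, decodes it the way a TACACS+ server would, and applies a per-user tag policy. The packet layout and MD5-based body obfuscation follow RFC 8907; the azn-tag syntax check follows the rule stated above; the shared key, session ID, username, port name, remote address and policy table are constructed assumptions.

```python
"""TACACS+ (RFC 8907) authorization exchange for a one-step protocol
translation session.  Constructed example: the shared key, session id,
username, port name and remote address are assumptions, not values from
the feature documentation."""
import hashlib
import re
import struct

TAC_PLUS_AUTHOR = 0x02                       # packet type: authorization
VERSION = 0xC0                               # major version 0xC, minor 0
METH_TACACSPLUS, PRIV_LVL_USER = 0x06, 0x01
AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01

# azn-tag syntax from the feature description: up to 64 bytes of lowercase
# letters, digits, hyphen and underscore.
AZN_TAG_RE = re.compile(r"[a-z0-9_-]{1,64}")


def validate_azn_tag(tag: str) -> bool:
    return AZN_TAG_RE.fullmatch(tag) is not None


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 5.2: XOR the body with an MD5 chain seeded by the
    session id, shared secret, version and sequence number.  XOR is its own
    inverse, so the same call decodes.  This is obfuscation, not encryption."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user: str, port: str, rem_addr: str, azn_tag: str,
                         session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Authorization REQUEST as the router would send it for a translate
    statement carrying 'authorize <method-list> <azn_tag>'."""
    if not validate_azn_tag(azn_tag):
        raise ValueError(f"invalid azn-tag: {azn_tag!r}")
    # '=' after the attribute name marks a mandatory AV pair ('*' = optional).
    args = [b"service=translate", b"azn-tag=" + azn_tag.encode()]
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", METH_TACACSPLUS, PRIV_LVL_USER, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(args))
    body += bytes(len(a) for a in args) + u + p + r + b"".join(args)
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_author_request(packet: bytes, key: bytes) -> dict:
    """Decode a REQUEST the way a TACACS+ server would, returning the user,
    port, remote address and AV pairs as {attr: (value, mandatory)}."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed authorization packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    _meth, _priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = body[8:8 + argc], 8 + argc
    user, off = body[off:off + ulen].decode(), off + ulen
    port, off = body[off:off + plen].decode(), off + plen
    rem_addr, off = body[off:off + rlen].decode(), off + rlen
    avpairs = {}
    for n in arg_lens:
        raw, off = body[off:off + n].decode(), off + n
        i = min((raw.index(s) for s in "=*" if s in raw), default=None)
        if i is None:
            raise ValueError(f"malformed AV pair: {raw!r}")
        avpairs[raw[:i]] = (raw[i + 1:], raw[i] == "=")
    return {"user": user, "port": port, "rem_addr": rem_addr,
            "session_id": session_id, "avpairs": avpairs}


def authorize(req: dict, policy: dict) -> str:
    """Server-side decision: policy maps a user to the azn-tags it may use
    (constructed).  Only the tag identifies the translate statement, so two
    statements that share a tag are indistinguishable here."""
    av = req["avpairs"]
    if av.get("service") != ("translate", True):
        return "FAIL"
    tag, mandatory = av.get("azn-tag", (None, False))
    if not mandatory or tag not in policy.get(req["user"], set()):
        return "FAIL"
    return "PASS_ADD"
```

Because the request carries only service, azn-tag, user, port and remote address, the policy function sees identical arguments for port 2003 and port 2104 when both translate statements use the same tag; whatever granularity the server is expected to enforce must be encoded in the tag itself. Note also that the RFC 8907 body transform is an XOR with an MD5 keystream, which does not provide confidentiality or integrity against an on-path attacker, so the router-to-server path should be a protected transport.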
Additional References
The following sections provide additional information related to the Authorization for Protocol Translation feature.
Related Documents
Related Topic | Document Title
---|---
Configuring PAD | Configuring the Cisco PAD Facility for X.25 Connections
Configuring AAA authorization | “Configuring Authorization” chapter in the Cisco IOS Security Configuration Guide
translate command syntax | Cisco IOS Terminal Services Command Reference, http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_book.html
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Terminal Services Command Reference at http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
- translate tcp
- translate x25