Authorization for Protocol Translation
In releases of Cisco IOS software prior to 12.3(2)T, protocol translation sessions established using one-step protocol translation are set up without an authorization request being issued first. The Authorization for Protocol Translation feature adds an option to require that an authorization request is issued as a prerequisite to establishing a protocol translation session. This feature improves authentication, authorization, and accounting (AAA) support for protocol translation.
Feature History for the Authorization for Protocol Translation Feature
|
|
Cisco IOS XE Gibraltar 16.10.1 |
This feature was introduced. |
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Prerequisites for Authorization for Protocol Translation
Packet assembler/disassembler (PAD) must be configured. For more information on configuring PAD, refer to Configuring the Cisco PAD Facility for X.25 Connections.
A TACACS+ server must be configured to perform authorization. For more information about configuring authorization, refer to the “ Configuring Authorization ” chapter in the Cisco IOS Security Configuration Guide .
Restrictions for Authorization for Protocol Translation
This feature is supported only for protocol translation sessions in which the incoming protocol is TCP or X.25, and in which the outgoing protocol is TCP, X.25, or autocommand.
For incoming X.25 sessions, this feature is restricted to switched virtual circuits (SVCs) only; permanent virtual circuits (PVCs) may be used only for the outgoing side.
If the pvc keyword is specified in the translate command, the authorize and login keywords may not be used.
Information About Authorization for Protocol Translation
To configure the Authorization for Protocol Translation feature, you must understand the following concepts:
AAA Authorization and the Authorization Packet
Once authorization is enabled, authorization occurs before access to the connection is granted. If authentication is configured, authorization occurs after authentication.
During authorization, a TACACS+ authorization packet is generated. This authorization packet contains the following attribute-value (AV) pairs:
- service—A new value, translate, has been added to the existing service AV pair defined in the args section. This AV pair is marked as mandatory.
- azn-tag—This new attribute contains the authorization tag assigned to the command. The azn-tag attribute may contain a series of lowercase alphanumeric ASCII characters up to 64 bytes in length. Allowable characters are digits, lowercase letters, the hyphen, and the underscore. This AV pair is marked as mandatory.
Benefits of Authorization for Protocol Translation
Releases of Cisco IOS software prior to 12.3(2)T did not allow authorization of protocol translation sessions established using one-step protocol translation. The Authorization for Protocol Translation feature introduces the ability to configure one-step protocol translation sessions for AAA authorization using TACACS+. This feature improves AAA support for protocol translation sessions.
How to Configure Authorization for Protocol Translation
This section contains the following procedures:
Configuring Authorization for Protocol Translation for a TCP-to-X.25 Protocol Translation Session
Perform this task to enable AAA authorization of a TCP-to-X.25 protocol translation session.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network { default | list-name } method1 [ method2... ]
4. translate tcp incoming-address [ incoming-options ] x25 outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode.
- Enter your password if prompted.
|
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa authorization network { default | list-name } method1 [ method2...]
Router(config)# aaa authorization network mylist group tacacs+ |
Sets parameters that restrict user access to a network. |
Step 4 |
translate tcp incoming-address [ incoming-options ] x25 outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
Router(config)# translate tcp 10.60.155.63 pvc 3 dynamic x25 12345678 authorize mylist 05149c3 |
Translates a connection request to another protocol connection type when receiving a TCP connection request to a particular destination address or host name.
- authorize —Enables AAA authorization for a protocol translation session.
- method-list —The list of authorization methods defined with the aaa authorization command using the network keyword. The method-list argument may have the value of list-name or default.
- tag —An alphanumeric string of up to 64 characters. The tag argument need not be unique; more than one instance of the translate command can specify identical values for the tag argument.
Note The tag argument is not interpreted by the router. The tag argument simply identifies the translate command or the resource being accessed by the protocol translation session to the authorization server. |
Configuring Authorization for Protocol Translation for an X.25-to-TCP Protocol Translation Session
Perform this task to enable AAA Authorization of an X.25-to-TCP protocol translation session.
SUMMARY STEPS
1. enable
2. configure terminal
3. aaa authorization network { default | list-name } method1 [ method2... ]
4. translate x25 incoming-address [ incoming-options ] tcp outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode.
- Enter your password if prompted.
|
Step 2 |
configure terminal
Router# configure terminal |
Enters global configuration mode. |
Step 3 |
aaa authorization network { default | list-name } method1 [ method2...]
Router(config)# aaa authorization network mylist group tacacs+ |
Sets parameters that restrict user access to a network. |
Step 4 |
translate x25 incoming-address [ incoming-options ] tcp outgoing-address [ outgoing-options ] [ global-options ] authorize method-list tag
Router(config)# translate x25 12345678 tcp 10.60.155.63 login authorize mylist 73234r45 |
Translates a connection request to another protocol connection type when receiving an X.25 connection request to a particular destination address or host name.
- authorize —Enables AAA authorization for a protocol translation session.
- method-list —The list of authorization methods defined with the aaa authorization command using the network keyword. The method-list argument may have the value of list-name or default.
- tag —An alphanumeric string of up to 64 characters. The tag argument need not be unique; more than one instance of the translate command can specify identical values for the tag argument.
|
Configuration Examples for Authorization for Protocol Translation
This section contains the following configuration example:
Configuring Translation Authorization for a TCP-to-X.25 Protocol Translation Session: Example
The following example uses an authorization method list named mygroup. Serial interfaces 2/0 and 2/1 connect to X.25 hosts, each of which provides multiple services at different X.25 subaddresses. Some of the translate statements specify unique authorization tags so the services can be individually controlled; others specify generic tags (perhaps because they are less critical, such as a monitoring service rather than one which permits configuration changes).
aaa authorization network mygroup group tacacs+
ip address 10.60.155.30 255.255.255.0
x25 route ^13033 interface Serial2/0
x25 route ^13133 interface Serial2/1
translate tcp 10.60.155.36 port 2001 x25 1303301 login authorize mygroup a-port01
translate tcp 10.60.155.36 port 2002 x25 1303302 login authorize mygroup a-port02
translate tcp 10.60.155.36 port 2003 x25 1303303 login authorize mygroup monitor
translate tcp 10.60.155.36 port 2004 x25 1303304 login authorize mygroup monitor
translate tcp 10.60.155.36 port 2005 x25 13033 pvc 1 login authorize mygroup a-admin01
translate tcp 10.60.155.36 port 2101 x25 1313301 login authorize mygroup b-port01
translate tcp 10.60.155.36 port 2102 x25 1313302 login authorize mygroup b-port02
translate tcp 10.60.155.36 port 2103 x25 1313303 login authorize mygroup monitor
translate tcp 10.60.155.36 port 2104 x25 1313304 login authorize mygroup monitor
With this configuration, the router accepts Telnet requests to 10.60.155.36 at any of the TCP ports listed. The user is required to log in, then the router sends an authorization request specifying “translate” as the value of the “service” AV pair, and the authorization tag from the corresponding translate command as the value of the “azn-tag” AV pair. The user id and remote address of the Telnet session are also included in the authorization request. If the authorization server approves the request, the connection to the specified X.25 address is attempted; if the request is denied, the Telnet connection is closed.
The authorization server would not be able to distinguish between connections to 10.60.155.36 port 2003 and 10.60.155.36 port 2104, because they specify the same authorization tag.
Configuring Translation Authorization for an X.25-to-TCP Protocol Translation Session: Example
The following example uses the default authorization method list. Incoming PAD calls to the router on serial interface 1/1 are translated to Telnet calls to various destinations based on the X.25 subaddress. Use of the first two translate statements is restricted to users that are approved by the authorization server for access to group1; the third translate statement will complete the connection only if the authorization server grants access to group2.
aaa authorization network default group tacacs+
translate x25 555108801 tcp 10.60.155.1 login authorize default group1
translate x25 555108802 tcp 10.60.155.2 login authorize default group1
translate x25 555108803 tcp 10.60.155.3 login authorize default group2
Additional References
The following sections provide additional information related to the Authorization for Protocol Translation feature.
Related Documents
|
|
Information on configuring PAD |
The “ Configuring the Cisco PAD Facility for X.25 Connections ” chapter in the Cisco IOS Terminal Services Configuration Guide |
Additional PAD commands: complete command syntax, command mode, defaults, usage guidelines and examples |
Cisco IOS Terminal Services Command Reference, Release 12.3 |
Additional information about configuring authorization |
“ Configuring Authorization ” chapter in the Cisco IOS Security Configuration Guide |
Additional authentication commands: complete command syntax, command mode, defaults, usage guidelines and examples |
Cisco IOS Security Command Reference , Release 12.3 |
MIBs
|
|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
Technical Assistance
|
|
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. |
http://www.cisco.com/public/support/tac/home.shtml |
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Terminal Services Command Reference at http://www.cisco.com/en/US/docs/ios/termserv/command/reference/tsv_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
- aaa authorization
- translate tcp
- translate x25
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2008 Cisco Systems, Inc. All rights reserved.