Network Access Control

Network Access Control (NAC) limits user access to IP security zones defined by the NETACCESS statement. A security product, such as RACF®, checks whether a user ID is permitted to send data to or receive data from each security zone. By default, the NAC user ID for Telnet is taken from the Telnet address space user ID.

The NACUSERID parameter provides finer control over Network Access Control checking for Telnet. It associates Telnet ports with a specified user ID that is defined to the security server. The user ID specified on the NACUSERID parameter must be a valid user ID defined to the security server; if it is not, the Telnet port fails initialization. NACUSERID can be coded in TELNETGLOBALS to affect all ports or in TELNETPARMS to affect a single port. NACUSERID cannot be coded in PARMSGROUP. Specify NONACUSERID to disable a higher-level specification. For example, a TN3270E Telnet server with an address space user ID of user1 can specify the statement NACUSERID user2 in TELNETGLOBALS. If one port should instead be controlled by user1, the TELNETPARMS statement for that port should be NONACUSERID, which disables the user2 specification from TELNETGLOBALS for that port.

When Telnet is modified with a VARY TCPIP,tnproc,OBEYFILE command, the NACUSERIDs are reverified for the Telnet ports defined in the data set referenced by the command. If a Telnet port has NACUSERID NAC_name_1, you cannot use the VARY TCPIP,tnproc,OBEYFILE command to change that port's NACUSERID to NAC_name_2. The port must first be stopped, and then started with the new NAC_name_2 value using the VARY TCPIP,tnproc,OBEYFILE command.

The NETACCESS statement in the TCP/IP profile is used to configure portions of your IP network into named security zones. Each defined security zone must have a SERVAUTH profile for the resource named EZB.NETACCESS.sysname.tcpname.zonename. The user ID associated with the Telnet port must have READ access to the security zone that maps its bind address (0.0.0.0/32 for INADDR_ANY or ::/128 for the IPv6 unspecified address, in6addr_any, unless overridden by the PORT statement in the TCP/IP profile) and to every security zone that maps client IP addresses that Telnet is to accept connections from on this port.
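The following is an added configuration example, not taken from the IBM documentation, that ties the NACUSERID override described above to the NETACCESS zones and SERVAUTH profiles it depends on. The system name SYS1, TCP/IP stack name TCPIP, zone names, address ranges, and user IDs are assumed values chosen for illustration.

```text
* ---- TCP/IP profile: carve the network into named security zones ----
* Assumed zones: ZONEA (trusted client subnet), DEFZONE (everything else).
NETACCESS INBOUND OUTBOUND
  10.1.0.0/16   ZONEA      ; client subnet that may reach Telnet
  0.0.0.0/32    ZONEA      ; INADDR_ANY bind address must also map to a zone
  DEFAULT       DEFZONE    ; catch-all for any address not listed above
ENDNETACCESS

* ---- Telnet profile: address space runs as USER1 ----
TELNETGLOBALS
  NACUSERID USER2          ; all ports are NAC-checked as USER2 ...
ENDTELNETGLOBALS

TELNETPARMS
  PORT 23
  NONACUSERID              ; ... except port 23, which falls back to USER1
ENDTELNETPARMS

TELNETPARMS
  PORT 2023                ; inherits NACUSERID USER2 from TELNETGLOBALS
ENDTELNETPARMS

* ---- RACF: one SERVAUTH profile per zone, READ for the NAC user IDs ----
* Profile name format from the page: EZB.NETACCESS.sysname.tcpname.zonename
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.ZONEA   UACC(NONE)
RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.DEFZONE UACC(NONE)

* USER1 controls port 23; USER2 controls port 2023. Both need READ to the
* zone holding the bind address (0.0.0.0/32 -> ZONEA) and to each zone that
* holds client addresses the port should accept (here only ZONEA).
PERMIT EZB.NETACCESS.SYS1.TCPIP.ZONEA CLASS(SERVAUTH) ID(USER1) ACCESS(READ)
PERMIT EZB.NETACCESS.SYS1.TCPIP.ZONEA CLASS(SERVAUTH) ID(USER2) ACCESS(READ)

* No PERMIT on DEFZONE: connections from addresses outside 10.1.0.0/16 are
* rejected by NAC for both ports, and the denial is auditable per user ID.
SETROPTS RACLIST(SERVAUTH) REFRESH
```

Because the NACUSERID of a port cannot be changed by VARY TCPIP,tnproc,OBEYFILE alone, changing USER2 to another ID on port 2023 later requires stopping that port first and then restarting it with the new value.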

For more information, see Network access control.