[tac_plus] Multiple groups, multiple ACL-s
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Fri Aug 17 13:36:51 UTC 2007
Dear folks,
At http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/
you can find a patch against tacacs+-F4.0.4.14.
Now multiple membership is allowed, as well as a kind of
hierarchical ACLs.
Let's assume you have a large scale network
at several locations and a lot of users.
If you want to allow certain users to enter certain
NASes only, you can use the following schema:
########## elementary ACLs and location groups ############
acl = city1 {
permit = ^192\.168\.1\.
permit = ^192\.168\.23\.
return = .*
}
group = location_city1 {
acl = city1
}
acl = city2 {
permit = ^192\.168\.17\.
return = .*
}
group = location_city2 {
acl = city2
}
acl = city3 {
permit = ^10\.61\.
return = .*
}
group = location_city3 {
acl = city3
}
acl = city4 {
permit = ^172\.16\.28\.
return = .*
}
group = location_city4 {
acl = city4
}
############# composite location groups #####################
group = location_all {
member = location_city1
member = location_city2
member = location_city3
member = location_city4
}
group = location_northern_region {
member = location_city1
member = location_city2
}
group = location_western_region {
member = location_city3
}
group = location_eastern_region {
member = location_city4
}
group = location_northeastern_region {
member = location_northern_region
member = location_eastern_region
}
################### users #######################
user = groucho {
member = location_all
...
}
user = harpo {
member = location_eastern_region
...
}
user = zeppo {
member = location_northeastern_region
...
}
...
Any feedback is welcome.
Gábor
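The following is an added example, not part of the original post and not code from the tac_plus patch: a small parser for the acl/group/user subset of the syntax shown above, plus a resolver that walks the group hierarchy to decide whether a user may log in to a NAS address. The configuration is a constructed, trimmed copy of the schema in the message (city2, city3 and user groucho are left out, so the northern region here contains only city1). The evaluation model is an assumption about what the patch's `return` keyword does, not something the post confirms: within an ACL the first matching pattern decides, a `permit` match ends the walk with permit, a `return` match hands the decision back to the caller so the next group in the hierarchy is tried, and an ACL with no match at all is an implicit deny as in stock tac_plus. The function names `parse`, `check_acl`, `resolve` and `permitted` are mine.

```python
# Added example (not part of the original post or the tac_plus patch):
# parse the acl/group/user schema from the message and walk the group
# hierarchy to decide whether a user may log in to a NAS address.
import re

# Constructed, trimmed copy of the configuration shown in the message
# (city2, city3 and user groucho left out to keep the example short).
CONFIG = r"""
acl = city1 {
    permit = ^192\.168\.1\.
    permit = ^192\.168\.23\.
    return = .*
}
group = location_city1 {
    acl = city1
}
acl = city4 {
    permit = ^172\.16\.28\.
    return = .*
}
group = location_city4 {
    acl = city4
}
group = location_northern_region {
    member = location_city1
}
group = location_eastern_region {
    member = location_city4
}
group = location_northeastern_region {
    member = location_northern_region
    member = location_eastern_region
}
user = harpo {
    member = location_eastern_region
}
user = zeppo {
    member = location_northeastern_region
}
"""

BLOCK_RE = re.compile(r"^(acl|group|user)\s*=\s*(\S+)\s*\{$")
ATTR_RE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*$")


def parse(text):
    """Parse into {'acl': {name: [(key, value), ...]}, 'group': ..., 'user': ...}."""
    cfg = {"acl": {}, "group": {}, "user": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = BLOCK_RE.match(line)
        if m:
            kind, name = m.groups()
            current = cfg[kind][name] = []
        elif line == "}":
            current = None
        else:
            m = ATTR_RE.match(line)
            if m and current is not None:
                current.append(m.groups())  # keep file order; skips "..."
    return cfg


def check_acl(cfg, acl_name, nas):
    """First matching pattern decides: 'permit' or 'return' (fall through);
    no match at all is an implicit 'deny' (assumed, as in stock tac_plus)."""
    for kind, pattern in cfg["acl"][acl_name]:
        if re.search(pattern, nas):  # unanchored search, like regexec()
            return kind
    return "deny"


def resolve(cfg, kind, name, nas, seen):
    """Depth-first walk over an entity's ACLs and member groups. An explicit
    permit or deny ends the walk; 'return' means keep looking."""
    if (kind, name) in seen:  # guard against membership cycles
        return "return"
    seen.add((kind, name))
    for key, value in cfg[kind][name]:
        if key == "acl":
            verdict = check_acl(cfg, value, nas)
        elif key == "member":
            verdict = resolve(cfg, "group", value, nas, seen)
        else:
            continue
        if verdict != "return":
            return verdict
    return "return"


def permitted(cfg, user, nas):
    """True only if some ACL reached through the user's groups permits nas."""
    return resolve(cfg, "user", user, nas, set()) == "permit"


if __name__ == "__main__":
    cfg = parse(CONFIG)
    for user, nas in [("harpo", "172.16.28.5"), ("harpo", "192.168.1.9"),
                      ("zeppo", "192.168.23.4"), ("zeppo", "10.61.1.1")]:
        print(user, nas, "permit" if permitted(cfg, user, nas) else "deny")
```

Running the block shows harpo permitted on the 172.16.28.0/24 NAS only, while zeppo (northeastern region) is permitted on both the city1 and city4 addresses and denied on the 10.61.x city3 address, which is the outcome the schema in the message is meant to produce. Because every elementary ACL ends with `return = .*`, a non-matching city never yields an explicit deny, so the walk continues through all groups the user belongs to; leaving that line out would turn the first non-matching city into a deny under this model.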