[tac_plus] Re: tac plus acl problem with specific ip address

Tomas TRIYOSO tomas.triyoso at ap.equinix.com
Tue Jan 29 00:54:28 UTC 2008


Hi John,

Thank you for your email.
I have already checked there is no source IP of the device connection on
the router (172.16.116.254) configuration.

BTW, when I remark the "acl" on the TACACS configuration, the group
"HKG-OPS" can successfully login to the device (172.16.116.254)

group = HKG-OPS {
  member = OPERATOR
#  acl = limit_hkg-ops
}

Please advise.

Regards,
Tomas Triyoso
Equinix Asia Pacific Pte Ltd.
Company Registration No: 200210224C

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, January 29, 2008 1:00 AM
To: Tomas TRIYOSO
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] tac plus acl problem with specific ip address

Mon, Jan 28, 2008 at 08:15:18PM +0800, Tomas TRIYOSO:
> Hi,
> 
> I have problem with tacacs plus implementation that I downloaded from
> ftp://ftp.shrubbery.net/pub/tac_plus
> 
> Below ACL was implemented on the group HKG-OPS.
> 
> acl = limit_hkg-ops {
>     permit = 10.7.7\.
>     permit = 172.16.113\.
>     permit = 172.16.115\.
>     permit = 10.5.21.2
>     permit = 172.31.7.2
>     permit = 172.16.115.4
>     permit = 172.16.115.5
>     permit = 172.16.116.254
> }
> 
> The HKG-OPS groups successfully login to above IP address, except
> 172.16.116.254.
> 
> I also try to remove all the other IP address so the acl looks below:
> 
> acl = limit_hkg-ops {
>     permit = 172.16.116.254
> }
> 
> The HKG-OPS groups still can not login to that device. With message:
> "% authentication failure"
> 
> While the other group without acl implementation, successfully login to
> the device.

check the source ip of the device's connection.  ie:
	ip tacacs source-interface X
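
Added example, not part of the original thread and not tac_plus code: a simplified Python model of why the source address matters for the ACL quoted above. It assumes each entry is an unanchored regular expression tested in order against the source address of the device's TACACS+ connection, with a deny when nothing matches; `evaluate`, `anchored` and the test addresses are constructed for illustration.

```python
import re

# ACL entries copied from the thread, in order: (action, pattern).
LIMIT_HKG_OPS = [
    ("permit", r"10.7.7\."),
    ("permit", r"172.16.113\."),
    ("permit", r"172.16.115\."),
    ("permit", r"10.5.21.2"),
    ("permit", r"172.31.7.2"),
    ("permit", r"172.16.115.4"),
    ("permit", r"172.16.115.5"),
    ("permit", r"172.16.116.254"),
]


def evaluate(acl, source_ip):
    """Return (action, pattern) for the first entry matching source_ip.

    Assumption: unanchored regex search, first match wins, and a deny
    result when no entry matches.
    """
    for action, pattern in acl:
        if re.search(pattern, source_ip):
            return action, pattern
    return "deny", None


def anchored(entry):
    """Rewrite an address or prefix entry as an anchored, fully escaped regex."""
    literal = entry.replace("\\.", ".")            # undo existing escaping
    suffix = "" if literal.endswith(".") else "$"  # prefixes stay open-ended
    return "^" + re.escape(literal) + suffix


STRICT_ACL = [(action, anchored(p)) for action, p in LIMIT_HKG_OPS]

if __name__ == "__main__":
    # Constructed addresses: the management IP from the thread, a different
    # interface address the router might source from, and a near-miss host.
    for ip in ("172.16.116.254", "172.16.117.1", "10.5.21.200"):
        print(ip, "as written:", evaluate(LIMIT_HKG_OPS, ip)[0],
              "| anchored:", evaluate(STRICT_ACL, ip)[0])
```

If the router sources its TACACS+ packets from an interface other than the one holding 172.16.116.254, the daemon sees that other address and the ACL denies the login, which is what `ip tacacs source-interface` controls.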

