[tac_plus] Re: ACL

[Schmidt, Daniel]

You can do it with my after authorization script on tacacs.com *IF* you
can summarize those ranges as IP ranges in regular expressions.  Surely,
they don't have overlapping IP's.  

-----Original Message-----
From: Michael M. [mailto:michael at michaelwm.com] 
Sent: Tuesday, June 16, 2009 12:19 PM
To: Schmidt, Daniel
Subject: Re: [tac_plus] Re: ACL

I mean host or the pc doing the telnet in to a cisco router. I only  
want to be able to telnet from IPs that have DNS record of  
*.San.rr.com or *.DC.rr.com

Thank you for your help.


Sent from my iPhone

On Jun 16, 2009, at 11:06 AM, "Schmidt,
Daniel"<dan.schmidt at uplinkdata.com 
 > wrote:

> Possibly could be done with authorization scripts, but I'm a little
> unclear as your definition of host.  Is the device the host or are you
> the host?  Don't san.rr.com and dc.rr.com resolve to different ranges
> that you could key on?
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
> Sent: Monday, June 15, 2009 11:50 PM
> To: Michael M.
> Cc: tac_plus at shrubbery.net
> Subject: [tac_plus] Re: ACL
>
> Mon, Jun 15, 2009 at 09:11:56PM -0700, Michael M.:
>> Hello,
>> I have a working configuration that I need to add ACL by host names.
> In the release F4.0.4.18 is that possible to use permit or deny based
> upon then ending portion of a host name?  Example I connect from
> different locations from one ISP that has a common PTR of san.rr.com  
> or
> dc.rr.com. What do I need to add to my config to have it resolve IPs  
> and
> verify the host name in the allow?
>
> it'd have to be coded, which I never added because I didnt want to  
> have
> timeouts due to resolver problems.
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus