[tac_plus] Re: ACL

Schmidt, Daniel dan.schmidt at uplinkdata.com
Tue Jun 16 21:36:53 UTC 2009


Hum... yeah, I could do that.  An authorization script would be a good
place to do it: reverse-lookup the host address passed IF you are
comparing it to a string of chars instead of digits.

The logic is easy: for item in host_addr, if item.isalpha and not '.', get
nslookup(passed_host_addr).  Then match a regular expression.  Would be
easy, even for me.

But, I can't do it today.  Too busy. 

-----Original Message-----
From: john heasley [mailto:heas at shrubbery.net] 
Sent: Tuesday, June 16, 2009 2:37 PM
To: Schmidt, Daniel
Cc: michael at michaelwm.com; tac_plus at shrubbery.net
Subject: Re: [tac_plus] Re: ACL

Tue, Jun 16, 2009 at 12:33:53PM -0600, Schmidt, Daniel:
> You can do it with my after authorization script on tacacs.com *IF* you
> can summarize those ranges as IP ranges in regular expressions.  Surely,
> they don't have overlapping IPs.
> 
> -----Original Message-----
> From: Michael M. [mailto:michael at michaelwm.com] 
> Sent: Tuesday, June 16, 2009 12:19 PM
> To: Schmidt, Daniel
> Subject: Re: [tac_plus] Re: ACL
> 
> I mean host or the pc doing the telnet in to a cisco router. I only  
> want to be able to telnet from IPs that have DNS record of  
> *.San.rr.com or *.DC.rr.com
> 
> Thank you for your help.
> 
> 
> Sent from my iPhone
> 
> On Jun 16, 2009, at 11:06 AM, "Schmidt, Daniel" <dan.schmidt at uplinkdata.com> wrote:
> 
> > Possibly could be done with authorization scripts, but I'm a little

I'm thinking that an authentication script mechanism might be useful,
though not certain how that might work.  Not to suggest that a knob
allowing the name resolution might be unacceptable.

> > unclear as to your definition of host.  Is the device the host or are you
> > the host?  Don't san.rr.com and dc.rr.com resolve to different ranges
> > that you could key on?
> >
> > -----Original Message-----
> > From: tac_plus-bounces at shrubbery.net
> > [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of john heasley
> > Sent: Monday, June 15, 2009 11:50 PM
> > To: Michael M.
> > Cc: tac_plus at shrubbery.net
> > Subject: [tac_plus] Re: ACL
> >
> > Mon, Jun 15, 2009 at 09:11:56PM -0700, Michael M.:
> >> Hello,
> >> I have a working configuration that I need to add ACL by host names.
> > In the release F4.0.4.18 is it possible to use permit or deny based
> > upon the ending portion of a host name?  Example: I connect from
> > different locations from one ISP that has a common PTR of san.rr.com or
> > dc.rr.com. What do I need to add to my config to have it resolve IPs and
> > verify the host name in the allow?
> >
> > it'd have to be coded, which I never added because I didn't want to have
> > timeouts due to resolver problems.
> > _______________________________________________
> > tac_plus mailing list
> > tac_plus at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
> 
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
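The check Daniel sketches above (reverse-lookup a numeric client address, then match the resulting name against the *.san.rr.com / *.dc.rr.com patterns), written out as an added example that is not code from tac_plus, tacacs.com or anyone in this thread. It assumes the client address arrives as a plain string and uses the stdlib resolver; it goes one step beyond the sketch by forward-confirming the PTR name and failing closed on the resolver failures heasley mentions, and the function and sample-zone names are mine.

```python
# Added example (not tac_plus or tacacs.com code): suffix check for a client
# address, with forward-confirmed reverse DNS and fail-closed resolver errors.
import re
import socket
from typing import Callable, Iterable, Optional

# Suffixes from the thread. Anchored and case-insensitive, so a name such as
# "x.san.rr.com.example.net" does not match.
ALLOWED = [re.compile(p, re.IGNORECASE)
           for p in (r"\.san\.rr\.com$", r"\.dc\.rr\.com$")]

def looks_like_ip(addr: str) -> bool:
    """The 'digits, not chars' test: is addr a dotted quad?"""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", addr) is not None

def dns_reverse(addr: str) -> Optional[str]:
    """PTR lookup; None on failure (timeouts follow resolv.conf options)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def dns_forward(name: str) -> Iterable[str]:
    """A-record lookup; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def host_permitted(addr: str,
                   reverse: Callable[[str], Optional[str]] = dns_reverse,
                   forward: Callable[[str], Iterable[str]] = dns_forward) -> bool:
    """Permit only if the PTR name matches an allowed suffix AND resolves back
    to addr: a PTR alone is set by whoever controls the reverse zone."""
    if not looks_like_ip(addr):
        return any(p.search(addr) for p in ALLOWED)  # already a name
    name = reverse(addr)
    if name is None or not any(p.search(name) for p in ALLOWED):
        return False                                  # no PTR / no match: deny
    return addr in set(forward(name))

# Constructed sample zones so the check can be exercised offline.
SAMPLE_PTR = {"10.0.0.5": "cpe-10-0-0-5.san.rr.com",
              "10.0.0.6": "spoof.dc.rr.com"}           # not confirmed by A below
SAMPLE_A = {"cpe-10-0-0-5.san.rr.com": ["10.0.0.5"],
            "spoof.dc.rr.com": ["192.0.2.9"]}

def check_sample(addr: str) -> bool:
    return host_permitted(addr, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, []))
```

From an after-authorization script, call `host_permitted(sys.argv[1])` (or however that script receives the address) and map the result to the exit status the script interface expects.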
