[tac_plus] tac_plus configuration based on source IP
Morty Abzug
morty+tac_plus at frakir.org
Tue Aug 30 16:42:35 UTC 2011
I have a variety of Cisco devices that require mutually incompatible
values in a certain TACACS+ attribute, Cisco-AVPair. The way I have
dealt with this in the RADIUS world is with huntgroups -- I assign our
engineer group on huntgroup1 to have Cisco-AVPair set to
shell:roles=network-admin, while by default, the engineer group gets
shell:priv-lvl=15. Unfortunately, my usual RADIUS solution isn't
working. We also have tac_plus, so I fired that up, and realized that
I had a similar problem -- we already have one Cisco device type that
requires a conflicting attribute. With tac_plus, I have no idea at
all of how to work around this, i.e. what the tac_plus equivalent of a
huntgroup is. I tried this:
group = engineer {
    pap = PAM
    service = exec {
        shell:roles="network-admin"
        acl = 1010_application
    }
    service = exec {
        shell:roles="admin"
        acl = fabric_interconnect
    }
}
No joy. Each of those stanzas works individually, but the two
together cause unhappiness. Is there a solution?
Thanks.
- Morty