[tac_plus] Multiple Groups / Restricting Source IP

Schmidt, Daniel DSchmi at wyo.gov
Tue Mar 15 21:52:20 UTC 2011


I notice this question got asked a couple times over the last year.  I am hopeful that this title will enable this to be Googled so John does not have to explain "after authentication scripts" again as he and others did for me a year or two ago.  (Thanks John/others)

After authentication scripts can allow extended configuration for those who wish to do more than basic tacacs configuration.  You can force user to connect only from 10.1.1.1 if that is what you require.  Or, if you want to make sure user 'Homer' connected to device '10.1.1.1' can only do 'show users' when connecting from '192.168.1.1', you CAN do that.   (Though "why" might be an appropriate question)  It's simply a matter of matching strings.

If you are unable to, due to time or knowledge, write an after authorization script, you may wish to try out the do_auth.py example which I wrote.  It also allows you to assign multiple groups to users, and restrict those groups in just about any imaginable grouping of ip, command, and source IP.  It's in the tarball, type 'python do_auth.py | less'.   Examples are on tacacs.org, it's really quite trivial to use.  Suggestions/questions welcome, job == networker; job != programmer, standard disclaimer - tacacs is a good way to lock yourself out if you aren't careful, yada yada.

 E-Mail to and from me, in connection with the transaction of public business, is subject to the Wyoming Public Records Act and may be disclosed to third parties.


More information about the tac_plus mailing list