[tac_plus] Is there a config ACL to limit Client IP, not NAS IP?

Alan McKinnon alan.mckinnon at gmail.com
Sun Aug 2 14:36:57 UTC 2015


There is no way to do what you want directly in tac_plus.conf.

It's not only feasible with do_auth.py, it's fully supported and really
is the way you should be moving forward.

tl;dr

tac_plus.conf is very restrictive in what it can do, and I think this is
by design. So many parts of tac_plus, to my mind, hark back to ages ago
when dialup and ppp auth were firmly on the Tacacs+ radar; one of these
things is the config, and it's the simplest thing possible the devs
could get away with :-)

If you need to do anything more (and these days everyone needs to do
much much more), you are supposed to delegate that complex decision to a
callout, and this is what do_auth.py does.

For instance, it is entirely reasonable to limit rancid logins to your
rancid servers only, or for your support people to be in more than one
group, or trusted folks can enable on anything except your Nexus (NetOps
only). tac_plus.conf can't do any of these; do_auth can do all of them
and more.


On 02/08/2015 01:50, Matt Almgren wrote:
> 
> I'm aware of the Host ACL usage in TACACS:
> 
> 
> acl = TEST-ACL {
> 
>    # Permit these NAS to login via TACACS
> 
>    permit = ^10\.
> 
> }
> 
> But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+? I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.
> 
> 
> I think this might be feasible with do_auth, but I haven't played around with that yet.
> 
> 
> --
> 
> Matt Almgren, Sr. Networking Engineer
> 
> 101 Lytton Ave., Palo Alto. CA 94301
> 
> matta at surveymonkey.com
> 
> 408.499.9669


-- 
Alan McKinnon
alan.mckinnon at gmail.com
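The decision the reply says belongs in a callout (match the user's own source address, e.g. the rancid server, not only the NAS), sketched as an added example; this is not do_auth.py's code or its ini format, and the policy, addresses, hostnames, argument order and exit codes are constructed assumptions.

```python
"""Sketch of the per-login decision a tac_plus callout can make that
tac_plus.conf cannot: match the user's own source address (rem_addr),
not just the NAS.  Policy values are constructed samples."""
import ipaddress
import re
import sys

# Constructed policy.  client_allow: networks the user may log in FROM
# (e.g. the rancid servers).  device_permit / device_deny: regexes on
# the NAS name the user is logging in TO.
POLICY = {
    "rancid":  {"client_allow": ["192.0.2.10/32", "192.0.2.11/32"],
                "device_permit": [r".*"], "device_deny": []},
    "support": {"client_allow": ["10.0.0.0/8"],
                "device_permit": [r"^(edge|core)-"], "device_deny": []},
    "trusted": {"client_allow": ["0.0.0.0/0"],
                "device_permit": [r".*"], "device_deny": [r"^nexus-"]},
    "netops":  {"client_allow": ["0.0.0.0/0"],
                "device_permit": [r".*"], "device_deny": []},
}
# A user may be in several groups; the first group whose client_allow
# matches the source address decides (an assumption of this sketch).
USERS = {"rancid": ["rancid"], "bob": ["support", "trusted"],
         "alice": ["netops"]}

def _client_ok(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def _device_ok(nas, rules):
    permitted = any(re.search(p, nas) for p in rules["device_permit"])
    denied = any(re.search(p, nas) for p in rules["device_deny"])
    return permitted and not denied

def authorize(user, client_addr, nas_name):
    """Return True to permit the login, False to deny it."""
    for group in USERS.get(user, []):          # unknown user: deny
        rules = POLICY[group]
        if _client_ok(client_addr, rules["client_allow"]):
            return _device_ok(nas_name, rules)
    return False

if __name__ == "__main__":
    # Invoked as an after-authorization callout with user, client address
    # and NAS name as arguments; exit 0 permits, 1 denies.  Argument order
    # and exit codes are assumptions of this sketch, not tac_plus's own.
    u, c, n = sys.argv[1:4]
    sys.exit(0 if authorize(u, c, n) else 1)
```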


