[tac_plus] Is there a config ACL to limit Client IP, not NAS IP?

John Fraizer john at op-sec.us
Sun Aug 2 17:53:21 UTC 2015


+1 do_auth.py

--
John Fraizer
LinkedIn profile: http://www.linkedin.com/in/johnfraizer/

On Sun, Aug 2, 2015 at 7:36 AM, Alan McKinnon <alan.mckinnon at gmail.com> wrote:
> There is no way to do what you want directly in tac_plus.conf.
>
> It's not only feasible with do_auth.py, it's fully supported and really
> is the way you should be moving forward.
>
> tl;dr
>
> tac_plus.conf is very restrictive in what it can do, and I think this is
> by design. So many parts of tac_plus to my mind hark back to ages ago
> when dialup and ppp auth were firmly in Tacacs+ radar, one of these
> things is the config, and it's the simplest thing possible the devs
> could get away with :-)
>
> If you need to do anything more (and these days everyone needs to do
> much much more), you are supposed to delegate that complex decision to a
> callout, and this is what do_auth.py does
>
> For instance, it is entirely reasonable to limit rancid logins to your
> rancid servers only, or for your support people to be in more than one
> group, or trusted folks can enable on anything except your Nexus (NetOps
> only). tac_plus.conf can't do any of these, do_auth can do all of them
> and more.
>
>
> On 02/08/2015 01:50, Matt Almgren wrote:
>>
>> I'm aware of the Host ACL usage in TACACS:
>>
>>
>> acl = TEST-ACL {
>>
>>    # Permit these NAS to login via TACACS
>>
>>    permit = ^10\.
>>
>> }
>>
>> But is there any configuration that will limit which client (i.e. rancid server) is able to authenticate with TAC+ ?  I'm trying to lock down RANCID so only that server/user can login to our network equipment with certain privileges.
>>
>>
>> I think this might be feasible with do_auth, but I haven't played around with that yet.
>>
>>
>> --
>>
>> Matt Almgren, Sr. Networking Engineer
>>
>> 101 Lytton Ave., Palo Alto. CA 94301
>>
>> matta at surveymonkey.com
>>
>> 408.499.9669
>> _______________________________________________
>> tac_plus mailing list
>> tac_plus at shrubbery.net
>> http://www.shrubbery.net/mailman/listinfo/tac_plus
>>
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
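As an added illustration of the thread's point (not code from the list, not do_auth.py, and not part of tac_plus): the `acl` block in tac_plus.conf only matches the NAS address, so restricting the rancid account to the rancid servers means moving the decision into an authorization callout that also sees the client address. The model below implements that decision with per-group allow/deny regexes on both the client IP and the device name, covering the three cases Alan lists (rancid from its own servers only, a support engineer in more than one group, and "anything except the Nexus"). All addresses, group names, option flags and the exit-code convention are constructed for this example; tac_plus's own `after authorization` hook and its `$user`/`$address`/`$name` substitutions are the mechanism it would plug into, so check those against the tac_plus.conf man page rather than against this script.

```python
"""Model of a TACACS+ post-authorization callout that decides on the
client address (where the admin logs in from), not only the NAS.
Constructed example: not do_auth.py and not tac_plus code."""
import argparse
import re
import sys

# Constructed policy. Regexes are anchored with re.fullmatch().
#   host_*   are matched against the client address (tac_plus: $address)
#   device_* are matched against the NAS name        (tac_plus: $name)
POLICY = {
    "rancid_group": {
        "host_allow": [r"10\.0\.0\.10", r"10\.0\.0\.11"],   # the rancid servers only
        "device_allow": [r".*"],
    },
    "support_group": {
        "host_allow": [r"10\.1\.\d+\.\d+"],                  # support VLAN
        "device_allow": [r".*"],
        "device_deny": [r"nexus-.*"],                        # no Nexus for support
    },
    "netops_group": {
        "host_allow": [r"10\.1\.\d+\.\d+", r"10\.2\.\d+\.\d+"],
        "device_allow": [r".*"],
    },
}

# Constructed user-to-group mapping; a user may be in several groups.
USERS = {
    "rancid": ["rancid_group"],
    "alice": ["support_group", "netops_group"],
    "bob": ["support_group"],
}


def _matches_any(patterns, value):
    return any(re.fullmatch(p, value) for p in patterns)


def group_permits(group, client_ip, device, policy=POLICY):
    """Deny lists win over allow lists; a missing allow list permits nothing."""
    rules = policy[group]
    if _matches_any(rules.get("host_deny", []), client_ip):
        return False
    if _matches_any(rules.get("device_deny", []), device):
        return False
    return (_matches_any(rules.get("host_allow", []), client_ip)
            and _matches_any(rules.get("device_allow", []), device))


def authorize(user, client_ip, device, users=USERS, policy=POLICY):
    """Permit when at least one of the user's groups permits this
    (client address, device) pair. Unknown users are denied."""
    return any(group_permits(g, client_ip, device, policy)
               for g in users.get(user, []))


def main(argv=None):
    # Option names are this example's own choice. tac_plus would invoke the
    # script from an `after authorization` line, substituting $user, $address
    # and $name; the exit codes 0 (permit) / 1 (deny) are an assumption here,
    # so confirm the callout exit-code semantics in the tac_plus.conf man page.
    parser = argparse.ArgumentParser(description="client-address aware authz check")
    parser.add_argument("-u", "--user", required=True)
    parser.add_argument("-i", "--client-ip", required=True)
    parser.add_argument("-d", "--device", required=True)
    args = parser.parse_args(argv)
    permitted = authorize(args.user, args.client_ip, args.device)
    print("permit" if permitted else "deny")
    return 0 if permitted else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python3 authz_model.py -u rancid -i 10.0.0.10 -d core-sw1` to see a permit, and with `-i 10.1.5.5` to see the same credentials denied from a non-rancid host; that second case is exactly what the NAS-only `acl` block cannot express. The deny-over-allow ordering is deliberate: a user who is in both the support and NetOps groups still gets onto the Nexus through NetOps, while a support-only user does not.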

