[c-nsp] Limiting Tacacs groups per device - Solved
Brian Raaen
opslists at rhemasound.org
Thu Jun 9 09:52:07 EDT 2011
OK, I found something that works. After reading around I found the following pages:
http://tacacs.org/2009/05/08/granular-tacacs-control/
http://tacacs.org/2009/09/26/easy-tacacs-control-with-do_auth/
http://tacacs.org/2011/03/02/securing-rancid-with-do_auth/
My tac_plus.conf is similar to the following:
accounting file = /var/log/tacacs/tac_plus.acct

host = xxx.xxx.xxx.xxx {
    key = T0p53cr3t
    enable = cleartext T0p53cr3t
}

host = yyy.yyy.yyy.yyy {
    key = T0p53cr3t
    enable = cleartext T0p53cr3t
}

default authentication = file /etc/passwd

user = DEFAULT {
    member = do_auth_access
}

group = do_auth_access {
    default service = permit
    service = exec {
        priv-lvl = 15
        idletime = 10
    }
    after authorization "/usr/bin/python /etc/tacacs+/do_auth.pyc -i $address -u $user -d $name -l /etc/tacacs+/log.txt -f /etc/tacacs+/do_auth.ini"
}
In /etc/tacacs+/do_auth.ini I have something like this:
[users]
architect1 =
architect
noc_tech =
limited1
troubleshooter
rancid =
rancid_access
[architect]
host_allow =
.*
device_permit =
.*
command_permit =
.*
[troubleshooter]
# Normal login for troubleshooters
host_allow =
.*
# Blacklist of hosts with special rules
device_deny =
$SPECIAL_RULES_HOST
device_permit =
.*
command_permit =
.*
[limited1]
host_allow =
.*
device_permit =
$SPECIAL_RULES_HOST
command_permit =
show .*
clear cable modem .*
clear counters
[rancid_access]
host_allow =
$rancid_host
device_permit =
.*
command_permit =
show.*
dir.*
more.*
write t.*
---
Brian Raaen
Network Architect
ZCorum
braaen at zcorum.com
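Added example (not code from the post, from do_auth, or from tac_plus): a small Python evaluator that reads an ini file in the layout shown above and answers "may this user, coming from this source address, run this command on this device?". It is useful for checking a policy like the one in the post before deploying it, for instance that noc_tech is confined to show/clear commands on the special host but keeps full access elsewhere. Assumptions, labelled in the code as well: the $SPECIAL_RULES_HOST and $rancid_host placeholders are filled with constructed documentation-range addresses; every value is treated as a regular expression that must match the whole string; groups are walked in the order listed under [users], and the first group whose host_allow matches the user's source address and whose device_permit matches the device (with no device_deny hit) decides the command, with command_deny taking precedence over command_permit and anything unmatched denied. That evaluation order is a simplified model written for this example, not a statement of how do_auth itself is implemented.

```python
import re

# Constructed sample in the layout used by the post: "key =" on one line,
# one pattern per following line. The two placeholders are filled with
# documentation-range addresses written as regexes (assumed values).
SAMPLE_INI = r"""
[users]
architect1 =
architect
noc_tech =
limited1
troubleshooter
rancid =
rancid_access
[architect]
host_allow =
.*
device_permit =
.*
command_permit =
.*
[troubleshooter]
host_allow =
.*
# Blacklist of hosts with special rules ($SPECIAL_RULES_HOST, assumed value)
device_deny =
192\.0\.2\.10
device_permit =
.*
command_permit =
.*
[limited1]
host_allow =
.*
device_permit =
192\.0\.2\.10
command_permit =
show .*
clear cable modem .*
clear counters
[rancid_access]
host_allow =
192\.0\.2\.50
device_permit =
.*
command_permit =
show.*
dir.*
more.*
write t.*
"""


def parse_do_auth_ini(text):
    """Return {section: {key: [pattern, ...]}} from the one-pattern-per-line layout."""
    policy, section, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, key = line[1:-1], None
            policy[section] = {}
            continue
        name, sep, value = line.partition("=")
        if sep and re.fullmatch(r"[\w.-]+", name.strip()):
            key = name.strip()                       # "key =" starts a new list
            policy[section][key] = [value.strip()] if value.strip() else []
        elif key is not None:
            policy[section][key].append(line)        # continuation: one pattern
        else:
            raise ValueError("pattern line %r outside any key" % line)
    return policy


def matches_any(patterns, value):
    # Assumption: patterns are regexes that must match the whole value.
    return any(re.fullmatch(p, value) for p in patterns)


def authorize(policy, user, user_ip, device_ip, command):
    """Simplified model of the group walk (an assumption, not do_auth's code):
    first applicable group in [users] order decides; default is deny."""
    for group in policy.get("users", {}).get(user, []):
        rules = policy.get(group, {})
        if not matches_any(rules.get("host_allow", []), user_ip):
            continue                                 # user's source address not allowed
        if matches_any(rules.get("device_deny", []), device_ip):
            continue                                 # device blacklisted for this group
        if not matches_any(rules.get("device_permit", []), device_ip):
            continue                                 # device not covered by this group
        if matches_any(rules.get("command_deny", []), command):
            return False
        return matches_any(rules.get("command_permit", []), command)
    return False


POLICY = parse_do_auth_ini(SAMPLE_INI)


def decide(user, user_ip, device_ip, command):
    return authorize(POLICY, user, user_ip, device_ip, command)


if __name__ == "__main__":
    for args in [("noc_tech", "10.0.0.5", "192.0.2.10", "configure terminal"),
                 ("noc_tech", "10.0.0.5", "192.0.2.10", "show ip interface brief"),
                 ("noc_tech", "10.0.0.5", "192.0.2.20", "configure terminal"),
                 ("rancid", "192.0.2.51", "192.0.2.20", "show running-config")]:
        print(args, "->", "permit" if decide(*args) else "deny")
```

Running the module walks a few cases through the policy: noc_tech is denied configure terminal on the special host but allowed show commands there, keeps full access on other devices, and rancid is refused when it connects from anywhere other than its listed host. The parser deliberately rejects a pattern line that appears before any "key =" so a mis-indented or truncated ini fails loudly instead of silently granting or dropping rules.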