I covered how to install and configure TACACS+ (tac_plus) on Ubuntu here. In this blog post, I am going to cover how to deny a group access to a network device or to a group of network devices. Yes, you can certainly restrict source IPs with an ACL on routers, switches, or ASA firewalls. However, if your security policy requires a jump server for connecting to network devices, the jump server's IP will not be blocked by such an ACL, so every user on it is still allowed in. With this guide, you'll be able to restrict access to network devices by user or group on your tac_plus server instead.
Configuration
This guide assumes you know how to configure the TACACS+ (tac_plus) daemon. If you haven't had a chance to work on this yet, please feel free to visit my earlier post here. Without further ado, here's the configuration for restricting a group of users on a particular network device.
group = Test {
    default service = deny
    acl = test_acl
    service = exec {
        priv-lvl = 2
    }
}

acl = test_acl {
    deny = 192.168.12.100
    permit = .*
}
The above configuration restricts the group called Test from accessing the network device whose IP address is 192.168.12.100. The address you put in tac_plus.conf must be the address of the TACACS+ source interface (ip tacacs source-interface interface_type_here) configured on the network device, because that is the address the device presents to the server. If the TACACS+ source-interface address doesn't match the one in tac_plus.conf, the ACL entry never matches, so a member of the group can connect to any other IP address of that device and will be allowed in.
Below is an example of a user who is a member of the Test group trying to access the network device and being denied.
networkjutsu@tacacs:~$ ssh -l test 192.168.12.100
test@192.168.12.100's password:
Permission denied, please try again.
test@192.168.12.100's password:
Permission denied, please try again.
test@192.168.12.100's password:
Permission denied (password).
The example config below shows how to restrict group(s) using regex (regular expressions). If, like me, you're not a scripter/programmer, please feel free to use the cheat sheet found here. For more detailed info, regex is covered in the CCIE Routing and Switching Certification Guide by Wendell Odom.
group = Test {
    default service = deny
    acl = test_acl
    service = exec {
        priv-lvl = 2
    }
}

acl = test_acl {
    deny = 172.17.99.[0-9]
    deny = 172.24.64\.50$
    permit = .*
}
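Both acl blocks above are ordinary regular expressions matched against the device's TACACS+ source address, so it is worth checking what an entry really matches before you rely on it. The Python below is an added example, not part of the original post or of tac_plus itself: it parses the two acl blocks from this post (copied inline), plus a hypothetical loose_acl and strict_acl that I wrote to contrast an unescaped, unanchored deny with the same deny written strictly, and evaluates them against a constructed list of device addresses. The matching semantics it assumes (entries tried in file order, first match decides, unanchored search, no match means deny) are my reading of the tac_plus documentation, not something the post states.

```python
import re

# Constructed for this example: the two acl blocks from the post, copied as
# they appear in tac_plus.conf.
ACL_SINGLE_DEVICE = r"""
acl = test_acl {
    deny = 192.168.12.100
    permit = .*
}
"""

ACL_WITH_REGEX = r"""
acl = test_acl {
    deny = 172.17.99.[0-9]
    deny = 172.24.64\.50$
    permit = .*
}
"""

# Hypothetical acls (not from the post): a deny that is neither escaped nor
# anchored, next to the same deny written strictly.
ACL_LOOSE = r"""
acl = loose_acl {
    deny = 172.24.64.5
    permit = .*
}
"""

ACL_STRICT = r"""
acl = strict_acl {
    deny = ^172\.24\.64\.5$
    permit = .*
}
"""


def parse_acl(text):
    """Return (acl_name, [(action, compiled_regex), ...]) in file order."""
    block = re.search(r"acl\s*=\s*(\S+)\s*\{(.*?)\}", text, re.S)
    if not block:
        raise ValueError("no acl block found")
    name, body = block.group(1), block.group(2)
    entries = []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, sep, pattern = line.partition("=")
        if not sep:
            raise ValueError("malformed acl entry: %r" % line)
        action, pattern = action.strip(), pattern.strip()
        if action not in ("permit", "deny"):
            raise ValueError("unknown acl action: %r" % action)
        entries.append((action, re.compile(pattern)))
    return name, entries


def evaluate(entries, nas_ip):
    """Assumed tac_plus semantics: entries are tried in order against the NAS
    address (the device's TACACS+ source IP), the first match decides, and a
    pattern matches anywhere in the string unless it carries ^ or $.  An
    address matching no entry is denied."""
    for action, regex in entries:
        if regex.search(nas_ip):
            return action
    return "deny"


def decisions(acl_text, nas_ips):
    """Map each NAS address to the decision the acl would reach."""
    _, entries = parse_acl(acl_text)
    return {ip: evaluate(entries, ip) for ip in nas_ips}


if __name__ == "__main__":
    # Constructed sample addresses: the ones from the post plus neighbours.
    samples = [
        "192.168.12.100", "192.168.12.101",
        "172.17.99.50", "172.17.99.17", "172.17.99.3",
        "172.24.64.50", "172.24.64.5", "172.24.64.55",
    ]
    for label, text in [("single device", ACL_SINGLE_DEVICE),
                        ("regex", ACL_WITH_REGEX),
                        ("loose", ACL_LOOSE), ("strict", ACL_STRICT)]:
        print("--", label)
        for ip, verdict in decisions(text, samples).items():
            print("  %-16s %s" % (ip, verdict))
```

Running it shows the post's two acls denying exactly the addresses the SSH sessions below demonstrate, and the hypothetical loose_acl denying 172.24.64.50 and 172.24.64.55 as well as 172.24.64.5, because an unanchored 172.24.64.5 is a prefix of both. Escaping the dots and anchoring with ^ and $, as the post's own 172.24.64\.50$ entry partly does, keeps a deny from quietly covering more devices than intended.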
Here's a member of the Test group attempting to connect to each device and being denied.
networkjutsu@tacacs1:~$ ssh -l test 172.17.99.50
Password:
Password:
Password:
test@172.17.99.50's password:
Permission denied, please try again.
test@172.17.99.50's password:
Permission denied, please try again.
test@172.17.99.50's password:
Permission denied (keyboard-interactive,password).
networkjutsu@tacacs1:~$ ssh -l test 172.17.99.17
test@172.17.99.17's password:
Permission denied, please try again.
test@172.17.99.17's password:
Permission denied, please try again.
test@172.17.99.17's password:
Permission denied (password).
networkjutsu@tacacs1:~$ ssh -l test 172.17.99.3
test@172.17.99.3's password:
Permission denied, please try again.
test@172.17.99.3's password:
Permission denied, please try again.
test@172.17.99.3's password:
Permission denied (password).
networkjutsu@tacacs1:~$ ssh -l test 172.24.64.50
Password:
Password:
Password:
test@172.24.64.50's password:
Connection closed by 172.24.64.50
If you noticed, the first attempt (172.17.99.50) had more prompts than the others. This might be a bug in IOS, due to the device type, or just how this particular IOS/device behaves with tac_plus. Unfortunately, I didn't dig deep enough. In any case, tac_plus denied access to the device.
This config lets an organization hand out privileged access to certain users or groups while still denying them access to specific devices. For example, an organization may allow NOC employees to make changes on access-layer routers/switches but not allow them to connect to distribution and core routers/switches or ASA firewalls.
Hope this has been helpful and thank you for reading!