NetworkJutsu

Networking & Security Services | San Francisco Bay Area

TACACS+ (tac_plus daemon) ACL

10/29/2012 By Andrew Roderos 15 Comments

I covered how to install and configure TACACS+ (tac_plus) on Ubuntu here. In this blog post, I am going to cover how to deny a group access to a network device or a group of network devices. Yes, you can certainly restrict source IPs using an ACL on routers, switches, or ASA firewalls. However, if your security policy requires a jump server for connecting to network devices, then that jump server's IP cannot be blocked, and every user on it is still allowed through. With this guide, you'll be able to restrict access to network devices per user or per group on your tac_plus server instead.

Configuration

This guide assumes you know how to configure the TACACS+ (tac_plus) daemon. If you haven't had a chance to work on that yet, please feel free to visit it here. Without further ado, here's the configuration that restricts a group of users on a particular network device.

group = Test {
        default service = deny
        acl = test_acl
        service = exec {
                priv-lvl = 2
        }
}
acl = test_acl {
        deny = 192.168.12.100
        permit = .*
}

The above configuration restricts the group called Test from accessing the network device with the IP address 192.168.12.100. The IP address listed in tac_plus.conf must be the IP address of the TACACS+ source interface (ip tacacs source-interface interface_type_here) configured on the network device, because that is the address tac_plus sees the request coming from. If the TACACS+ source-interface IP address doesn't match the one in tac_plus.conf, the deny entry never matches, and the group will be allowed to access the device through any of its other IP addresses.

Below is an example of a user who is a member of the Test group trying to access the network device and being denied.

networkjutsu@tacacs:~$ ssh -l test 192.168.12.100
test@192.168.12.100's password:
Permission denied, please try again.
test@192.168.12.100's password:
Permission denied, please try again.
test@192.168.12.100's password:
Permission denied (password).

The example config below shows how to restrict group(s) using regex (regular expressions). If, like me, you're not a scripter/programmer, feel free to use the cheat sheet found here. For more detailed info, regex is covered in the CCIE Routing and Switching Certification Guide by Wendell Odom.

group = Test {
        default service = deny
        acl = test_acl
        service = exec {
                priv-lvl = 2
        }
}
acl = test_acl {
        deny = 172.17.99.[0-9]
        deny = 172.24.64\.50$
        permit = .*
}

Here's a member of the Test group attempting to connect to each of the matched devices and being denied.

networkjutsu@tacacs1:~$ ssh -l test 172.17.99.50
Password:
Password:
Password:
test@172.17.99.50's password:
Permission denied, please try again.
test@172.17.99.50's password:
Permission denied, please try again.
test@172.17.99.50's password:
Permission denied (keyboard-interactive,password).
networkjutsu@tacacs1:~$ ssh -l test 172.17.99.17
test@172.17.99.17's password:
Permission denied, please try again.
test@172.17.99.17's password:
Permission denied, please try again.
test@172.17.99.17's password:
Permission denied (password).
networkjutsu@tacacs1:~$ ssh -l test 172.17.99.3
test@172.17.99.3's password:
Permission denied, please try again.
test@172.17.99.3's password:
Permission denied, please try again.
test@172.17.99.3's password:
Permission denied (password).
networkjutsu@tacacs1:~$ ssh -l test 172.24.64.50
Password:
Password:
Password:
test@172.24.64.50's password:
Connection closed by 172.24.64.50

If you noticed, the first attempt (172.17.99.50) had more prompts than the others. This might be a bug in IOS, due to the device type, or just how this particular IOS/device behaves with tac_plus. Unfortunately, I didn't dig deep enough. In any case, tac_plus denied access to the device.
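As an added example (not from the post or the tac_plus project), here is a small Python simulation of how the two acl blocks above are evaluated against the address a device sources its TACACS+ requests from. It assumes first-match-wins, unanchored POSIX-style substring regex matching, and deny when no entry matches, which is my understanding of tac_plus; the ACL_ANCHORED block and the parse_acl/check_acl names are mine.

```python
import re

# Constructed copies of the two acl blocks from the post (tac_plus.conf syntax).
ACL_SIMPLE = r"""
acl = test_acl {
        deny = 192.168.12.100
        permit = .*
}
"""

ACL_REGEX = r"""
acl = test_acl {
        deny = 172.17.99.[0-9]
        deny = 172.24.64\.50$
        permit = .*
}
"""

# Assumed variant: anchored and dot-escaped, matching only hosts .0 to .9.
ACL_ANCHORED = r"""
acl = test_acl {
        deny = ^172\.17\.99\.[0-9]$
        deny = ^172\.24\.64\.50$
        permit = .*
}
"""

ENTRY = re.compile(r"^\s*(permit|deny)\s*=\s*(\S.*?)\s*$")


def parse_acl(text):
    """Return the ordered (action, compiled regex) entries of one acl block."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), re.compile(m.group(2))))
    return entries


def check_acl(text, nas_ip):
    """First matching entry wins; no match denies (assumption, see lead-in).

    nas_ip is the address tac_plus sees, i.e. the device's
    'ip tacacs source-interface' address, not whatever the user SSH'd to.
    Unanchored search means '172.17.99.[0-9]' also matches 172.17.99.100.
    """
    for action, pattern in parse_acl(text):
        if pattern.search(nas_ip):
            return action
    return "deny"
```

Running check_acl(ACL_REGEX, "172.17.99.100") shows that the unanchored entry denies more hosts than its last octet suggests, while ACL_ANCHORED permits that address.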

This config allows an organization to give privileged access to certain users or groups while still denying them access to certain devices. For example, an organization may allow NOC employees to make changes on access-layer routers/switches but not to connect to distribution and core routers/switches or ASA firewalls.

Hope this has been helpful and thank you for reading!
