Accounting ACL check


MrShy

Jul 2, 2024, 3:13:02 AM
to Event-Driven Servers

Hi Marc

If you have a router that is compromised, in the sense that a user has been able to gain access without authenticating to the TACACS server, it bypasses the ACL check.

The commands this user (hacker) runs will still go to the TACACS server for accounting, and the client address is an address that is not in the ACL.

Is it possible to add a check for the client's address also on the accounting packet? It seems it is only checked on authentication.

Or is there an ACL I can put in a profile that will do this? 

The ACL checks the client's address.

Regards

Elad


Marc Huber

Jul 2, 2024, 12:30:30 PM
to event-driv...@googlegroups.com
Hi Elad,

On 02.07.2024 09:13, MrShy wrote:

> If you have a router that is compromised in the sense that a user has
> been able to gain access without authenticating to the tacacs server
> it bypasses the ACL check.

yes, if a T+ server is unavailable a router may (depending on its
configuration) fall back to local authentication. However, if the T+
server becomes available again at least command authorization checking
could be active. Is that enabled on your router?

Regarding accounting: The T+ daemon will just log whatever the router
sends, but that data can't be used to limit access.

If your router is configured for authentication, authorization and
accounting against T+ but only accounting works then that's quite likely
a bug in the router T+ implementation.

Cheers,

Marc
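Since the daemon will only log what the router sends, the practical use of accounting data here is detection rather than enforcement: periodically scan the accounting log for records whose reported client address falls outside the permitted ranges. The script below is an added example, not part of this thread and not tac_plus-ng code. It assumes a constructed, tab-separated log layout (timestamp, NAS address, user, port, rem_addr, accounting type, then attribute=value pairs); the field order, the sample records and the allowed prefix are invented for illustration and must be adapted to the real log format.

```python
"""Flag TACACS+ accounting records whose client address is outside the
permitted set.

Added example, not tac_plus-ng code. The log layout and sample lines are
constructed assumptions for illustration.
"""
import ipaddress

# Constructed sample accounting log (assumed layout):
# timestamp <TAB> NAS address <TAB> user <TAB> port <TAB> rem_addr
# <TAB> accounting type <TAB> attribute=value ...
SAMPLE_LOG = """\
2024-07-02 09:13:02 +0200\t10.0.0.1\telad\tvty0\t192.0.2.10\tstart\ttask_id=1\tservice=shell
2024-07-02 09:13:10 +0200\t10.0.0.1\telad\tvty0\t192.0.2.10\tstop\ttask_id=1\tservice=shell\tcmd=show running-config
2024-07-02 09:20:41 +0200\t10.0.0.1\tadmin\tvty1\t198.51.100.77\tstart\ttask_id=2\tservice=shell
2024-07-02 09:20:55 +0200\t10.0.0.1\tadmin\tvty1\t198.51.100.77\tstop\ttask_id=2\tservice=shell\tcmd=configure terminal
"""

# Assumed set of prefixes that an authenticating client is allowed to
# come from (the same ranges the authentication ACL would permit).
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Split one accounting line into a record dict.

    Raises ValueError for lines that do not carry the six fixed fields,
    so a truncated or foreign line is noticed instead of silently skipped.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("malformed accounting line: %r" % line)
    ts, nas, user, port, rem_addr, acct_type = fields[:6]
    attrs = {}
    for kv in fields[6:]:
        key, _, value = kv.partition("=")
        attrs[key] = value
    return {
        "timestamp": ts,
        "nas": nas,
        "user": user,
        "port": port,
        "rem_addr": rem_addr,
        "type": acct_type,
        "attrs": attrs,
    }


def client_allowed(rem_addr, allowed=ALLOWED_CLIENTS):
    """True if rem_addr parses as an IP address inside an allowed prefix.

    An unparseable rem_addr is treated as not allowed: the router reports
    this value itself, so a compromised NAS could send anything here.
    """
    try:
        addr = ipaddress.ip_address(rem_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_violations(log_text, allowed=ALLOWED_CLIENTS):
    """Return every record whose reported client address is not allowed."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not client_allowed(rec["rem_addr"], allowed):
            violations.append(rec)
    return violations


if __name__ == "__main__":
    for rec in find_violations(SAMPLE_LOG):
        cmd = rec["attrs"].get("cmd", "")
        print("ALERT %s user=%s rem_addr=%s %s %s" % (
            rec["timestamp"], rec["user"], rec["rem_addr"], rec["type"], cmd))
```

Note the limitation the thread already implies: rem_addr is whatever the router chose to send, so this catches a session that slipped past the server-side ACL only if the router still reports the real client address. It is a detection aid and does not replace command authorization on the router.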
