Hi Marc
If you have a router that is compromised in the sense that a user has been able to gain access without authenticating to the tacacs server, it bypasses the ACL check.
The commands this user (hacker) runs will still go to the tacacs server for accounting and the client address is an address that is not in the ACL.
Is it possible to add a check for the client's address also on the accounting packet? It seems it is only checked on authentication.
Or is there an ACL I can put in a profile that will do this?
The ACL checks the client's address.
Regards
Elad