client ip limitation


codcodoe

Mar 17, 2025, 3:20:57 AM
to Event-Driven Servers
Hi Marc,

Regarding tac_plus-ng/sample/tac_plus-ng-demo-database.cfg, by setting $V[AV_A_TACPROFILE] to assign a profile to a user, how can we restrict the client's IP address from which the user logs in?

I tried adding a check in the script, but it doesn't seem to have any effect.
    # Check if the client IP is allowed
    if (client.address != "192.168.1.100") {
        deny
    }

$V[AV_A_TACPROFILE] = <<EOT
{
    # This demo uses a profile defined in user context. Other possibilities
    # include referring to an existing profile or using a rule set.
    #
    # Do NOT put comments here in real life, it's just wasting CPU.

    tag = cust001,ro # this will be evaluated in the profile, see below

    profile {
        script {
            # Check if the client IP is allowed
            if (client.address != "192.168.1.100") {
                deny
            }

            if (device.tag != user.tag)
                deny
            if (aaa.protocol == tacacs || aaa.protocol == tacacss) {
                if (service == shell) {
                    if (cmd == "") {
                        set priv-lvl = 15
                        permit
                    }
                    if (user.tag == ro) {
                        if (cmd =~ /^show /) permit
                        if (cmd =~ /^ping /) permit
                        if (cmd =~ /^traceroute /) permit
                        deny
                    }
                    if (user.tag == rw)
                        permit
                }
                deny
            }
            if (aaa.protocol == radius || aaa.protocol == radsec) {
                set radius[cisco:Cisco-AVPair] = "shell:priv-lvl=15"
                permit
            }
            deny
        }
    }
}
EOT

Marc Huber

Mar 17, 2025, 1:39:34 PM
to event-driv...@googlegroups.com

Hi,

profiles are evaluated for authorization, not for authentication.

I'll think about adding a script option at user and/or group level, but this will take some time.

Cheers,

Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/event-driven-servers/4af56981-8e46-4075-a43f-346b3b611e95n%40googlegroups.com.

Marc Huber

Mar 17, 2025, 3:22:49 PM
to event-driv...@googlegroups.com

Hi,

commit c0a2483efd05b336a261f38ec46f8efb03825f4c adds support for adding a profile ACL that will be applied for both authc and authz:

profile {
    acl {
        # Check if the client IP is allowed
        if (client.address != "192.168.1.100") {
            deny
        }
        permit
    }
    ...
}

This still needs to find its way into the docs.

Cheers,

Marc
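
Putting the two posts together, the following is an added illustration (not from the tac_plus-ng documentation, the demo database config, or Marc's commit) of where the client-address check belongs: in the profile's acl block, which per Marc's note is applied for both authentication and authorization, rather than in script, which is only evaluated for authorization. The script body is the one from the first post; the layout with acl and script as siblings inside profile is an assumption drawn from the two snippets above, since the acl option is not yet documented.

```conf
# Added example: user-context profile for the demo database, assembled from
# the two posts in this thread. Assumption: acl and script are siblings
# inside profile.
$V[AV_A_TACPROFILE] = <<EOT
{
    tag = cust001,ro

    profile {
        # Applied for both authc and authz: a login attempt from any other
        # client address is refused before command authorization is reached.
        acl {
            if (client.address != "192.168.1.100") {
                deny
            }
            permit
        }

        # Evaluated for authorization only. An address check placed here
        # would still let the user authenticate from anywhere, which is why
        # the original attempt had no visible effect.
        script {
            if (device.tag != user.tag)
                deny
            if (aaa.protocol == tacacs || aaa.protocol == tacacss) {
                if (service == shell) {
                    if (cmd == "") {
                        set priv-lvl = 15
                        permit
                    }
                    if (user.tag == ro) {
                        if (cmd =~ /^show /) permit
                        if (cmd =~ /^ping /) permit
                        if (cmd =~ /^traceroute /) permit
                        deny
                    }
                    if (user.tag == rw)
                        permit
                }
                deny
            }
            if (aaa.protocol == radius || aaa.protocol == radsec) {
                set radius[cisco:Cisco-AVPair] = "shell:priv-lvl=15"
                permit
            }
            deny
        }
    }
}
EOT
```

The acl ends with an explicit permit so that the only way to be refused at login is the address mismatch; the script keeps its trailing deny as the default for any request the earlier rules did not match. When checking the effect, test both phases separately: a login from a non-listed address should fail at authentication, and a login from 192.168.1.100 should still see the existing per-command rules at authorization.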
