<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On May 4, 2009, at 1:24 PM, Schmidt, Daniel wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hum... don't even have a web page to post it on. 326 lines - a bit long<br>for an email. Perhaps I should find a place to post it in case I wish<br>to add/fix the code. Suggestions? </div></blockquote><div><br></div><div>tacacs.org would be happy to host it....</div><br><blockquote type="cite"><div><br><br>-----Original Message-----<br>From: john heasley [<a href="mailto:heas@shrubbery.net">mailto:heas@shrubbery.net</a>] <br>Sent: Monday, May 04, 2009 11:14 AM<br>To: Schmidt, Daniel<br>Subject: Re: [tac_plus] After Authorizaion Script<br><br>Mon, May 04, 2009 at 10:57:28AM -0600, Schmidt, Daniel:<br><blockquote type="cite">I have finished my python implementation of the "after authorization<br></blockquote><blockquote type="cite">script", thanks all for your help. It allows more granular control of<br></blockquote><blockquote type="cite">logins. <br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">If anybody would be interested in testing it, I would be happy to send<br></blockquote><blockquote type="cite">it out. The configuration is fairly simple; as an example, let's say<br></blockquote>I<br><br>please do, if nothing else I'll include it as an example.<br><br><blockquote type="cite">wanted to have user Homer have full access to 192.168.1.1 and<br></blockquote><blockquote type="cite">10.1.1.0/24, but only do show commands for everything else in<br></blockquote><blockquote type="cite">10.0.0.0/8. For the heck of it, let's say we only want them to<br></blockquote>connect<br><blockquote type="cite">from 192.168.1.0/24, but never 192.168.1.4 - he can only do the show<br></blockquote><blockquote type="cite">commands. The config would be as follows: <br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">[users]<br></blockquote><blockquote type="cite">homer =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>simpson_group<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>television_group<br></blockquote><blockquote type="cite">[simpson_group]<br></blockquote><blockquote type="cite">host_deny =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>192.168.1.4<br></blockquote><blockquote type="cite">host_allow =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>192.168.1.*<span class="Apple-tab-span" style="white-space:pre"> </span><br></blockquote><blockquote type="cite">device_permit =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>192.168.1.1<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>10.1.1.*<br></blockquote><blockquote type="cite">command_permit =<br></blockquote><blockquote type="cite"> .*<br></blockquote><blockquote type="cite">[television_group]<br></blockquote><blockquote type="cite">host_allow =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>192.168.1.*<span class="Apple-tab-span" style="white-space:pre"> </span><br></blockquote><blockquote type="cite">device_permit = <br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>10.*<br></blockquote><blockquote type="cite">command_permit =<br></blockquote><blockquote type="cite"><span class="Apple-tab-span" style="white-space:pre"> </span>show.*<br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">tac_plus mailing list<br></blockquote><blockquote type="cite"><a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br></blockquote><blockquote type="cite"><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br></blockquote>_______________________________________________<br>tac_plus mailing list<br><a href="mailto:tac_plus@shrubbery.net">tac_plus@shrubbery.net</a><br><a href="http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus">http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus</a><br><br></div></blockquote></div><br></body></html>