My version of tac_plus is based on ftp://ftp-eng.cisco.com/pub/tacacs/tac_plus.F4.0.3.alpha.tar.Z. It adds the additional attribute "nas_allowed", which allows the access of a user or group to be limited to one or several NAS.

It is constructed similarly to the "cmd" attribute, so it can be used recursively in group definitions. Note that with this version every user without a nas_allowed line in his personal definition or in his group definitions is rejected by default. To turn this off you have to configure "nas_allowed = all".

Whether you must specify the NAS name as an FQDN or as an IP address depends on whether tac_plus was started with the L flag or not.

Debugging for this attribute is available with the DEBUG_AUTHEN_FLAG 16.

Configuration examples:

group = big_chiefs {
        member = chiefs
        nas_allowed = nas3.subdomain.org
        nas_allowed = 10.1.1.1
}

group = chiefs {
        nas_allowed = nas1.subdomain.org
        nas_allowed = nas2.subdomain.org
}

user = Peter {
        nas_allowed = nas1.subdomain.org
}

user = Paul {
        member = chiefs
}

user = John {
        member = big_chiefs
}

user = Mary {
        nas_allowed = all
}

Peter is only allowed to log into nas1.subdomain.org.
Paul is allowed to log into the NAS mentioned in group chiefs. John gets into nas3.subdomain.org and 10.1.1.1 (from group big_chiefs) plus the NAS in group chiefs. Mary has the NAS check turned off.
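The following is an added example (not the patch's own C code) that models the nas_allowed semantics described above in Python: a user's effective NAS list is his own nas_allowed entries plus those of every group reached through "member", recursively; a user with no entry at all is rejected (default deny); and the literal value "all" turns the check off. The parser handles only the "user"/"group" blocks with "member" and "nas_allowed" lines, not the full tac_plus.conf grammar, and the sample configuration is constructed for this example (the extra user "Guest", who has no nas_allowed line, is added to show the default-deny behaviour). Matching is a plain string comparison, so the NAS must be written in the form tac_plus reports it (FQDN or IP address, see the note about the L flag).

```python
import re

# Constructed sample in the tac_plus.conf style used above (not a real deployment).
SAMPLE_CONF = """
group = big_chiefs {
        member = chiefs
        nas_allowed = nas3.subdomain.org
        nas_allowed = 10.1.1.1
}

group = chiefs {
        nas_allowed = nas1.subdomain.org
        nas_allowed = nas2.subdomain.org
}

user = Peter {
        nas_allowed = nas1.subdomain.org
}

user = Paul {
        member = chiefs
}

user = John {
        member = big_chiefs
}

user = Mary {
        nas_allowed = all
}

user = Guest {
}
"""

# One "user = name { ... }" or "group = name { ... }" block (simplified grammar).
_BLOCK_RE = re.compile(r"(user|group)\s*=\s*(\S+)\s*\{([^}]*)\}", re.S)
# One "key = value" line inside a block.
_ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$", re.M)


def parse_conf(text):
    """Return {'user': {name: attrs}, 'group': {name: attrs}} where attrs is
    {'member': [...], 'nas_allowed': [...]}; other attributes are ignored."""
    conf = {"user": {}, "group": {}}
    for kind, name, body in _BLOCK_RE.findall(text):
        attrs = {"member": [], "nas_allowed": []}
        for key, value in _ATTR_RE.findall(body):
            if key in attrs:
                attrs[key].append(value)
        conf[kind][name] = attrs
    return conf


def effective_nas_allowed(conf, user):
    """Collect the user's own nas_allowed entries plus those of every group
    reached through 'member' links, following group-in-group membership."""
    entry = conf["user"].get(user)
    if entry is None:
        return set()              # unknown user: nothing is allowed
    allowed = set(entry["nas_allowed"])
    stack = list(entry["member"])
    seen = set()
    while stack:
        group_name = stack.pop()
        if group_name in seen:    # guard against membership loops
            continue
        seen.add(group_name)
        group = conf["group"].get(group_name)
        if group is None:         # reference to an undefined group adds nothing
            continue
        allowed.update(group["nas_allowed"])
        stack.extend(group["member"])
    return allowed


def nas_permitted(conf, user, nas):
    """Default deny: permit only if the NAS is listed or 'all' is configured."""
    allowed = effective_nas_allowed(conf, user)
    return "all" in allowed or nas in allowed


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for user in ("Peter", "Paul", "John", "Mary", "Guest"):
        for nas in ("nas1.subdomain.org", "nas3.subdomain.org", "10.1.1.1"):
            verdict = "permit" if nas_permitted(conf, user, nas) else "reject"
            print(f"{user:6s} -> {nas:20s} {verdict}")
```

Running the block prints a permit/reject matrix matching the explanation above: Peter reaches only nas1, Paul the two NAS of group chiefs, John additionally nas3 and 10.1.1.1, Mary everything, and Guest nothing.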