My <a href="tac_plus.F4.0.3.alpha.t.tar">version</a> of tac_plus is based on ftp://ftp-eng.cisco.com/pub/tacacs/tac_plus.F4.0.3.alpha.tar.Z. It adds the
additional attribute "nas_allowed", which allows to limit access
of a user or group to one or several NAS. 
<p>
It is constructed similar to the "cmd" attribute. So it is recursively
usable in group defnitions. Note, that with this version every user without
a nas_allowed line in his personal definition or in his group definitions
is rejected by default. To turn this off you have to configure "nas_allowed
= all".
<p>
Whether you must specify the NAS name with FQDN or IP address depends on
having started tac_plus with the L flag or not.
<p>
Debugging for this attribute is available with the DEBUG_AUTHEN_FLAG    16.
<p>
Configuration examples:
<pre>
group = big_chiefs {
	member = chiefs
        nas_allowed = nas3.subdomain.org
	nas_allowed = 10.1.1.1
}

group = chiefs {
        nas_allowed = nas1.subdomain.org
        nas_allowed = nas2.subdomain.org
}
user = Peter {
        nas_allowed = nas1.subdomain.org
}
user = Paul {
	member = chiefs
}
user = John {
	member = big_chiefs
}
user = Mary {
	nas_allowed = all
}

Peter is only allowed to log into nas1.subdomain.org.
Paul is allowed to the NAS mentioned in group chiefs. John gets into nas3 +
the NAS in group chief. Mary has the NAS check turned off.
</pre>