ACL with Group Not working?

Hello,

I need some guidance here. I have an ACL working by defining a user and then the destinations, but when I put a group there is nothing, no access. I need some real guidance here. I have read the samples over and over and I don't see what I am doing wrong.

here is what I have currently:

	{
		"action": "accept",
		"src":    ["myuser@mydomain.com"],
		"dst": [
			"192.168.xxx.xxx:xxx",
			"192.168.xxx.xxx:*",
			"192.168.xx.0/24:*",
			"192.168.xxx.xx:*",
			"192.168.xxx.xxx:*",
		],
	},

this works.

but if I change it to a group, I get nothing, no access:
	"groups": {
		"group:network": ["email1@mydomain.com", "myuser@mydomain.com"],
	},

	"acls": [
		// all employees can access their own devices
		{
			"action": "accept",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self:*"],
		},
		{
			"action": "accept",
			"src":    ["group:network"],
			"dst": [
				"192.168.xxx.xxx:xxx",
				"192.168.xxx.xxx:*",
				"192.168.xx.0/24:*",
				"192.168.xxx.xx:*",
				"192.168.xxx.xxx:*",
			],
		},

Have you defined the Group in the ACL, or do you instead mean “autogroup:network-admin”?

Define a group like so:
	"groups": {
		"group:network": ["soANDso@myDomain.com", "suchANDsuch@myDomain.com",],
	},

EDIT: Never mind, I see that you did define it, it just wasn’t in the ‘Code’ window.

Just to be sure, are you using Tags? That can potentially cause problems with groups.

I also assume you are using a subnet router so that Tailscale knows about the 192.168.x.x routes.

EDIT: It might help if you post your entire ACL (just sanitize it first).

thanks for the reply…took me a while to grab it and clean it.

here is the whole ACL: (having issues posting this)

	// Example/default ACLs for unrestricted connections.
	{
		// Declare static groups of users. Use autogroups for all users or users with a specific role.
		"groups": {
			// "group:admin": ["user1"],
			"group:network": ["user2", "user1"],
			// "group:members": ["user3"],
		},
		// Define the tags which can be applied to devices and by which users.
		"tagOwners": {
			// all Tailscale admins can manage which devices are tagged tag:network
			"tag:network": ["group:network"],
		},
		"autoApprovers": {
			"routes": {
				// subnets included in 10.0.0.0/16 advertised by devices tagged
				// tag:network or users who are Tailscale admins will be automatically approved
				"192.168.XXX.0/24": ["tag:network"],
				// subnets included in XXX.XXX.XXX.0/24 advertised by devices tagged
				// tag:network or users who are Tailscale admins will be automatically approved
				"192.168.XX.0/24": ["tag:network"],
			},
		},
		// Define access control lists for users, groups, autogroups, tags,
		// Tailscale IP addresses, and subnet ranges.
		"acls": [
			// all employees can access their own devices
			{
				"action": "accept",
				"src": ["autogroup:members"],
				"dst": ["autogroup:self:"],
			},
			// all employees can access devices tagged tag:network
			{
				"action": "accept",
				"src": ["user1"],
				"dst": [
					"192.168.XXX.XXX:XXXX",
					"192.168.XX.XX:",
					"192.168.XX.0/24:",
					"192.168.XX.XX:",
					"192.168.XXX.XXX:",
				],
			},
			{
				"action": "accept",
				"src": ["group:network"],
				"dst": ["tag:network:"],
			},
			// users in group:dev, and devices in subnets 192.168.XXX.0/24 and
			// 192.168.xx.0/24 can access firewall device 192.168.XXX.XXX:XXXX and
			// file server xxx.xxx.xx.xx
			{
				"action": "accept",
				"src": ["group:network", "192.168.XXX.0/24", "192.168.XXX.0/24"],
				"dst": ["192.168.XXX.XXX:XXXX", "192.168.XX.XX:", "192.168.XXX.XX:"],
			},
		],
		// Readable shorthands for devices and networks.
		"hosts": {
			"firewall": "192.168.XXX.XXX",
			"network": "192.168.XXX.XXX/24",
		},
		// Define users and devices that can use Tailscale SSH.
		"ssh": [
			// Allow all users to SSH into their own devices in check mode.
			// Comment this section out if you want to define specific restrictions.
			{
				"action": "check",
				"src": ["autogroup:members"],
				"dst": ["autogroup:self"],
				"users": ["autogroup:nonroot", "root"],
			},
		],
		// Test access rules every time they're saved.
		// "tests": [
		//   {
		//     "src": "alice",
		//     "accept": ["tag:example"],
		//     "deny": ["xxx.xxx.xxx.xxx:443"],
		//   },
		// ],
	}

Are your devices tagged? If so, the owner goes away and the device is now 'owned' by the tag.

here is what is in the system: [image]

One thing I see is that:

	{
		"action": "accept",
		"src": ["group:network"],
		"dst": ["tag:network:"],
	},

Should be:

	{
		"action": "accept",
		"src": ["group:network"],
		"dst": ["tag:network:*"],
	},

notice the * after tag:network.
It looks like you have a few of those in your ACL.

Your ACL is somewhat hard for me to follow, and I think it is because you have a host, tag, and group all called ‘network’.

Other than the above though, I don’t see anything glaring that would cause an issue. With that said, if you don’t have the ‘*’ in the destination, it won’t work…but I didn’t think it would even save, so I am wondering if it is a copy/paste error perhaps?
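The three things raised in this thread (a `dst` entry with no port spec after the colon, a `group:`/`tag:` reference that is never defined, and the same bare name reused for a host, a tag and a group) are all mechanical to check before a policy is saved. The following is an added example, not code from the thread or from Tailscale: a small Python lint that strips HuJSON comments and trailing commas, loads the policy, and reports those three classes of problems. The sample policy is constructed for the example (TEST-NET addresses, hypothetical users); the accepted port-spec forms (`*`, a single port, a range, a comma-separated list) are an assumption drawn from the documented ACL syntax.

```python
import json
import re

# Constructed sample policy in the thread's shape (HuJSON: comments and
# trailing commas). Addresses are TEST-NET placeholders, users are made up.
SAMPLE_POLICY = r'''
{
  // Static groups of users.
  "groups": {
    "group:network": ["user1@example.com", "user2@example.com"],
  },
  "tagOwners": {
    "tag:network": ["group:network"],
  },
  "hosts": {
    "network": "192.0.2.0/24",
  },
  "acls": [
    {"action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"]},
    {"action": "accept", "src": ["group:network"],     "dst": ["tag:network:"]},
    {"action": "accept", "src": ["group:devs"],        "dst": ["192.0.2.10:22", "network:*"]},
  ],
}
'''

# Port spec assumed to be '*', a single port, a range, or a comma list of those.
DST_RE = re.compile(r'^(.+):(\*|\d+(-\d+)?(,\d+(-\d+)?)*)$')


def strip_hujson(text: str) -> str:
    """Remove // and /* */ comments (outside strings) and trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j == -1 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Drop trailing commas before a closing bracket (assumes none inside strings).
    return re.sub(r',(\s*[}\]])', r'\1', ''.join(out))


def lint_policy(text: str) -> list:
    """Return human-readable findings for the three problems from the thread."""
    policy = json.loads(strip_hujson(text))
    groups = set(policy.get("groups", {}))
    tags = set(policy.get("tagOwners", {}))
    hosts = set(policy.get("hosts", {}))
    findings = []

    # 1. One bare name used for several kinds of object is hard to read.
    by_short = {}
    for name in groups | tags:
        by_short.setdefault(name.split(":", 1)[1], []).append(name)
    for name in hosts:
        by_short.setdefault(name, []).append("host:" + name)
    for short, names in by_short.items():
        if len(names) > 1:
            findings.append(f"name '{short}' reused across {sorted(names)}")

    for idx, rule in enumerate(policy.get("acls", [])):
        # 2. References to groups/tags that the policy never defines.
        for src in rule.get("src", []):
            if src.startswith("group:") and src not in groups:
                findings.append(f"acls[{idx}] src references undefined {src}")
            if src.startswith("tag:") and src not in tags:
                findings.append(f"acls[{idx}] src references undefined {src}")
        for dst in rule.get("dst", []):
            # 3. Every dst needs a port spec, e.g. 'tag:network:*'.
            m = DST_RE.match(dst)
            if not m:
                findings.append(f"acls[{idx}] dst '{dst}' lacks a port spec (e.g. ':*')")
                continue
            target = m.group(1)
            if target.startswith("group:") and target not in groups:
                findings.append(f"acls[{idx}] dst references undefined {target}")
            if target.startswith("tag:") and target not in tags:
                findings.append(f"acls[{idx}] dst references undefined {target}")
    return findings


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
```

Run against the constructed sample it reports the reused name `network`, the `tag:network:` destination with no port spec, and the undefined `group:devs` source. Point it at your own sanitized policy file instead of `SAMPLE_POLICY` to get the same checks before pasting into the admin console.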