We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.
The problem, and I'm guessing it's a simple resolution, is that currently we have a Group called Remote_Access for vpn/citrix. It is mapped to an external database (Active Directory) group namped Remote_Access. Everything works fine there. The problem I'm having is, I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that due to the fact that I personally am a member of both RemoteAccess and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the RemoteAccess group.. not TACACS ADMIN. How do I tell the groups to ignore requests unless it comes from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for RemoteAccess. Isn't there some way to have it skip the Remote Access group and go on to TACACS Admin group?
Confusing I know.