ACS Group Configuration Help Request

Unanswered Question
Feb 23rd, 2007

We currently have an underutilized ACS server and are trying to 'secure' more of our devices and the network in general utilizing the ACS 4.0 we have.

The problem, and I'm guessing it's a simple resolution, is that currently we have a Group called Remote_Access for vpn/citrix. It is mapped to an external database (Active Directory) group namped Remote_Access. Everything works fine there. The problem I'm having is, I created another group in ACS further down the list for TACACS_ADMIN. We also have this group mapped to an AD group called TACACSADM. However, it seems that due to the fact that I personally am a member of both RemoteAccess and TACACSADM, whenever I try to authenticate to a switch, it shows me hitting the RemoteAccess group.. not TACACS ADMIN. How do I tell the groups to ignore requests unless it comes from a certain AAA client? I tried doing a Define IP Based Restrictions and selecting the AAA NG that it could come from, but all that did was give me a 'user filtered' in the failed attempts log for RemoteAccess. Isn't there some way to have it skip the Remote Access group and go on to TACACS Admin group?

Confusing I know.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Vivek Santuka Fri, 02/23/2007 - 11:30


A user can be part of a single group only. The first group which is encountered in Active Directory will be used for Group mapping into ACS.

What you can do is add the tacacs attributes in the user profile for your username. This way you will have the Remote Access and also be able to login to the switch.



raun.williams Fri, 02/23/2007 - 12:30

But since I don't actually have a username in ACS and it's coming from AD, how would go about adding the TACACS details to it? Wouldn't it be a dynamic user that would go away after awhile?

Vivek Santuka Fri, 02/23/2007 - 12:34


Dynamic users do not go away after a while. Anyways another thing which can be done is add the user manually in ACS and set it to authenticate to Windows Database.

This way the use is no more a "dynamic" user.



mdufault Fri, 02/23/2007 - 19:14

I have been working on similar issues and the product is quite confusing. I think the way it works is you match the first group top down. You have 500 groups to work with so I think you need to create a group that has rights to both remote access and what you now call tacacsadm. Maybe call it NetAdmin and give that a try.

at Sat, 02/24/2007 - 14:13


you can solve your problem with the feature Network Access Profile. With this feature you can assign one user to different groups.

You must create two Network Access Profiles (profile_remote_access, profile_tacacs_admin)-

with different protocol types (radius for remote access, tacacs for administration).

Look at




This Discussion