I am using an ACS server for authentication/authorization of clients, routers/switches/users. I am also using this same ACS server for authorizing the router to use certificates (av-pair cert-application=all). For this to work you need to create a user (FQDN of router) in ACS.
The side effect is that anybody can use this username and password to log in to any device in this setup. I did limit the privilege to 0, so no enable rights are possible.
Is there a possibility on the ACS to make sure that this user is only allowed to use certificates and can't log in at all?