We are currently using Cisco ACS 4.1 and have TACACS+ configured on all devices (PIX, routers, switches) so that they let us in with enable access. We need to add additional users but limit their access. I'm trying to figure out a way to allow certain users to have enable access (15) to our layer 2 devices but only terminal access (1) to our layer 3 devices. I've broken out the equipment into separate NDGs and now I'm trying to configure the Group settings to make this work. I have configured the Shell Command Authorization settings to allow for this by assigning level 1 to layer 3 devices and 15 to layer 2 devices. When I try to connect to any of the devices it only gives me level 1 access. The logs show that it's hitting the proper NDGs, but it's only showing level 1 access. Why am I not getting level 15 access when I hit my layer 2 devices? Is there something I'm missing?
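As an added illustration, not part of the original post and not Cisco's own documentation, the device-side AAA configuration that has to be in place before any privilege level returned by ACS can take effect on an IOS router or switch. Two different things are in play: exec authorization, which is where ACS returns the `priv-lvl` attribute (in ACS 4.x this comes from the group's TACACS+ Settings, Shell (exec), Privilege level, a group-wide value rather than a per-NDG one), and command authorization, which is what a per-NDG Shell Command Authorization Set governs (it permits or denies individual commands but does not raise the session's privilege level). The server address, key and hostname below are placeholders; the `show privilege` line is the check to run after logging in.

```cisco
! Added example configuration (IOS syntax); server address and key are placeholders
aaa new-model
tacacs-server host 192.0.2.10 key TACACS-KEY-PLACEHOLDER
!
! Login and enable authentication via TACACS+, with a local/enable fallback
! only for the case where the server is unreachable
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization is the request in which ACS hands back priv-lvl for the session;
! without it every user lands at level 1 no matter what the ACS group settings say
aaa authorization exec default group tacacs+ local
!
! Command authorization is what a per-NDG Shell Command Authorization Set controls;
! it restricts individual commands and does not change the exec privilege level
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
line vty 0 4
 authorization exec default
 authorization commands 1 default
 authorization commands 15 default
 login authentication default
!
! Check after logging in over a VTY (placeholder output shown as a comment):
! Router# show privilege
! Current privilege level is 15
```

If `show privilege` still reports level 1 on the layer 2 devices after exec authorization is confirmed on the device, the ACS group is sending `priv-lvl=1` (or nothing) in the exec authorization reply, and the per-NDG command set is not the place that value comes from; `debug aaa authorization` on the device shows the attributes ACS actually returned. Note that PIX uses its own privilege model and is not covered by this IOS fragment.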