tacacs - Authorization limitations?

Jun 5th, 2008

Hi all,

Using tacacs, can you restrict a user's rights to certain equipment while giving them full access to others?

What I mean to say is: Can "User A" have view access to Switch 1, Global config access to Switch 2, and no access to Router 1?

All using the same tacacs server.

Thanks in advance!


Farrukh Haroon Thu, 06/05/2008 - 11:33

Yes, it can be done. Sorry, I am editing my post now; I did not read your question carefully.

As stated by jgambhir, you need to have different NDGs for this to work. Please note that NDGs are not visible in ACS by default; you have to enable them from the 'Interface' page.



Jagdeep Gambhir Thu, 06/05/2008 - 11:35


Yes, that is possible. You can give a user different privileges on different NAS devices.

Here is the link for command authorization ,


In ACS, under group setup, we have an option to "Assign a Shell Command Authorization Set on a per Network Device Group Basis".

You can also give different enable privileges by using the option:

"Define max Privilege on a per network device group basis"

Hope that helps



Do rate helpful posts

aneelaka Fri, 06/20/2008 - 11:52

Configure NAR and command authorization; command authorization is only supported by TACACS.
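The sketch below is an added example, not part of the thread and not ACS code. It is a simplified model of how the three controls named in the replies (a NAR, a per-NDG maximum enable privilege, and a per-NDG shell command authorization set) combine for the "User A" scenario in the question. The NDG names, the device-to-NDG mapping and the prefix-only command matching are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CommandSet:
    """Simplified command authorization set: word-prefix matching only."""
    permitted: tuple = ()
    permit_unmatched: bool = False   # action for commands not listed

    def allows(self, command: str) -> bool:
        words = command.split()
        for entry in self.permitted:
            prefix = entry.split()
            if words[:len(prefix)] == prefix:
                return True
        return self.permit_unmatched

@dataclass(frozen=True)
class GroupPolicy:
    denied_ndgs: frozenset   # NAR: device groups where login is refused
    max_priv: dict           # NDG name -> maximum enable privilege
    command_sets: dict       # NDG name -> CommandSet

# Constructed inventory; the NDG names are hypothetical.
DEVICE_NDG = {"Switch 1": "NDG-ReadOnly",
              "Switch 2": "NDG-Admin",
              "Router 1": "NDG-Routers"}

USER_A_GROUP = GroupPolicy(
    denied_ndgs=frozenset({"NDG-Routers"}),
    max_priv={"NDG-ReadOnly": 1, "NDG-Admin": 15},
    command_sets={
        "NDG-ReadOnly": CommandSet(permitted=("show", "exit")),
        "NDG-Admin": CommandSet(permit_unmatched=True),
    },
)

def login_allowed(policy, device):
    ndg = DEVICE_NDG.get(device)
    return ndg is not None and ndg not in policy.denied_ndgs

def max_enable(policy, device):
    """Highest enable level on this device, or None if login is refused."""
    if not login_allowed(policy, device):
        return None
    return policy.max_priv.get(DEVICE_NDG[device], 0)

def authorize(policy, device, command):
    if not login_allowed(policy, device):
        return "login denied"
    cmd_set = policy.command_sets.get(DEVICE_NDG[device])
    # Model choice: an NDG with no command set assigned denies everything.
    if cmd_set is None or not cmd_set.allows(command):
        return "command denied"
    return "permitted"
```

On the device side, the command set is only consulted if the switch or router is itself configured to send command authorization requests to the TACACS+ server.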

