Hi, I'm trying to solve the following problem:
I use ACS for admin auth & accounting to network devices, and I want to differentiate which devices users have access to. In my network I have about 2500 network devices, and instead of adding all of them to the ACS DB I created a wildcard AAA client with IP *.*.*.*.
This has worked fine so far (an extremely simple setup, I know), but now I want to add FWs and other sensitive devices and restrict access using NAR. The idea was to create new AAA clients for each type of device and deny access with NAR to restricted groups. The issue is that when defining the new groups, an IP conflict is detected with the wildcard AAA client.
Is there any other way to resolve this issue apart from importing all the network devices and creating NDGs? This was what I wanted to avoid.
Any help is greatly appreciated.
Firstly, I would not recommend having this kind of setup. Any person can plug in an AAA client and send many requests to ACS, causing delay in processing legitimate requests. It's like opening the ACS doors for everyone.
For your issue, there is no way you can add a separate IP, since the wildcard covers the whole range.
The best way is to upload your AAA devices. You can use RDBMS synchronization to upload all in one go.
Another easy way is to add networks like 10.5.*.* / 30.34.*.* / 30.35.*.*.
Do rate helpful posts
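As an added example (not from either poster, and not ACS's own code), a small Python check that models the per-octet overlap test ACS applies to AAA-client IP patterns, so a planned set of entries can be validated offline before importing. It shows why a *.*.*.* catch-all conflicts with any specific firewall entry, while the per-network split from the reply does not. The client names and the firewall address 192.0.2.1 are constructed; ranges and netmask-style patterns are not handled.

```python
"""Offline overlap check for Cisco Secure ACS AAA-client IP patterns.

ACS rejects a new AAA client whose IP pattern overlaps an existing one.
This helper assumes the simple dotted-quad grammar with '*' as a full
wildcard octet (e.g. 10.5.*.*); other pattern forms are out of scope.
"""
from itertools import combinations


def parse_pattern(pattern: str) -> list:
    """Return four octets, with None standing for a wildcard octet."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"bad AAA client pattern: {pattern!r}")
    parsed = []
    for octet in octets:
        if octet == "*":
            parsed.append(None)
        else:
            value = int(octet)
            if not 0 <= value <= 255:
                raise ValueError(f"octet out of range in {pattern!r}")
            parsed.append(value)
    return parsed


def patterns_overlap(a: str, b: str) -> bool:
    """Two patterns overlap iff at every octet position they match or one side is '*'."""
    return all(x is None or y is None or x == y
               for x, y in zip(parse_pattern(a), parse_pattern(b)))


def find_conflicts(clients: dict) -> list:
    """clients maps AAA-client name -> IP pattern; returns conflicting name pairs."""
    return [(n1, n2) for (n1, p1), (n2, p2) in combinations(clients.items(), 2)
            if patterns_overlap(p1, p2)]


# Constructed sample: the poster's catch-all plus one firewall entry (conflicts)
CATCH_ALL = {"all-switches": "*.*.*.*", "edge-fw": "192.0.2.1"}
# Constructed sample following the reply: per-network entries, no catch-all
SPLIT = {"site-a": "10.5.*.*", "site-b": "30.34.*.*",
         "site-c": "30.35.*.*", "edge-fw": "192.0.2.1"}

if __name__ == "__main__":
    print("catch-all conflicts:", find_conflicts(CATCH_ALL))
    print("split conflicts:", find_conflicts(SPLIT))
```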