ACS 4.0 Network Device Groups

pyrodie18
Level 1

Hey everyone, got a question for you. I am running ACS 4.0 for windows. I have several NDGs configured including NETWORK 1 and NETWORK 2. I also have several user groups including GROUP A, GROUP B, and GROUP C. GROUP A should have access to all devices on all NETWORKs. This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level =15.

GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2. I have this done by Enable Options: Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked; and Priv Level =15.

My problem is that when I do this, they are still able to log into both groups and have full priv on both groups. If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.

On each device I have the following:

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.

Thanks

1 Reply

darpotter
Level 5

You could try group level Network Access Restrictions.

This way you can actually prevent GROUP B from even logging onto NETWORK 2.

That would be the simplest approach.
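Whichever ACS setting ends up enforcing the per-NDG restriction, the `aaa accounting exec ... start-stop` records the devices already send to ACS are the place to confirm it actually works. The script below is an added example, not code from the original thread or from Cisco ACS: it audits exec-session start records against the intended group-to-NDG policy from the question and flags any session the policy should have blocked. The CSV column names, the device-IP-to-NDG mapping and the sample records are constructed assumptions; adapt them to the real ACS accounting export.

```python
"""Audit TACACS+ exec accounting records against the intended group/NDG policy.

Added example, not from the original post or from Cisco ACS. The CSV column
names, the NAS-IP-to-NDG mapping and the sample rows are constructed for this
example; replace them with the columns of the actual ACS accounting export.
"""
import csv
import io

# Intended policy from the post: GROUP A everywhere, GROUP B only on NETWORK 1.
# GROUP C's policy is not stated in the post, so it is deliberately absent and
# any session from a group missing here is flagged.
ALLOWED_NDGS = {
    "GROUP A": {"NETWORK 1", "NETWORK 2"},
    "GROUP B": {"NETWORK 1"},
}

# Constructed mapping of device (NAS) addresses to NDG names; in ACS this
# relationship lives in Network Configuration, so export it from there.
NAS_TO_NDG = {
    "10.1.1.1": "NETWORK 1",
    "10.2.2.1": "NETWORK 2",
}

# Constructed sample accounting export (column names are assumptions).
SAMPLE_CSV = """User-Name,Group-Name,NAS-IP-Address,Acct-Flags,Service,Priv-lvl
alice,GROUP A,10.2.2.1,start,shell,15
bob,GROUP B,10.1.1.1,start,shell,15
bob,GROUP B,10.2.2.1,start,shell,15
carol,GROUP C,10.1.1.1,start,shell,1
bob,GROUP B,10.2.2.1,stop,shell,15
"""


def find_policy_violations(csv_text):
    """Return (user, group, ndg, priv) for exec session starts the policy should have blocked."""
    violations = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Count each exec session once, on its start record only.
        if row["Acct-Flags"] != "start" or row["Service"] != "shell":
            continue
        ndg = NAS_TO_NDG.get(row["NAS-IP-Address"], "UNKNOWN")
        allowed = ALLOWED_NDGS.get(row["Group-Name"], set())
        if ndg not in allowed:
            violations.append((row["User-Name"], row["Group-Name"], ndg, int(row["Priv-lvl"])))
    return violations


if __name__ == "__main__":
    for user, group, ndg, priv in find_policy_violations(SAMPLE_CSV):
        print("policy violation: %s (%s) opened an exec session on %s at priv %d" % (user, group, ndg, priv))
```

Run against the sample data it reports bob's session on NETWORK 2 and carol's session from the unlisted GROUP C; an empty result after the NAR change is the evidence that GROUP B can no longer reach NETWORK 2.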
