Hey everyone, got a question for you. I am running ACS 4.0 for Windows. I have several NDGs configured including NETWORK 1 and NETWORK 2. I also have several user groups including GROUP A, GROUP B, and GROUP C. GROUP A should have access to all devices on all NETWORKs. This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level = 15.
GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2. I have this done by Enable Options: Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked; and Priv Level = 15.
My problem is that when I do this, they are still able to log into both groups and have full priv on both groups. If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.
On each device I have the following:
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.
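For readers hitting the same symptom, the device-side AAA fragment below is an added illustration (not from the original post or Cisco documentation) of why the per-NDG enable levels never take effect: the config above has no `aaa authentication enable` line, so enable is checked against the router's local secret and ACS's Max Privilege Level is never consulted, while a Shell priv-lvl of 15 returned through exec authorization drops the user straight into level 15 with no enable prompt at all. It assumes the default `tacacs+` server group from the post and keeps the local enable secret only as a fallback; the secret value is a placeholder.

```cisco
! Added example (not from the original post): device-side AAA where enable
! authentication is sent to TACACS+, so the per-NDG "Max Privilege Level"
! in ACS is what decides whether a GROUP B user reaches level 15 on NETWORK 2.
!
aaa new-model
!
! Login still authenticates against TACACS+, falling back to local users.
aaa authentication login default group tacacs+ local
!
! New line: enable-mode authentication also goes to TACACS+. Without it the
! router checks "enable" against its local enable secret, which is why the
! ACS Enable Options had no effect. The trailing "enable" keyword keeps the
! local secret as a fallback method if ACS is unreachable.
aaa authentication enable default group tacacs+ enable
!
! Exec authorization stays as it was. On the ACS side, clear "Privilege
! Level" under TACACS+ Settings > Shell for GROUP B so the shell starts at
! level 1 and the user must pass enable authentication (and therefore the
! per-NDG maximum) to reach 15; a priv-lvl=15 attribute returned here would
! bypass the enable check entirely.
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
!
! Accounting unchanged: exec sessions and level-15 commands still logged to
! TACACS+, which is where a defender would look for unexpected enables.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local secret used only by the "enable" fallback method above (placeholder).
enable secret LOCAL_ENABLE_SECRET_PLACEHOLDER
```

With this in place, the ACS accounting log shows an explicit enable request for each user, so a GROUP B user on a NETWORK 2 device is denied at the enable prompt rather than silently landing in level 15.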