ACS 4.0 Network Device Groups

Unanswered Question
Jan 21st, 2009

Hey everyone, got a question for you. I am running ACS 4.0 for Windows. I have several NDGs configured including NETWORK 1 and NETWORK 2. I also have several user groups including GROUP A, GROUP B, and GROUP C. GROUP A should have access to all devices on all NETWORKs. This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level =15.

GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2. I have this done by Enable Options: Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked; and Priv Level =15.

My problem is that when I do this, they are still able to log into both groups and have full priv on both groups. If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.

On each device I have the following:

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.
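Whichever way the ACS side ends up being configured, the quickest way to confirm that GROUP B really has stopped getting exec sessions on NETWORK 2 devices is to audit the TACACS+ accounting records the devices already send (the `aaa accounting exec ... start-stop` line above). The script below is an added example, not something from this thread or from Cisco: it replays constructed accounting rows against the intended group-to-NDG policy and reports every exec session start that lands on an NDG the user's group should not reach, plus sessions on devices that belong to no NDG at all. The CSV column names, the device-to-NDG mapping and the log rows are all assumptions made up for the example; the real ACS 4.0 export uses its own column layout, so map the names accordingly.

```python
"""Audit TACACS+ exec accounting against an intended group-to-NDG policy.

Everything here is constructed for illustration. The CSV header is an assumed
layout, not the exact ACS 4.0 accounting export; rename the columns to match a
real export before pointing this at one.
"""
import csv
import io
from typing import Dict, List, Set

# Intended policy as described in the post: GROUP A reaches every NDG,
# GROUP B only NETWORK 1. GROUP C is not described, so it is given no NDGs
# here (assumption) and any session from it is reported.
POLICY: Dict[str, Set[str]] = {
    "GROUP A": {"NETWORK 1", "NETWORK 2"},
    "GROUP B": {"NETWORK 1"},
    "GROUP C": set(),
}

# Which NDG each AAA client (NAS-IP-Address) belongs to. Constructed values.
NDG_OF_DEVICE: Dict[str, str] = {
    "10.1.0.1": "NETWORK 1",
    "10.1.0.2": "NETWORK 1",
    "10.2.0.1": "NETWORK 2",
}

# Constructed accounting rows; column names are an assumption.
SAMPLE_LOG = """Date,Time,User-Name,Group-Name,NAS-IP-Address,Acct-Flags,priv-lvl
01/21/2009,08:01:10,alice,GROUP A,10.2.0.1,start,15
01/21/2009,08:03:42,bob,GROUP B,10.1.0.1,start,15
01/21/2009,08:05:07,bob,GROUP B,10.2.0.1,start,15
01/21/2009,08:05:30,carol,GROUP C,10.1.0.2,start,1
01/21/2009,08:09:55,bob,GROUP B,10.2.0.1,stop,15
01/21/2009,08:12:00,alice,GROUP A,10.9.9.9,start,15
"""


def audit(log_text: str,
          policy: Dict[str, Set[str]],
          ndg_of_device: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per exec session start on an NDG the group may not use.

    Only 'start' records are examined so each session is reported once; the
    matching 'stop' record carries no new policy information.  A device that is
    not in any NDG is reported as 'UNKNOWN NDG' for every group, because a
    per-NDG enable policy cannot apply to it.
    """
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Acct-Flags"] != "start":
            continue
        ndg = ndg_of_device.get(row["NAS-IP-Address"], "UNKNOWN NDG")
        allowed = policy.get(row["Group-Name"], set())
        if ndg not in allowed:
            findings.append({
                "when": f'{row["Date"]} {row["Time"]}',
                "user": row["User-Name"],
                "group": row["Group-Name"],
                "device": row["NAS-IP-Address"],
                "ndg": ndg,
                "priv_lvl": row["priv-lvl"],
            })
    return findings


def main() -> None:
    for f in audit(SAMPLE_LOG, POLICY, NDG_OF_DEVICE):
        print(f'{f["when"]}  {f["user"]} ({f["group"]}) opened exec on '
              f'{f["device"]} [{f["ndg"]}] at priv {f["priv_lvl"]}')


if __name__ == "__main__":
    main()
```

Run against the constructed rows it reports three sessions: bob (GROUP B) on the NETWORK 2 router at privilege 15, which is exactly the symptom in the post, carol (GROUP C) because that group has no permitted NDG in the policy, and alice on a device that is in no NDG. Running the same check on a real export after each ACS change is a cheap regression test for the policy, independent of what the GUI appears to say.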


darpotter Wed, 01/21/2009 - 08:21

You could try group level Network Access Restrictions.

This way you can actually prevent GROUP B from even logging onto NETWORK 2.

That would be the simplest approach.

