I followed your post but how does it know when to use the RW group as opposed to the RO group?.. I can only place the user in one group..

This can be done by creating two NDG's and map them with respective command authorization set under the same user account.

Creating NDG's

----------------

NDG1 for ASA ---add ASA as a aaa client

NDG2 for switch---add switch as aaa client.

Creating command authorization set

----------------------------------

Create two different command authorization set under shared profile component for

Switch = permit all

ASA = Deny all

and permit show only

Now, under the user account you need to map the NDG with appropriate command authorization set. When user tries to login to switch/ASA it will check the authorization set mapped with their NDG's

Regards,

JK

"Now, under the user account you need to map the NDG with appropriate command authorization set." I cant see how to do this.

Doesnt exist in version 4.1

This does exist in 4.1.x

You need to enable this feature on the ACS under interface configuration > Advanced Options > check this option "Per-user TACACS+/RADIUS Attributes"

After that click on cancel > go to TACACS+ (Cisco) > check this option "Shell (exec)" for user > hit submit and you are done :)

Thanks, but I only have

-None

-As Group

-Assign a Shell Command Auth for any network device

-Per User command authorization

I dont have "Based on per network device group basis"

Got it !! didnt have NDG selected under interface options