I'm sure this question has already been asked and the solution is simple - however it does not appear to be obvious!
My requirement is to have an AD group called 'CiscoAdmins' and another called 'VPNUsers'. Using ACS I want to only authorise members of the 'CiscoAdmins' group to perform telnet/SSH etc. and only permit members of the 'VPNUsers' group to connect in remotely via an ASA firewall. So in other words, authentication should only PASS if the user is a member of a particular AD group.
We currently have all authentication/accounting working as needed using TACACS - referring to (Windows Database NOT LDAP) AD for correct username/password. However, we've noticed that members of the 'CiscoAdmins' group can perform VPN authentication and vice versa - which is not so good. This is despite setting up the AD/ACS group mapping etc. and re-ordering many many times!
Is TACACS OK or should we revert to RADIUS, and the same goes for Windows Database vs. LDAP?
I've trawled the net and this forum to no avail - please help!
There must be a guide somewhere for this simple request surely?