Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
thanks in advance,
Why don't you use NAR (Network access restriction)
Under the network config > simply create one NDG and assign all the voice router under it.
After that go to the group/user where you want to put this restriction
You need to check that what are we getting in calling station id. If we are getting ip address then
 To accomplish above we would configure the group with following
NAR (network access restriction)
Define IP based Network Access Restriction
Permitted Calling Point
AAA client: VOICE NDG created
Src IP Address *
Subit the changes and try.
Here is more on configuring Network Access Restriction:
Plz rate helpful posts-
You can set it up using NAR in ACS.
Do rate helpful posts