We recently upgraded our ASAs from 7.x to 8.x code. When we did this, the members of our designated "HelpDesk" group in ACS were no longer able to login to ASDM or use Telnet/SSH. I see entries in the ACS failed attempts around NAR but cannot figure out what I'm missing. We do use a NAR to limit their commands to only show, ping, traceroute, etc. Has anyone else ran into this? Is there something additional that needs done in the ASA code?
Message type -- Authen failed
Failure code -- User Access Filtered
Details -- Access Filter CardLog HelpDesk from Cardlog HelpDesk did not permit any criteria. This is sufficient to reject an 'All Selected' SPC NAR config.