I have made great progress configuring my ACS 5.1 for tacacs+ services. However, there is one thing that is not working quite as I expected.
Instead of creating local ACS accounts for our network group I've decided to use the group setup in AD for our network team to authenticate and provide full access (privilege 15) to network team members.
Under Access Policies "Default Device Admin" I chose the AD1 identity source and then under "Authorization" created rules that seem to work only for authorization. AD users that are not in the network group are not authorized to execute any commands on our network devices.
However, what bothers me is that these non-network team AD users (in other AD groups) are still able to authenticate to the devices. They are granted the "permit access" shell profile according to the logs.
I would like it so that non-network AD users are not even authenticated to the network devices.
Does anyone have any thoughts on how I can accomplish this? I only want to see network team members authenticated to network devices. I am sure it is something simple I am missing. How can I grant the "deny access" shell profile to any AD user that is not in the AD network team group?