I'm new when it comes to this stuff, but I have bumped into something that I can't seem to resolve.
IOS and Catalyst devices.
Every user in our company is in ACS. We currently have only one group (default) that all of the users are lumped into.
I have command and exec authorization working as expected on a few test devices, but a byproduct is that every user in the group is able to telnet to the device and enter user mode. They can't do anything, but I still do not want them in the device at all.
My thought is to create an "Administrators" group on the ACS server and associate the proper users with that group. Then set the group rights as appropriate. The question is how do I have the devices only recognize "THAT" ACS TACACS group for authentication?
Or how do I lock out users from even being able to access user mode?