Cisco Support Community

ACS 4.0 Network Device Groups

Hey everyone, got a question for you. I am running ACS 4.0 for windows. I have several NDGs configured including NETWORK 1 and NETWORK 2. I also have several user groups including GROUP A, GROUP B, and GROUP C. GROUP A should have access to all devices on all NETWORKs. This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level =15.

GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2. I have this done by Enable Options: Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked; and Priv Level =15.

My problem is that when I do this, they are still able to log into both groups and have full priv on both groups. If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.

On each device I have the following:

aaa authentication login default group tacacs+ local

aaa authorization config-commands

aaa authorization exec default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.
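The IOS AAA lines quoted above decide where authentication, exec authorization and accounting are sent and what happens when the TACACS+ servers do not answer. The following is an added example, not code from the post or from Cisco: it parses those "aaa ..." lines into method lists and reports the observations a reviewer would make about them (exec authorization applies the privilege level the server returns, no per-command authorization list exists for level 15, and both lists fall back to the local database). The sample configuration string is the one from the post; the finding codes and messages are my own.

```python
"""Parse IOS AAA method lists and report security-relevant observations."""
from __future__ import annotations

from dataclasses import dataclass

# Sample configuration: the five lines quoted in the post, embedded here as a string.
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

ACCOUNTING_RECORDS = {"start-stop", "stop-only", "wait-start", "none"}


@dataclass
class MethodList:
    function: str            # authentication | authorization | accounting
    service: str             # login | exec | commands | ...
    level: str | None        # privilege level, only for "commands <n>"
    name: str                # list name, e.g. "default"
    record: str | None       # accounting record type, accounting lists only
    methods: list[str]       # ordered methods, e.g. ["group tacacs+", "local"]


def parse_methods(tokens: list[str]) -> list[str]:
    """Collapse 'group <name>' into one method; other tokens are single methods."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config: str) -> tuple[list[MethodList], set[str]]:
    """Return (method lists, bare aaa flags such as 'authorization config-commands')."""
    lists: list[MethodList] = []
    flags: set[str] = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("aaa "):
            continue
        tokens = line.split()[1:]
        function, rest = tokens[0], tokens[1:]
        if function not in ("authentication", "authorization", "accounting") or not rest:
            flags.add(" ".join(tokens))
            continue
        service = rest.pop(0)
        level = None
        if service == "commands" and rest and rest[0].isdigit():
            level = rest.pop(0)
        if not rest:                      # e.g. "aaa authorization config-commands"
            flags.add(" ".join(tokens))
            continue
        name = rest.pop(0)
        record = None
        if function == "accounting" and rest and rest[0] in ACCOUNTING_RECORDS:
            record = rest.pop(0)
        lists.append(MethodList(function, service, level, name, record, parse_methods(rest)))
    return lists, flags


def audit(config: str) -> list[tuple[str, str]]:
    """Return (code, message) findings for the AAA configuration."""
    lists, flags = parse_aaa(config)

    def find(function: str, service: str, level: str | None = None) -> list[MethodList]:
        return [m for m in lists
                if m.function == function and m.service == service and m.level == level]

    findings: list[tuple[str, str]] = []
    if find("authorization", "exec"):
        findings.append(("EXEC_AUTHZ_SERVER_PRIV",
                         "exec authorization is on: the priv-lvl returned by the TACACS+ server "
                         "sets the shell privilege level on every device using this list"))
    if not find("authorization", "commands", "15"):
        findings.append(("NO_CMD_AUTHZ_15",
                         "no 'aaa authorization commands 15' list: once a level-15 shell is "
                         "granted, individual commands are not checked with the server"))
        if "authorization config-commands" in flags:
            findings.append(("CONFIG_COMMANDS_NO_EFFECT",
                             "'aaa authorization config-commands' only applies when a commands "
                             "method list exists"))
    for m in lists:
        if m.function in ("authentication", "authorization") and m.methods[-1:] == ["local"]:
            findings.append(("LOCAL_FALLBACK",
                             f"{m.function} {m.service} falls back to the local database "
                             "when every TACACS+ server is unreachable"))
    if not find("accounting", "commands", "15"):
        findings.append(("NO_CMD_ACCOUNTING_15",
                         "level-15 commands are not accounted to the TACACS+ server"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```

Run it against your own "show running-config | include ^aaa" output instead of SAMPLE_CONFIG to see the same checks applied to a real device; the finding list is meant to be extended with whatever your own AAA policy requires.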



Re: ACS 4.0 Network Device Groups

You could try group level Network Access Restrictions.

This way you can actually prevent GROUP B from even logging onto NETWORK 2.

That would be the simplest approach.
