Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ACS NDG nesting

I have a admin who nested a Network device group inside another network device group. Is that reccomended? For instance, there is a NDG for Asia, and inside asia he put other NDG for Routers, another for switches, and yet another for firewalls. This seems way too complicated for Tacacs authentication use.

I have seen Cisco Security manager balk at these nested groups and not be able to see down into the nested groups to see if a device is setup in ACS .

I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading.

What do you reccommend?

Everyone's tags (5)
1 REPLY
New Member

ACS NDG nesting

Hi Michael

I don't think there is wrong or right way. I'm currently in testing stages of our new ACS roll out.

What I have done is to create 3 NDG and set them up as follows

Location - COntinent - COuntry - Town - Office location

Device Type - Type of device - Vendor name

Department - department who manages the device

I can then use these in my policies to allow read only access based on device type and location. I can also use the department ndg to allow admin access to devices if its managed by a different team other than ours.

This seems to work ok based on the bit of testing I have done so far.

Cheers

Jay

385
Views
0
Helpful
1
Replies
CreatePlease to create content