Cisco Support Community
New Member

ACS NDG nesting

I have an admin who nested a Network Device Group inside another Network Device Group. Is that recommended? For instance, there is an NDG for Asia, and inside Asia he put other NDGs: one for routers, another for switches, and yet another for firewalls. This seems way too complicated for TACACS authentication use.

I have seen Cisco Security Manager balk at these nested groups and not be able to see down into the nested groups to see if a device is set up in ACS.

I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading.

What do you recommend?

New Member

ACS NDG nesting

Hi Michael

I don't think there is a wrong or right way. I'm currently in the testing stages of our new ACS rollout.

What I have done is to create 3 NDGs and set them up as follows:

Location - Continent - Country - Town - Office location

Device Type - Type of device - Vendor name

Department - department who manages the device

I can then use these in my policies to allow read-only access based on device type and location. I can also use the Department NDG to allow admin access to devices if it's managed by a different team other than ours.

This seems to work OK based on the bit of testing I have done so far.
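
The scheme in the reply above, sketched as an added example that is not part of either post and is not ACS configuration syntax or ACS code: a simplified Python model of hierarchical group matching with first-match rules and a default deny. The device IPs, user-group names, rule names, and colon-separated path notation are all constructed for illustration.

```python
from dataclasses import dataclass

def in_group(device_path, rule_path):
    """True if the device's NDG value equals rule_path or is nested below it.
    Comparison is per path segment, so "AsiaPacific" never matches "Asia"."""
    d, r = device_path.split(":"), rule_path.split(":")
    return d[:len(r)] == r

@dataclass
class Rule:
    name: str
    user_group: str
    conditions: dict  # hierarchy name -> NDG path the device must sit under
    result: str       # "read-only" or "admin"

# Constructed sample devices: one value per hierarchy (Location, Device Type, Department).
DEVICES = {
    "10.1.1.1": {"Location": "Asia:Japan:Tokyo:HQ", "Device Type": "Router:Cisco",
                 "Department": "Network"},
    "10.1.2.1": {"Location": "Asia:India:Pune:Lab", "Device Type": "Firewall:Cisco",
                 "Department": "Security"},
    "10.9.1.1": {"Location": "Europe:UK:London:DC1", "Device Type": "Switch:Cisco",
                 "Department": "Network"},
}

# Constructed policy, evaluated top-down; the first matching rule wins.
RULES = [
    Rule("sec-admin", "sec-team", {"Department": "Security"}, "admin"),
    Rule("net-admin", "net-team", {"Department": "Network"}, "admin"),
    Rule("asia-routers-ro", "asia-noc",
         {"Location": "Asia", "Device Type": "Router"}, "read-only"),
]

def authorize(user_group, device_ip):
    """Return the access level for a user group on a device, or "deny"."""
    ndgs = DEVICES.get(device_ip)
    if ndgs is None:
        return "deny"  # device not defined in any group
    for rule in RULES:
        if rule.user_group == user_group and all(
            in_group(ndgs.get(h, ""), p) for h, p in rule.conditions.items()
        ):
            return rule.result
    return "deny"  # no rule matched: least privilege by default
```

A rule written against the top-level `Asia` value covers every device nested beneath it, while the separate Device Type and Department hierarchies keep router, switch, and firewall distinctions out of the Location tree.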


