Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ACS, Tacacs, and VPN


I was hoping someone can help me.

I currently have set up out ACS servers to AAA our routers and switches for different groups of users.

Can I also use the same ACS servers to manage the same people in a different group for our VPN concnetrators?

What I mean is, can one user belong to 2 differnent groups in the same ACS server?

Cisco Employee

Re: ACS, Tacacs, and VPN

A user can only be in one ACS group. In the routers, switches and VPN concentrators are all listed as NAS's in ACS then theoretically that one user should be able to access all the devices.

Not exactly sure what you mean by "manage the same people in a different group", can you explain that a bit more?

If you want to have the one userid only get access to the routers/switches and not the VPN conc, then you'll have to use the Network Access Restrictions in that ACS group and add the routers/switches in, that way if that user tries to authenticate to the VPN conc they'll be denied.

CreatePlease to create content