Cisco Support Community
New Member

ACS user access setting

I am trying to find a solution for some type of settings in ACS.

Imagine, for instance, a real situation as follows:

There is group "A" with 100 users. For 20 of them, I need to assign access to devices in group "B". I can't find any easy way to do that.

Examples:

When I enable the user section “Per User Defined Network Access Restrictions”, this replaces the settings of the user group, and I have to add all the devices from Group "A" there to preserve their access. When Group "A" changes, I have to apply the changes to each person separately.

When I insert the device group into the user group Enable privileges (level 0) and I set the Max Privilege for any AAA Client for individual persons, I grant them level 15 privileges for all the AAA devices.

When I create a new user group instead of Group "A" and move the users to this group, I have 2 groups to maintain with the same privileges except for Group "B".

When I create separate level 15 privileges for every person, I have to insert all the groups and devices from the user group there, and I again have to apply changes to all the people whenever the settings of the user group change.

We often have this kind of problem. Is there any normal way to add these privileges to the users from this group and preserve the settings from Group "A" for them?

1 REPLY
Silver

Re: ACS user access setting

Sounds like you really do need 2 groups since the access restrictions are totally different. If these 20 users always have different NARs to the other 80 users they should not be in the same group.

In essence this is the reason for shared profile components. So that you can have multiple groups re-using pieces of config. It's obviously not perfect.

I'm guessing you would like to see either nested groups or multi-group membership - but that's a world of pain and complexity.
