Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Admin access scenario


what's the best way to deploy the below-mentioned setup

What's setup on tacacs

-NDGs containing list of AAA devices classfied by country.

I have an administrator that needs to access only 3 of the NDG and be denied access to the rest.

Do i achieve this with

-New group setup restricting TACACS+ and Enable Options to just the 3 NDGs?

-create this new administrator and have him assgined to this new group

Also,am i able to do the following :

-make a user be part of several Groups

-allow a user acces to 1 NDG and several standalone AAA clients that are not part of a group.


Re: Admin access scenario

You have a couple of choices. If this admin belongs to a group and they have similar profiles you could create a group with an IP based NAR allowing access to only the named NDGs.

or, if its a special case you can assign NARs directly to the admin user in question.

User cannot be in several groups. However using NDG->NAR and NDG->DCS mappings you can make users of a group get different authorisations based on the devices being managed, eg NDG1->full access, NDG2->read only

NARs can contain NDGs, NAFs and individual devices.


New Member

Re: Admin access scenario

Thanks for the notes on this.

I've created two Shell Command authorization Set

-Full Rights

-Read Only

I've assigned a user access to specific NDG with full rights.When i use his credentials to log into another switch that is not part of his NDG allow list,i'm puzzled.

Now i can't get into enable mode (that's the intended purpose) but i can run show ip/trace/ping w/o going to enable mode. It seems that this user has been assigned the Read-only shell command authorization set for all other switches.

Is there a way i can stop this?


Re: Admin access scenario

Hmm, interesting in theory the default position should always be to deny.

Anyway you could force this. Create a new empty DCS with default cmd = deny.

Add an entry at the bottom of the NDG->DCS mapping table using the special entry, ie --> DENYALL.

If that doesnt fix it... then, um.. I'll eat my hat!

New Member

Re: Admin access scenario

Thanks but i have just one qtn, i'm using the Cisco ACS Appliance(CSACSE-1113-K9). correct me if i'm wrong but is DCS available on that?


Re: Admin access scenario

Yes, DCSs are available. You might have to switch them on in interface config.