Cisco Support Community
Best Practice for ACS 5.2 Policy

Hi All,

I am wondering if there is some sort of best practice guideline to implement ACS? I mean, like how we are going to group devices, or how the "if then" policy should be structured. Please help..



Best Practice for ACS 5.2 Policy


The ACS is entirely flexible in the way you choose to implement it, and it is based on your network specifications. Some networks have site-specific Administrators, in which case they will choose to implement their TACACS policies to permit access to devices in their regions, so they choose to assign a location to a network device.

Some customers have restrictions on which Administrators have access to which devices; when you choose to group devices based on routers, switches, firewalls, or SAN devices, you can choose to implement your policies as such.

Moving to the user side, some customers have a tiered structure in access levels (contractors, network-operators, admins and superadmins), so you can create policies and shell profiles to grant access to devices based on the user, along with which group they are trying to access, and finally what commands they are allowed to run.

Based on your scenario above I assumed TACACS; you can choose to implement RADIUS in the same fashion, but more customers base this off of what users are allowed to have certain access... guests (internet only), management (VPN access with higher privs)... etc.


Tarik Admani

Tarik Admani *Please rate helpful posts*
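The structure the reply describes (network devices grouped by location and device type, users in tiered identity groups, and "if-then" rules that hand out a shell profile plus a command set) can be modelled as a first-match rule table with a default of deny. The following is an added example written for this thread; it is not ACS code and not the poster's, and all group names, device names, privilege levels and commands in it are constructed assumptions chosen to illustrate the pattern.

```python
"""Toy model of a TACACS+ device-administration policy table in the style
described above: conditions on identity group, device location and device
type select a shell profile and a command set. Constructed example; the
names and values are assumptions, not anything from a real ACS deployment."""
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # wildcard condition, like leaving a rule condition unset


@dataclass(frozen=True)
class Device:
    name: str
    location: str      # network device group: location (e.g. "EMEA")
    device_type: str   # network device group: type (e.g. "Firewall")


@dataclass(frozen=True)
class User:
    name: str
    identity_group: str  # e.g. "contractors", "network-operators", "admins"


@dataclass(frozen=True)
class ShellProfile:
    name: str
    priv_lvl: int  # privilege level pushed to the device on login


@dataclass(frozen=True)
class CommandSet:
    name: str
    permitted: frozenset = frozenset()  # first keywords that are allowed
    permit_any: bool = False            # "permit any command" style set

    def allows(self, command: str) -> bool:
        words = command.strip().split()
        keyword = words[0] if words else ""
        return self.permit_any or keyword in self.permitted


@dataclass(frozen=True)
class Rule:
    name: str
    shell_profile: ShellProfile
    command_set: CommandSet
    identity_group: str = ANY
    location: str = ANY
    device_type: str = ANY

    def matches(self, user: User, device: Device) -> bool:
        # Every condition must be a wildcard or an exact match.
        pairs = ((self.identity_group, user.identity_group),
                 (self.location, device.location),
                 (self.device_type, device.device_type))
        return all(cond in (ANY, value) for cond, value in pairs)


# Constructed profiles and command sets (assumed values).
FULL = ShellProfile("priv15", 15)
READ_ONLY = ShellProfile("priv1", 1)
PERMIT_ALL = CommandSet("PermitAll", permit_any=True)
OPERATOR = CommandSet("Operator", frozenset({"show", "ping", "traceroute", "clear"}))
SHOW_ONLY = CommandSet("ShowOnly", frozenset({"show"}))

# Rules are evaluated top-down; the first match wins, and no match means
# access is denied (mirrors a default-deny last rule).
POLICY: List[Rule] = [
    Rule("superadmins-everything", FULL, PERMIT_ALL, identity_group="superadmins"),
    Rule("emea-admins-own-region", FULL, PERMIT_ALL,
         identity_group="emea-admins", location="EMEA"),
    Rule("operators-routers", FULL, OPERATOR,
         identity_group="network-operators", device_type="Router"),
    Rule("operators-switches", FULL, OPERATOR,
         identity_group="network-operators", device_type="Switch"),
    Rule("contractors-switches-ro", READ_ONLY, SHOW_ONLY,
         identity_group="contractors", device_type="Switch"),
]


def evaluate(policy: List[Rule], user: User, device: Device) -> Optional[Rule]:
    """Return the first matching rule, or None for a denied login."""
    for rule in policy:
        if rule.matches(user, device):
            return rule
    return None


def authorize_command(policy: List[Rule], user: User, device: Device,
                      command: str) -> bool:
    """Command authorization: only a matched rule's command set can permit."""
    rule = evaluate(policy, user, device)
    return rule is not None and rule.command_set.allows(command)


if __name__ == "__main__":
    fw = Device("fw-apac-01", "APAC", "Firewall")
    rtr = Device("rtr-emea-01", "EMEA", "Router")
    for user, dev, cmd in [
        (User("root", "superadmins"), fw, "configure terminal"),
        (User("alice", "emea-admins"), fw, "show version"),
        (User("bob", "network-operators"), rtr, "configure terminal"),
        (User("carol", "contractors"), rtr, "show version"),
    ]:
        rule = evaluate(POLICY, user, dev)
        print(user.name, dev.name, rule.name if rule else "DENY",
              cmd, authorize_command(POLICY, user, dev, cmd))
```

The ordering matters: putting the broad superadmin rule first and leaving no catch-all permit at the bottom is what keeps a contractor or an out-of-region admin from silently falling through to a login with elevated privileges, which is the situation an audit of the rule table should look for.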