
New Member

CS ACS v2.3->v4.0 Multiple Command Authorization Sets

I have a situation where I need members of the same group to have different TACACS command authorization depending upon the device that they are logged into. In the old Unix software (v2.3 I think it is), this was easy to implement. However, I have not figured out how to do it in the newer Windows software (v4.0). The closest I have gotten is that it looks like one can have different command authorization sets for different NDGs (all assigned to the same group), but I've only figured out how to make a device and more importantly, the AAA server, a member of one NDG!?


Re: CS ACS v2.3->v4.0 Multiple Command Authorization Sets


Generally the AAA server itself doesn't need to be in an NDG, just leave it in "Default".

But your approach is sound, by adding NDG->DCS mappings you are in effect creating "Role based access control".

Design of the NDGs is critical as you can only have a single topology, i.e. one device can't be in multiple NDGs.

The obvious example is geography, where ACS users in the admins group get a full access DCS for their own locale and more restricted (or read only) access to others.

There's an excellent white paper by Andrew Clymer still on at


New Member

Re: CS ACS v2.3->v4.0 Multiple Command Authorization Sets

Thank you much for the reply and link, and I apologize for my tardiness in responding. I had tried a couple of times w/o success to leave the AAA server in the default group, but after reading the white paper and your response, I decided that I probably had something else as the problem as well.

The problem turned out to be a Shell Command Authorization Set with an invalid naming convention. Well, no errors were generated in the GUI, but it wasn't working. I renamed the set with letters only, and all is well.
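The NDG-to-command-set mapping from the reply above and the silent naming failure from the last post, as an added example that is not part of the original thread and not ACS's own matching logic. It is a simplified model: all device, group and set names are constructed, the first-match wildcard rules are an assumption, and the letters-only name check mirrors the poster's fix rather than a documented ACS rule.

```python
from fnmatch import fnmatchcase

# Constructed sample data, not taken from any real ACS deployment.
# device -> NDG; a dict gives each device exactly one NDG (single topology).
DEVICE_NDG = {"lon-core-1": "EMEA", "nyc-core-1": "AMER"}

# Command set name -> ordered (action, pattern) rules; first match wins (assumed).
COMMAND_SETS = {
    "FullAccess": [("permit", "*")],
    "ReadOnly": [("permit", "show *"), ("permit", "ping *")],
    "Read-Only_v2": [("permit", "show *")],  # name containing non-letters
}

# (user group, NDG) -> command set applied to that group on that NDG.
GROUP_NDG_SET = {
    ("emea-admins", "EMEA"): "FullAccess",  # own locale: full access
    ("emea-admins", "AMER"): "ReadOnly",    # other locale: restricted
}


def authorize(group, device, command):
    """Return True if `group` may run `command` on `device`; deny by default."""
    ndg = DEVICE_NDG.get(device)
    rules = COMMAND_SETS.get(GROUP_NDG_SET.get((group, ndg)), [])
    for action, pattern in rules:
        if fnmatchcase(command, pattern):
            return action == "permit"
    return False  # unknown device, no mapping for this NDG, or no matching rule


def names_to_review(command_sets):
    """Set names that are not letters only, the rename that fixed the thread's case."""
    return sorted(name for name in command_sets if not name.isalpha())


def access_matrix(group, probes):
    """Per-device permit/deny results for a list of probe commands."""
    return {dev: {cmd: authorize(group, dev, cmd) for cmd in probes}
            for dev in sorted(DEVICE_NDG)}


if __name__ == "__main__":
    probes = ["show version", "configure terminal"]
    for dev, result in access_matrix("emea-admins", probes).items():
        print(dev, result)
    print("set names to review:", names_to_review(COMMAND_SETS))
```

Running a fixed list of probe commands per device after each change is a quick way to notice a command set that the GUI accepted but that is not being applied.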
