Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Restrict User to specific NAS if only default NAS profile is configured


I use ACSWin4.1/tacacs+ and I want to restrict shell-users to specific NAS without defining all the NAS on the ACS server. I have only defined very few NAS profiles and the <other>-NAS-profile on the ACS-server because I do not like to maintain thousands of NAS profiles on the ACS.

I get this working on the old CSU without problems by using NAS-names and wildcards (worked over configured hostname/DNS-name of the NAS) like NAS:"customer-.*" (Routername: customer-router1,..).

Is there any solution for ACSWin4.1 to get such a function or at least to enter ip/masks instead of defining every nas and making big NDGs.




Re: Restrict User to specific NAS if only default NAS profile is

You can do this, but you'll have to enter some of the devices into ACS, eg whichever you specifically need to permit or deny access to.

The NAR UI control doesnt allow you enter IP addresses - only select from device names already configured.

New Member

Re: Restrict User to specific NAS if only default NAS profile is

I know this solution but this means for specific restricted users who needs many devices to define at least 50 NAS entries. So the solution is not as nice as my old solution used by CSU.

I now found another way by defining a specific nas which includes all ip addresses (or even ip-ranges are allowed for nas definitions) a specific restricted user needs, but this solution does not allow mixing another restricted user to a subset of the nas addresses of the first restricted user.

The problem is that this solution does not allow to mix restricted users easily.

CreatePlease to create content