Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

User mode TACACS+ authentication

I'm new when it comes to this stuff, but I have bumped into something that I can't seem to resolve.

ACS 3.2-

IOS and Catalyst devices.


Every user in our company is in ACS. We currently have only one group(default) that all of the users are lumped into.

I have command and exec authorization working as expected on a few test devices, but a by product is that every user in the group is able to telnet to the device and enter user mode. They can't do anything, but I still do not want them in the device at all.

My thought is to create a "Administrators" group on the ACS server and associate the proper users with that group. Then set the group rights as appropriate. The question is how do I have the devices only recognize "THAT" ACS TACACS group for authentication?

Or how do I lock out users from even being able to access user mode?


Cisco Employee

Re: User mode TACACS+ authentication

Is there any reason/need for these non-admin type users to even be in the ACS database? If not simply remove them and they won't be able to get into the routers anymore.

If they're there because ACS is checking an external user database that they are all defined in, then you can easily set up Database Group Mappings and put the admin users into a specific ACS group (say Admins). Go under External User Database - Group Mappings and define a group mapping such that the users in say, the "admin" group (or some group you define) in your external user DB get mapped into the "Admins" group in ACS. Then give this Admins group access to the routers as normal with their authorization. All other external DB users can get mapped to the special "No Access" group in ACS (available in the drop-down list), which basically denies them access to everything.

If you have entered all users into the ACS internal database, but only a portion of them need access to the routers, then first thing you will need to do is create two ACS groups and separate the users accordingly. Then the easiest way to restrict users in the non-admin group is to create a dummy NAS entry for a non-existent NAS, modify the non-admin group, check the "Define IP-based access restrictions" box under the NAR section and then add that dummy NAS in as the only "Permitted calling point" (add * in for Port and Address also). This then only allows them access to the dummy NAS, which of course will never happen.

You could of course do it the inverse way and add all your NAS's into this list as "Denied Calling Points", up to you.

Leave the admin group with no restrictions and they'll be able to get into all NAS's as they can now.

Community Member

Re: User mode TACACS+ authentication

All the users are from Active Directory so your second choice seems to be the best. Is there just a way to turn off TACACS for the default group. The default group uses ONLY RADIUS for VPN authentication. If there was an easy way to turn off TACACS for the default all my problems would go away:)

CreatePlease to create content