Cisco Support Community

ACS 5.5 Configuration Example? Multi-site Ideas...

Hi Folks,

Working on deploying ACS 5.5 in a multi-site (5+) environment. With groups going away, what is the best way to allow location-based access? So far, I have the following - but it seems way overcomplicated.


Each device is assigned a location in the NDG

User Attributes: Location Restriction (string)

Device Restrictions - Enumeration (e.g. Router: Read <or> Read/Write <or> No Access)


Access Service Selection - Each site has its own TACACS and RADIUS Access Service
Matches are done on NDG Location and Protocol

Each SITE Access service (SITE_A-TACACS) has role based policies per device type. The following is an authorization policy for SITE_A Router Admin Access

Router Admin Policy

Check User Attribute: Device Restrictions: Enumeration Value: Router Admin


- Check User Attributes: String: Location Restriction ( IF CONTAINS ) SITE_A

- Check User Attributes: String: Location Restriction ( IF CONTAINS ) None

Shell: Router Admin

Command Set:  Router Admin

It works great; however, that means the rules need to be duplicated if a new site is brought online. Also, if a new device type is created, say, Firewalls, an additional user attribute would need to be created and all users updated. Additionally, all sites in the service selection would need the appropriate device type added - SITE_A, B, C, etc. would need a firewall authorization profile created.


Thanks for reading


Nathan, thanks for sharing

ACS is a policy-based server, and as with every policy server you need to comply with a set of conditions to have a result.


The best way to do it is by having as conditions NDG Location + NDG Device Type + user AD or local group = xxxx permission.




Erick Delgado
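As an added illustration (not code from this thread and not how ACS is implemented internally), the following models the rule structure Erick describes: each rule matches on NDG Location, NDG Device Type and a user group, rules are evaluated first-match with an implicit deny, and NDG matches are hierarchical so a rule on a parent node covers every child site. The rule names, NDG paths and group names are constructed for the example.

```python
"""First-match model of an ACS-style authorization policy built from
NDG Location + NDG Device Type + user group (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    location: str       # NDG subtree, e.g. "All Locations:SITE_A"
    device_type: str    # NDG subtree, e.g. "All Device Types:Router"
    group: str          # AD or local group the user must belong to
    shell_profile: str
    command_set: str


def in_ndg(device_ndg: str, rule_ndg: str) -> bool:
    """Hierarchical NDG match: a rule on a parent node matches its children."""
    return device_ndg == rule_ndg or device_ndg.startswith(rule_ndg + ":")


# Constructed rule set: one global rule at the NDG root, plus per-site rules.
# A new site only needs its own group and rule(s); no per-user attribute edits.
RULES = [
    Rule("Global-Router-Admin", "All Locations", "All Device Types:Router",
         "NetAdmins-Global", "Router Admin", "Router Admin"),
    Rule("SITE_A-Router-Admin", "All Locations:SITE_A",
         "All Device Types:Router", "NetAdmins-SITE_A",
         "Router Admin", "Router Admin"),
    Rule("SITE_A-Router-RO", "All Locations:SITE_A",
         "All Device Types:Router", "NetOps-SITE_A",
         "Router Read", "Router Read"),
]


def authorize(rules, device_location, device_type, user_groups):
    """Return (rule name, shell profile, command set) for the first matching
    rule; anything that matches no rule falls through to an explicit deny."""
    for r in rules:
        if (in_ndg(device_location, r.location)
                and in_ndg(device_type, r.device_type)
                and r.group in user_groups):
            return r.name, r.shell_profile, r.command_set
    return "Default", "DenyAccess", None


if __name__ == "__main__":
    print(authorize(RULES, "All Locations:SITE_A",
                    "All Device Types:Router", {"NetAdmins-SITE_A"}))
```

Note that a device of a new type (for example a Firewall NDG) matches nothing until a rule for it is added, which is the deny-by-default behaviour you want when extending the policy.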
