https://community.cisco.com/t5/network-access-control/acs-ndg-nesting/m-p/1796189#M213776 <P>I have a admin who nested a Network device group inside another network device group. Is that reccomended? For instance, there is a NDG for Asia, and inside asia he put other NDG for Routers, another for switches, and yet another for firewalls. This seems way too complicated for Tacacs authentication use.</P><P></P><P>I have seen Cisco Security manager balk at these nested groups and not be able to see down into the nested groups to see if a device is setup in ACS .</P><P>I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading. </P><P></P><P>What do you reccommend?</P> Mon, 11 Mar 2019 01:31:30 GMT Michael ONeil 2019-03-11T01:31:30Z https://community.cisco.com/t5/network-access-control/acs-ndg-nesting/m-p/1796189#M213776 <P>I have a admin who nested a Network device group inside another network device group. Is that reccomended? For instance, there is a NDG for Asia, and inside asia he put other NDG for Routers, another for switches, and yet another for firewalls. This seems way too complicated for Tacacs authentication use.</P><P></P><P>I have seen Cisco Security manager balk at these nested groups and not be able to see down into the nested groups to see if a device is setup in ACS .</P><P>I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading. </P><P></P><P>What do you reccommend?</P> Mon, 11 Mar 2019 01:31:30 GMT https://community.cisco.com/t5/network-access-control/acs-ndg-nesting/m-p/1796189#M213776 Michael ONeil 2019-03-11T01:31:30Z https://community.cisco.com/t5/network-access-control/acs-ndg-nesting/m-p/1796190#M213808 <HTML><HEAD></HEAD><BODY><P>Hi Michael</P><P></P><P>I don't think there is wrong or right way. I'm currently in testing stages of our new ACS roll out.</P><P></P><P>What I have done is to create 3 NDG and set them up as follows</P><P></P><P>Location - COntinent - COuntry - Town - Office location</P><P></P><P>Device Type - Type of device - Vendor name</P><P></P><P>Department - department who manages the device</P><P></P><P>I can then use these in my policies to allow read only access based on device type and location. I can also use the department ndg to allow admin access to devices if its managed by a different team other than ours.</P><P></P><P>This seems to work ok based on the bit of testing I have done so far. </P><P></P><P>Cheers</P><P></P><P>Jay</P></BODY></HTML> Thu, 03 Nov 2011 15:39:34 GMT https://community.cisco.com/t5/network-access-control/acs-ndg-nesting/m-p/1796190#M213808 c-computershare 2011-11-03T15:39:34Z