<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ACS 4.0 Network Device Groups in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/acs-4-0-network-device-groups/m-p/1138565#M364199</link>
    <description>&lt;P&gt;Hey everyone, got a question for you.  I am running ACS 4.0 for Windows.  I have several NDGs configured including NETWORK 1 and NETWORK 2.  I also have several user groups including GROUP A, GROUP B, and GROUP C.  GROUP A should have access to all devices on all NETWORKs.  This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level =15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2.  I have this done by Enable Options:  Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked;  and Priv Level =15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My problem is that when I do this, they are still able to log into both groups and have full priv on both groups.  If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On each device I have the following:&lt;/P&gt;&lt;P&gt;aaa authentication login default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization config-commands&lt;/P&gt;&lt;P&gt;aaa authorization exec default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa accounting exec default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting commands 15 default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 23:17:42 GMT</pubDate>
    <dc:creator>pyrodie18</dc:creator>
    <dc:date>2019-03-10T23:17:42Z</dc:date>
    <item>
      <title>ACS 4.0 Network Device Groups</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-4-0-network-device-groups/m-p/1138565#M364199</link>
      <description>&lt;P&gt;Hey everyone, got a question for you.  I am running ACS 4.0 for Windows.  I have several NDGs configured including NETWORK 1 and NETWORK 2.  I also have several user groups including GROUP A, GROUP B, and GROUP C.  GROUP A should have access to all devices on all NETWORKs.  This is configured as Enable Options: Max Priv Level any AAA device = 15; TACACS+ settings Shell checked and Priv Level =15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;GROUP B should have full access to NETWORK 1, but no access (or at least no privileges) for NETWORK 2.  I have this done by Enable Options:  Define max per NDG with NETWORK 1 set to 15, and everything else blank; TACACS+ settings Shell checked;  and Priv Level =15.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;My problem is that when I do this, they are still able to log into both groups and have full priv on both groups.  If I get rid of TACACS+ Settings Priv Level, then I can still log into either NETWORK, but just need to put in the local enable password.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;On each device I have the following:&lt;/P&gt;&lt;P&gt;aaa authentication login default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa authorization config-commands&lt;/P&gt;&lt;P&gt;aaa authorization exec default group tacacs+ local&lt;/P&gt;&lt;P&gt;aaa accounting exec default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;aaa accounting commands 15 default start-stop group tacacs+&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I know I could do command authorization and it may solve the problem, but some of these sites are low speed sites and I don't want to wait for each command to authenticate.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 23:17:42 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-4-0-network-device-groups/m-p/1138565#M364199</guid>
      <dc:creator>pyrodie18</dc:creator>
      <dc:date>2019-03-10T23:17:42Z</dc:date>
    </item>
    <item>
      <title>Re: ACS 4.0 Network Device Groups</title>
      <link>https://community.cisco.com/t5/network-access-control/acs-4-0-network-device-groups/m-p/1138566#M364210</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;You could try group level Network Access Restrictions.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This way you can actually prevent GROUP B from even logging onto NETWORK 2.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;That would be the simplest approach. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 21 Jan 2009 16:21:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/acs-4-0-network-device-groups/m-p/1138566#M364210</guid>
      <dc:creator>darpotter</dc:creator>
      <dc:date>2009-01-21T16:21:45Z</dc:date>
    </item>
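Editor's note, added to this thread and not part of either post. The symptom pyrodie18 describes follows from how ACS 4.x applies the two settings involved. The group's TACACS+ Settings, Shell, Privilege level is returned as the priv-lvl attribute in the exec authorization reply and is a single value for the group, not tied to an NDG, so any device running "aaa authorization exec default group tacacs+" lands the user directly at privilege 15 on every network. The Enable Options (including "define max privilege on a per network device group basis") are consulted only when the device sends an enable authentication request to ACS, and the posted device configuration has no "aaa authentication enable" line; that is why removing the shell privilege level leaves the user at level 1 and the local enable password still works on both networks. The IOS fragment below is an added example written for this page, not configuration from the thread, showing the posted AAA lines beside a corrected set; the ACS address, shared key and local account names are placeholders.

```cisco
! Added example (not from the thread). Cisco IOS device using ACS 4.0 over TACACS+.
! Placeholders: 192.0.2.10 (ACS server) and SharedSecret (TACACS+ key) are assumptions.
aaa new-model
tacacs-server host 192.0.2.10 key SharedSecret
tacacs-server timeout 5
!
! --- As posted: exec authorization alone decides the privilege level ---
! ACS answers the exec authorization with priv-lvl=15 for GROUP B on every NDG because the
! group's Shell privilege level is one value for the whole group. No enable request is ever
! sent to ACS, so the per-NDG Enable Options are never evaluated and the device's local
! enable password is what "enable" checks.
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! --- Corrected: make the enable step the place where the per-NDG limit is enforced ---
! 1. In ACS, for GROUP B leave TACACS+ Settings, Shell, Privilege level blank (unchecked), so
!    the exec authorization reply carries no priv-lvl and the session starts at level 1.
! 2. Keep Enable Options on "define max privilege on a per network device group basis" with
!    NETWORK 1 = 15 and the other NDGs blank, as posted; the intent is that NETWORK 2 devices
!    grant this group no enable privilege, which the verification below confirms per device.
! 3. On the device, send enable authentication to ACS. The trailing "enable" method is a
!    fallback to the local enable secret that IOS uses only when no TACACS+ server answers;
!    an explicit deny from ACS is final and does not fall through.
aaa authentication enable default group tacacs+ enable
!
! Keep a local enable secret and a local user for the server-unreachable fallback paths.
! Both secrets are placeholders to be set locally.
enable secret LocalEnableSecret
username admin privilege 15 secret LocalAdminSecret
!
! Verification, run from the device with a test account in GROUP B:
!   debug aaa authorization    the EXEC authorization reply should no longer contain priv-lvl=15
!   debug aaa authentication   the enable request should go to TACACS+ and return PASS on a
!                              NETWORK 1 device and FAIL on a NETWORK 2 device
!   test aaa group tacacs+ testuser testpass new-code
!                              checks login authentication only; it does not exercise enable
```

With this split, a GROUP B user can still log in to a NETWORK 2 device at privilege 1, which is what the poster said was acceptable ("or at least no privileges"). If login itself should be refused, that is what darpotter's group-level Network Access Restriction does in ACS; the device side above is unchanged by it.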
  </channel>
</rss>

