topic Re: ACS NDG in Network Access Control

ACS NDG

wasiimcisco — Sun, 10 Mar 2019 22:50:05 GMT

have ACS appliance, I have made multiiple device group and add different region devices in it. I have redudent ACS running in my enviroment. BUt when i try to add AAA server in my different Device groups i got the error that host already exist. I am only able to add AAA server in only one device group, not other.

Please tell me is it possible to have one AAA server for multiple group.

I have made 5 users and each user will only able to access one group.

Please tell me where i m missing the configuration.

Re: ACS NDG

Jagdeep Gambhir — Thu, 08 May 2008 15:04:39 GMT

Wasim,

There is no need to add aaa server in each NDG. We just need one server and that will take care of all aaa-clients and users.

Regards,

~JG

Do rate helpful posts

Re: ACS NDG

wasiimcisco — Thu, 08 May 2008 20:53:54 GMT

Thanks for the reply, now i have three groups, one group is DCN and my two AAA server added in it, Rest of three groups are without the ACS,

I have made four users and i want only one user can manage all devices in one group.

Right now ALL users in member of default user group.

How to restrict users so that they will be able to login on specific device group and do their job, not all device group.

Re: ACS NDG

Jagdeep Gambhir — Fri, 09 May 2008 01:35:12 GMT

Wasim,

You need to feature called NAR (Network access restrictions), please see this link,

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

Regards,

~JG

Do rate helpful posts

Re: ACS NDG

wasiimcisco — Fri, 09 May 2008 20:48:12 GMT

Thanks for the reply, it is working fine for me, but now i m not able to configure the command authorization. I obey the pattern that u send on the fourm, I did the same but still not getting user is able to do all the tasks.

i made a command authorization set as mentioned with show and deny it with unmatch argument.

because i want user only able to run show commands,

user have level 1 permission, it is also showing me in taccac administration that user have level 1 permission.

i did following configuration on cisco router for command authorization

aaa new-model

aaa authentication login default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 7 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa authorization config-commands

tacacs-server host 172.28.31.132

tacacs-server host 172.28.31.133

tacacs-server key xxxxxxxx