https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127967#M9400 <P>I have an issue.</P><P></P><P>We have 2 groups which are created in ACS, Group 1: Tacacs Access, and Group 2:Radius Access. The 1st group has individuals that have been created on the ACS server itself. The 2nd group is dynamic users who are being enabled access through User Manager for Domains. We do not want to have the 2nd group to be able to access our routers and switches with their Microsoft Accounts, which they currently can, atleast as far as to the enable prompt. I would like to have the 2 groups be totally independent of one another. Our 1st group is only used for our administrators to access all our network devices.</P><P></P><P>I am sure that some type of filtering or allowing of a certain group of IP addresses could be implemented on the ACS, but I am unsure where, if this is the case.</P><P></P><P>Can someone please help! </P><P></P><P>Thank You! </P><P></P><P>Matt</P> Fri, 21 Feb 2020 18:07:55 GMT matt.austin 2020-02-21T18:07:55Z https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127967#M9400 <P>I have an issue.</P><P></P><P>We have 2 groups which are created in ACS, Group 1: Tacacs Access, and Group 2:Radius Access. The 1st group has individuals that have been created on the ACS server itself. The 2nd group is dynamic users who are being enabled access through User Manager for Domains. We do not want to have the 2nd group to be able to access our routers and switches with their Microsoft Accounts, which they currently can, atleast as far as to the enable prompt. I would like to have the 2 groups be totally independent of one another. Our 1st group is only used for our administrators to access all our network devices.</P><P></P><P>I am sure that some type of filtering or allowing of a certain group of IP addresses could be implemented on the ACS, but I am unsure where, if this is the case.</P><P></P><P>Can someone please help! </P><P></P><P>Thank You! </P><P></P><P>Matt</P> Fri, 21 Feb 2020 18:07:55 GMT https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127967#M9400 matt.austin 2020-02-21T18:07:55Z https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127968#M9402 <HTML><HEAD></HEAD><BODY><P>You need to set up Network Access Restrictions (NAR), restricting Group 2 to not be able to access the routers/switches. </P><P></P><P>Make sure Group-Level NAR is checked under Interface Config - Advanced Options. Then go under Group 2, to the NAR section, check the "Define IP-based access restrictions" box, select Table defines "Denied calling points", then select each of the routers/switches, using an * for Port and Address and add them to the table.</P><P></P><P>This will deny anyone in Group 2 from authenticating to any of the routers/switches.</P></BODY></HTML> Thu, 07 Aug 2003 05:43:14 GMT https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127968#M9402 gfullage 2003-08-07T05:43:14Z https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127969#M9404 <HTML><HEAD></HEAD><BODY><P>Thanks for your expertise!</P><P></P><P>The solution you recommended worked great!</P><P></P><P>I appreciate your assistance, good luck in your endeavors!</P></BODY></HTML> Thu, 07 Aug 2003 08:47:24 GMT https://community.cisco.com/t5/network-access-control/acs-user-groups/m-p/127969#M9404 matt.austin 2003-08-07T08:47:24Z