

AAA: How to separate the group authentication on Switches through Radius/Tac


Currently my ACS is integrated with AD and all the users can access my IOS devices (configured for AAA). I only need one group in my AD to access my IOS devices and another group to use VPN access or any other authentications.

Can anyone tell me how to restrict all other groups in AD from accessing my network devices, except the one group in AD which I want to allow access to my network devices?


You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.


I wanted to do the same thing with the Active Directory, where I only wanted one group called "Network Admin" to have access to my switches. I have 3 ACS appliances and 100 switches. This is my setup.

On the ACS, create a "Network Device Group" under NETWORK CONFIGURATION. I called this group "TACACS+ Switches". Once the group is created, add all your AAA clients, which are your switches.

(You can accomplish that by first going under INTERFACE CONFIGURATION and clicking on "Network Device Groups". This enables the ACS to let you create "Network Device Groups". Also check "Group-Level Access Restrictions".)

Then click on GROUP SETUP, edit the 0:Default group and disable that group. Then select a group available from the group list, rename the group "Network Admin" and map that group against the AD group named "Network Admin".

Once that group is correctly mapped, go back to GROUP SETUP and edit the "Network Admin" group. Within the group you will see an option called "Network Access Restriction (NAR)".

Click the option DEFINE IP-BASED ACCESS RESTRICTIONS. From the AAA Client drop-down menu select "NDG:TACACS+ Switches". For the port enter "*" (asterisk). For the address you can specify the network in which the switches are residing; in my case I used "10.*.*.*", and the wildcards will allow any network on the 10. network. Then click "enter".

This is a high level overview on how I did my setup. Remember to properly define your AAA statement under your Cisco IOS switches.

I hope this helps!!
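The IOS-side AAA statements the reply says to define, as an added example that is not the poster's or Cisco's own configuration; the ACS addresses, the shared key and the local fallback account are placeholders, and the group/NAR decisions described above stay on the ACS side.

```cisco
! Added example of the IOS-side AAA statements the reply refers to; it is not
! the poster's configuration. Server addresses, the shared key and the local
! fallback account are placeholders for your own values.
aaa new-model
!
! The three ACS appliances from the reply, all reached over TACACS+ with one shared key
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
tacacs-server host 10.0.0.13
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
! Login: ask ACS first. ACS applies the group mapping and the NAR described
! above and rejects AD users outside the admin group. The local method is only
! tried when every ACS is unreachable; an ACS reject is never "fixed" locally.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec and command authorization so ACS, not the switch, decides what an
! authenticated admin may run. if-authenticated applies only when no server answers.
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
!
! Accounting gives ACS a per-session and per-command audit trail for the admin group.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback admin, used only when all ACS appliances are down
username localadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 15
 login authentication default
 authorization exec default
 transport input ssh
```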



I did as above but the problem is still the same. Now users who are members of Domain Admins can't access my AAA clients and the rest can access the AAA clients, but I need it the other way around.

Let me tell you briefly my issue.

1. I need all users in AD to authenticate with AD username/password.

2. Only one group in AD needs to access my AAA clients.

3. Only one group in my AD needs to authenticate with the VPN client.

Attached are the ACS group mapping and NAR in group DeviceAdmin.

I would appreciate it if anyone can give me clear steps for the above requirement please....