Showing results for 
Search instead for 
Did you mean: 

ACS 3.0 overlapping device groups


Trying to restrict users to a single device group e.g. 172.17.*.*. I can get it to work fine using "Network Configuration-> Network Device Groups"but I can't set up overlapping NDGs.

Now I can't get NAR to restrict access.

** My NAR call "172.17-Europe" looks like

Define IP-based access restrictions - ticked

Table defines = Permitted Calling/Point of Access Locations

AAA Client = "All AAA Clients"

Port = *

Src IP Address = 172.17.*.*

** My group looks like

Only allow network access when - ticked

Any one selected NAR results in permit - selected


When I attempt to telnet and login to any 172.17 device, Failed Attempts.csv reports....

Message Type = Authen failed

Authen Failure Code = User Access Filtered

If I can get this woirking I then want to create additional NAR which are subsets of the 172.17 domain e.g. 172.17.20-London or 172.17.*.1-Europe-routers.

Thanks in advance.

2 Replies 2

Community Manager
Community Manager

Often times complex configuration/troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it’s often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit and to open a case with one of our TAC engineers, visit

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.


Some trial and error in the lab proved successful.

AAA Clients cannot overlap

NDGs cannot overlap

BUT NARs can overlap

It's a bit messy but works, on to the next problem, applying priv levels to diff user in diff groups on diff over lapping device groups.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers