Michael ONeil
Beginner

ACS NDG nesting

I have an admin who nested a Network Device Group inside another Network Device Group. Is that recommended? For instance, there is an NDG for Asia, and inside Asia he put other NDGs, one for routers, another for switches, and yet another for firewalls. This seems way too complicated for TACACS authentication use.

I have seen Cisco Security Manager balk at these nested groups and not be able to see down into the nested groups to see if a device is set up in ACS.

I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading.

What do you recommend?

1 REPLY
c-computershare
Beginner

Hi Michael

I don't think there is a wrong or right way. I'm currently in the testing stages of our new ACS rollout.

What I have done is to create 3 NDGs and set them up as follows:

Location - Continent - Country - Town - Office location

Device Type - Type of device - Vendor name

Department - department who manages the device

I can then use these in my policies to allow read-only access based on device type and location. I can also use the department NDG to allow admin access to devices if it's managed by a different team other than ours.

This seems to work ok based on the bit of testing I have done so far.

Cheers

Jay
