
ACS NDG nesting

Michael ONeil
Level 1

I have an admin who nested a Network Device Group inside another Network Device Group. Is that recommended? For instance, there is an NDG for Asia, and inside Asia he put other NDGs: one for routers, another for switches, and yet another for firewalls. This seems way too complicated for TACACS authentication use.

I have seen Cisco Security Manager balk at these nested groups and not be able to see down into the nested groups to see if a device is set up in ACS.

I would like to restructure the group for Asia to be one big NDG containing all IPs of devices under one heading.

What do you recommend?

1 Reply

c-computershare
Level 1

Hi Michael

I don't think there is a wrong or right way. I'm currently in the testing stages of our new ACS rollout.

What I have done is to create 3 NDGs and set them up as follows:

Location - Continent - Country - Town - Office location

Device Type - Type of device - Vendor name

Department - department who manages the device

I can then use these in my policies to allow read-only access based on device type and location. I can also use the Department NDG to allow admin access to devices if it's managed by a different team other than ours.

This seems to work ok based on the bit of testing I have done so far.

Cheers

Jay
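
A small model of the three-hierarchy layout described in the reply above, as an added example that is not part of the original thread and is not ACS code: each device gets one node in each hierarchy, and a rule matches when the device's path sits at or below the rule's node. The device IPs, NDG paths, team names, access labels and the first-match/default-deny evaluation are assumptions made for illustration.

```python
# Illustrative model only, not ACS code. Paths, devices, teams and
# access labels below are constructed sample data.

def under(path, node):
    """True if a colon-separated NDG path equals node or sits beneath it.
    Compares whole segments, so 'Asia-Pacific' is not treated as 'Asia'."""
    p, n = path.split(":"), node.split(":")
    return p[:len(n)] == n

# Each device is assigned one node in each of the three hierarchies.
DEVICES = {
    "10.1.1.1": {"Location": "All Locations:Asia:Japan:Tokyo:HQ",
                 "Device Type": "All Device Types:Router:Cisco",
                 "Department": "All Departments:Network"},
    "10.1.1.2": {"Location": "All Locations:Asia:Japan:Tokyo:HQ",
                 "Device Type": "All Device Types:Firewall:Cisco",
                 "Department": "All Departments:Security"},
    "10.2.1.1": {"Location": "All Locations:Europe:UK:London:DC1",
                 "Device Type": "All Device Types:Switch:Cisco",
                 "Department": "All Departments:Network"},
}

# Rules: (user group, {hierarchy: node}, result). First match wins (assumed).
RULES = [
    ("security-team", {"Department": "All Departments:Security"}, "admin"),
    ("network-team", {"Department": "All Departments:Network"}, "admin"),
    ("network-team", {"Location": "All Locations:Asia",
                      "Device Type": "All Device Types:Firewall"}, "read-only"),
]

def authorize(group, device_ip):
    """Return the result of the first rule whose conditions all match."""
    ndgs = DEVICES.get(device_ip)
    if ndgs is None:
        return "deny"          # unknown device: no NDG assignment
    for rule_group, conditions, result in RULES:
        if rule_group == group and all(
                under(ndgs[h], node) for h, node in conditions.items()):
            return result
    return "deny"              # default rule when nothing matches
```

Because device type is its own hierarchy rather than a child of each location, the firewall rule for Asia is one condition pair and does not have to be repeated under every office.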