I have ACS 5.3 running TACACS+ and a Nexus 7K with 2 x non-default VDCs, VDC-OTV and VDC-CR.
I want my TACACS account to have role "vdc-admin" on VDC-CR, and "vdc-operator" on VDC-OTV.
What is the best way to achieve this?
I tried putting the VDCs into different Network Device Groups, with VDC-CR being in an Authorization Rule that associated the Device Group with the "vdc-admin" Shell Profile.
But I'm getting the same roles on both VDCs--both get whatever role is in the Shell Profile.
It's possible I'm not organizing the Devices and Network Device Groups correctly. It seems to me when I add a new Device, it knows about all the Device Groups, and the IP range and exclude syntax seems to be a pain. I have existing Device Groups, one with a 10.10.*.* IP range, and I'm trying to isolate these two VDCs out of that IP range into their own individual Device Groups.
Thanks!