Hi all, I'm in the process of migrating router AAA from RADIUS on Some Other Platform to TACACS on ACS, and I've hit a bit of a snag.
I'm making extensive use of the Network Groups in combination with User Groups to give a matrix of appropriate access rights, which has worked well for core and edge devices and various ops teams across different countries, but not so well for CE routers. We have, at the moment, a /19 allocated to management addresses for CE devices. Obviously I don't want to list every single one of those devices as an individual AAA client, so I was looking at putting in a single entry with a range. (Ignoring for the moment the very strange address wildcarding in ACS.)

However, there are some CE routers that need to go into a distinct group from the rest, as they need special treatment - typically that a customer has limited access. I'd have hoped that ACS would follow the common-sense route of taking the most specific match - but it doesn't even let you configure an AAA client with a range at the same time as a specific host entry from within that range.

Am I really the first person to want to do this? It seems an obvious way to work: general case, then pull out specific exceptions... Is there some simple solution that I'm missing?

Going forward, I could carve off part of my /19 to be reserved for 'special cases' and take it out of the general range, but that would still necessitate re-numbering all the 'special case' devices that already exist in the network :(

Advice is very welcome.

Thanks in advance,
Tim.

_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
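The two ideas in the post, most-specific-match lookup and carving the exceptions out of the general range, worked through as an added Python example (this is not from the post and is not ACS code or configuration). It assumes a hypothetical /19 (10.0.0.0/19) and two hypothetical special-case CE hosts inside it, and the group names "CE-General" and "CE-Limited" are placeholders. It computes the non-overlapping ranges that cover the /19 minus the exceptions, so a platform that refuses overlapping entries can be given those pieces plus the exceptions, checks that nothing in the resulting table overlaps, and resolves an address to its group by longest prefix. Whether a given piece can be expressed in ACS's wildcard syntax is outside what this example covers.

```python
import ipaddress

# Constructed example data (not from the post): a /19 of CE management
# addresses and two "special case" CE routers that sit inside it.
GENERAL_RANGE = ipaddress.ip_network("10.0.0.0/19")
SPECIAL_CASES = [
    ipaddress.ip_network("10.0.5.17/32"),
    ipaddress.ip_network("10.0.20.130/32"),
]

# Placeholder group names, standing in for ACS Network Groups.
GENERAL_GROUP = "CE-General"
SPECIAL_GROUP = "CE-Limited"


def carve_out(general, exceptions):
    """Return the sorted, non-overlapping networks covering `general`
    minus every network in `exceptions`.

    Each returned network is disjoint from every exception, so the result
    plus the exceptions can be loaded into a system that rejects overlapping
    AAA client entries without renumbering the exceptional hosts.
    """
    for exc in exceptions:
        if not exc.subnet_of(general):
            raise ValueError(f"{exc} is not inside {general}")
    remaining = [general]
    for exc in exceptions:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(exc):
                continue                      # piece swallowed whole by the exception
            if exc.subnet_of(net):
                next_remaining.extend(net.address_exclude(exc))  # split around it
            else:
                next_remaining.append(net)    # disjoint, keep as-is
        remaining = next_remaining
    return sorted(remaining)


def build_table(general, exceptions,
                general_group=GENERAL_GROUP, special_group=SPECIAL_GROUP):
    """Map every carved-out piece to the general group and each exception
    to the special group. Keys never overlap (see has_overlap)."""
    table = {net: general_group for net in carve_out(general, exceptions)}
    for exc in exceptions:
        table[exc] = special_group
    return table


def has_overlap(table):
    """True if any two networks in the table overlap; a platform that
    refuses overlapping AAA clients would reject such a table."""
    nets = list(table)
    return any(a.overlaps(b)
               for i, a in enumerate(nets) for b in nets[i + 1:])


def most_specific_group(addr, table):
    """Longest-prefix match of `addr` against the table; None if no entry
    covers it. This is the behaviour the post wishes ACS had."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, group in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1] if best else None


def covered_addresses(table, group):
    """Number of addresses the table assigns to `group`; a sanity check
    that the carve-out lost nothing but the exceptions."""
    return sum(net.num_addresses for net, g in table.items() if g == group)


if __name__ == "__main__":
    table = build_table(GENERAL_RANGE, SPECIAL_CASES)
    print(f"{len(table)} entries, overlap: {has_overlap(table)}")
    for net in sorted(table):
        print(f"  {str(net):20} -> {table[net]}")
    for probe in ("10.0.5.17", "10.0.5.18", "10.0.20.130", "10.0.31.254", "10.0.40.1"):
        print(f"{probe:12} -> {most_specific_group(probe, table)}")
```

Excluding one /32 from a /19 yields 13 pieces (one per prefix length from /20 to /32), and a second /32 in a different /20 splits one of those pieces into 12 more, so the general group becomes 24 ranges rather than one. That is the price of expressing "general case minus exceptions" on a platform that has no longest-match rule; the lookup function shows what a longest-match platform would do with the same data in a single overlapping entry.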
