ACS 4.2 groups

Hi
I have an access point with two SSIDs, one for staff and the other for students.
I'm doing MAC authentication. Let's say that staff access VLAN 10 and students go to VLAN 20.
I have two groups on the ACS: Group 1 with the staff MAC addresses, Group 2 with the student MAC addresses.
My question is: what if a student connects to the staff SSID? How can I force them to authenticate against Group 2, so they get a failed authentication
and don't get access through that SSID??
Any solution??
regards

Any update??

Similar Messages

  • ACS 5.3 Group Mapping based on AD group membership

    Hi,
    I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match it appropriately to an identity group.
    What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then, under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group.
    It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
    I tried several configuration choices from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.
    Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?
    Thank you,
    Sami

    OK, my case is like this.
    I use ACS 5.3 for VPN authentication, using AD and an external RSA for token authentication (two-factor authentication).
    I didn't add all the VPN users in the ACS, because it would be troublesome; the users' authentication will be managed by AD and the RSA server.
    In some cases where we need to restrict a group of users to only access certain resources, a downloadable ACL is used.
    Following the Cisco docs, I managed to get the downloadable ACL working when the authorization profile matching criterion is username, but when I change the matching criterion to Identity group, the downloadable ACL won't work.
    I have a case with a Cisco engineer now and am still in the middle of sorting things out.
    The advice from the Cisco engineer is to have the Access Service set to Internal User instead of RSA server, but that will require us (the admins) to import all the VPN users into the ACS database.
    Wondering whether there is a fix for this.
    Thanks.

  • Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets

    Hello All,
    I am trying to create a user so that I can allow him to run only the commands that I have designated within my "Shell Command Authorization Set". This seems to work great; however, I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
    My Steps:
    Created a user in ACS
    Shared Profile Components
    Create Shell Command Authorization Set - "ReadOnly"
    Unmatched Commands - Deny
    Unchecked - Permit Unmatched Arg
    Commands Added
    permit interface
    permit vlan
    permit snmp contact
    permit power inline
    permit version
    permit switch
    permit controllers utilization
    permit env all
    permit snmp location
    permit ip http server status
    permit logging
    Created a group - "GroupTest" with the following
    Configured - Network Access Restrictions (NAR)
    Max Sessions - Unlimited
    Enable Options - No Enable Privilege
    TACACS+ Settings
    Shell (exec)
    Privilege level is checked with 1 as the assigned level
    Shell Command Authorization Set
    "ReadOnly" - Assign a Shell Command Authorization Set for any network device
    I have configured the following on my Router/Switch
    aaa authorization config-commands
    aaa authorization commands 1 default group tacacs+ if-authenticated
    privilege exec level 1 show log
    I have attached below the documentation I have gone over.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624

    "You are testing with privilege level 15 or below 15. Because when you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send a request to ACS. If it is not in the command set, it won't send a request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try; it should work.
    Correct me if I am wrong."
    Regards
    Vamsi

  • ACS and AD groups

    I have ACS v5 connected to a Windows 2008 AD.
    Why can't I see any other groups besides the default Builtin or Users? If I set my Base DN to search for groups: CN=Groups,DC=LAB,DC=LOCAL, I do not see any groups listed within it. But if I do CN=Builtin,DC=LAB,DC=LOCAL
    Thank you
    William

    Hi,
    You are hitting DDTS
    CSCtc51643
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtc51643
    Please upgrade to ACS 5.1.

  • ACS group mapping

    Hello,
    we are using ACS 4.2 to authenticate network admins for access to switches and routers. ACS is integrated with Windows Active Directory,
    so we map AD groups to ACS groups and we specify access restrictions in ACS groups.
    Now we want to use this ACS to authenticate wireless users. Wireless users will use their AD accounts,
    so I think we should create a new internal group in ACS and map AD mobile users to this group. Using RADIUS attributes we can put these users in one particular VLAN.
    However, what if a network administrator accesses the wireless network? He will use the AD account that belongs to both groups: the network-admin group and the wireless group.
    So what will ACS do in this case? Will it be mapped to the first group or the second, or maybe both?!!!

    I can't see how NAP can resolve my issue.
    Suppose ohasairi is one account in AD that belongs to the AD groups network-admin and wireless-users.
    AD network-admin is mapped to the ACS network-admin group. This group is configured with a NAR to limit access to some network devices.
    AD wireless-users is mapped to ACS wireless-users, which is configured with adequate Airespace attributes and IETF attributes to put it in VLAN 80 (the wireless VLAN).
    Now if I put the network-admin map first, then if ohasairi tries to access the wireless network it will not succeed because it will be mapped to the network-admin group, and this group is not configured with the IETF attributes that put the user in VLAN 80!
    If I put the wireless-users map first, then if ohasairi tries to access a network device, I am afraid it will be assigned to VLAN 80!

  • Cisco ACS 4.2 one user in multiple local groups

    Currently I have group mapping like this:
    ACS Groups    Windows Groups
    Grp-A-B       Grp-1 and Grp-2
    Grp-A         Grp-1
    Grp-B         Grp-2
    For example, currently one user test1 is part of both groups 1 and 2 in Windows and is mapped to Grp-A-B in ACS. Is it possible, if I delete the Grp-A-B mapping in ACS, to see the user test1 separately in both groups (Grp-A and Grp-B) in ACS?

    Salam Muhammad,
    If you have a local user in ACS, that user cannot be a member of two groups at the same time.
    The same concept applies to external users. They cannot be mapped to two different groups at the same time.
    If you remove the Grp-A-B configuration, the user test1 will be mapped to the first group in the list because ACS 4.2 processes the group mapping in order:
    '''snip'''
    Group Mapping Order
    ACS always maps users to a single ACS group; yet a user can belong to more than one group set mapping. For example, a user named John could be a member of the group combination Engineering and California, and at the same time be a member of the group combination Engineering and Managers. If ACS group set mappings exist for both these combinations, ACS has to determine to which group John should be assigned.
    ACS prevents conflicting group set mappings by assigning a mapping order to the group set mappings. When a user who is authenticated by an external user database is assigned to an ACS group, ACS starts at the top of the list of group mappings for that database. ACS sequentially checks the user group memberships in the external user database against each group mapping in the list. When finding the first group set mapping that matches the external user database group memberships of the user, ACS assigns the user to the ACS group of that group mapping and terminates the mapping process.
    '''snip'''
    Reference: http://goo.gl/cvc474
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
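The first-match rule quoted above is what decides ohasairi's case from the earlier thread as well. The following Python is an added illustration, not ACS code: it models the Group Mapping Order rule as the documentation states it (top-down, the first matching group-set mapping wins, every user lands in exactly one ACS group) and then resolves a dual-membership account under the orderings both threads discuss, including the combined-group row (the Grp-A-B pattern) placed first and placed last. It also adds a small check for mapping rows that can never win. The assumption made here is that a group-set mapping matches when the user holds every external group in that set; the account, AD groups and ACS group names are constructed from the thread.

```python
"""First-match group mapping, simulated.

Added illustration for the ACS 4.2 'Group Mapping Order' rule, not ACS code.
Assumption: a group-set mapping matches when the user holds every external
group listed in it; when nothing matches, a fall-through default applies.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

DEFAULT_GROUP = "Default Group"  # assumed fall-through when no row matches


@dataclass(frozen=True)
class GroupMapping:
    """One row of the ordered group-set mapping list for an external database."""
    external_groups: FrozenSet[str]  # AD groups the user must hold (all of them)
    acs_group: str                   # ACS group assigned when this row matches


def map_user(user_groups: Iterable[str], order: List[GroupMapping]) -> str:
    """Walk the list from the top; the first row whose group set is fully held
    by the user wins and the search stops, so a user is never in two ACS groups."""
    held = frozenset(user_groups)
    for row in order:
        if row.external_groups <= held:
            return row.acs_group
    return DEFAULT_GROUP


def shadowed(order: List[GroupMapping]) -> List[str]:
    """Configuration check: rows that can never win. A row whose group set is a
    superset of an earlier row's set is always pre-empted by that earlier row,
    because any user matching the later row also matches the earlier one."""
    unreachable = []
    for i, later in enumerate(order):
        if any(earlier.external_groups <= later.external_groups
               for earlier in order[:i]):
            unreachable.append(later.acs_group)
    return unreachable


# Constructed data mirroring the threads: one AD account in both groups.
OHASAIRI = {"network-admin", "wireless-users"}
ADMIN_ONLY = {"network-admin"}
WIRELESS_ONLY = {"wireless-users"}

ADMIN_ROW = GroupMapping(frozenset({"network-admin"}), "ACS network-admin")
WIRELESS_ROW = GroupMapping(frozenset({"wireless-users"}), "ACS wireless-users")
# A combination row (the Grp-A-B pattern); the ACS group name is assumed.
BOTH_ROW = GroupMapping(frozenset({"network-admin", "wireless-users"}),
                        "ACS admin+wireless")

ADMIN_FIRST = [ADMIN_ROW, WIRELESS_ROW]
WIRELESS_FIRST = [WIRELESS_ROW, ADMIN_ROW]
COMBINATION_FIRST = [BOTH_ROW, ADMIN_ROW, WIRELESS_ROW]
COMBINATION_LAST = [ADMIN_ROW, WIRELESS_ROW, BOTH_ROW]


def demo() -> dict:
    """Resolve the dual-membership account under each ordering."""
    return {
        "admin_first": map_user(OHASAIRI, ADMIN_FIRST),
        "wireless_first": map_user(OHASAIRI, WIRELESS_FIRST),
        "combination_first": map_user(OHASAIRI, COMBINATION_FIRST),
        "combination_last": map_user(OHASAIRI, COMBINATION_LAST),
        "unreachable_rows": shadowed(COMBINATION_LAST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two single-group orderings each break one of ohasairi's use cases, exactly as described in the thread; only a combined row placed above its single-group subsets gives the dual-membership account its own ACS group, and `shadowed()` flags the combined row as unreachable when it is listed after them.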

  • ACS Mapping Group @ Trust-Tree (Domain Trust)

    Dears,
    Can ACS map groups across an AD domain trust??
    I installed abc.com / qqq.com and they trust each other!
    My ACS is installed in the abc.com domain, but I cannot get qqq.com user information?
    ^ ^
    Message edited by: mr.marslin

    The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4f.html#wp712817

  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible, and what does the authorization profile have to look like?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop down list or by entering a specifiv group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
    So from the ASA's standpoint itself your posibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words you can not achieve your goal if the Radius server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer)
    0 = No Client specified  1 = Cisco VPN Client (IKEv1)  2 = AnyConnect Client SSL VPN  3 = Clientless SSL VPN  4 = Cut-Through-Proxy  5 = L2TP/IPsec SSL VPN  6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert
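To make the "dynamic permit/deny on the tunnel-group attribute" idea concrete, here is an added Python example; it is not ACS, ASA or Cisco code. It encodes and decodes the two vendor-specific attributes Herbert quotes (vendor ID 3076, attribute 146 Tunnel Group Name as a string, attribute 150 Client Type as an integer) in the standard RFC 2865 Vendor-Specific attribute layout (type 26), then answers an Access-Request by checking the requested tunnel-group against a per-group allow set. The tunnel-group names, ACS group names and the allow sets are constructed to mirror Dominic's three rules; malformed attribute lengths are rejected rather than guessed at.

```python
"""Decode the ASA 8.4.3+ VSAs and apply a per-group tunnel-group policy.

Added example, not ACS/ASA code. Assumes vendor ID 3076 with sub-attributes
146 (Tunnel Group Name, string) and 150 (Client Type, integer) inside an
RFC 2865 Vendor-Specific attribute (type 26). Names and policy are constructed.
"""
import struct
from typing import Dict, Tuple

VSA_TYPE = 26
CISCO_VPN_VENDOR_ID = 3076
TUNNEL_GROUP_NAME = 146   # string
CLIENT_TYPE = 150         # integer

CLIENT_TYPE_NAMES = {
    0: "No Client specified",
    1: "Cisco VPN Client (IKEv1)",
    2: "AnyConnect Client SSL VPN",
    3: "Clientless SSL VPN",
    4: "Cut-Through-Proxy",
    5: "L2TP/IPsec SSL VPN",
    6: "AnyConnect Client IPsec VPN (IKEv2)",
}

# Constructed policy: which ASA tunnel-groups each ACS group may use.
ALLOWED_TUNNEL_GROUPS = {
    "VPN-users-global": {"VPN-profile-A", "VPN-profile-B", "VPN-profile-Z"},
    "VPN-users-A": {"VPN-profile-A"},
    "VPN-users-B": {"VPN-profile-B", "VPN-profile-Z"},
}


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: Type=26, Length, Vendor-Id, then
    Vendor-Type, Vendor-Length (which covers itself and the type), value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def parse_vsas(attrs: bytes) -> Dict[Tuple[int, int], bytes]:
    """Walk a RADIUS attribute list and return {(vendor_id, vendor_type): value}.
    Lengths are validated, not trusted; a malformed list raises ValueError so the
    caller rejects instead of deciding on partial data."""
    found: Dict[Tuple[int, int], bytes] = {}
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VSA_TYPE:
            body = attrs[i + 2:i + alen]
            if len(body) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                found[(vendor_id, vtype)] = body[j + 2:j + vlen]
                j += vlen
        i += alen
    return found


def decide(attrs: bytes, acs_group: str) -> Tuple[str, str]:
    """Return (RADIUS reply code, reason) for an Access-Request carrying the
    ASA VSAs, given the ACS group the user was mapped to."""
    try:
        vsas = parse_vsas(attrs)
    except ValueError as err:
        return "Access-Reject", f"malformed attributes: {err}"
    tg_raw = vsas.get((CISCO_VPN_VENDOR_ID, TUNNEL_GROUP_NAME))
    if tg_raw is None:
        return "Access-Reject", "no Tunnel Group Name VSA (ASA older than 8.4.3?)"
    tunnel_group = tg_raw.decode("ascii", errors="replace")
    ct_raw = vsas.get((CISCO_VPN_VENDOR_ID, CLIENT_TYPE))
    client = "unknown client type"
    if ct_raw is not None and len(ct_raw) == 4:
        client = CLIENT_TYPE_NAMES.get(struct.unpack("!I", ct_raw)[0], client)
    if tunnel_group in ALLOWED_TUNNEL_GROUPS.get(acs_group, set()):
        return "Access-Accept", f"{acs_group} may use {tunnel_group} ({client})"
    return "Access-Reject", f"{acs_group} may not use {tunnel_group} ({client})"


def sample_request(tunnel_group: str, client_type: int) -> bytes:
    """Constructed attribute list as the ASA would send it (the two VSAs only)."""
    return (build_vsa(CISCO_VPN_VENDOR_ID, TUNNEL_GROUP_NAME, tunnel_group.encode())
            + build_vsa(CISCO_VPN_VENDOR_ID, CLIENT_TYPE, struct.pack("!I", client_type)))


if __name__ == "__main__":
    req = sample_request("VPN-profile-Z", 2)
    print(decide(req, "VPN-users-B"))   # accepted: B may use B and Z
    print(decide(req, "VPN-users-A"))   # rejected: A may only use A
```

Because the decision is made per request from the tunnel-group the ASA reports, a single user group can be allowed on two tunnel-groups (B and Z) without any group-lock attribute, which is the case the static per-user attribute set cannot express.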

  • How do I restrict access to 4 devices using ACS

    Currently in our ACS we have Group A configured to have access to all network devices, with full privilege level 15 access to all devices.
    We are now trying to implement 4 new users; however, we only want them
    to have access to 4 devices (routers, 4 IP addresses) and only have
    basic level 1 functions in the router.
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implement that into

    I'm using ACS v4.2 on Windows Server (TACACS).
    Under NAF I have configured the IPs of the servers I want them to access under Selected Items.
    Under NAR I have permitted calling point
    with the NAF and * *
    Under the Group Settings
    Network Access Restrictions (NAR)
      Shared Network Access Restrictions
    Only Allow network access when
    All selected NARs result in permit
    all selected NARs result in permit..with the NAR I just configured in the selected NAR list

  • TACACS enable password is not working after completing ACS & MS AD integration

    Enable password for (Router, Switches) is working fine if the identity source is "Internal Users"; unfortunately after completing the integration between ACS and MS AD, and changing the Identity source to "AD1", I got the following result:
    1. Able to access network device (Cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users", enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

    Hi Edward,
    I created a new shell profile named "root", as the default one, "Permit Access", can't be accessed or modified; underneath are the steps I've made.
    1. Create a new shell profile named "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet the Switch and then issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles"

  • ACS 4.2 authentication and Privileged exec mode on Test Router.

    The goal is to have ACS authenticate my username via ssh and allow me to get into privileged exec mode once authenticated. Details below.
    I have ACS 4.2 Solution Engine and I have a test router with the following commands setup:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa session-id common
    tacacs-server host 10.4.4.21 single-connection
    tacacs-server key $#$&$*#
    The problem is this. I can SSH and log on to the router, which uses a user in the ACS database, but the router will not allow me to use the enable command to get to exec mode. The error it gives me is:
    AAA_ROUTER_CLIENT>enable
    % Error in authentication.
    AAA_ROUTER_CLIENT>
    I must be missing something in the ACS. Any help would be appreciated.

    You are missing this command
    aaa authorization exec default group tacacs+ if-authenticated
    This is what you need on the router
    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    On ACS
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 5.x with either AD or RSA Authentication depending on user

    I am trying to implement RSA two-factor authentication for our company for access to secure resources.
    Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
    I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
    We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
    I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
    I tried creating a rules-based selection for Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring the RSA to treat user rejects as user not found. This broke VPN completely.
    From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
    Anyone know how to accomplish this?
    I am running 5.4 with the latest patches.

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request:
    Could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+  tac_admin
       server x.x.x.x
    aaa authentication login default group  tac_admin local
    aaa authentication login console group  tac_admin local 
    aaa accounting default group x.x.x.x
    On ACS side for group named "Network Administrators" you should configure in TACACS setting:
    1. Shell  (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have additional  context add next line
              shell:mycontext*Admin  default-domain
    After logging in to ACE and issuing the sh users command you should see the following
    User       Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x     Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACS not authorising Security Manager devices

    Hi, I have a setup with ACS 4.1 and CS-Manager 3.2.2.
    I have integrated the CS-Manager into ACS with no problems.
    However, when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS".
    I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS)).
    I am wondering if CS-Manager is not liking the wildcards.
    Unfortunately, as we have 500 or so production devices already using this entry, I am not in a position to remove it to test my theory at present.
    Anyone know if wildcards are supported for authorising CS-Manager devices?
    Regards
    Colin

    Colin
    Assumption: you have CSM's Common Services integrated correctly into ACS, first with an admin account in ACS with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal), and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.
    Assumption: you have a super admin group in ACS set up that has full rights to the CSM authorization categories that were pushed into ACS from Common Services when you first set up AAA in CS. And you have set up a user that is part of that ACS super admin group.
    Three things to check.
    1. Under ACS, click the 'Shared Profile Components' button, check that Common Services has pushed out the Authorization categories into ACS; you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator'; make sure that all the tick boxes in this profile are all ticked with no gray or shaded boxes.
    2. The user account you're logging into CSM with is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-Manager authorization categories, i.e. make sure that you have matched the group that you checked in my previous point, 'System Administrator' or whatever group you created that gave full rights.
    3. Finally, you must have the device listed in your network device groups in ACS. Remember that CSM will check against the ACS's NDG lists and WILL also match against a FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN; if it's not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2, not 100% sure, but it broke my network in 3.1.) I'm going to take a wild stab in the dark and say that the wildcard might be failing you because it doesn't match between CSM host name and domain name sections to the ACS host name.
    Dale
    Oh, one final test you can try: log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via TACACS and that you can perform enable access type functions using this account.

  • AAA ACS and Nexus

    Hello,
    I am setting up TACACS+ AAA on a Nexus switch.
    Using the Nexus CLI I can record all entered commands (see example 1).
    Using Cisco Device Manager with the same switch I cannot get a record of entered commands (see example 2).
    Via CDM, the Nexus is using SNMPv3 and MD5 for authentication, allowing me to type username/password to authenticate.
    How can I set up AAA on the Nexus to provide the same level of reporting when using CDM and CLI?
    If anyone can provide some config info it would be greatly appreciated.
    AAA config lines:
    feature tacacs+
    aaa authentication login default group AAA
    aaa accounting default group AAA
    tacacs-server host 5.5.5.5 key <key>
    aaa group server tacacs+ AAA
        server 5.5.5.5
        use-vrf management
    Example 1
    22/03/2011,14:45:57,MaxPower,Nexus,terminal length 0 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:45:57,MaxPower,Nexus,terminal session-timeout 60 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:45:57,MaxPower,Nexus,sync-snmp-password ******** MaxPower 10.2.2.44 (SUCCESS),0,none,0,10.2.2.44@pts/0,1.1.1.1,
    22/03/2011,14:46:02,MaxPower,Nexus,terminal length 0 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:02,MaxPower,Nexus,terminal session-timeout 60 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:03,MaxPower,Nexus,sync-snmp-password ******** MaxPower 10.2.2.44 (SUCCESS),0,none,0,10.2.2.44@pts/3,1.1.1.1,
    22/03/2011,14:46:11,MaxPower,Nexus,target (name:10.2.2.44/2162/0 address:10.2.2.44:2162 timeout:1500 retry:3 tagList:trap params:10.2.2.44/2162/0) added ,0,none,0,snmp_3277_10.2.2.44,1.1.1.1,
    22/03/2011,14:46:16,MaxPower,Nexus,target (name:10.2.2.44/2162/0 address:10.2.2.44:2162 timeout:1500 retry:3 tagList:trap params:10.2.2.44/2162/0) added ,0,none,0,snmp_3279_10.2.2.44,1.1.1.1,
    Example 2
    22/03/2011,14:46:36,MaxPower,ACSGroup,write <cr>,15,shell,tty2,2,10.10.10.15,
    22/03/2011,14:48:26,MaxPower,ACSGroup,configure terminal <cr>,15,shell,tty1,29,10.10.10.34,
    22/03/2011,14:49:06,MaxPower,ACSGroup,aaa group server tacacs+ AAA <cr>,15,shell,tty1,31,10.10.10.34,

    Hi
    There are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.
    In ACS create some groups based on the permission levels each group should have.
    In the groups enable the shell (exec) service.
    At this point you can either list the denied commands for certain groups right in the group edit page itself.
    Alternatively, you can create Device Command Sets in the shared profiles UI. These are more flexible because inside a single group you can map to different DCSs based on the device being managed (either by device IP or by network device group).
    It's all there in the ACS docs!
    Good luck.
